Spin Back Cycles Privacy Policy

1. Who we are

Spin Back Cycles S.à r.l.‑S (‘we’, ‘us’, ‘our’) is a company incorporated under the laws of the Grand Duchy of Luxembourg, registered with the Registre de Commerce et des Sociétés under number [RCS number]. We operate the Spin Back Cycles online marketplace at spinbackcycles.lu (the ‘Platform’).

For the purposes of the General Data Protection Regulation (EU) 2016/679 (‘GDPR’) and the Luxembourg Law of 1 August 2018 on the organisation of the CNPD and the general data protection framework, we are the data controller of personal data collected through the Platform.

2. What personal data we collect

We collect the following categories of personal data:

Data you provide to us directly

  • Account registration data: your name, email address, and the password you create (stored in encrypted form).
  • Profile data: your profile name, profile photo (if uploaded), and your commune of residence (displayed publicly to indicate your general location).
  • Listing data: information you provide when creating a listing, including photographs, descriptions, prices, and bike specification details.
  • Communication data: messages sent through the in-app messaging system between buyers and sellers.
  • Transaction data: records of completed or attempted transactions on the Platform.
  • Support correspondence: emails and messages sent to us at our contact addresses.

Data we collect automatically

  • Usage data: information about how you use the Platform, including pages visited, search queries, filters applied, and listings viewed.
  • Device and browser data: IP address, browser type and version, operating system, device type, and screen resolution.
  • Cookie data: see our Cookie section below.

Data we receive from third parties

  • Authentication data: if you choose to sign in using a third-party service (such as Google), we receive basic profile information from that service in accordance with their privacy policy and your consent settings.
  • Payment processing data: payment transaction references from our payment processor. We do not store full payment card details.

3. How we use your personal data

We use your personal data only for the purposes listed below, on the legal bases indicated:

  • Creating and managing your account [Art. 6(1)(b) — contract performance] Duration of account + 3 years
  • Enabling listings, messaging, and transactions between users [Art. 6(1)(b) — contract performance] Duration of account + 5 years (transaction records)
  • Charging and collecting success fees [Art. 6(1)(b) — contract performance; Art. 6(1)(c) — legal obligation] 10 years (Luxembourg accounting law)
  • Sending platform notifications (new messages, listing activity) [Art. 6(1)(b) — contract performance] Duration of account
  • Sending marketing emails (optional newsletter, platform updates) [Art. 6(1)(a) — consent] Until consent is withdrawn
  • Improving and operating the Platform safely [Art. 6(1)(f) — legitimate interest] 24 months (usage/analytics data)
  • Preventing fraud and enforcing our Terms & Conditions [Art. 6(1)(f) — legitimate interest] Duration of investigation + 3 years
  • Complying with applicable law (tax, accounting, regulatory) [Art. 6(1)(c) — legal obligation] As required by law

4. Who we share your data with

We do not sell your personal data to third parties. We share data only in the following circumstances:

  • Service providers: we use Sharetribe (our platform technology provider), hosting providers, and payment processors to operate the Platform. These providers act as data processors under contracts that require them to protect your data and use it only for the purposes we specify.
  • Between buyers and sellers: your profile name, commune of residence, and listing details are visible to other Platform users. Your email address and full address are never shown publicly.
  • In-app messaging: messages you send to other users are visible to those users and to us for the purposes of moderation and fraud prevention.
  • Legal requirements: we may disclose personal data if required to do so by applicable law, court order, or competent authority, including the CNPD.
  • Business transfers: in the event of a merger, acquisition, or sale of the business, personal data may be transferred as part of that transaction, subject to appropriate safeguards.

5. International transfers

The Platform is operated from Luxembourg and your data is stored within the European Economic Area (EEA). If any of our service providers are located outside the EEA, we ensure that appropriate safeguards are in place (such as EU Standard Contractual Clauses) before transferring your data.

6. Cookies

The Platform uses cookies and similar tracking technologies. Cookies are small text files stored on your device when you visit the Platform.

We use the following types of cookies:

  • Strictly necessary cookies: required for the Platform to function. These cannot be switched off. They include session management, authentication, and security cookies.
  • Analytics cookies: help us understand how visitors use the Platform, which pages are most visited, and where errors occur. We use this information to improve the Platform. These are only set with your consent.
  • Preference cookies: remember your settings and preferences (such as language). These are only set with your consent.

When you first visit the Platform, you will be asked to accept or decline non-essential cookies. You can change your cookie preferences at any time via the Cookie Settings link in the footer.

You can also control cookies through your browser settings; however, disabling strictly necessary cookies will affect Platform functionality.

7. Your rights

Under GDPR, you have the following rights in relation to your personal data:

  • Right of access: you can request a copy of the personal data we hold about you.
  • Right to rectification: you can ask us to correct inaccurate or incomplete personal data.
  • Right to erasure: you can ask us to delete your personal data where there is no legitimate reason for us to continue holding it.
  • Right to restriction of processing: you can ask us to pause the processing of your personal data in certain circumstances.
  • Right to data portability: you can ask us to provide your personal data in a structured, commonly used, machine-readable format.
  • Right to object: you can object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent: where processing is based on your consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. To exercise any of these rights, contact us at privacy@spinbackcycles.lu. We will respond within 30 days. You also have the right to lodge a complaint with the CNPD (cnpd.public.lu).

8. Data security

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include encrypted password storage, HTTPS encryption for all data in transit, and restricted access to personal data within our organisation.

No method of transmission over the internet is completely secure. While we take all reasonable steps to protect your data, we cannot guarantee absolute security.

9. Children

The Platform is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe that a child under 16 has provided us with personal data, please contact us at privacy@spinbackcycles.lu and we will delete it.

10. Changes to this policy

We may update this Privacy Policy from time to time. When we make significant changes, we will notify registered users by email and display a prominent notice on the Platform. The date of the most recent update is shown at the top of this page. Continued use of the Platform after changes are published constitutes acceptance of the updated policy.

11. Contact us

For any questions about this Privacy Policy or how we handle your data, contact us at:

  • Email privacy@spinbackcycles.lu
  • Post Spin Back Cycles S.à r.l.‑S, 133 Val St Croix, L-1371 Luxembourg
  • Supervisory authority Commission Nationale pour la Protection des Données (CNPD), 15 Boulevard du Jazz, L-4370 Belvaux, Luxembourg. cnpd.public.lu