Privacy Policy
Last updated: 24 March 2026. This privacy policy explains how Beneluxauto processes personal data on this private, non-commercial test website under the GDPR and current German digital-services rules.
The content below is tied to the functionality currently present in the codebase: account registration, login, email verification, password reset, account deletion, contact form, vehicle listings, photo uploads, language preference and optional social login via Google/Facebook.
1. Controller
The controller responsible for data processing on this website is:
- Operator: Beneluxauto
- Address: Driehoek 12
- City / Country: 3920 Lommel, Germany
- Email: support@beneluxauto.eu
- Phone: +32 483 72 33 29
2. Categories of personal data
- Technical usage data such as IP address, date/time, user agent, error information and request metadata required to deliver, log and secure the website and API.
- Account data such as email address, password hash, first name, last name, phone number, region and city that you enter yourself.
- Listing data such as vehicle details, price, description, region/city and uploaded photos.
- Communication data from the contact form: email address, optional phone number and message content.
- Authentication and session data, including necessary auth cookies, refresh cookies, NextAuth/OAuth session data and the NEXT_LOCALE language cookie.
- Email-related data used for verification, password reset and scheduled account deletion.
3. Purposes and legal bases
- Website delivery, troubleshooting, abuse prevention and IT security: Article 6(1)(f) GDPR.
- Registration, login, account management, publishing and managing listings: Article 6(1)(b) GDPR.
- Verification emails, password resets and account deletion including cancellation links: Article 6(1)(b) GDPR and, where relevant for security logging, Article 6(1)(f) GDPR.
- Responding to contact requests: Article 6(1)(f) GDPR or Article 6(1)(b) GDPR where the request is aimed at potential contractual contact.
- Storing or accessing strictly necessary information on end-user devices: Section 25(2) TDDDG; the related data processing is then based on Article 6(1)(b) or 6(1)(f) GDPR.
- Social login via Google or Facebook only if you actively choose that login method: Article 6(1)(b) GDPR.
4. Cookies, local storage and consent
Based on the current codebase, no analytics, tracking or marketing cookies are loaded. At present, only technically necessary mechanisms are used for login, token refresh, language preference and session status.
For strictly necessary cookies or similar storage needed to provide a function explicitly requested by you, separate consent is not required under Section 25(2) TDDDG. If analytics, advertising or embedded third-party tools are added later, this assessment must be revisited.
5. Recipients and processors
- Hosting, infrastructure and email providers insofar as this is technically necessary.
- OAuth providers such as Google or Facebook only if you actively use social login; those providers also process data under their own privacy terms.
- No sale of personal data.
6. International transfers
If social login via Google or Facebook is enabled and used by you, personal data may be processed outside the EU/EEA, especially in the United States. In that case, the transfer is triggered by your explicit choice of that login method and is subject to the terms of the respective provider.
7. Retention
- We generally keep account data for as long as the account remains active.
- If account deletion is requested, the current backend logic first deactivates the account and permanently deletes it after a 30-day waiting period unless deletion is cancelled within that period.
- Listing and profile photos remain linked to the relevant account or listing until they are removed or the account is finally deleted.
- Contact messages are kept until the request has been handled and for as long as necessary for evidence, support or abuse-prevention purposes.
- Technical logs are kept only for as long as needed for security, debugging and stable operation.
8. Your rights
- right of access
- right to rectification
- right to erasure
- right to restriction of processing
- right to data portability
- right to object under Article 21 GDPR where processing is based on legitimate interests
- right to withdraw consent with effect for the future where consent is used
- right to lodge a complaint with a competent supervisory authority
9. Automated decision-making
Based on the current implementation, no solely automated decision-making with legal or similarly significant effects within the meaning of Article 22 GDPR takes place.