
Privacy Policy

Last updated: April 14, 2026

Heavy Buddy ("we", "us", "our") operates the Heavy Buddy marketplace platform. This Privacy Policy explains how we collect, use, disclose, and protect your personal data in compliance with the General Data Protection Regulation (GDPR - EU 2016/679) and the Swiss Federal Act on Data Protection (FADP).

1. Data Controller

Heavy Buddy
Based in France — Serving Europe & worldwide
Email: privacy@heavybuddy.com

2. Data We Collect

2.1 Account Data

When you create an account, we collect:

  • Username
  • Email address
  • Hashed password (we never store plain-text passwords)

2.2 Ad & Transaction Data

When you create ads or place orders, we collect:

  • Ad details (title, description, photos, price, location)
  • Order information (buyer/seller details, order status)
  • Messages exchanged between buyers and sellers

2.3 Technical Data

Automatically collected when you use our platform:

  • IP address
  • Browser type and version
  • Pages visited, timestamps, and interaction data
  • Session cookies (strictly necessary for authentication)

3. Legal Basis for Processing

We process your data under the following legal bases (GDPR Art. 6):

  • Consent (Art. 6(1)(a)): You provide explicit consent when creating an account and accepting our terms.
  • Contract Performance (Art. 6(1)(b)): Processing necessary to provide our marketplace services (ad management, orders, messaging).
  • Legitimate Interest (Art. 6(1)(f)): Security monitoring, fraud prevention, and platform improvement.
  • Legal Obligation (Art. 6(1)(c)): Tax records, regulatory compliance.

4. How We Use Your Data

  • Provide and operate the marketplace platform
  • Facilitate communication between buyers and sellers
  • Process transactions and manage orders
  • Send essential service notifications (order updates, messages)
  • Ensure platform security and prevent fraud
  • Improve our services through anonymized analytics

5. Data Sharing

We do not sell your personal data. We may share data with:

  • Other users: Your public profile and ad information are visible to other users.
  • Payment processor (Stripe): Payment data is processed directly by Stripe under their own privacy policy.
  • Hosting provider (Infomaniak, Switzerland): Data is stored on Swiss-hosted infrastructure with GDPR-compliant data processing agreements.
  • Legal authorities: When required by applicable law or court order.

6. Data Storage & Transfers

Your data is stored on servers operated by Infomaniak in Switzerland, which benefits from an EU adequacy decision. We do not transfer personal data outside the EEA/Switzerland without appropriate safeguards (Standard Contractual Clauses or adequacy decisions).

7. Data Retention

  • Account data: Retained while your account is active, then deleted within 30 days of an account deletion request.
  • Ad data: Retained while the ad is active; expired/deleted ads are removed within 90 days.
  • Transaction records: Retained for 10 years as required by tax regulations.
  • Messages: Retained while both accounts are active; deleted within 30 days when either account is deleted.
  • Server logs: Automatically purged after 90 days.

8. Cookies and third-party resources

We use only strictly necessary cookies for:

  • Session management: Keeping you logged in (Django session cookie).
  • CSRF protection: Preventing cross-site request forgery attacks.
  • Language preference: Remembering your selected language (Django i18n cookie).

We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

Third-party resources: All fonts, icons and visual assets used on Heavy Buddy are self-hosted on our own servers. We do not load any external resources from Google Fonts, jsDelivr, or any other third-party CDN that could transmit your IP address outside the European Union. The only exception is the OpenStreetMap tile service used to display maps on listing pages (operated by the OpenStreetMap Foundation, EU/UK), which does not set cookies and is required to provide the mapping feature.

Therefore, no cookie consent banner is required under GDPR/ePrivacy regulations. Should we introduce analytics, advertising, or other non-essential third-party services in the future, we will update this policy and implement an appropriate consent mechanism.

9. Your Rights (GDPR Art. 15-22)

You have the following rights regarding your personal data:

  • Right of Access (Art. 15): Request a copy of your personal data.
  • Right to Rectification (Art. 16): Correct inaccurate personal data via your profile settings.
  • Right to Erasure (Art. 17): Request deletion of your account and associated data.
  • Right to Restriction (Art. 18): Request restriction of processing in certain circumstances.
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interests.
  • Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@heavybuddy.com. We will respond within 30 days.

10. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • HTTPS/TLS encryption for all data in transit
  • Passwords hashed using industry-standard algorithms
  • CSRF protection on all forms
  • Regular security updates and monitoring
  • Access controls and authentication mechanisms

11. Children's Privacy

Our platform is not intended for users under 16 years of age. We do not knowingly collect data from children. If you believe we have collected data from a minor, please contact us immediately.

12. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence. In France, this is the CNIL (Commission Nationale de l'Informatique et des Libertés) — www.cnil.fr.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Significant changes will be communicated via email or a prominent notice on our platform. Continued use of the platform after changes constitutes acceptance of the updated policy.

14. Contact

For any questions or requests regarding this Privacy Policy or your personal data:

Heavy Buddy — Data Protection
Email: privacy@heavybuddy.com