1. Who We Are
Local Development d.o.o. ("PoDi", "we", "us", "our") operates the PoDi platform at podi.hr. PoDi connects people looking for auto parts with independent auto-parts vendors. PoDi is generally the controller for personal data processed to operate the platform, manage accounts, route requests, provide support, maintain security, and administer vendor billing.
If a vendor independently uses buyer details after an offer is accepted, that vendor is responsible for its own processing, legal notices, invoices, warranty obligations, and customer communication.
Contact
Email: [email protected]
Address: Local Development d.o.o., Haulikova ulica 1, 10000 Zagreb, Croatia, OIB: 09338516846, MBS: 081434325
2. Personal Data We Collect
2.1 Buyer and request data
- Contact details: email address, phone number, country or region when provided.
- Vehicle details: make, model, production year/generation, variant, engine, fuel type, body type, colour, VIN text if entered or read from the technical vehicle-registration section. If you use registration-document scanning, the image is used only for OCR extraction and is not stored with the request; only the extracted technical vehicle data is stored. A VIN-plate photo is stored only if you upload it separately.
- Request details: part description, uploaded vehicle/part photos, tracking number, security token, status history, accepted offers, and review content if you leave a review.
- Communications: emails, replies, support messages, offer messages, and activity metadata. Email bodies forwarded through the platform may be logged for delivery, support, abuse prevention, and dispute evidence.
2.2 Vendor account and business data
- Account details: business name, email, password hash, phone number, address, tax/VAT number, verification and account status.
- Vendor preferences: supported or excluded vehicle makes, notification email, communication preferences, dashboard activity, offer history, response status, ratings, and reviews.
- Billing details: Stripe customer ID, subscription ID, plan, billing cycle, usage counts, promo-code use, invoice/payment metadata, invoice links, and payment status. We do not store full card numbers or card security codes.
- Optional business details: bank name, IBAN, SWIFT and address when used for offer PDFs or account settings.
2.3 Technical and security data
- Device and log data: IP address, browser and device information, URL, timestamps, error logs, rate-limit data, authentication/session data, and security events.
- Cookies and local storage: language preference, cookie choice, vendor/admin authentication state, and other strictly necessary browser storage described in the Cookie Policy.
- Location inference: on a first visit, we may use Cloudflare country headers or a server-side IP geolocation lookup to suggest the correct regional language. This is used for localisation, not precise tracking.
3. Sources of Data
- You: when you submit a request, register, upload images, send replies, leave a review, contact support, or manage settings.
- Other platform users: vendors may provide offer details about you or your request; buyers may leave reviews about vendors.
- Service providers: Stripe, email providers, hosting/file-storage providers, fraud/security systems, and locale/geolocation infrastructure may provide processing metadata.
- Automatic collection: logs, cookies, local storage, request headers, and security-rate-limit events are generated as you use the service.
4. Why We Process Data and Legal Bases
- Provide the service (contract/steps before contract): create and route part requests, let vendors send offers, show dashboards, authenticate accounts, generate tracking links, send operational emails, and administer vendor subscriptions.
- Marketplace safety (legitimate interests): prevent fraud, spam, abuse, unauthorized access, duplicate accounts, fake reviews, illegal listings, and security incidents.
- Communications (contract/legitimate interests): send confirmations, request updates, offer notifications, accepted-offer notices, review requests, service notices, and support replies.
- Billing and records (contract/legal obligation): process vendor subscription payments, invoices, tax/accounting records, payment failures, refunds where applicable, and compliance obligations.
- Improvement and analytics without advertising tracking (legitimate interests): understand aggregate platform performance, vendor response rates, request coverage, errors, and feature usage from operational data.
- Consent: optional non-essential cookies or marketing will be used only when we have the required consent. We currently do not use advertising cookies or third-party analytics cookies.
- Legal claims and compliance (legal obligation/legitimate interests): respond to lawful requests, enforce terms, keep evidence, defend claims, and protect rights and safety.
5. How Marketplace Sharing Works
- Before a vendor responds: matched active vendors may receive request details needed to evaluate fitment, including vehicle details, part description, photos, VIN text/photo if provided, and buyer phone where needed for clarification.
- When offers are displayed: buyers can see vendor business name, offer message, price, availability, delivery estimate, photos, rating, and verification status.
- After an offer is accepted: relevant buyer and vendor contact details may be shared so the parties can complete payment, delivery, installation, warranty, returns, and dispute handling directly.
- Tracking pages: anyone with a tracking number may see basic request and offer information. The customer security token unlocks buyer-only actions and contact details. Keep tracking links private.
- Reviews: ratings and comments may be displayed in connection with the vendor. Do not include private personal data in public review text.
6. Processors and Other Recipients
- Stripe: vendor subscription checkout, payment method setup, invoices, customer records, and payment status.
- Resend: sending transactional and operational emails and receiving inbound email replies that are routed through platform reply-to addresses.
- Hosting, database and file-storage providers: application hosting, database storage, backups, logs, uploaded photos, and delivery of uploaded files.
- IP geolocation/localisation providers: country-level language suggestion when Cloudflare headers are unavailable.
- Professional advisers and authorities: accountants, lawyers, courts, regulators, law enforcement, payment networks, and tax authorities where required or reasonably necessary.
- Business transfers: a successor may receive relevant data if PoDi is involved in a merger, financing, reorganisation, sale of assets, or similar transaction, subject to appropriate confidentiality and legal safeguards.
7. International Transfers
We aim to use EEA-based hosting and storage where practical. Some providers, including payment, email, security, support or infrastructure providers, may process data outside the EEA. Where required, we rely on adequacy decisions, Standard Contractual Clauses, provider transfer safeguards, and supplementary technical and organisational measures.
8. Retention
Pursuant to GDPR Art. 5(1)(e) (storage limitation), we keep personal data only as long as needed for the purposes in section 4. The concrete periods per category are listed below and enforced automatically through scheduled system jobs.
- Buyer–vendor chat threads: 90 days after the underlying request expires when no offer was accepted. If an offer was accepted, the thread is kept 365 days from acceptance to support disputes about the executed transaction.
- Registration-document OCR images: used only temporarily during technical vehicle-data extraction and not stored with the request.
- Uploaded images (request photos, VIN-plate photos, offer photos): deleted 90 days after the parent request expires. If an offer was accepted, images are kept 365 days from acceptance to support delivery, warranty, or dispute follow-up. Files not linked to any request are deleted after 24 hours.
- Buyer contact data inside the request (email, phone, VIN, hashed identifiers): 90 days after the request expires with no accepted offer, the contact fields are anonymised while aggregate analytics remain. If an offer was accepted, the contact data is kept for 3 years from acceptance — the general statute of limitations for contract claims under Croatian Law of Obligations (Art. 225) — then anonymised.
- Sent email content (Email log): the message body is replaced with a redaction marker 90 days after sending, and the full row is deleted 2 years after sending. Delivery metadata is retained during that window to evidence delivery.
- Administrative/security audit logs: 2 years, sized to security incident detection, investigation, and response.
- Password-reset and email-verification tokens: swept 7 days after expiry. The raw token exists only inside the email link; only its hash is stored.
- Push notification subscriptions: removed after 180 days of inactivity.
- Vendor accounts that never confirm email verification: deleted 90 days after registration if the owner never clicks the verification link.
- Vendor accounts that never complete Stripe setup: deleted after 7 days along with the corresponding Stripe customer record.
- Accounting and tax records, fiscalised invoices, and payment transactions: retained for at least 11 years pursuant to Art. 8 of the Croatian Accounting Act and applicable VAT rules. This is a legal obligation that takes precedence over the right to erasure where retention is mandatory (GDPR Art. 17(3)(b)).
- Accounts closed at the owner’s request: the vendor’s personal data is deleted as soon as confirmation completes; financial records remain for the period the law requires.
- Consent and browser storage: retained until expiration, logout, browser storage deletion, or preference change, depending on the item described in the Cookie Policy.
9. Security
- TLS/HTTPS for data in transit.
- Password hashing rather than storage of plain-text passwords.
- Authentication tokens, rate limits, origin checks, signed webhooks, and access controls for sensitive routes.
- Validation and file-type checks for uploads.
- Restricted access to production systems and operational logs.
- Monitoring, backups, and incident response appropriate to platform risk.
Your responsibility
Keep tracking links, security tokens, vendor credentials, and admin credentials private. Do not upload unnecessary personal data, documents, licence plates, faces, or unrelated images. If you scan a registration document, send only the section with technical vehicle data and cover names, addresses, tax IDs, and other personal data that is not needed for the request.
10. Your GDPR Rights
Subject to legal conditions and exceptions, you may have the right to:
- Request access to your personal data.
- Request correction of inaccurate or incomplete data.
- Request deletion of data.
- Request restriction of processing.
- Object to processing based on legitimate interests or direct marketing.
- Receive data portability where applicable.
- Withdraw consent where processing is based on consent.
- Complain to a supervisory authority, including the Croatian Personal Data Protection Agency (AZOP), Selska cesta 136, 10000 Zagreb, Croatia, [email protected].
To exercise rights, contact [email protected]. We respond without undue delay and in any event within one month of receipt, per GDPR Art. 12(3). That period can be extended by a further two months where necessary; we will inform you within the first month if such an extension applies. We may need to verify your identity and may refuse or limit requests where required or permitted by law, for example to protect another person, preserve evidence, comply with accounting duties, or prevent fraud.
Vendors registered on the platform can initiate a personal-data export (GDPR Art. 15) and account deletion (GDPR Art. 17) directly from the vendor account Settings. Account deletion requires email confirmation and irreversibly deletes personal data on confirmation, except for data the law requires us to retain (section 8).
11. Children
The platform is not intended for people under 18. We do not knowingly collect data from children. If you believe a child submitted personal data, contact us so we can review and delete it where appropriate.
12. Automated Processing
We use rule-based matching to route requests to vendors, for example by vehicle make, vendor preferences, verification status, subscription status, and notification settings. This does not produce legal or similarly significant effects by itself. We do not use automated decision-making to determine creditworthiness, insurance, employment, or eligibility for public benefits.
13. Changes
We may update this Privacy Policy when the platform, providers, legal requirements, or data practices change. Material changes will be posted on the platform and, where appropriate, communicated by email or in-product notice.
14. Contact and Security Reports
Contact
Email: [email protected]
Address: Local Development d.o.o., Haulikova ulica 1, 10000 Zagreb, Croatia, OIB: 09338516846, MBS: 081434325
Security issues, suspected account compromise, or data exposure reports should be sent to [email protected].
