Privacy Policy

Last updated: May 11, 2026

This document constitutes the official privacy policy of Second Armor SRL, a company incorporated under Belgian law. The applicable law is Regulation (EU) 2016/679 (GDPR), the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, and the ePrivacy Directive.

1. Identity and contact details of the data controller

In accordance with Article 13 of the GDPR, the controller of your personal data is:

Corporate name - Second Armor SRL Company number (BCE) - BE 1024.224.186 Registered office - Avenue Henri Pirenne 11, 1180 Uccle, Belgium Contact email - contact@secondarmor.com Website - https://secondarmor.eu GDPR capacity - Data Controller

For any question relating to the protection of your personal data or to exercise your rights, you may contact us at the email address above or by post at the address of the registered office.

2. Definitions

In this policy, the following terms shall have the meaning set out below:

Term Definition

Personal data: Any information relating to an identified or identifiable natural person (Art. 4(1) GDPR).
Processing: Any operation applied to personal data (collection, recording, storage, use, transmission, erasure, etc.).
Data controller: The legal entity which determines the purposes and means of the processing. In this case: Second Armor SRL.
Processor: The legal entity which processes data on behalf of the data controller, on the controller's instructions (Art. 28 GDPR).
Advertising identifier: Unique and resettable identifier assigned by the mobile operating system for advertising purposes (IDFA on iOS, AAID on Android).
Consent: Freely given, specific, informed and unambiguous indication of will by which the data subject accepts the processing of their data (Art. 7 GDPR).
Service: The secondarmor.eu website and the Second Armor mobile application, together or separately.
You/User: Any natural person accessing or using the Service, whether buyer, seller or simple visitor.

3. Collection and use of your personal data

3.1 Categories of data collected

3.1.1 Data you provide to us directly

When creating your account or using the Service, we may ask you to provide us with the following information:

First name, last name, email address, phone number
Postal address, postal code, city, country
Profile information that you choose to fill in (biography, profile picture, preferences)
Banking information for the purpose of paying out payments (sellers only — processing delegated to Stripe)
Payment information for purchases (processing delegated to Stripe — Second Armor does not store your bank card data)
Content you publish: listing titles and descriptions, photographs, item condition, messages exchanged with other users
Shipping-related data (delivery addresses)

3.1.2 Data collected automatically

When you use the Service, certain data is collected automatically:

Technical data: IP address, browser type and version, operating system, device identifiers
Browsing data: pages visited, date and time of visit, session duration, links clicked
Mobile application usage data: device type, unique device identifier, application version, diagnostic data
Technical logs and performance metrics
Crash reports and diagnostic data (via Sentry)

3.1.3 Mobile advertising identifiers (IDFA / AAID)

On iOS, we only collect the IDFA if you grant your explicit authorization via Apple's App Tracking Transparency (ATT) mechanism, in accordance with App Store rules. The Meta SDK is configured in a dormant state by default (autoLogAppEventsEnabled: false, isAutoInitEnabled: false) and only initializes after your ATT consent.

On Android, you can reset, delete or limit your advertising identifier via the privacy settings of your device.

3.1.4 Tracking technologies and cookies (website)

We use cookies and similar technologies on our website for authentication, preferences, analytics and advertising measurement purposes. These technologies may include:

Session cookies and persistent cookies
Web beacons
Scripts and tags

Our website includes a consent banner presented on your first visit. You can accept or refuse non-essential cookies via this banner. You can also modify your preferences at any time from your account settings (section "Tracking & analytics").

Cookies strictly necessary for the operation and security of the Service do not require your prior consent.

3.1.5 Table of tracking technologies used

Authentication and session

Purpose: Login management, security Provider: Sharetribe / Us Legal basis: Performance of the contract Advertising / Tracking? No

Preferences and features

Purpose: Storage of user preferences Provider: Us Legal basis: Legitimate interest or consent Advertising / Tracking? No

Analytics and performance

Purpose: Measurement of Service usage Provider: Sentry / Internal Legal basis: Legitimate interest Advertising / Tracking? No

Crash reporting

Purpose: Debugging, error analysis Provider: Sentry Legal basis: Legitimate interest Advertising / Tracking? No

Push notifications

Purpose: Sending transactional notifications Provider: Expo Legal basis: Performance of the contract Advertising / Tracking? No

Advertising identifiers (IDFA/AAID)

Purpose: Advertising attribution, campaign measurement Provider: Meta Platforms Legal basis: Consent Advertising / Tracking? Yes

Mobile attribution events

Purpose: Measurement of installs, registrations and purchases attributed to advertising campaigns Provider: Meta Platforms Legal basis: Consent Advertising / Tracking? Yes

User identifiers (Sharetribe UUID)

Purpose: Account management, marketplace operation, fraud prevention Provider: Sharetribe / Us Legal basis: Performance of the contract Advertising / Tracking? No

Transaction events

Purpose: Payment processing, transfers, analytics Provider: Stripe / Sharetribe Legal basis: Performance of the contract and legal obligation Advertising / Tracking? No

Marketplace searches

Purpose: Display of relevant listings Provider: Sharetribe / Us Legal basis: Performance of the contract and legitimate interest Advertising / Tracking? No

Tracking technologies for advertising purposes (IDFA/AAID identifiers and Meta attribution events) are only activated on the basis of your prior and explicit consent. You can withdraw this consent at any time.

3.2 Purposes of processing and legal bases

In accordance with Article 13(1)(c) of the GDPR, we indicate below, for each processing purpose, the applicable legal basis:

Purpose: Provide and manage the Service Legal basis (Art. 6 GDPR): Art. 6(1)(b) — Performance of the contract Details: Necessary for account creation and use of the marketplace

Purpose: Processing of payments and transfers Legal basis (Art. 6 GDPR): Art. 6(1)(b) — Performance of the contract Details: Processing delegated to Stripe Payments Europe Ltd

Purpose: Shipping and delivery Legal basis (Art. 6 GDPR): Art. 6(1)(b) — Performance of the contract Details: Transmission of the delivery address to Sendcloud

Purpose: Transactional communication Legal basis (Art. 6 GDPR): Art. 6(1)(b) — Performance of the contract Details: Order confirmations, notifications, support

Purpose: Fraud prevention and security Legal basis (Art. 6 GDPR): Art. 6(1)(f) — Legitimate interest Details: Protection of the platform and its users

Purpose: Improvement of the Service Legal basis (Art. 6 GDPR): Art. 6(1)(f) — Legitimate interest Details: Usage analysis, debugging, optimization

Purpose: Compliance with legal obligations Legal basis (Art. 6 GDPR): Art. 6(1)(c) — Legal obligation Details: Accounting retention (7 years, Belgian Companies Code)

Purpose: Advertising measurement and attribution Legal basis (Art. 6 GDPR): Art. 6(1)(a) — Consent Details: Only after explicit consent (Meta SDK, Pixel, CAPI)

Purpose: Push notifications Legal basis (Art. 6 GDPR): Art. 6(1)(b) — Performance of the contract Details: Transactional notifications only

Purpose: Referral program Legal basis (Art. 6 GDPR): Art. 6(1)(b) and (f) — Contract and legitimate interest Details: Administration of the program, prevention of abuse

Purpose: Business transfer (merger, acquisition) Legal basis (Art. 6 GDPR): Art. 6(1)(f) — Legitimate interest Details: In the event of sale or restructuring of the company

Where processing is based on your consent, you may withdraw it at any time, without affecting the lawfulness of processing carried out before such withdrawal. Consent withdrawal is made via your account settings (section "Tracking & analytics") or via the cookie banner on the website.

3.3 Retention periods

We retain your personal data only for as long as necessary for the purposes described in this policy and in compliance with applicable legal obligations. The table below specifies the retention periods by category of data:

Data category: Account data (profile, preferences) Retention period: Duration of the relationship + 3 years after account closure Basis: Belgian civil limitation period (Art. 2262bis Civil Code)

Data category: Transaction and payment data Retention period: 7 years from the transaction Basis: Belgian Companies Code — legal accounting obligation

Data category: Contractual data (proof of agreement) Retention period: 10 years Basis: Belgian contractual limitation period

Data category: Technical logs and server logs Retention period: 30 to 90 days Basis: Principle of minimization (Art. 5(1)(e) GDPR)

Data category: Crash reports (Sentry) Retention period: 90 days Basis: Principle of minimization

Data category: Push notification tokens Retention period: Until invalidation or account deletion Basis: Performance of the contract

Data category: Advertising attribution data (Meta) Retention period: According to Meta settings — 180 days by default Basis: Consent and Meta policy

Data category: Referral program data Retention period: Duration of the program + 3 years Basis: Prevention of abuse and civil limitation period

Upon expiry of these periods, your data is deleted in a secure manner or anonymized in an irreversible way.

3.4 Transfers of data outside the European Union

Some of our processors are established or host infrastructure outside the European Union, in particular in the United States. These transfers are governed in accordance with Chapter V of the GDPR according to the following mechanisms:

Provider: Meta Platforms Ireland Ltd. Location: Ireland (EU) / USA Transfer mechanism: Standard Contractual Clauses (SCCs) + EU-US Data Privacy Framework Data transferred: Pixel and CAPI events (SHA-256 hashed PII)

Provider: Apple Inc. Location: United States / USA Transfer mechanism: EU-US Data Privacy Framework Data transferred: APNS tokens, distribution metadata

Provider: Google LLC Location: United States / USA Transfer mechanism: EU-US Data Privacy Framework Data transferred: FCM tokens, distribution metadata

Provider: Render Services Inc. Location: United States / USA Transfer mechanism: Standard Contractual Clauses (SCCs) + Render DPA Data transferred: HTTP requests, application logs (7-30 days)

Provider: Expo, Inc. Location: United States / USA Transfer mechanism: Standard Contractual Clauses (SCCs) Data transferred: Build pipeline only — no end-user data

Provider: Sentry / Functional Software Inc. Location: United States / USA Transfer mechanism: Standard Contractual Clauses (SCCs) + Sentry DPA Data transferred: Crash reports and diagnostic data

We ensure that any international transfer of personal data benefits from an adequate level of protection within the meaning of the GDPR. Data Processing Agreements (DPAs) are in place with all our processors.

4. Detailed information on processing by processor

4.1 Marketplace infrastructure — Sharetribe Flex

Sharetribe Oy (Finland, EU) provides the technical infrastructure of the marketplace: management of user accounts, listings, transactions and messaging.

Data processed: user accounts, listings, transactions, messages, push notification tokens
Location: European Union (Finland)
DPA in place: yes — https://www.sharetribe.com/terms-of-use/dpa/
Privacy policy: https://www.sharetribe.com/legal/privacy/

4.2 Payments — Stripe Payments Europe Ltd.

Stripe Payments Europe Ltd. (Ireland, EU) processes buyers' payments and transfers to sellers. Second Armor does not store any bank card data.

Data processed: bank card data, amounts, transfer data (seller IBANs)
Location: Ireland (EU)
DPA in place: yes — https://stripe.com/legal/dpa
Privacy policy: https://stripe.com/privacy

PayPal is technically integrated into the Service but disabled. No data is transmitted to PayPal as long as this service remains disabled.

4.3 Shipping and logistics — Sendcloud

Sendcloud B.V. (Netherlands, EU) provides shipping label generation and parcel tracking services. A Data Processing Agreement (DPA) in accordance with Article 28 GDPR is in place, incorporating the Standard Contractual Clauses of the European Commission.

Data transmitted to Sendcloud for buyers:

Initials, first name, last name
Full address (street, postal code, city, country)
Email address
Any other data required by carriers for the performance of the delivery (e.g. phone number for delivery notifications)

Transmission to underlying carriers:

Sendcloud retransmits the identification and address data of buyers to the carriers selected at the time of the order (DHL, DPD, Bpost or others) solely for the purposes of executing the delivery and tracking parcels. This transmission is contractually framed, the carriers being subject to the same data protection obligations.

Terms:

Purpose: label generation, delivery execution, tracking (track & trace)
Retention period: 365 days after delivery, in accordance with the Sendcloud DPA (Annex II)
Location: European Union — Sendcloud entities in the Netherlands, Germany, France, Italy and the United Kingdom (covered by the EU-UK adequacy decision)
No sensitive data within the meaning of Art. 9 GDPR is processed in this context
DPA in place: yes — https://www.sendcloud.com/legal/dpa/
Privacy policy: https://www.sendcloud.com/privacy/

4.4 Advertising attribution — Meta Platforms (SDK, Pixel and CAPI)

We use the Meta SDK (react-native-fbsdk-next) on the mobile application, the Meta Pixel on the website, and the Conversions API (CAPI) server-side, exclusively for advertising measurement and attribution purposes, and only after obtaining your explicit consent.

Technical safeguards implemented:

The mobile SDK is configured in a dormant state by default — no event is sent to Meta before your ATT consent (iOS) or your explicit agreement (Android)
The web Pixel is only injected into the page if you have accepted marketing cookies via our consent banner
All directly identifiable personal data (email, phone, external identifier) is SHA-256 hashed server-side before any transmission to Meta, in accordance with Meta specifications and the GDPR principle of minimization
You can withdraw your consent at any time: mobile via Profile → Settings → Account → "Tracking & analytics"; web via account settings or the cookie banner
Upon revocation, the first-party Meta cookies (_fbp, _fbc) are deleted and the CAPI mirror is interrupted

Data transmitted to Meta:

Channel: Mobile Events: CompleteRegistration, ListingCreated, Purchase Data transmitted: Registration method, listing UUID, currency, amount — no directly identifying data

Channel: Web (Pixel) Events: PageView, Lead, CompleteRegistration, ViewContent, AddToWishlist, InitiateCheckout, Purchase Data transmitted: content_ids, content_type, value, currency — SHA-256 hashed email/phone via CAPI

Channel: Server (CAPI) Events: Server-side mirror of Pixel events Data transmitted: Hashed email, hashed phone, hashed external_id, server IP, User-Agent — Meta cookies passed unhashed per Meta spec

Location: Meta Platforms Ireland Ltd. (Ireland, EU) — with possible transfers to Meta USA governed by SCCs
Data Processing Agreement: https://www.facebook.com/legal/terms/dataprocessingterms
Meta privacy policy: https://www.facebook.com/privacy/policy

4.5 Crash reporting and diagnostics — Sentry

Sentry (Functional Software, Inc., United States) is used for the detection and analysis of technical errors.

Data processed: error traces, device information, application version, performance data — no user content data
Retention period: 90 days
DPA in place: yes — https://sentry.io/legal/dpa/
Privacy policy: https://sentry.io/privacy/

4.6 Push notifications — Expo (Expo, Inc.)

Expo, Inc. (United States) is used for the distribution of transactional push notifications via its notification service.

Data processed: push notification tokens, delivery metadata
No notification content data is stored by Expo beyond delivery
Privacy policy: https://expo.dev/privacy

4.7 Server hosting — Render Services Inc.

Render Services Inc. (United States) hosts the application server of Second Armor (API, Sharetribe, Stripe, Sendcloud and Meta CAPI integrations).

Data processed at runtime: incoming HTTP requests, application logs (including pseudonymized user UUID identifiers), performance metrics
Log retention: 7 to 30 days depending on the plan
DPA in place: yes — https://render.com/legal/dpa

Render acts as infrastructure host. It does not permanently store personal data — logs are transient technical data necessary for the security and maintenance of the Service.

4.8 Mobile distribution — Apple Inc. and Google LLC

The Second Armor mobile application is distributed via Apple's App Store and the Google Play Store.

Apple Inc. (United States): processing of APNS tokens for iOS push notifications, application distribution data
Google LLC (United States): processing of FCM tokens for Android push notifications, distribution data
These processing activities are governed by the terms of use of Apple and Google respectively

4.9 Email communications

Transactional emails (account verification, password reset, order confirmations, notifications) are sent via the Sharetribe infrastructure.

5. Sharing of your personal data

We do not sell your personal data. We may share your data in the following situations:

With our processors (listed in section 4): only within the strict framework of the provision of services and on the basis of a Data Processing Agreement (DPA) compliant with Article 28 of the GDPR
With other users of the marketplace: information you make public in your listings (title, description, photos, price) is visible to all users of the Service
With carriers and logistics providers: your delivery address is transmitted to the selected carrier via Sendcloud for the execution of the order
Upon legal request: if required by law or if a competent authority requests it within the framework of regular legal proceedings
In the context of a corporate restructuring: in the event of a merger, acquisition or sale of assets, your data could be transferred to the successor, which would be required to comply with this policy
With your consent: in any other case where you have expressly authorized us to share your data

6. Security of your personal data

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, accidental loss, destruction or disclosure, in accordance with Article 32 of the GDPR. These measures include in particular:

Encryption of all communications between your device and our servers (HTTPS/TLS)
Secure storage of consent preferences on the mobile device (iOS Keychain / Android EncryptedSharedPreferences)
SHA-256 hashing of directly identifiable personal data before transmission to advertising partners
Access to systems limited to authorized persons according to the principle of least privilege
Monitoring of errors and security incidents via Sentry

However, no electronic transmission or storage system is infallible. We cannot guarantee absolute security.

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Belgian Data Protection Authority within 72 hours in accordance with Article 33 of the GDPR, and inform you if the breach is likely to result in a high risk.

7. Your rights regarding data protection

7.1 Applicable rights

In accordance with Articles 15 to 22 of the GDPR, you have the following rights with regard to your personal data:

Right: Right of access (Art. 15) Description: Obtain confirmation that data concerning you is being processed and obtain a copy thereof

Right: Right to rectification (Art. 16) Description: Have inaccurate or incomplete data concerning you corrected

Right: Right to erasure (Art. 17) Description: Request the deletion of your data in the cases provided for by the GDPR ("right to be forgotten")

Right: Right to restriction (Art. 18) Description: Request the temporary suspension of the processing of your data

Right: Right to portability (Art. 20) Description: Receive your data in a structured and machine-readable format, and transmit it to another controller

Right: Right to object (Art. 21) Description: Object to processing based on legitimate interest, including profiling for advertising purposes

Right: Right to withdraw consent (Art. 7(3)) Description: Withdraw at any time your consent to the processing that depends on it, without affecting the lawfulness of previous processing

Right: Right to lodge a complaint (Art. 77) Description: Lodge a complaint with the competent supervisory authority

7.2 How to exercise your rights

To exercise any of these rights, you may:

Contact us by email at: contact@secondarmor.com
Write to us at the address of the registered office: Avenue Henri Pirenne 11, 1180 Uccle, Belgium
Modify certain information directly via your account settings

We will respond to your request within one month from its receipt. This period may be extended by two additional months in the case of complex or numerous requests, after notification. We may ask you to verify your identity before processing your request.

7.3 Right to lodge a complaint with the supervisory authority

If you consider that the processing of your personal data constitutes a violation of the GDPR, you have the right to lodge a complaint with the competent data protection authority:

Competent authority: Data Protection Authority (APD / GBA) Address: Rue de la Presse 35, 1000 Brussels, Belgium Website: https://www.dataprotectionauthority.be Email: contact@apd-gba.be

8. Protection of minors' data

The Service is reserved for persons who have reached the age of legal majority, namely 18 years in Belgium. We do not knowingly collect personal data from persons under 18 years of age.

If we learn that a minor has provided us with personal data without the consent of their parents or legal guardians, we will take the necessary measures to delete such data as soon as possible.

If you are a parent or guardian and you become aware that a minor under your responsibility has transmitted personal data to us, please contact us at contact@secondarmor.com.

9. Referral program — data processing

If you participate in Second Armor's referral program, we process the following data:

Referral codes and identifiers
Registrations attributed to a referral
Reward qualification events

This data is processed exclusively for the purposes of managing the program, preventing abuse and applying rewards. The applicable legal basis is the performance of the contract (Art. 6(1)(b) GDPR) and legitimate interest (Art. 6(1)(f) GDPR).

Data related to the referral program is retained for the duration of the program and 3 years after its end or your last participation.

10. Links to third-party sites

The Service may contain links to third-party websites or services that are not operated by Second Armor. We assume no responsibility for the privacy practices of these third-party sites. We encourage you to consult their privacy policy before providing them with personal data.

11. Modifications to this policy

We may update this privacy policy periodically. The date of the last update is indicated at the top of the document.

In the event of substantial modifications affecting your rights or the processing of your data, we will inform you by email or via a notification in the Service, prior to the entry into force of these modifications.

By continuing to use the Service after the entry into force of the modifications, you acknowledge having taken note of the updated policy.

12. Applicable language version

This privacy policy may be translated into other languages for convenience. In the event of any discrepancy or inconsistency between the English version and any translated version, the English version shall prevail.

Second Armor SRL — BE 1024.224.186 Avenue Henri Pirenne 11, 1180 Uccle, Belgium contact@secondarmor.com — https://secondarmor.eu