Privacy Policy

Last updated: 22 June 2026

This Privacy Policy explains how Ricardo Team ("we", "us") collects, uses and protects personal data of subscribers to our transactional notification service.

1. Data we collect

• Email address — submitted by you via the subscription form or forwarded from your marketplace contact.
• Marketplace metadata — order number, item title and amount, used to compose the notification body.
• Delivery telemetry — bounce, open and unsubscribe events returned by our ESP (Postmark).
• IP address and User-Agent — only of the device used to submit the subscription form, for fraud prevention. Discarded after 30 days.

2. Purpose of processing

We process the data above strictly to:

• Send you the transactional notifications you subscribed to.
• Honour unsubscribe and data-deletion requests.
• Protect the service from abuse and bounce list pollution.

3. Legal basis (GDPR / Swiss DSG)

Processing is based on your explicit consent (Art. 6(1)(a) GDPR / Art. 6 DSG). For service-protection telemetry, we rely on our legitimate interest in operating the service securely (Art. 6(1)(f) GDPR).

4. Data we do NOT collect

• No payment card or banking data.
• No tracking cookies (the site uses zero cookies).
• No third-party analytics, no Google Analytics, no Meta Pixel.
• No data scraped from third-party marketplaces about you.

5. Recipients of your data

We share your email with the following processors strictly to deliver the service you subscribed to:

• Postmark (Wildbit LLC, USA) — transactional email delivery.
• Resend (Resend.com, Inc., USA / Ireland) — alternative delivery route for resilience.
• Microsoft 365 (Microsoft Ireland Operations Ltd) — receiving your replies.

Each processor is bound by a data-processing agreement (DPA) and provides Standard Contractual Clauses for any transfer outside the EU/EEA.

6. Retention

• Active subscribers: as long as the subscription is active.
• After unsubscribe: email kept on a suppression list (hash only) so we never accidentally re-add you. No other data retained.
• Subscription form IP/UA: 30 days maximum, then deleted.

7. Your rights

Under GDPR and Swiss DSG you have the right to:

• Access the data we hold about you.
• Correct inaccurate data.
• Request deletion ("right to be forgotten").
• Withdraw consent at any time.
• Lodge a complaint with your supervisory authority (in Switzerland: EDÖB).

Send any request to kundendienst@ricardo.team. We respond within 30 days.

8. Security

All data is transmitted over TLS 1.2+. Access to the operator interface requires two-factor authentication. ESP credentials are stored in encrypted form on a server located in Switzerland.

9. Changes

Material changes to this policy will be announced by email at least 14 days in advance.

10. Contact

Privacy questions: kundendienst@ricardo.team
Postal contact: see Imprint.