Privacy Policy
Ricardo's World ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains what personal data we collect, why we collect it, how we use and store it, and what rights you have under the General Data Protection Regulation (GDPR) and the Dutch implementation thereof (Algemene Verordening Gegevensbescherming, AVG).
By creating an account or using our services, you acknowledge that you have read and understood this Privacy Policy. If you have any questions or wish to exercise your rights, please contact the owner at ricardo@explorericardo.com.
Data Controller
The data controller responsible for your personal data is Ricardo Neudorfer, reachable at ricardo@explorericardo.com. As a data controller, i determine the purposes and means of processing your personal data and are fully responsible for ensuring that our processing activities comply with the GDPR and AVG.
If you have questions, concerns, or requests regarding your personal data, you may contact us at any time using the email address above. The owner will respond to all data subject requests within the timeframes required by law.
Data We Collect
We only collect personal data that is strictly necessary to deliver our services to you. Below is a clear overview of the categories of personal data we store and why each category is needed.
Your full name, email address, and company name (if applicable). Required to create and manage your account.
Street address, city, postal code, state/province, and country. Required for invoicing and tax compliance.
Your phone number and associated country code, where you choose to provide them. This information is optional and may be used for account-related communication or support when needed.
Business VAT identification number where applicable. Used for EU VAT compliance on invoices.
Payment method type, card brand, and the last 4 digits only. Full card numbers are never stored by us and are handled exclusively by Stripe.
Details of your active and past subscriptions, payments, and invoices. Required for billing history and legal financial record-keeping.
IP address, browser user agent, login timestamps, and session identifiers. Used to manage authenticated sessions and detect unauthorized access.
Password data, two-factor authentication (2FA) credentials, passkey credentials, and related account security information needed to protect your account and support secure login features.
Where parcel tracking is used, your delivery address, tracking number, order number, status updates, and related tracking details are stored to enable shipping notifications and parcel status updates.
Used for account notifications, invoices, service updates, and responding to your requests. We do not send unsolicited marketing emails.
How We Use Your Data
We use the personal data we collect only for the following specific purposes. We do not process your data for any purpose that is incompatible with the reason it was originally collected.
-
1
Account management — to create and maintain your account, verify your identity, and provide access to our services.
-
2
Billing and invoicing — to process payments, generate invoices, apply VAT correctly, and maintain financial records required by law.
-
3
Service delivery — to provide subscriptions, manage parcel tracking notifications, and deliver the services you have signed up for.
-
4
Security and fraud prevention — to detect and prevent unauthorized access, account takeovers, and fraudulent activity using login and session data.
-
5
Communication — to send transactional emails such as payment confirmations, subscription updates, and responses to your support requests.
-
6
Legal compliance — to meet our obligations under applicable Dutch and EU law, including financial record-keeping requirements.
Legal Basis For Processing
Under the GDPR and AVG, we are required to have a lawful basis for each type of personal data processing. The legal bases we rely on are listed below.
-
Contract
Performance of a contract (Article 6(1)(b) GDPR) — Processing your account identity, billing address, payment details, and subscription data is necessary to provide the services you have agreed to receive.
-
Legal Obligation
Compliance with a legal obligation (Article 6(1)(c) GDPR) — Retaining invoices and financial records is required under Dutch tax and accounting law.
-
Legitimate Interest
Legitimate interests (Article 6(1)(f) GDPR) — Storing session data, IP addresses, and login history is necessary to protect the security of our platform and your account from unauthorized access and fraud.
Security Measures
We take the security of your personal data seriously. We implement technical and organizational measures appropriate to the risk level of the data we process.
Passwords are stored using strong one-way cryptographic hashing. Plain-text passwords are never stored or logged.
Two-factor authentication data and recovery-related account security data are handled as restricted account security information and are not displayed publicly.
Billing addresses and shipping addresses are stored only where needed for invoicing, delivery, and account administration.
Only the last 4 digits and card brand are stored. Full card numbers are never held by us, and payment processing is handled by Stripe.
IP addresses are stored only in session and audit records for security purposes and are not shared with third parties for tracking.
WebAuthn and passkey-related account security data is used only for secure authentication and account access control.
Data Retention
We retain personal data for as long as it is needed to provide and operate your account, comply with legal obligations, and support the services you use. Specific retention periods may differ depending on the type of data and whether your account remains active or has been deleted.
-
1
Account data — retained for as long as your account exists. If your account is deleted, some related data may also be removed, while certain records may be retained where required for legal, billing, fraud prevention, or administrative purposes.
-
2
Invoices and financial records — retained for 7 years as required by Dutch tax law (Belastingdienst).
-
3
Session data and login records — retained for up to 1 year for security, account access control, and fraud prevention purposes.
-
4
Parcel tracking data — retained for as long as your account exists where parcel tracking features are connected to your account. Once your account is deleted, we may remove parcel tracking data that is no longer needed for service, legal, or administrative purposes.
-
5
Deleted accounts — if your account is deleted, some personal data may be removed or no longer actively used, but certain records may remain where retention is required for legal, billing, fraud prevention, dispute handling, or other legitimate business purposes.
Third-Party Services
We work with a limited number of trusted third-party processors to deliver our services. Each processor only receives the data they need to perform their specific function and is bound by a Data Processing Agreement (DPA) in accordance with GDPR requirements.
Handles all payment card processing. We share your email, billing name, and billing address with Stripe to generate a customer record. Stripe is GDPR-compliant and operates under Standard Contractual Clauses for EU data transfers. See stripe.com/privacy.
Our servers are hosted within the EU. All personal data is stored and processed on EU-based infrastructure. No personal data is transferred outside the EEA without appropriate safeguards.
Your Rights Under GDPR
As a data subject under the GDPR and AVG, you have the following rights regarding your personal data. To exercise any of these rights, contact the owner at ricardo@explorericardo.com. He will respond within one month of receiving your request.
-
1
Right of access (Article 15) — You may request a copy of all personal data we hold about you, along with information about how and why it is processed.
-
2
Right to rectification (Article 16) — You may request that we correct any inaccurate or incomplete personal data we hold about you. Most account data can also be updated directly in your account settings.
-
3
Right to erasure (Article 17) — You may request that we delete your personal data where it is no longer necessary for the purpose it was collected, subject to any overriding legal retention obligations.
-
4
Right to restriction of processing (Article 18) — You may request that we limit the processing of your personal data in certain circumstances, such as while a dispute about accuracy is being resolved.
-
5
Right to data portability (Article 20) — You may request a machine-readable copy of the personal data you provided to us, where processing is based on your consent or a contract.
-
6
Right to object (Article 21) — You may object to the processing of your personal data where we rely on legitimate interests as our legal basis.
-
7
Right to lodge a complaint — If you believe your data is being processed unlawfully, you have the right to file a complaint with the Dutch data protection authority: Autoriteit Persoonsgegevens.
Cookies & Sessions
We use strictly necessary session cookies to maintain your authenticated session after you log in. These cookies do not track you across other websites and are not used for advertising or analytics.
A secure, HTTP-only session identifier stored in a cookie. This is required to keep you logged in while you navigate our portal. It expires when your session ends or at the configured session timeout.
We do not use Google Analytics, Meta Pixel, or any other third-party tracking cookies. Your browsing behaviour on our platform is not profiled or shared with advertisers.
Because we only use strictly necessary cookies, we are not required to display a cookie consent banner under the Dutch Telecommunicatiewet. However, you may block cookies in your browser settings, which will prevent you from logging in to our services.
Changes To This Policy
We may update this Privacy Policy from time to time to reflect changes in our services or applicable law. When we make material changes, the owner will notify you by email to your registered address and update the "Last updated" date at the top of this page.
We encourage you to review this policy periodically. Continued use of our services after a policy update constitutes your acknowledgment of the revised policy.
Contact
If you have any questions about this Privacy Policy, wish to exercise your data rights, or want to report a privacy concern, please contact the owner directly. He aims to respond to all requests within 30 days.