Draft — not legally reviewed. This document is a working draft. It must be reviewed by a Swiss data protection specialist or lawyer before public launch to ensure compliance with the revised FADP (in force 2023) and the EU GDPR.

Privacy Policy

Last updated: April 2026

1. Who we are

MotoShare operates the peer-to-peer motorcycle rental platform at motoshare.io (the "Platform"). For the purposes of the Swiss Federal Act on Data Protection ("FADP") and the EU General Data Protection Regulation ("GDPR"), MotoShare is the controller of personal data processed through the Platform. Full contact details are in our Imprint.

2. What data we collect

We collect the following categories of personal data:

  • Account data: email address, full name, password (hashed), optional phone number and bio, profile photo.
  • Verification data: if you upload a copy of your motorcycle licence for verification, we store the image along with a verification status (pending, approved, rejected).
  • Listing data (Owners): photos, location (city and canton), technical information about your motorcycle, pricing.
  • Booking data: booking dates, prices, messages exchanged through the Platform, reviews.
  • Payment data: we do not store full card details. Payment information is collected and processed by Stripe (see Section 5). We receive a transaction ID, amount, status, and the last 4 digits of the card.
  • Technical data: IP address, browser type, device type, pages visited, approximate location inferred from IP. Used for security, rate limiting, and basic analytics.
  • Cookies: we use essential cookies for authentication sessions (via Supabase Auth). We do not use advertising cookies.

3. Why we process it (legal bases)

  • To provide the Platform (create account, list bikes, book rentals, handle payments): performance of a contract (Art. 6(1)(b) GDPR; Art. 31 FADP).
  • To send transactional emails (booking confirmations, password resets): performance of a contract.
  • To prevent fraud, abuse, and unauthorised access: legitimate interest (Art. 6(1)(f) GDPR).
  • To comply with Swiss tax, accounting, and legal obligations: legal obligation (Art. 6(1)(c) GDPR).
  • For product analytics: legitimate interest, with a privacy-friendly tool (Plausible) that does not use cookies or track across sites.

4. Who we share it with

We share your personal data only with the counterparty to your booking (Owner or Rider) and with service providers who process data on our behalf:

Processor | Purpose | Location
Supabase Inc. | Database, authentication, file storage | EU (Ireland)
Vercel Inc. | Website hosting, CDN | Global (edge)
Stripe Payments Europe Ltd. | Payment processing | EU (Ireland)
Resend Inc. | Transactional email delivery | USA
Plausible Insights OÜ | Privacy-friendly, cookieless analytics | EU (Estonia)

Where processors are based outside Switzerland or the EU (e.g. Resend in the USA), transfers rely on EU Standard Contractual Clauses and the processor's compliance with the EU-US Data Privacy Framework where applicable.

5. Payments and Stripe

When you pay for a rental, the payment form is hosted by Stripe. Your card number, expiry, and CVC go directly to Stripe and never touch MotoShare's servers. Stripe's privacy policy is available at stripe.com/privacy.

6. How long we keep it

  • Account data: for as long as your account is active; deleted 12 months after account closure, except where longer retention is required by law.
  • Booking and payment records: 10 years (Swiss accounting retention obligation under CO 958f).
  • Messages between Users: 24 months after the last message, unless attached to an ongoing dispute.
  • Licence verification images: deleted 30 days after your account is closed, or immediately on request if no dispute is active.
  • Server logs and IP addresses: 90 days.

7. Your rights

Under the FADP and GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
  • Restrict or object to certain processing.
  • Receive your data in a portable format.
  • Withdraw consent at any time where processing is based on consent (this does not affect the lawfulness of processing before withdrawal).
  • Lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch, or with an EU supervisory authority if you are in the EU.

To exercise any of these rights, email privacy@motoshare.io. We will respond within 30 days.

8. Security

We take reasonable technical and organisational measures to protect your data, including encryption in transit (TLS 1.3), encryption at rest (Supabase-managed), Row Level Security policies restricting database access, hashed passwords, and access controls for our own team. No system is perfectly secure; we cannot guarantee absolute security and encourage you to use a strong, unique password.

9. Children

The Platform is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please contact us and we will delete it.

10. Changes to this policy

We may update this policy from time to time. We will notify you of material changes by email or in-Platform notice at least 14 days before they take effect.

11. Contact

Privacy questions or data subject requests: privacy@motoshare.io.