Privacy Policy

1. Who we are

GermanMarkt (“we”, “our”) is the data controller for personal data processed through this site. You can reach the data controller at support@gm-egy.com.

2. What we collect

The data we collect depends on which role you use the platform in.

All users

• Email address and password (hashed) — to create and sign you in.
• Full name — to address you and to identify you on orders.
• Optional WhatsApp number — to contact you about an order.
• Technical data set by your browser: IP address, user-agent, approximate time zone, and small pieces of localStorage used to keep your basket, language, disclaimer acknowledgement, and similar UI state.

Buyers (Egypt)

• Shipping address and phone number, so a delivery partner can reach you.
• Order history (items, quantities, prices in EGP, status timestamps).
• Any messages, dispute notes, or review text you submit.

Delivery partners (Germany)

• Home address (street, house number, city, postal code) inside Germany. Used by our middleware to confirm you are inside the country before you can claim a ticket.
• A home-location GPS pin (latitude/longitude) that you set yourself. Used together with your live device GPS so we can verify you are within roughly 30 km of your home when you accept a ticket.
• Periodic GPS pings (latitude, longitude, timestamp) from your browser while you are signed in and have granted location access. These are stored in our driver_locations table and used to gate the ticket-accept action. We do not run continuous background tracking; pings are only created when the page is open.
• Your next scheduled flight date, used to determine claim priority.
• A TOTP (time-based one-time password) shared secret used for two-factor authentication when you accept a ticket. The secret is stored encrypted at rest.

What we do not collect

GermanMarkt is cash on delivery. We do not handle card numbers, CVVs, bank details, government IDs, or biometric data. We do not track you across other websites and we have no third-party advertising or analytics pixels embedded.

3. Why we collect it (legal basis)

• Performance of a contract. Account, contact, address, and order data are needed to deliver the service you signed up for.
• Legitimate interest. Home-radius geofence pings, TOTP enrolment, and audit logs are used to prevent fraud and keep both sides of the trip honest. The interest in protecting buyers and delivery partners outweighs the limited intrusion of these checks.
• Consent. Browser geolocation is requested through the standard browser permission prompt and you can revoke it at any time in your browser settings.
• Legal obligation. We may retain order records to comply with tax and accounting law.

4. How long we keep it

• Account profile — for as long as your account is open. After deletion: removed within 30 days, except for fields referenced by completed orders (see below).
• Completed orders — retained for up to 7 years for tax, accounting, and dispute-history purposes.
• Cancelled and refused orders — purged from active tables within 30 days; an anonymised audit record may remain.
• GPS pings — only the most recent ping per delivery partner is used by the geofence; historical pings are not retained for analytics.
• Reviews — retained for the lifetime of the platform; you can request anonymisation at any time.

5. Who we share it with

We do not sell your personal data. We share it with the following third parties only as needed to operate the service:

• Supabase (Postgres database and authentication service) hosts all of the data described above. Supabase processes data on our behalf under a data-processing agreement.
• OpenAI is used only for translating product descriptions and names from German to Arabic. Product text we send for translation does not include any buyer or delivery-partner personal data.
• Our hosting provider may process server logs that include IP addresses and request paths in order to deliver the site.
• Other users you transact with.A buyer’s shipping address, phone number, name, and order items are shown to the delivery partner who accepts that order. A delivery partner’s display name (not their home address) is shown to buyers whose orders they handle.

We will disclose data to public authorities when we are legally compelled to do so. We will never disclose data to a private third party for marketing or analytics.

6. International data transfers

The marketplace is cross-border by design. Buyer data created in Egypt is visible to delivery partners in Germany when they accept the buyer’s order, and German delivery-partner data is visible to admins in Egypt. Where this involves personal data covered by the EU GDPR, transfers are made under the appropriate safeguards (including Standard Contractual Clauses where required). Supabase hosts data in EU regions by default.

7. Cookies and similar storage

We do not use third-party tracking cookies. We use the following first-party storage on your device:

• HTTP-only auth cookies set by Supabase to keep you signed in.
• localStoragefor: your shopping basket, language preference, the “I’ve seen the disclaimer” flag, and other small UI preferences.

You can clear these at any time from your browser’s site-data settings. Doing so will sign you out and reset your basket.

8. Your rights

Under Egyptian Data Protection Law 151/2020 and (where applicable) the EU GDPR, you have the right to:

• Access the personal data we hold about you.
• Have inaccurate data corrected.
• Have your data deleted, subject to the retention periods above.
• Receive a copy of your data in a portable format.
• Restrict or object to certain processing.
• Withdraw consent for processing that relies on consent.
• Lodge a complaint with the Egyptian Personal Data Protection Centre, or with a competent EU data-protection authority if you are based in the EU.

To exercise any of these rights email support@gm-egy.com from the address on your account. We respond within 30 days.

9. Children

GermanMarkt is intended for users aged 18 or older. We do not knowingly collect personal data from anyone under 18. If you believe a child has created an account, email support@gm-egy.com and we will delete it.

10. Security

We rely on Supabase’s managed Postgres with row-level security policies, HTTPS in transit, encryption at rest, hashed passwords, and a complete audit log of admin actions. No system is perfectly secure; if we ever detect a breach affecting your data we will notify you promptly and report to the relevant authorities as required.

11. Marketing

We do not currently send marketing email. If we begin to, it will be opt-in only and every message will include a one-click unsubscribe link.

12. Changes to this policy

If we make material changes to this policy we will update the date above and surface a notice in the app the next time you sign in.