Privacy Policy
Last updated: 25 May 2026
1. Who we are
Trade or Die (tradeordie.org) is a vinyl record trading platform for independent labels, artists, and distributors.
2. What data we collect and why
Account data
Your email address, display name, organisation name, country, bio, and profile photo — collected when you sign up or update your profile.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR)
Listing data
Record title, artist, label, release year, format, genre, quantity, notes, cover image, and optional Bandcamp embed URL — collected when you create or edit a listing.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR)
Trade data
Trade proposals and their messages, trade status, and ratings (including comments) — collected as you use the trading features.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR)
Email notifications
Your email address is used to notify you of trade activity — new proposals, accepted or declined trades, new messages, and contact form replies. You can manage your account to stop receiving notifications by deleting your account.
Legal basis: legitimate interests (Art. 6(1)(f) GDPR) — keeping you informed about transactions you have initiated
Security and abuse prevention
Cloudflare Turnstile is used on the signup and login pages to detect automated abuse. It processes basic browser signals to determine whether a request is from a human. It does not set persistent tracking cookies.
Legal basis: legitimate interests (Art. 6(1)(f) GDPR) — protecting the platform and its users from spam and fraudulent accounts
Reports
If you submit a report about another user, we collect the reason and any details you provide, along with references to the relevant trade. Reports are only accessible to us and are used solely for moderation.
Legal basis: legitimate interests (Art. 6(1)(f) GDPR) — maintaining a safe community
3. How long we keep your data
Account and listing data is kept for as long as your account is active.
When you delete your account, your profile is anonymised immediately — your display name, organisation, bio, and profile photo are removed, and your email address is dissociated from all records. Your trade history, messages, and ratings remain in anonymised form so that other users' trading records stay intact. We do not retain your email address after account deletion.
4. Who we share your data with
We use the following third-party services to operate the platform. We do not sell, rent, or share your personal data with any third party for marketing or advertising purposes.
Supabase
Provides our database, authentication, file storage, and serverless functions. Your account data, listings, messages, and uploaded files are stored and processed by Supabase.
Data is stored in the
European Union (eu-west-1, Ireland).
supabase.com/privacy
Resend
Handles all transactional emails — trade notifications, password reset emails, and contact form replies. Resend receives your email address and the content of each notification. Data is processed in the United States, covered by Standard Contractual Clauses.
resend.com/privacy
Cloudflare (Turnstile)
Used on signup and login pages to prevent automated abuse. Cloudflare receives basic browser signals (such as screen size and interaction patterns) — no persistent identifiers are stored on your device.
cloudflare.com/privacypolicy
Discogs
When you search for a record to import, your search query (artist/title text) is sent to the Discogs API to retrieve vinyl catalogue data. No personal data about you is shared with Discogs.
discogs.com/privacy
5. Cookies and local storage
We do not use advertising or tracking cookies. Your login session is maintained using Supabase's authentication tokens stored in your browser. We also store a single timestamp in your browser's local storage to track when you last visited your inbox — this is used to calculate the notification badge count and never leaves your device.
6. Your rights
Under the GDPR, you have the following rights regarding your personal data:
Access
Request a copy of the personal data we hold about you.
Rectification
Correct inaccurate or incomplete data. Most profile fields — display name, organisation, country, and bio — are editable directly on your Profile page.
Erasure
Delete your account at any time via your Profile page. This anonymises your data immediately and permanently.
Portability
Request a copy of your personal data in a structured, machine-readable format. Contact us at the address below.
Restriction and objection
Ask us to restrict processing of your data, or object to processing based on legitimate interests. Contact us to make such a request.
To exercise any of these rights, email us at info@tradeordie.org. We will respond within 30 days.
7. Supervisory authority
If you are in the European Union and believe we have not handled your personal data in accordance with the GDPR, you have the right to lodge a complaint with your local data protection authority. In Greece, this is the Hellenic Data Protection Authority (HDPA): dpa.gr.
8. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top of this page will always reflect the most recent version. For significant changes, we will notify users by email.