1. Data Controller
The data controller responsible for your personal data is:
SASU OneRoadTrip
Share capital: €500
848 chemin du Pré des Cavaliers, 06670 Levens, France
RCS Nice No. 994 750 008
Email: contact@oneroadtrip.com
Data Protection Officer (DPO): Marc Sorci – contact@oneroadtrip.com
2. Data Collected and Purposes
We collect and process the following data:
| Data | Purpose | Legal Basis |
|---|---|---|
| Name, email, identifier (via Google or email) | Account creation and management | Contract performance (T&C) |
| Preferences (language, themes) | Service personalization | Contract performance |
| Itineraries and travel projects | Service operation | Contract performance |
| IP address, browsing data | Security, fraud prevention | Legitimate interest |
| Support emails | User assistance | Legitimate interest |
| Audience data (if accepted) | Statistics and improvement | Consent |
3. Retention Periods
- Account data and content: retained while the account is active, then deleted within 30 days of deletion request or account closure.
- Security logs: 12 months maximum.
- Support data: 24 months after the last exchange.
- Billing data: 10 years (legal requirement).
- Analytics cookies: 13 months maximum.
4. Data Recipients
Your data may be shared with the following recipients:
- Hosting: Netlify (application infrastructure) and OVH (complementary services and storage)
- Authentication: Firebase (Google) for login management
- Analytics: audience measurement tools (only if you have consented)
These service providers act as processors and only use your data to provide services on our behalf, in accordance with our instructions and GDPR requirements.
5. Transfers Outside the European Union
Some of our service providers (particularly Google Firebase) may process data outside the European Union. These transfers are governed by:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Where applicable, the EU-US Data Privacy Framework
You can obtain a copy of appropriate safeguards by contacting us.
6. Your Rights
Under GDPR, you have the following rights:
- Right of access: obtain confirmation that your data is being processed and receive a copy
- Right to rectification: have inaccurate or incomplete data corrected
- Right to erasure: request deletion of your data ("right to be forgotten")
- Right to restriction: request suspension of processing in certain cases
- Right to portability: receive your data in a structured, reusable format
- Right to object: object to processing based on legitimate interest
You may also file a complaint with the CNIL (French Data Protection Authority): www.cnil.fr or your local supervisory authority.
7. Data Security
We implement appropriate technical and organizational measures to protect your data against unauthorized access, modification, disclosure or destruction, including:
- Encryption of data in transit (HTTPS/TLS)
- Secure authentication via Firebase
- Restricted data access on a need-to-know basis
- Access monitoring and logging
8. Children
The Website is not intended for children under 16 years of age. We do not knowingly collect personal data from minors without parental consent. If you are a parent and discover that your child has provided us with data, please contact us to have it deleted.
9. Cookies
The Website uses cookies and similar technologies. To learn more about the cookies used and manage your preferences, please see our Cookie Policy. No non-essential cookies are placed without your prior consent.
10. Changes
We may modify this policy at any time. In case of substantial changes, we may inform you by email (if applicable) or by a visible notification on the Website. The last update date is indicated below.
Last updated: December 2025