GDPR

Privacy policy

Last updated: 12 May 2026

1. Who we are

The data controller is Street Machine SRL, Belgian Crossroads Bank for Enterprises BE 0466.099.945, registered office in Belgium. You can reach us at didier.jadoul@streetmachine.be.

We rent a wedding car with chauffeur (Ford Galaxie Sunliner 1961) across Belgium via weddingcars.be, voituremariage.be and detrouwauto.be.

2. What data we collect and why

Customer account

When you create an account or request a quote: first and last name, email address, phone number (optional), preferred language, hashed password.

Legal basis: performance of the contract (art. 6.1.b GDPR).

Retention: as long as the account is active, then 24 months without activity, then automatic deletion.

Quotes and bookings

Requested dates, pickup and ceremony address, chosen package and options, amounts, payment method, Mollie payment reference (payment ID only — we never store card data).

Legal basis: performance of the contract.

Retention: 7 years from the service date (Belgian accounting obligation — art. III.86 Code of Economic Law).

Messages and communication

Email content exchanged, contact-form messages, internal notes about your file.

Legal basis: performance of the contract + legitimate interest (relationship follow-up).

Retention: linked to a booking → 7 years. Without booking → 24 months.

Wedding photographs

If you send us photographs from your wedding day for publication in our gallery, they are only published with your explicit written consent, which you may withdraw at any time.

Legal basis: consent (art. 6.1.a + art. 9 if identifiable faces).

Retention: as long as the gallery is online. Removal upon request.

Cookies and analytics

Strictly necessary cookies (session, language, consent), Plausible Analytics (anonymous, no third-party cookie — if accepted), and Meta Pixel (if you discovered us via a Facebook or Instagram ad and accept it).

Full details on our cookies page.

Legal basis: necessary = legitimate interest; analytics & marketing = consent.

Security logs

To protect the site (anti-bruteforce, anti-spam, audit): IP address, user-agent, timestamps of logins and sensitive actions (login, password change, export or deletion request).

Legal basis: legitimate interest (security).

Retention: 12 months.

3. Who has access to your data

We never sell your data. Access is limited to:

Our team: Didier Jadoul (managing director and DPO).
Technical sub-processors, bound by a processing agreement compliant with art. 28 GDPR:

Supabase Inc. (USA, region eu-central-1 Frankfurt) — database hosting + authentication.
Resend Inc. (USA) — transactional email delivery.
Mollie B.V. (Netherlands) — online payment processing.
Cloudflare Inc. (USA) — CDN + edge SSR.
Plausible Insights OÜ (Estonia) — analytics (with consent).
GPT Engineer App AB (Sweden) — Lovable development platform (limited access to test data).

Transfers to the USA (Supabase, Resend, Cloudflare) rely on the EU Standard Contractual Clauses (SCC) approved by the European Commission.

4. Your rights

Under GDPR, you have at any time the following rights:

Access (art. 15) — obtain a copy of all your data.
Rectification (art. 16) — correct any inaccurate data.
Erasure (art. 17 — "right to be forgotten") — delete your account.
Restriction (art. 18) — freeze processing while a verification is pending.
Portability (art. 20) — receive your data in a structured format (JSON).
Objection (art. 21) — refuse certain processing (e.g., marketing).
Withdraw consent — for cookies, published photographs, etc., at any time.

You can exercise these rights:

Directly from your account: My data.
By email: didier.jadoul@streetmachine.be

We respond within 30 days. Deletion is scheduled with a 30-day cooling-off period during which you can cancel the request. Accounting documents related to a wedding already honoured are kept for 7 years (legal obligation), in anonymised form if you requested deletion.

5. Security

We implement appropriate technical and organisational measures: TLS encryption of communications, bcrypt hashing of passwords, role-based access control (RBAC) with Row Level Security at the database level, logging of sensitive access, Tier 1 hosting (Supabase Pro, Cloudflare).

In case of a data breach likely to affect your rights, we notify the Belgian Data Protection Authority (APD/GBA) within 72 hours and inform you without undue delay.

6. Complaint to a supervisory authority

If you believe your rights are not respected, you may file a complaint with the Belgian Data Protection Authority:

Rue de la Presse 35, 1000 Brussels
contact@apd-gba.be — dataprotectionauthority.be

7. Changes to this policy

This policy may be updated. The last update date appears at the top of this page. For substantial changes (new processing, new sub-processors), we will notify you by email if you have an account.

Ford Galaxie Sunliner 1961 — wedding convertible with chauffeur, across Belgium.