Privacy Policy

1. Who We Are

• The data controller is Reeqip Ltd, a company registered in England and Wales.
• Contact us about data matters at: privacy@reeqip.com

2. Data We Collect

We collect data in three ways: data you give us, data generated by your activity, and data from third parties.

Data you provide

• Account registration: name, email address, password (stored as a secure hash — never in plain text).
• Seller registration: phone number, store name, and for business/club accounts: company name, VAT number, company registration number, contact name, address, and website.
• Checkout: delivery name, address, and postcode used to arrange shipping. We do not store full card details — card data is handled exclusively by Stripe.
• Product listings: item descriptions, photos, dimensions, and pricing you upload.
• Messages: content of messages sent through in-app conversations and order threads.
• Reviews: ratings and written feedback you submit.
• Contact forms & email: any correspondence you send to our support or enquiry addresses.

Data generated by your activity

• Order history, payment status, and escrow state for transactions you are party to.
• Payout records (sellers only): amounts, dates, and Stripe transfer identifiers.
• Order timeline events: timestamps of every status change on your orders.
• Saved items (favourites) and browsing activity within the platform.
• Standard web server logs: IP address, browser type, pages visited, and timestamps. Logs are retained for up to 90 days for security and diagnostic purposes.

Data from third parties

• Stripe: we receive a payment status (succeeded, pending, failed) and, for sellers, a Stripe Connect account identifier. We do not receive full card numbers, CVVs, or bank account details.
• Carrier (Evri / Royal Mail): tracking events and delivery confirmation returned when we poll the shipping API on your behalf.

3. How We Use Your Data

4. Who We Share Your Data With

We do not sell your personal data. We share it only with the following processors and only to the extent necessary to run the platform:

• Stripe, Inc. — payment processing and seller payouts. Stripe is PCI-DSS Level 1 certified. Their privacy policy is at stripe.com/gb/privacy.
• Evri / Royal Mail — your delivery name and address are included in the shipping label generated for your order. No further data is shared.
• Cloudflare R2 — product images you upload are stored on Cloudflare's infrastructure and served via a CDN. Images are publicly accessible by URL once listed.
• Google Workspace — we use Google's SMTP service to send transactional and notification emails.
• Railway — our hosting provider. Your data is stored on servers within the EU/EEA or UK.
• Law enforcement / regulators — we may disclose data where required by law, court order, or regulatory authority.

5. Data Retention

• Account data — kept for the lifetime of your account and for 6 years after closure to comply with financial record-keeping obligations.
• Order records — retained for 6 years from the order date (UK tax and accounting law).
• Messages & reviews — retained while the associated account is active; may be anonymised on account deletion where the data is necessary for dispute resolution records.
• Server logs — retained for up to 90 days.
• Archived (deleted) orders — when an admin deletes an order, a copy is stored in our archive for audit purposes. Archived records are retained for 6 years.

6. Your Rights

Under UK GDPR you have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — ask us to correct inaccurate or incomplete data.
• Erasure — request deletion of your data where we no longer have a lawful basis to hold it (subject to legal retention obligations).
• Restriction — ask us to pause processing your data in certain circumstances.
• Portability — receive your data in a structured, machine-readable format.
• Object — object to processing based on legitimate interests, including direct marketing.
• Withdraw consent — unsubscribe from our newsletter at any time using the link in the email or by emailing us.

To exercise any right, email privacy@reeqip.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

7. Security

• All data is transmitted over HTTPS (TLS 1.2+).
• Passwords are stored using a strong key-derivation function (scrypt). We never store plain-text passwords.
• Payment card data is never transmitted to or stored on our servers — it goes directly to Stripe.
• Access to production systems is restricted to authorised personnel only.
• We log application errors internally and review them regularly for signs of anomalous activity.

8. Cookies

We use a small number of essential cookies and Stripe may set its own. For full details see our Cookie Policy.

9. Children

Reeqip is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with data, contact us at privacy@reeqip.com and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified by email or by a prominent notice on the platform before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.

11. Governing Law

This Privacy Policy is governed by the laws of England and Wales. Any disputes arising from it shall be subject to the exclusive jurisdiction of the courts of England and Wales.