Privacy Policy

Last updated: 4 June 2026

This Privacy Policy explains how Preloved Bazaar collects, uses, shares and protects your personal data when you use our marketplace at prelovedbazaar.co.uk and any related services (together, the “Platform”). It applies to everyone who uses the Platform — whether you are buying, selling, or both.

Please read it alongside our Terms of Use and our Cookie Policy, which together form your agreement with us. Words such as “Buyer”, “Seller” and “Listing” have the same meaning as in our Terms of Use.

1. Who we are — the data controller

For the personal data described in this policy, the data controller is Preloved Bazaar Shop Limited, a company registered in England and Wales (company number 15102071) (“Preloved Bazaar”, “we”, “us” or “our”). The data controller is the organisation that decides why and how your personal data is used.

• Trading name: Preloved Bazaar
• Operated by: Preloved Bazaar Shop Limited, a company registered in England and Wales, company number 15102071, with its registered office in West Yorkshire, United Kingdom (full details on the Companies House register / available on request)
• Contact for privacy matters: hello@prelovedbazaar.co.uk

We handle your personal data in line with UK data protection law — the UK GDPR and the Data Protection Act 2018. The Information Commissioner’s Office (ICO) is the UK’s data-protection regulator, and you can raise a concern with them (see section 9).

2. The personal data we collect

We collect personal data that you give us, that is created as you use the Platform, and (in limited cases) that we receive from others. The main categories are:

2.1 Account and profile data

• your name and the email address you register with;
• a username or display name, and any profile photo, bio or shop details you choose to add;
• your login credentials (your password is stored only in a securely hashed form — we never see it in plain text);
• because every account on Preloved Bazaar can both buy and sell, your account holds both your buyer and your seller information.

2.2 Listing data

• the photographs, descriptions, condition details, sizes, prices and postage terms you add when you list an item;
• any messages and offers exchanged about a listing.

AI listing suggestions. To help you list faster, when you add the main photo of an item we send that photo to Google (via the Google Gemini API) so it can suggest a category, colour, title and description for your listing. These are suggestions only — you can change or ignore any of them, and nothing is published until you save the listing. Google processes the image to generate the suggestions; on our paid API tier Google does not use your image to train its models and does not retain it beyond what is needed to provide the response. See Google’s API terms at ai.google.dev/gemini-api/terms and Google’s privacy policy at policies.google.com/privacy.

2.3 Order, transaction and delivery data

• the items you buy or sell, order references, prices, the Buyer Protection fee, and order status;
• the delivery address needed to fulfil an order, and the tracking number a Seller enters when they dispatch an item;
• refund, cancellation and dispute records relating to your orders.

2.4 Messages and disputes

• the content of messages you send through the Platform’s messaging tools;
• information you give us when you raise or respond to a problem with an order, including any photographs or other evidence you provide.

2.5 Payment and payout data

Payments and seller payouts are handled by our payment provider, Stripe (see section 4). We do not store your full card number. We hold limited transaction records (such as the order amount, currency, a payment reference and whether a payment succeeded, failed or was refunded) so we can run the Platform, administer escrow, and meet our record-keeping duties.

2.6 Technical and usage data

When you visit the Platform we automatically collect limited technical data such as your device and browser type, IP address, and how you interact with the site. Some of this is collected through cookies and similar technologies — see our Cookie Policy and section 5 below.

3. The lawful bases we rely on

Under the UK GDPR we must have a “lawful basis” for using your personal data. We rely on the following:

• Performance of a contract — to set up and run your account, list items, process orders, hold and release funds, handle disputes and refunds, and provide customer support. Without this data we cannot provide the Platform to you.
• Compliance with a legal obligation — to meet duties placed on us by law, in particular tax record-keeping requirements, anti-money-laundering and fraud-prevention obligations, and our duties under online-safety law, on the basis of which we retain certain records.
• Legitimate interests — to keep the Platform secure, prevent and investigate fraud and prohibited activity, debug and improve our service, and protect our users and our business. Where we rely on legitimate interests, we balance our interests against your rights and only proceed where your interests do not override ours.
• Consent — for non-essential cookies and similar technologies, and for any optional marketing communications. You can withdraw consent at any time (see sections 5 and 9). Withdrawing consent does not affect anything we did lawfully before you withdrew it.

4. Payments, and Stripe as an independent controller

All payments and seller payouts on the Platform are processed by Stripe. When you pay, or when a Seller receives a payout, your information is handled by Stripe under Stripe’s own privacy policy, which you can read at https://stripe.com/privacy.

For its payment processing, fraud prevention and identity-verification activities, Stripe acts as an independent data controller in its own right — it decides how it uses the data it collects to provide regulated payment services, verify identities (KYC) and prevent fraud, and it is responsible to you directly for that use. This means that, in addition to this policy, Stripe’s privacy policy governs what Stripe does with your payment and verification data.

Key points about payment data:

• We do not store your full card number or other full card details — these are handled by Stripe.
• Sellers receive payouts through a Stripe Connect Express account, and complete Stripe’s identity and bank-account checks directly with Stripe.
• We receive limited transaction information back from Stripe (such as a payment reference and whether a payment succeeded, failed or was refunded) so we can operate orders, escrow and refunds.

5. Cookies and similar technologies

We use cookies and similar technologies to make the Platform work, to keep it secure, and — only with your consent — for analytics or marketing. Strictly necessary cookies do not require consent; non-essential cookies are only set after you agree.

Full details, including the types of cookies we use and how to change your preferences at any time, are in our separate Cookie Policy. Where we rely on consent for cookies, we do so in line with the Privacy and Electronic Communications Regulations (PECR).

6. Who we share your data with

We do not sell your personal data. We share it only where it is necessary for the purposes in this policy, with the following categories of recipient:

• Other Buyers and Sellers — only as needed for an order. When you buy, the Seller receives the delivery address and order details needed to send your item. When you sell, the Buyer sees the information needed to complete the order. Messaging exchanges are shared with the other party to the conversation. We do not share more than the transaction requires.
• Stripe — our payment provider, to process payments, hold and transfer funds, run seller payouts, and carry out identity and fraud checks (see section 4).
• Our hosting and infrastructure provider — which stores and serves the Platform on our behalf.
• Our email/communications provider — used to send transactional emails (such as order, dispatch, dispute and refund notifications).
• Google (Gemini API) — when you use our optional AI listing-suggestion feature, the item photo you upload is sent to Google to generate suggested listing details (see section 2.2). Google processes the image to return the suggestions; on our paid tier it does not use the image to train its models.
• Law enforcement, regulators and other authorities — where we are legally required or permitted to disclose information, including to comply with our duties under the Online Safety Act 2023 and to report or respond to illegal content or activity, and to protect our users, the public or our rights.
• Professional advisers and, in future, a successor business — for example our advisers, or a buyer of the business if we ever sell or reorganise it, subject to appropriate confidentiality and data-protection safeguards.

7. International transfers

Some of our providers — in particular Stripe and Google, and potentially our hosting or email providers — may process personal data outside the United Kingdom. Where personal data is transferred outside the UK, we (or the provider acting as controller) ensure an appropriate safeguard is in place as required by UK data-protection law — such as transfer to a country with UK “adequacy” status, or the use of the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses.

8. How long we keep your data (retention)

We keep personal data only for as long as we need it for the purposes set out in this policy, and to meet our legal obligations. In particular:

• Order, transaction and tax records are kept for as long as required by HMRC record-keeping and tax law — generally six years from the end of the relevant accounting period.
• Messages and dispute records are kept for as long as needed to administer disputes, prevent fraud, and protect our users, and to meet our duties under online-safety law.
• Account data is kept while your account is open and for a reasonable period afterwards, after which it is deleted or anonymised — except where we must retain certain records to meet a legal obligation (see section 10).

When we no longer need personal data, we delete it securely or irreversibly anonymise it.

9. Your rights

Under UK data-protection law you have the following rights over your personal data. You can exercise any of them by contacting us at hello@prelovedbazaar.co.uk:

• Access — to ask for a copy of the personal data we hold about you;
• Rectification — to ask us to correct data that is inaccurate or incomplete;
• Erasure — to ask us to delete your data in certain circumstances (this is not absolute — we may need to keep some data to meet a legal obligation, such as tax records, or to resolve a live order or dispute);
• Restriction — to ask us to limit how we use your data in certain circumstances;
• Portability — to ask us to provide certain data you gave us in a structured, commonly used, machine-readable format, or to send it to another provider, where technically feasible;
• Objection — to object to processing we carry out on the basis of legitimate interests, and to object to direct marketing at any time;
• Withdraw consent — where we rely on your consent (for example for non-essential cookies or marketing), you can withdraw it at any time.

We will respond within the time limits set by law (usually one month). There is normally no charge.

Complaints. If you are unhappy with how we have handled your personal data, please tell us first so we can try to put it right. You also have the right to complain to the UK regulator, the Information Commissioner’s Office (ICO), at ico.org.uk/make-a-complaint or by calling its helpline.

10. Closing your account, and automated decision-making

10.1 Closing your account

You can ask to close your account at any time — see our Terms of Use for how account closure works. When you close your account we delete or anonymise your personal data, except where we are required to keep certain records to meet a legal obligation (for example HMRC tax records), or where we need to retain information to resolve a live order, held funds, or an open dispute.

10.2 Automated decision-making

Some parts of the Platform run automatically — for example, our escrow system releases a Seller’s funds after tracking is added and a holding window passes, automatically refunds a Buyer if a Seller never ships within the protection window, and a dispute that a Seller does not answer within the response window is automatically flagged in the Buyer’s favour. These automated steps follow fixed, published rules set out in our Terms of Use, and a refund following a dispute is reviewed and issued by a member of our team, not purely by a machine.

We do not make decisions that produce a legal or similarly significant effect on you based solely on automated processing without meaningful human involvement: a refund following a dispute is always reviewed and issued by a member of our team, not purely by a machine.

11. Changes to this policy, and how to contact us

We may update this Privacy Policy from time to time — for example to reflect new features, new providers, or changes in the law. When we make a material change we will update the “last updated” date above and, where appropriate, let you know.

For any privacy question or request, or to exercise your rights, contact us at hello@prelovedbazaar.co.uk.