Privacy Policy
This policy explains what personal data Reluv collects, why we collect it, and what rights you have over it. We have written it in plain English because we think you deserve to understand it without a law degree.
Last updated: 21 May 2026
01 —Who we are
Reluv operates the peer-to-peer fashion marketplace at reluv.co.uk. For the purposes of UK data protection law, Reluv is the data controller — that means we decide how and why your personal data is processed.
You can contact us about anything in this policy at privacy@reluv.co.uk.
02 —What data we collect and why
We only collect data that is necessary to run the platform, process transactions, prevent fraud, and meet legal obligations. Here is a plain-English breakdown.
Account registration
| Data | Why we collect it | Legal basis |
|---|---|---|
| Email address | To create your account, send transactional emails, and let you sign in. | Contract performance |
| Display name / handle | To identify you publicly on the platform. | Contract performance |
| Password (hashed) | To authenticate you. We never store your password in readable form. | Contract performance |
| Signup IP address | To detect fraud and ban evasion at the point of registration. | Legitimate interest |
| Login IP address | Recorded on each sign-in to help detect account takeover and ban evasion. | Legitimate interest |
Selling
| Data | Why we collect it | Legal basis |
|---|---|---|
| Legal name | Required by Stripe for identity verification (KYC) before payouts are enabled. | Legal obligation / contract performance |
| Home / return address | Used as the shipping origin for return labels. | Contract performance |
| Bank / payout details | To pay you when a sale is confirmed. Held and processed by Stripe — Reluv does not store raw bank details. | Contract performance |
| Listing photos and descriptions | To display your items for sale and to record condition evidence if a dispute arises. | Contract performance |
Buying
| Data | Why we collect it | Legal basis |
|---|---|---|
| Delivery address | To ship the item to you and generate shipping labels. | Contract performance |
| Payment card details | To charge you at checkout. Tokenised and held by Stripe — Reluv never sees your full card number. | Contract performance |
Platform activity
| Data | Why we collect it | Legal basis |
|---|---|---|
| Order history | To display your purchase and sales records, and to meet HMRC record-keeping requirements. | Contract performance / legal obligation |
| Messages between users | To facilitate communication between buyers and sellers, and to provide evidence in dispute resolution. | Contract performance / legitimate interest |
| Dispute evidence | Photos and descriptions submitted during a resolution are retained to support a fair outcome. | Legitimate interest |
| Notification preferences | So we only contact you in the ways you have asked us to. | Contract performance |
Fraud prevention and safety
| Data | Why we collect it | Legal basis |
|---|---|---|
| Banned email list | To prevent banned users from re-registering with the same email address. | Legitimate interest |
| IP addresses (signup + login) | To detect ban evasion, account takeover, and other abusive behaviour. | Legitimate interest |
03 —Legal basis for processing
UK GDPR requires us to have a lawful reason for processing your personal data. We rely on three:
- Contract performance — processing that is necessary to operate your account, complete a transaction, arrange shipping, or handle a dispute. Without this data we cannot provide the service.
- Legitimate interest — fraud prevention, ban enforcement, IP logging for security, and retaining dispute evidence. We have assessed that these interests are not overridden by your rights. You can object to processing on this basis (see section 9).
- Legal obligation — retaining transaction records for HMRC and other applicable UK law. We cannot honour deletion requests for data we are required by law to keep.
04 —How we use your data
We use the data described in section 2 to:
- Create and maintain your account.
- Process payments, hold funds in escrow, and release them to sellers.
- Generate and manage shipping labels through ShipEngine.
- Send transactional emails (order confirmations, dispute updates, shipping notifications) via Resend.
- Resolve disputes fairly — we review messages and evidence from both parties.
- Detect and prevent fraud, ban evasion, and other abuse of the platform.
- Meet our legal obligations under UK tax law.
- Respond to your support requests.
05 —Who we share your data with
We share data only with the third-party processors listed below, and only to the extent necessary for them to perform their service.
| Data | Why we collect it | Legal basis |
|---|---|---|
| Stripe | Payment processing, payout disbursement, and seller identity verification (KYC). Stripe acts as a data processor for payment transactions and as an independent data controller for its own KYC obligations. | stripe.com/gb/privacy |
| ShipEngine | Generating shipping labels and validating delivery addresses. Receives buyer and seller addresses. | shipengine.com/privacy |
| Resend | Sending transactional emails (e.g. order confirmations). Receives your email address and the content of those emails. | resend.com/legal/privacy-policy |
| Vercel / hosting | Server-side hosting and CDN delivery. May process request metadata (IP addresses, user agents) in server logs. | vercel.com/legal/privacy-policy |
We may also disclose personal data if required to do so by law, court order, or a regulatory authority, or if necessary to protect the rights or safety of Reluv or its users.
06 —International transfers
Reluv is a UK-based service. However, some of our third-party processors (Stripe, ShipEngine, Resend, Vercel) operate infrastructure in the United States and other countries outside the UK and the European Economic Area.
Where your data is transferred outside the UK, we ensure it is protected by appropriate safeguards, which may include:
- UK adequacy regulations (for countries the ICO has deemed adequate);
- Standard contractual clauses (SCCs) approved by the ICO; or
- The processor's participation in a recognised certification framework.
You can contact us at privacy@reluv.co.uk if you would like further information about the specific safeguards in place for any transfer.
07 —How long we keep your data
| Data | Why we collect it | Legal basis |
|---|---|---|
| Orders and transaction records | Retained for 7 years from the transaction date. | Legal obligation (HMRC / UK tax law) |
| Messages | Retained while your account is active. Deleted when your account is deleted, unless the message forms part of a dispute or legal hold. | Contract performance / legitimate interest |
| IP address logs (signup and login) | Retained for 12 months. | Legitimate interest (fraud prevention) |
| Banned email records | Retained indefinitely to prevent re-registration of banned accounts. | Legitimate interest (platform safety) |
| Account data (general) | Deleted within 30 days of a valid account deletion request, except where a legal hold applies. | Contract performance |
When a deletion request is made, we will confirm whether a legal hold applies to any part of your data and, if so, explain what is retained and for how long.
08 —Cookies
We currently use only essential session cookies placed by NextAuth to keep you signed in. These cookies are strictly necessary for the platform to function and do not require your consent under PECR.
09 —Your rights
Under UK GDPR you have the following rights over your personal data:
- Access — you can ask for a copy of the personal data we hold about you.
- Rectification — you can ask us to correct inaccurate data.
- Erasure — you can ask us to delete your data. This right is not absolute: we will explain any legal hold that prevents full deletion.
- Portability — you can ask for your data in a structured, machine-readable format so you can transfer it to another service.
- Restriction — you can ask us to pause processing of your data while a dispute or investigation is ongoing.
- Objection — you can object to processing based on our legitimate interest (for example, IP logging for fraud prevention). We will stop unless we can show a compelling legitimate ground that overrides your interests.
To exercise any of these rights, email privacy@reluv.co.uk. We will respond within one month. We may ask you to verify your identity before we action a request.
10 —Children
Reluv is intended for users who are 18 or older. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us at privacy@reluv.co.uk and we will delete it promptly.
11 —Changes to this policy
We may update this policy from time to time to reflect changes in how we operate or in applicable law. When we make a material change, we will notify registered users by email and update the “Last updated” date at the top of this page. We encourage you to review the policy periodically.
Continued use of Reluv after a notified change constitutes acceptance of the updated policy. If you do not agree with a change, you can delete your account before it takes effect.
12 —Contact and complaints
If you have a question or concern about how we handle your data, please contact us first — we would like the chance to resolve it directly.
If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO):
© 2026 Reluv · reluv.co.uk · Privacy Policy