Back to home

UK GDPR / Data Protection Act 2018

PRIVACY POLICY

Last updated: February 2026 · Version 1.0

In short: we only collect what we need to run the marketplace, we never sell your data, your payment details live with Stripe (not us), and you can export or delete your account at any time from your account settings.

1. Who we are

Unveiled Threads ("we", "us", "our") is a UK-based online marketplace connecting small and medium clothing brands with buyers. For the purposes of UK GDPR and the Data Protection Act 2018, we are the Data Controller of the personal data described in this notice.

We are registered with the UK Information Commissioner's Office (ICO) under registration number ZC176765. You can verify our registration on the ICO public register.

If you have any questions about this policy or your data, contact us at privacy@unveiledthreads.co.uk.

2. What data we collect

Account data

  • Your name and email address
  • A securely hashed password (we never see your raw password)
  • The role attached to your account (buyer / brand / admin)

Brand application data (sellers only)

  • Brand name, business description, website & social handles
  • Business email address

Order & transaction data

  • Shipping address you provide at checkout
  • Product, price, quantity and order status
  • Tracking number and courier (when provided by the seller)

Payment data

We do not store card numbers, CVV, bank details or KYC documents. All payments are processed by Stripe Inc. (PCI-DSS Level 1 certified). When a seller signs up to receive payouts, identity verification documents are submitted directly to Stripe — they never touch our servers.

Communications data

  • Messages you send to other users via the in-app messaging system
  • Community posts and comments you publish on the platform
  • Reviews you leave for purchases

Technical data

  • IP address (for rate-limiting and security only)
  • Browser type and basic device information
  • Strictly necessary session cookies (no advertising trackers)

3. Why we use your data & legal basis

  • Contract — to run your account, process orders and connect you with sellers.
  • Legitimate interest — to keep the platform secure, prevent fraud, detect off-platform sales, and improve the service.
  • Legal obligation — to keep transaction records for tax and accounting purposes (typically 6 years under UK HMRC rules).
  • Consent — for any future marketing emails (you opt in, you can opt out anytime).

4. Who we share data with

We only share personal data with carefully chosen processors who help us run the service:

  • Stripe Inc. — payment processing and seller KYC (US/EU, GDPR-compliant)
  • Resend — transactional email delivery
  • MongoDB Atlas — encrypted database hosting (EU region)
  • Anthropic (Claude) — automated content moderation only (messages are scanned, not stored by the AI)
  • Sellers — when you place an order, the seller receives your name, shipping address and order details so they can fulfil the order

We do not sell your personal data and we do not share it with advertising networks.

5. How long we keep your data

  • Account data — while your account is active, then deleted on request
  • Order records — anonymised after account deletion, retained for up to 6 years for HMRC
  • Messages — retained while the conversation exists, redacted on account deletion
  • Password reset tokens — 1 hour, then invalidated
  • Server logs — 30 days max

6. Your rights

Under UK GDPR you have the following rights, free of charge, at any time:

  • Right of access — see what data we hold (Account → Export My Data)
  • Right to portability — download a copy in JSON format
  • Right to rectification — fix incorrect data via account settings or email us
  • Right to erasure — delete your account permanently (Account → Delete Account)
  • Right to object / restrict processing — email us at privacy@unveiledthreads.co.uk
  • Right to complain — to the UK Information Commissioner's Office at ico.org.uk

Want to export or delete your data right now?

Go to Account Settings — both happen instantly with no email back-and-forth.

7. Cookies

We use a single category of cookies: strictly necessary cookies for authentication (your secure session token) and CSRF protection. We do not use advertising, analytics or tracking cookies. Because these cookies are essential for the site to function, no consent is required under PECR — but we still show you a banner so you know they're there.

8. Security

  • All traffic is encrypted via TLS 1.2+
  • Passwords are hashed with bcrypt (industry standard)
  • Card and bank data never reach our servers
  • Rate-limiting and account enumeration protection on auth endpoints
  • Production secrets are stored in deployment environment variables, never in code

9. International transfers

Some of our processors (Stripe, Resend, Anthropic) may process data outside the UK/EEA. Where this happens we rely on Standard Contractual Clauses (SCCs) and equivalent UK transfer mechanisms approved by the ICO.

10. Children

Unveiled Threads is not directed at anyone under 16. If you believe we've collected data about a child, email us and we will delete it immediately.

11. Changes to this policy

If we make material changes we'll update this page and notify active users by email. Continued use of the service after an update means you accept the revised policy.

12. Contact

This Privacy Policy works alongside our Terms & Conditions. Together they govern your use of Unveiled Threads.

Cookies

We only use strictly necessary cookies to keep you signed in and protect your account. No advertising trackers, no analytics tags.

Made with Emergent