In short: we only collect what we need to run the marketplace, we never sell your data, your payment details live with Stripe (not us), and you can export or delete your account at any time from your account settings.
1. Who we are
Unveiled Threads ("we", "us", "our") is a UK-based online marketplace connecting small and medium clothing brands with buyers. For the purposes of UK GDPR and the Data Protection Act 2018, we are the Data Controller of the personal data described in this notice.
We are registered with the UK Information Commissioner's Office (ICO) under registration number ZC176765. You can verify our registration on the ICO public register.
A securely hashed password (we never see your raw password)
The role attached to your account (buyer / brand / admin)
Brand application data (sellers only)
Brand name, business description, website & social handles
Business email address
Order & transaction data
Shipping address you provide at checkout
Product, price, quantity and order status
Tracking number and courier (when provided by the seller)
Payment data
We do not store card numbers, CVV, bank details or KYC documents. All payments are processed by Stripe Inc. (PCI-DSS Level 1 certified). When a seller signs up to receive payouts, identity verification documents are submitted directly to Stripe — they never touch our servers.
Communications data
Messages you send to other users via the in-app messaging system
Community posts and comments you publish on the platform
Reviews you leave for purchases
Technical data
IP address (for rate-limiting and security only)
Browser type and basic device information
Strictly necessary session cookies (no advertising trackers)
3. Why we use your data & legal basis
Contract — to run your account, process orders and connect you with sellers.
Legitimate interest — to keep the platform secure, prevent fraud, detect off-platform sales, and improve the service.
Legal obligation — to keep transaction records for tax and accounting purposes (typically 6 years under UK HMRC rules).
Consent — for any future marketing emails (you opt in, you can opt out anytime).
4. Who we share data with
We only share personal data with carefully chosen processors who help us run the service:
Stripe Inc. — payment processing and seller KYC (US/EU, GDPR-compliant)
Anthropic (Claude) — automated content moderation only (messages are scanned, not stored by the AI)
Sellers — when you place an order, the seller receives your name, shipping address and order details so they can fulfil the order
We do not sell your personal data and we do not share it with advertising networks.
5. How long we keep your data
Account data — while your account is active, then deleted on request
Order records — anonymised after account deletion, retained for up to 6 years for HMRC
Messages — retained while the conversation exists, redacted on account deletion
Password reset tokens — 1 hour, then invalidated
Server logs — 30 days max
6. Your rights
Under UK GDPR you have the following rights, free of charge, at any time:
Right of access — see what data we hold (Account → Export My Data)
Right to portability — download a copy in JSON format
Right to rectification — fix incorrect data via account settings or email us
Right to erasure — delete your account permanently (Account → Delete Account)
Right to object / restrict processing — email us at privacy@unveiledthreads.co.uk
Right to complain — to the UK Information Commissioner's Office at ico.org.uk
Want to export or delete your data right now?
Go to Account Settings — both happen instantly with no email back-and-forth.
7. Cookies
We use a single category of cookies: strictly necessary cookies for authentication (your secure session token) and CSRF protection. We do not use advertising, analytics or tracking cookies. Because these cookies are essential for the site to function, no consent is required under PECR — but we still show you a banner so you know they're there.
8. Security
All traffic is encrypted via TLS 1.2+
Passwords are hashed with bcrypt (industry standard)
Card and bank data never reach our servers
Rate-limiting and account enumeration protection on auth endpoints
Production secrets are stored in deployment environment variables, never in code
9. International transfers
Some of our processors (Stripe, Resend, Anthropic) may process data outside the UK/EEA. Where this happens we rely on Standard Contractual Clauses (SCCs) and equivalent UK transfer mechanisms approved by the ICO.
10. Children
Unveiled Threads is not directed at anyone under 16. If you believe we've collected data about a child, email us and we will delete it immediately.
11. Changes to this policy
If we make material changes we'll update this page and notify active users by email. Continued use of the service after an update means you accept the revised policy.