Legal · Privacy
Privacy Policy
This policy explains what personal data Reluv collects, why we collect it, and what rights you have over it. We have written it in plain English because we think you deserve to understand it without a law degree. It should be read alongside our Terms & Conditions, which govern use of the Platform.
Last updated: 3 July 2026
01 —Who we are
The peer-to-peer fashion marketplace at reluv.co.uk is operated by Reluv Ltd (“Reluv”), a company registered in England and Wales under company number 17271596, with registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom. For the purposes of UK data protection law, Reluv is the data controller — that means we decide how and why your personal data is processed. We are registered with the Information Commissioner’s Office (ICO) as a data controller under registration number ZC182698.
Reluv acts as data controller for account registration, platform activity, and fraud prevention data. For payment processing and certain identity (KYC) checks, Stripe acts as an independent controller or as our processor, as described in its own privacy policy. Where a third-party provider processes your data on our behalf, we put appropriate contractual safeguards in place; we are not responsible for the independent processing activities of providers such as Stripe beyond ensuring those safeguards exist and that the provider processes data in accordance with applicable law.
You can contact us about anything in this policy at privacy@reluv.co.uk.
02 —What data we collect and why
We only collect data that is necessary to run the platform, process transactions, prevent fraud, and meet legal obligations. Here is a plain-English breakdown.
Account registration
| Data | Why we collect it | Legal basis |
|---|---|---|
| Email address | To create your account, send transactional emails, and let you sign in. | Contract performance |
| Display name / handle | To identify you publicly on the platform. | Contract performance |
| Password (hashed) | To authenticate you. We never store your password in readable form. | Contract performance |
| Signup IP address | To detect fraud and ban evasion at the point of registration. | Legitimate interest |
| Login IP address | Recorded on each sign-in to help detect account takeover and ban evasion. | Legitimate interest |
Selling
| Data | Why we collect it | Legal basis |
|---|---|---|
| Legal name | Required by Stripe for identity verification (KYC) before payouts are enabled. | Legal obligation / contract performance |
| Date of birth | Collected by Stripe during identity verification (KYC) and used, where you cross the reporting thresholds, for digital-platform reporting to HMRC (DAC7). Held by Stripe — Reluv does not store your date of birth. | Legal obligation / contract performance |
| Tax identifier (National Insurance number or UTR) | Where your sales cross the DAC7 reporting thresholds, HMRC requires us to report a tax identifier. It is collected and held by Stripe through its secure hosted flow — Reluv stores only confirmation that it has been provided, never the number itself. | Legal obligation |
| Home / return address | Used as the shipping origin for return labels. | Contract performance |
| Bank / payout details | To pay you when a sale is confirmed. Held and processed by Stripe — Reluv does not store raw bank details. | Contract performance |
| Listing photos, descriptions and details | To display your items for sale, to record condition evidence if a dispute arises, and to screen listings for compliance with our Terms (see 'Listing screening'). | Contract performance; legitimate interest (screening) |
Buying
| Data | Why we collect it | Legal basis |
|---|---|---|
| Delivery address | To ship the item to you and generate shipping labels. | Contract performance |
| Payment card details | To charge you at checkout. Tokenised and held by Stripe — Reluv never sees your full card number. | Contract performance |
Platform activity
| Data | Why we collect it | Legal basis |
|---|---|---|
| Order history | To display your purchase and sales records, and to meet HMRC record-keeping requirements. | Contract performance / legal obligation |
| Messages between users | To facilitate communication between buyers and sellers, and to provide evidence in dispute resolution. | Contract performance / legitimate interest |
| Dispute evidence | Photos and descriptions submitted during a resolution are retained to support a fair outcome. | Legitimate interest |
| Notification preferences | So we only contact you in the ways you have asked us to. | Contract performance |
| Ratings and reviews | The star ratings and written reviews you leave, and those left about you, used to operate our reviews system and help Users transact with confidence. Seller ratings are shown publicly on the profile; Buyer ratings have restricted visibility. | Contract performance / legitimate interest |
Fraud prevention and safety
| Data | Why we collect it | Legal basis |
|---|---|---|
| Banned email list | To prevent banned users from re-registering with the same email address. | Legitimate interest |
| IP addresses (signup + login) | To detect ban evasion, account takeover, and other abusive behaviour, including identifying accounts that share the same connection. | Legitimate interest |
| Approximate location (country) | Derived from your IP address at signup and login to spot suspicious sign-in patterns. We do not collect precise location. | Legitimate interest |
| Blocking and safety preferences | If you block another User, we record that so we can prevent them from contacting you and help keep the Platform safe. | Legitimate interest (user safety) |
Mobile apps
When you use our mobile applications, we may additionally collect the following. We do not use any of this data for advertising.
| Data | Why we collect it | Legal basis |
|---|---|---|
| Push notification token + platform | A device token issued by Apple or Google so we can send you transactional notifications (e.g. order and message updates) you have enabled. Deactivated when it stops working or you sign out. | Contract performance |
| Device and operating system information | Basic device metadata processed to deliver the app reliably and route notifications to the right platform. | Legitimate interest |
03 —Legal basis for processing
UK GDPR requires us to have a lawful reason for processing your personal data. We rely on the following lawful bases:
- Contract performance — processing that is necessary to operate your account, complete a transaction, arrange shipping, or handle a dispute. Without this data we cannot provide the service.
- Legitimate interest — fraud prevention, ban enforcement, IP logging for security, and retaining dispute evidence. We have carried out balancing tests and concluded that our legitimate interests in preventing fraud, ban evasion, and prohibited business selling, and in protecting the safety and integrity of the Platform, are not overridden by the impact on your rights and freedoms in these specific circumstances. You can object to processing on this basis (see section 10).
- Legitimate interest — sending you activity notifications for things you have chosen to follow on the Platform, such as letting you know when a shop you follow lists new items. These are part of the following feature you opted into, not marketing, and you can turn them off at any time in your notification settings (or via the unsubscribe link in the email).
- Legitimate interest — listing screening (fraud, IP, safety and quality): preventing fraud, protecting intellectual-property rights and buyers, detecting prohibited or illegal items, and maintaining the quality and safety of the marketplace. Our duties under the Online Safety Act 2023 reinforce these interests. We have carried out a Legitimate Interests Assessment and a Data Protection Impact Assessment for this processing.
- Legal obligation — retaining transaction records for HMRC and other applicable UK law. We cannot honour deletion requests for data we are required by law to keep.
- Consent — sending you marketing emails (Reluv news, offers and tips), only if you have opted in. This is entirely optional, never required to use Reluv, and you can withdraw it at any time in your notification settings or via the unsubscribe link in any marketing email.
04 —How we use your data
We use the data described in section 2 to:
- Create and maintain your account.
- Process payments, hold funds securely with Stripe, and release them to sellers.
- Generate and manage shipping labels through Parcel2Go (and the carriers it books, such as Royal Mail, Evri, and Yodel).
- Send transactional emails (order confirmations, dispute updates, shipping notifications) via Resend.
- Send transactional push notifications to your device if you use our mobile apps and have notifications enabled.
- Notify you about activity you have chosen to follow — for example, a daily email and in-app updates when shops you follow list new items. You can turn these off in your notification settings.
- Resolve disputes fairly — we review messages and evidence from both parties.
- Detect and prevent fraud, ban evasion, and other abuse of the platform.
- Let you block other Users and act on those blocks to prevent unwanted contact, and keep the Platform safe.
- Keep Reluv a marketplace for private individuals — we use sales activity and the declaration you give when selling to identify and prevent prohibited business selling.
- Meet our legal obligations, including UK tax law and digital-platform reporting to HMRC (DAC7).
- Respond to your support requests.
- Send you marketing emails (news, offers and tips) — only if you have opted in, and you can unsubscribe at any time.
Screening listings. We review the listings and listing images you submit to check compliance with our Terms and to detect prohibited items, counterfeit or replica goods, stock or catalogue images used as cover photos, and poor-quality photos. This review is carried out both manually and by automated means, including an AI tool provided by a third-party processor. The automated screening is directed at the item being sold and the photograph itself — it is not used to identify or analyse any person who may appear in a photo. Your images are sent to our processor only for this analysis: the processor does not use your content to train its models, and retains it only briefly to operate the service and prevent misuse, after which it is deleted. We keep only the resulting assessment (a flag, a confidence score and a short internal note), not the images.
Promoting Reluv. We may feature your own item photographs, together with the item details, to promote and advertise the Platform — on our website and apps, in emails, on our social media accounts, and in paid advertising on third-party platforms. We use your own photographs only (never third-party stock or manufacturer images), and only to promote Reluv itself — not to build a profile of you or to target you with ads. You can opt out at any time in your account settings or by emailing marketing@reluv.co.uk; the full terms of this licence are in the User-generated content section of our Terms & Conditions.
05 —Who we share your data with
We share data only with the third-party processors listed below, and only to the extent necessary for them to perform their service.
| Recipient | What they do | Privacy policy |
|---|---|---|
| Stripe | Payment processing, payout disbursement, and seller identity verification (KYC). Stripe acts as a data processor for payment transactions and as an independent data controller for its own KYC obligations. | stripe.com/gb/privacy |
| Parcel2Go | Generating shipping labels and arranging carrier collection/delivery. Parcel2Go books the chosen carrier (e.g. Royal Mail, Evri, Yodel) and receives buyer and seller names, addresses, and contact details, which it passes to that carrier to complete delivery. | parcel2go.com/privacy-policy |
| Resend | Sending transactional emails (e.g. order confirmations). Receives your email address and the content of those emails. | resend.com/legal/privacy-policy |
| Vercel / hosting | Server-side hosting and CDN delivery. May process request metadata (IP addresses, user agents) in server logs. | vercel.com/legal/privacy-policy |
| Anthropic | AI model provider. Processes listing images and details to generate listing suggestions and screening signals. Anthropic acts as our processor under a written data-processing agreement that covers its own onward sub-processors. Under that agreement and Anthropic's terms, your content is not used to train Anthropic's models and is retained only briefly to operate the service and prevent misuse. | anthropic.com/legal/privacy |
We may also disclose personal data if required to do so by law, court order, or a regulatory authority, or if necessary to protect the rights or safety of Reluv or its users.
06 —International transfers
Reluv is a UK-based service. However, some of our third-party processors (Stripe, Resend, Vercel, Anthropic) operate infrastructure in the United States and other countries outside the UK and the European Economic Area.
Where your data is transferred outside the UK, we ensure it is protected by appropriate safeguards, which may include:
- UK adequacy regulations (for countries the ICO has deemed adequate);
- Standard contractual clauses (SCCs) approved by the ICO; or
- The processor's participation in a recognised certification framework.
Some processing by our AI provider (Anthropic) takes place in the United States. We rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (incorporated into our provider's data-processing agreement), supported by a transfer risk assessment, to ensure an equivalent level of protection. Where our provider is certified under the UK Extension to the EU–US Data Privacy Framework, that framework may also apply.
You can contact us at privacy@reluv.co.uk if you would like further information about the specific safeguards in place for any transfer.
07 —How long we keep your data
| Data | How long we keep it | Legal basis |
|---|---|---|
| Orders and transaction records | Retained for 7 years from the transaction date. | Legal obligation (HMRC / UK tax law) |
| Messages, reviews and support messages | Kept while your account is active. When you delete your account, your identifying details are anonymised within 30 days. The content you created — direct messages, review comments and messages to our support team — is then retained for up to 150 days so that we can resolve a late dispute, respond to a card chargeback, or investigate fraud, abuse or a safety matter, and so that we can establish, exercise or defend legal claims; after that period it is deleted or irreversibly anonymised. We keep it for longer only where an active dispute, investigation or other legal hold requires it, and only for as long as that requires. During the retention period this content is not hidden: your messages remain visible to the other person in that conversation, and any published review remains part of the recipient's feedback — in each case shown against an anonymised account rather than your name. | Legitimate interests (fraud prevention, platform safety and integrity); and establishment, exercise or defence of legal claims (UK GDPR Art. 17(3)(e)), and compliance with legal obligations where applicable. |
| IP address and derived country logs (signup and login) | Retained for 12 months. | Legitimate interest (fraud prevention) |
| Push notification tokens | Retained while valid; deactivated when delivery fails or you sign out, and deleted with your account. | Contract performance |
| Banned email records | Retained indefinitely to prevent re-registration of banned accounts. | Legitimate interest (platform safety) |
| Account data (identity) | Your identifying profile data — such as your name, email address, contact details and login credentials — is erased, or irreversibly anonymised, within 30 days of a valid account deletion request, except where a legal hold applies. After erasure, some non-identifying content you created is retained only for the limited periods, and only for the purposes, set out elsewhere in this table. | Contract performance; legitimate interests for any limited post-deletion retention. |
| Listing screening records | We do not retain the images used for screening. We keep the screening assessment (flags, confidence, internal notes and any moderator decision) for 12 months to validate and improve the system and to maintain an audit trail of moderation decisions, after which we delete or aggregate it. | Legitimate interest |
When a deletion request is made, we will confirm whether a legal hold applies to any part of your data and, if so, explain what is retained and for how long.
08 —Cookies
We currently use only essential session cookies placed by NextAuth to keep you signed in. These cookies are strictly necessary for the platform to function and do not require your consent under PECR.
09 —How we protect your data
We take appropriate technical and organisational measures to protect your personal data. In particular:
- All traffic between your device and Reluv is encrypted in transit (HTTPS/TLS), and our databases and file storage are encrypted at rest.
- Passwords are stored only as salted one-way hashes — we cannot read them.
- Payment card details are tokenised and held by Stripe; they never touch our servers.
- Dispute evidence is stored in a private bucket and is accessible only via short-lived signed links.
- Access to personal data is restricted to staff who need it to operate the platform and handle disputes.
No system is perfectly secure. If we become aware of a personal data breach that is likely to result in a risk to your rights, we will notify the ICO and, where required, affected users in accordance with UK GDPR.
10 —Your rights
Under UK GDPR you have the following rights over your personal data:
- Access — you can ask for a copy of the personal data we hold about you.
- Rectification — you can ask us to correct inaccurate data.
- Erasure — you can ask us to delete your data, and you can delete your account yourself at any time in the app (Settings → Security) or by emailing privacy@reluv.co.uk. When you delete your account, we erase or irreversibly anonymise your identifying data within 30 days, as set out in “How long we keep it”, except where a legal hold applies. This right is not absolute: we will explain any legal hold that prevents full deletion.
- Portability — you can ask for your data in a structured, machine-readable format so you can transfer it to another service.
- Restriction — you can ask us to pause processing of your data while a dispute or investigation is ongoing.
- Objection — you can object to processing based on our legitimate interest (for example, IP logging for fraud prevention). We will stop unless we can show a compelling legitimate ground that overrides your interests.
Automated decisions. Some of our fraud-prevention, ban-evasion and safety checks use automated signals, and we use automated tools to help screen listings; an order may also be cancelled automatically if a Seller misses the dispatch deadline. These automated steps flag or pause activity for review — they do not, on their own, make decisions that significantly affect you. Any decision to remove or suspend a listing, to suspend or ban an account, or to resolve a dispute is reviewed and decided by a member of our team. Where we take such action you will receive a statement of reasons and can ask us to review the decision, make representations and obtain human intervention — by raising a support ticket (your removal notice includes a reference code) or by emailing privacy@reluv.co.uk.
To exercise any of these rights, email privacy@reluv.co.uk. We will respond within one month. We may ask you to verify your identity before we action a request.
11 —Children
Reluv is intended for users who are 18 or older. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us at privacy@reluv.co.uk and we will delete it promptly.
12 —Changes to this policy
We may update this policy from time to time to reflect changes in how we operate or in applicable law. When we make a material change, we will notify registered users by email and update the “Last updated” date at the top of this page. We encourage you to review the policy periodically.
Continued use of Reluv after a notified change constitutes acceptance of the updated policy. If you do not agree with a change, you can delete your account before it takes effect.
13 —Contact and complaints
If you have a question or concern about how we handle your data, please contact us first — we would like the chance to resolve it directly.
Reluv Ltd · reluv.co.uk · Company number 17271596
71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
privacy@reluv.co.uk
If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO):
© 2026 Reluv · reluv.co.uk · Privacy Policy