Legal · Privacy

Privacy Policy

This policy explains what personal data Reluv collects, why we collect it, and what rights you have over it. We have written it in plain English because we think you deserve to understand it without a law degree. It should be read alongside our Terms & Conditions, which govern use of the Platform.

Privacy at a glance. We collect only the personal data needed to run the Reluv marketplace safely: your account details, the information you provide when buying or selling, and limited technical data for fraud prevention. We share data with trusted service providers — such as Stripe (payments) and Sendcloud (shipping) — solely to deliver the service. We never sell your data or use it for advertising. You have rights to access, correct, or delete your data. Full details are below.

Last updated: 14 June 2026

01 —Who we are

The peer-to-peer fashion marketplace at reluv.co.uk is operated by Reluv Ltd (“Reluv”), a company registered in England and Wales under company number 17271596, with registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom. For the purposes of UK data protection law, Reluv is the data controller — that means we decide how and why your personal data is processed.

Reluv acts as data controller for account registration, platform activity, and fraud prevention data. For payment processing and certain identity (KYC) checks, Stripe acts as an independent controller or as our processor, as described in its own privacy policy. Where a third-party provider processes your data on our behalf, we put appropriate contractual safeguards in place; we are not responsible for the independent processing activities of providers such as Stripe beyond ensuring those safeguards exist and that the provider processes data in accordance with applicable law.

You can contact us about anything in this policy at privacy@reluv.co.uk.

02 —What data we collect and why

We only collect data that is necessary to run the platform, process transactions, prevent fraud, and meet legal obligations. Here is a plain-English breakdown.

Account registration

Data	Why we collect it	Legal basis
Email address	To create your account, send transactional emails, and let you sign in.	Contract performance
Display name / handle	To identify you publicly on the platform.	Contract performance
Password (hashed)	To authenticate you. We never store your password in readable form.	Contract performance
Signup IP address	To detect fraud and ban evasion at the point of registration.	Legitimate interest
Login IP address	Recorded on each sign-in to help detect account takeover and ban evasion.	Legitimate interest

Selling

Data	Why we collect it	Legal basis
Legal name	Required by Stripe for identity verification (KYC) before payouts are enabled.	Legal obligation / contract performance
Date of birth	Collected by Stripe during identity verification (KYC) and used, where you cross the reporting thresholds, for digital-platform reporting to HMRC (DAC7). Held by Stripe — Reluv does not store your date of birth.	Legal obligation / contract performance
Tax identifier (National Insurance number or UTR)	Where your sales cross the DAC7 reporting thresholds, HMRC requires us to report a tax identifier. It is collected and held by Stripe through its secure hosted flow — Reluv stores only confirmation that it has been provided, never the number itself.	Legal obligation
Home / return address	Used as the shipping origin for return labels.	Contract performance
Bank / payout details	To pay you when a sale is confirmed. Held and processed by Stripe — Reluv does not store raw bank details.	Contract performance
Listing photos and descriptions	To display your items for sale and to record condition evidence if a dispute arises.	Contract performance

Tax reporting (DAC7). UK law requires digital marketplaces to report certain sellers to HMRC each year. If your sales pass the reporting thresholds, we are required to report details including your name, address, date of birth and a tax identifier (your National Insurance number or UTR). To keep this sensitive data safe, your date of birth and tax identifier are collected and held by Stripe through its secure verification flow — Reluv does not store them, and keeps only a record that they have been provided. We use this only to meet our legal reporting obligation.

Buying

Data	Why we collect it	Legal basis
Delivery address	To ship the item to you and generate shipping labels.	Contract performance
Payment card details	To charge you at checkout. Tokenised and held by Stripe — Reluv never sees your full card number.	Contract performance

Platform activity

Data	Why we collect it	Legal basis
Order history	To display your purchase and sales records, and to meet HMRC record-keeping requirements.	Contract performance / legal obligation
Messages between users	To facilitate communication between buyers and sellers, and to provide evidence in dispute resolution.	Contract performance / legitimate interest
Dispute evidence	Photos and descriptions submitted during a resolution are retained to support a fair outcome.	Legitimate interest
Notification preferences	So we only contact you in the ways you have asked us to.	Contract performance

Fraud prevention and safety

Data	Why we collect it	Legal basis
Banned email list	To prevent banned users from re-registering with the same email address.	Legitimate interest
IP addresses (signup + login)	To detect ban evasion, account takeover, and other abusive behaviour, including identifying accounts that share the same connection.	Legitimate interest
Approximate location (country)	Derived from your IP address at signup and login to spot suspicious sign-in patterns. We do not collect precise location.	Legitimate interest

Mobile apps

When you use our mobile applications, we may additionally collect the following. We do not use any of this data for advertising.

Data	Why we collect it	Legal basis
Push notification token + platform	A device token issued by Apple or Google so we can send you transactional notifications (e.g. order and message updates) you have enabled. Deactivated when it stops working or you sign out.	Contract performance
Device and operating system information	Basic device metadata processed to deliver the app reliably and route notifications to the right platform.	Legitimate interest

03 —Legal basis for processing

UK GDPR requires us to have a lawful reason for processing your personal data. We rely on four:

Contract performance — processing that is necessary to operate your account, complete a transaction, arrange shipping, or handle a dispute. Without this data we cannot provide the service.
Legitimate interest — fraud prevention, ban enforcement, IP logging for security, and retaining dispute evidence. We have carried out balancing tests and concluded that our legitimate interests in preventing fraud, ban evasion, and prohibited business selling, and in protecting the safety and integrity of the Platform, are not overridden by the impact on your rights and freedoms in these specific circumstances. You can object to processing on this basis (see section 10).
Legitimate interest — sending you activity notifications for things you have chosen to follow on the Platform, such as letting you know when a shop you follow lists new items. These are part of the following feature you opted into, not marketing, and you can turn them off at any time in your notification settings (or via the unsubscribe link in the email).
Legal obligation — retaining transaction records for HMRC and other applicable UK law. We cannot honour deletion requests for data we are required by law to keep.
Consent — sending you marketing emails (Reluv news, offers and tips), only if you have opted in. This is entirely optional, never required to use Reluv, and you can withdraw it at any time in your notification settings or via the unsubscribe link in any marketing email.

04 —How we use your data

We use the data described in section 2 to:

Create and maintain your account.
Process payments, hold funds securely with Stripe, and release them to sellers.
Generate and manage shipping labels through Sendcloud.
Send transactional emails (order confirmations, dispute updates, shipping notifications) via Resend.
Send transactional push notifications to your device if you use our mobile apps and have notifications enabled.
Notify you about activity you have chosen to follow — for example, a daily email and in-app updates when shops you follow list new items. You can turn these off in your notification settings.
Resolve disputes fairly — we review messages and evidence from both parties.
Detect and prevent fraud, ban evasion, and other abuse of the platform.
Keep Reluv a marketplace for private individuals — we use sales activity and the declaration you give when selling to identify and prevent prohibited business selling.
Meet our legal obligations, including UK tax law and digital-platform reporting to HMRC (DAC7).
Respond to your support requests.
Send you marketing emails (news, offers and tips) — only if you have opted in, and you can unsubscribe at any time.

We only send marketing emails if you opt in, and you can unsubscribe at any time. We do not build advertising profiles, we do not show third-party ads, and we do not sell or rent your data to any third party.

We share data only with the third-party processors listed below, and only to the extent necessary for them to perform their service.

Data	Why we collect it	Legal basis
Stripe	Payment processing, payout disbursement, and seller identity verification (KYC). Stripe acts as a data processor for payment transactions and as an independent data controller for its own KYC obligations.	stripe.com/gb/privacy
Sendcloud	Generating shipping labels and arranging carrier collection/delivery. Receives buyer and seller names, addresses, and contact details.	sendcloud.com/privacy
Resend	Sending transactional emails (e.g. order confirmations). Receives your email address and the content of those emails.	resend.com/legal/privacy-policy
Vercel / hosting	Server-side hosting and CDN delivery. May process request metadata (IP addresses, user agents) in server logs.	vercel.com/legal/privacy-policy

We may also disclose personal data if required to do so by law, court order, or a regulatory authority, or if necessary to protect the rights or safety of Reluv or its users.

06 —International transfers

Reluv is a UK-based service. However, some of our third-party processors (Stripe, Sendcloud, Resend, Vercel) operate infrastructure in the United States and other countries outside the UK and the European Economic Area.

Where your data is transferred outside the UK, we ensure it is protected by appropriate safeguards, which may include:

UK adequacy regulations (for countries the ICO has deemed adequate);
Standard contractual clauses (SCCs) approved by the ICO; or
The processor's participation in a recognised certification framework.

You can contact us at privacy@reluv.co.uk if you would like further information about the specific safeguards in place for any transfer.

07 —How long we keep your data

Data	Why we collect it	Legal basis
Orders and transaction records	Retained for 7 years from the transaction date.	Legal obligation (HMRC / UK tax law)
Messages	Retained while your account is active. Deleted when your account is deleted, unless the message forms part of a dispute or legal hold.	Contract performance / legitimate interest
IP address and derived country logs (signup and login)	Retained for 12 months.	Legitimate interest (fraud prevention)
Push notification tokens	Retained while valid; deactivated when delivery fails or you sign out, and deleted with your account.	Contract performance
Banned email records	Retained indefinitely to prevent re-registration of banned accounts.	Legitimate interest (platform safety)
Account data (general)	Deleted within 30 days of a valid account deletion request, except where a legal hold applies.	Contract performance

When a deletion request is made, we will confirm whether a legal hold applies to any part of your data and, if so, explain what is retained and for how long.

08 —Cookies

We currently use only essential session cookies placed by NextAuth to keep you signed in. These cookies are strictly necessary for the platform to function and do not require your consent under PECR.

We do not currently use any third-party analytics cookies, advertising cookies, or tracking pixels. If we add analytics cookies in the future, we will update this policy and ask for your consent before any such cookie is set.

09 —How we protect your data

We take appropriate technical and organisational measures to protect your personal data. In particular:

All traffic between your device and Reluv is encrypted in transit (HTTPS/TLS), and our databases and file storage are encrypted at rest.
Passwords are stored only as salted one-way hashes — we cannot read them.
Payment card details are tokenised and held by Stripe; they never touch our servers.
Dispute evidence is stored in a private bucket and is accessible only via short-lived signed links.
Access to personal data is restricted to staff who need it to operate the platform and handle disputes.

No system is perfectly secure. If we become aware of a personal data breach that is likely to result in a risk to your rights, we will notify the ICO and, where required, affected users in accordance with UK GDPR.

10 —Your rights

Under UK GDPR you have the following rights over your personal data:

Access — you can ask for a copy of the personal data we hold about you.
Rectification — you can ask us to correct inaccurate data.
Erasure — you can ask us to delete your data. This right is not absolute: we will explain any legal hold that prevents full deletion.
Portability — you can ask for your data in a structured, machine-readable format so you can transfer it to another service.
Restriction — you can ask us to pause processing of your data while a dispute or investigation is ongoing.
Objection — you can object to processing based on our legitimate interest (for example, IP logging for fraud prevention). We will stop unless we can show a compelling legitimate ground that overrides your interests.

Automated decisions. Some of our fraud-prevention, ban-evasion and safety checks use automated signals — for example, unusual activity or accounts sharing the same connection — and an order may be cancelled automatically if a Seller misses the dispatch deadline. These automated steps flag or pause activity for review; they do not, on their own, make final decisions that significantly affect you. Account suspensions, bans and dispute outcomes always involve a member of our team. If an automated process has affected you, you can ask us to explain it and to have it reviewed by a person by emailing privacy@reluv.co.uk.

To exercise any of these rights, email privacy@reluv.co.uk. We will respond within one month. We may ask you to verify your identity before we action a request.

11 —Children

Reluv is intended for users who are 18 or older. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us at privacy@reluv.co.uk and we will delete it promptly.

12 —Changes to this policy

We may update this policy from time to time to reflect changes in how we operate or in applicable law. When we make a material change, we will notify registered users by email and update the “Last updated” date at the top of this page. We encourage you to review the policy periodically.

Continued use of Reluv after a notified change constitutes acceptance of the updated policy. If you do not agree with a change, you can delete your account before it takes effect.

13 —Contact and complaints

If you have a question or concern about how we handle your data, please contact us first — we would like the chance to resolve it directly.

Privacy contact
Reluv Ltd · reluv.co.uk · Company number 17271596
71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
privacy@reluv.co.uk

If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO):

Information Commissioner’s Office
ico.org.uk
0303 123 1113