Privacy Policy
Table of Contents
🔒 Your privacy matters to us. This policy explains exactly what personal data WishThrift collects, why we collect it, and the full rights you have over it. We never sell your personal data to third parties.
1. Who We Are
WishThrift (“we”, “us”, “our”) operates the peer-to-peer fashion resale marketplace at wishthrift.com. For the purposes of the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR), WishThrift is the data controller of your personal data.
If you have any questions about this Privacy Policy or how we handle your data, please contact us at privacy@wishthrift.com.
2. Data We Collect
2.1 Data You Provide Directly
| Data Type | When Collected | Examples |
|---|---|---|
| Account data | On registration | Name, email address, password (hashed), date of birth |
| Profile data | When you set up your profile | Username, profile photo, bio, location (city/postcode) |
| Listing data | When you create a listing | Item photos, description, price, brand, condition, size |
| Transaction data | When you buy or sell | Order details, delivery address, tracking numbers |
| Communications | When you message other users or contact support | Messages, dispute submissions, support emails |
| Payment data | At checkout | Processed entirely by Stripe — WishThrift does not store card numbers |
2.2 Data We Collect Automatically
| Data Type | Purpose |
|---|---|
| IP address | Security, fraud prevention, approximate location |
| Browser type & version | Platform optimisation |
| Pages visited & time on site | Analytics, improving the platform |
| Device type & OS | Mobile optimisation |
| Referral source | Understanding how users find us |
| Cookies & local storage | Session management, preferences (see Section 6) |
2.3 Data We Do Not Collect
We do not collect or store full payment card numbers, CVV codes, or bank account details. All payment processing is handled directly by Stripe under their own privacy policy.
3. How We Use Your Data
- Account management: creating and managing your account, authenticating your identity
- Marketplace operations: displaying listings, facilitating transactions, processing payments via Stripe
- Communication: sending order confirmations, shipping notifications, dispute updates, and support responses
- Safety & fraud prevention: detecting and preventing fraud, counterfeit listings, and abuse
- Platform improvement: analysing usage to improve features, performance, and user experience
- Legal compliance: complying with applicable laws, tax obligations, and responding to legal requests
- Marketing (with consent only): sending promotional emails, new feature announcements — only if you opt in
4. Legal Basis for Processing (GDPR)
Under UK/EU GDPR, we must have a lawful basis for processing your personal data. We rely on the following bases:
| Processing Activity | Legal Basis |
|---|---|
| Creating and managing your account | Contract performance |
| Processing transactions & escrow | Contract performance |
| Sending transactional emails (orders, disputes) | Contract performance |
| Fraud detection & platform security | Legitimate interests |
| Analytics & platform improvement | Legitimate interests |
| Legal compliance (tax, law enforcement) | Legal obligation |
| Marketing & promotional emails | Consent (opt-in only) |
| Non-essential cookies | Consent |
You have the right to object to processing based on legitimate interests. See Section 9 for how to exercise your rights.
5. Who We Share Data With
We do not sell your personal data. We share data only with the following categories of third parties, and only as necessary:
5.1 Stripe (Payment Processing)
Payment data is processed by Stripe, Inc. Stripe receives your name, email, billing address, and payment card information. Stripe operates under their own privacy policy at stripe.com/privacy. WishThrift does not store or access full payment card details.
5.2 Hosting & Infrastructure
Our platform is hosted by Hostinger. Server infrastructure may process your data to deliver the platform service. Hosting providers are bound by data processing agreements.
5.3 Analytics
We may use privacy-respecting analytics tools to understand how the platform is used. These tools process anonymised or aggregated data only.
5.4 Other Users (Necessary for Transactions)
When you buy or sell, your username, profile information, and delivery address (for shipped orders) are shared with the other party in the transaction as necessary to complete it.
5.5 Legal Requests
We may disclose your data to law enforcement or regulatory authorities where required by law, court order, or to protect the rights, property, or safety of WishThrift, our users, or others.
6. Cookies & Tracking
We use cookies and similar technologies to operate the platform and improve your experience. For full details, see our Cookie Policy.
Essential Cookies
Required for the platform to function (login sessions, cart, security). These cannot be disabled without breaking the site.
Analytics Cookies
Used to understand how users interact with the platform. Requires your consent and can be declined via our cookie banner.
Marketing Cookies
Used to show relevant ads on other platforms. We do not currently use advertising cookies. If we introduce them in future, we will request your consent first.
You can manage your cookie preferences at any time via the cookie settings link in the footer, or by clearing cookies in your browser settings.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | For the life of your account + 2 years after deletion |
| Transaction records | 7 years (UK tax and legal compliance requirements) |
| Support communications | 3 years from last contact |
| Dispute records | 3 years from resolution |
| Analytics data | 13 months (rolling) |
| Marketing opt-ins | Until you withdraw consent or close your account |
When data is no longer required, it is securely deleted or anonymised.
8. International Transfers
WishThrift is based in the United Kingdom. If you access the Platform from outside the UK or EU, your data may be transferred to and processed in the UK.
Where we transfer data to third parties outside the UK/EU (such as Stripe, which operates in the US), we ensure appropriate safeguards are in place, including Standard Contractual Clauses or adequacy decisions as applicable.
9. Your Rights
Under UK/EU GDPR, you have the following rights over your personal data. To exercise any right, contact privacy@wishthrift.com. We will respond within 30 days.
📄 Right of Access
Request a copy of all personal data we hold about you (Subject Access Request).
✏️ Right to Rectification
Ask us to correct inaccurate or incomplete data we hold about you.
🗑️ Right to Erasure
Request deletion of your personal data (“right to be forgotten”), subject to legal retention requirements.
⏸️ Right to Restrict
Ask us to limit processing of your data in certain circumstances.
📦 Right to Portability
Receive your data in a structured, machine-readable format to transfer to another provider.
🚫 Right to Object
Object to processing based on legitimate interests, including direct marketing.
📧 Withdraw Consent
Withdraw consent for marketing emails or non-essential cookies at any time.
⚖️ Right to Complain
Lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk.
10. Children’s Privacy
WishThrift is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child under 18 has created an account, please contact us at privacy@wishthrift.com and we will delete the account and associated data promptly.
11. Security
We take data security seriously and implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These include:
- SSL/TLS encryption for all data in transit
- Hashed and salted passwords (we cannot see your password)
- Regular security updates and monitoring
- Access controls limiting who can access personal data internally
- Payment data handled exclusively by Stripe (PCI DSS compliant)
No system is 100% secure. In the event of a data breach that affects your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will notify you by email or prominent notice on the Platform. The “last updated” date at the top of this page shows when the policy was last revised.
Your continued use of the Platform after changes constitutes acceptance of the updated policy.
13. Contact & Complaints
For any privacy-related questions, data requests, or concerns:
- Privacy email: privacy@wishthrift.com
- General: hello@wishthrift.com
- Web: wishthrift.com/contact
If you are based in the UK and are not satisfied with our response, you have the right to complain to the Information Commissioner’s Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
If you are based in the EU, you may contact your local Data Protection Authority (DPA).