Privacy & GDPR Centre

When you register, we collect:

• Your name and email address
• A hashed (never plain-text) password
• Your billing and shipping address(es)
• Your phone number, if you choose to add one

Sellers also provide bank or payment account details so we can transfer payouts. This is processed securely and never stored in plain text.

Yes. Like most websites, we automatically collect certain technical data when you visit, including:

• Your IP address and approximate location (country/city)
• Browser type and operating system
• Pages visited and time spent on each
• Referring URL (e.g. which search engine or site led you here)

This data is collected via cookies and analytics tools. See the Cookies section for full details and how to opt out.

When you place an order, we record:

• Items purchased, quantities and prices
• Payment method type (e.g. Visa ending in 4242) — we never store full card numbers
• Delivery address and tracking information
• Any messages exchanged with the seller about the order

Full card details are handled exclusively by our payment processor and are never stored on our servers.

Under UK GDPR, we must have a lawful basis for every type of processing. We rely on:

• Contract performance — to fulfil your orders, manage your account and communicate with sellers on your behalf
• Legal obligation — to retain financial records for HMRC and comply with consumer law
• Legitimate interests — to prevent fraud, secure our platform, and improve our service
• Consent — for marketing emails and non-essential analytics cookies (you can withdraw this at any time)

Only if you've opted in. We may send you:

• New listings and promotions matching your saved searches or favourites
• Seller announcements from shops you follow
• Platform news and feature updates (you can opt in/out individually)

You can unsubscribe from any marketing email at any time using the link at the bottom of the email, or via Account → Notifications in your dashboard.

We use automated systems to detect fraud and flag suspicious activity (e.g. unusual login locations). These checks may temporarily restrict an account. If your account is restricted as a result, you have the right to request human review — contact our support team and we will manually review the decision within 5 working days.

Yes. You can make a Subject Access Request (SAR) at any time. We will provide a copy of all personal data we hold about you, free of charge, within 30 days.

Some data may be redacted where disclosure would affect the rights of another person (e.g. a seller's private messages to us about your order). We will explain any such redactions clearly.

Yes — this is your "right to be forgotten". You can request deletion of your account and personal data. We will erase your data within 30 days, except where we are legally required to keep it.

What we must keep: Transaction records (invoices, VAT data) must be retained for 7 years under UK tax law. These will be anonymised as far as legally possible.

Sellers: If you have an active shop with outstanding payouts or open disputes, your account cannot be fully deleted until these are resolved. We will guide you through the process.

Yes. You can update most personal data yourself in Account → Settings. For data you cannot edit directly (such as historical order records), contact us and we will correct inaccuracies promptly.

Yes. You can request a machine-readable export (JSON or CSV) of the data you have provided to us and which we process on the basis of contract or consent. This includes your profile, purchase history, saved items, and messages.

Request a data export via our DPO contact form or at Account → Settings → Download my data.

You can object to processing carried out on the basis of legitimate interests or for direct marketing. For direct marketing, we will always stop immediately. For other processing, we will assess whether our legitimate interests override your right and respond within 30 days.

In certain circumstances (e.g. you've contested the accuracy of data while we verify it), you can ask us to restrict processing. We'll keep the data but only process it for limited purposes (storage, legal claims, or with your consent) until the restriction is lifted.

We use three categories of cookie:

You can update your cookie preferences at any time:

• Click the Cookie Settings link in the footer of any page
• Go to Account → Privacy Settings if you're logged in
• Clear cookies in your browser settings (this resets all preferences)

Withdrawing consent does not affect the lawfulness of processing carried out before your withdrawal.

Only with your consent for marketing/analytics cookies. Third-party scripts currently on the site may include Google Analytics and Meta Pixel. Each third party's data use is governed by their own privacy policy. Our full list of data processors is available on request via our DPO.

No. We never sell your personal data. We only share it when strictly necessary to deliver our service or comply with the law.

Your delivery address is shared only with the seller who fulfilled your order, so they can ship your item. Sellers are bound by our seller agreement and UK GDPR to process this data solely for fulfilment.

Your address is not displayed publicly on your profile.

We work with the following categories of processor, all under a data processing agreement:

• Payment processors — handle card data securely (PCI DSS compliant)
• Cloud hosting providers — store our databases and files
• Email / transactional SMS providers — send order confirmations and account notifications
• Fraud detection services — analyse transactions for suspicious patterns
• Analytics platforms — only where you've consented to analytics cookies

For a full list of processors, email privacy@ratch.uk.

Some of our processors operate servers in the US or EEA. Where data is transferred outside the UK, we ensure one of the following safeguards is in place:

• An ICO adequacy decision for the destination country
• UK International Data Transfer Agreements (IDTAs)
• UK-approved binding corporate rules

We hold your account data for as long as your account is active. If you delete your account (or we close it), your personal profile data is erased within 30 days.

Inactive accounts (no login for 3 years) receive an email reminder before we begin deletion. We will always give you 30 days' notice.

Financial and transaction records (invoices, payment records) must be retained for 7 years to comply with HMRC requirements, even after account deletion. These records are anonymised as much as the law permits.

Support tickets are retained for 3 years to enable us to assist with follow-up queries and identify recurring issues. Complaints and any associated decisions are retained for 6 years in case of legal proceedings.

If you are unhappy with how we've handled a privacy request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection supervisory authority.

• Website: ico.org.uk/make-a-complaint
• Phone: 0303 123 1113
• Post: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would always prefer the chance to resolve your concern directly first — please contact us before escalating to the ICO.

Yes. Our full legal Privacy Policy is available at Privacy Policy. This Privacy Centre is designed to answer common questions in plain English — the full policy is the authoritative legal document.