Privacy Policy

Last updated: February 2026

This Privacy Policy explains how Reefsy collects, uses, shares, and protects your personal data when you use our platform. We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller

Reefsy is the data controller for the personal data described in this policy. If you have questions about how we handle your data, contact us at privacy@reefsy.co.uk.

2. Personal Data We Collect

We collect the following categories of personal data:

Account Data

  • Email address, username
  • Profile information: name, bio, avatar, cover image
  • Account type (individual or business) and account status

Location Data

  • Postcode (used to determine approximate location for local listings)
  • City, region, and country derived from postcode lookup via postcodes.io
  • Approximate latitude and longitude derived from postcode (not precise GPS)

Business Seller Data

  • Business name, registration number, and VAT number
  • Business address and phone number
  • Verification status

Transaction Data

  • Order history: items purchased or sold, quantities, prices, dates
  • Shipping addresses provided for deliveries
  • Tracking numbers and delivery status
  • Commission and payout amounts
  • Buyer Protection selections

Payment Data

Payment card details are processed directly by Stripe and are never stored on Reefsy servers. We store only: Stripe account IDs, payment intent references, and transaction amounts. See Stripe's privacy policy at stripe.com/privacy for how they handle your card data.

Communication Data

  • Messages exchanged between buyers and sellers on the platform
  • Support correspondence
  • Forum posts and replies

Claim and Dispute Data

  • DOA claim descriptions and evidence (photos and videos you upload)
  • Seller responses and counter-evidence
  • Admin notes and claim outcomes

Technical and Usage Data

  • IP address, browser type, device type, and operating system
  • Pages viewed, search queries, and interactions with listings
  • Session data and referring URLs

3. Legal Basis for Processing

Under UK GDPR, we must have a lawful basis for processing your personal data. Here is the basis we rely on for each purpose:

Contract Performance (Article 6(1)(b))

Processing necessary to provide the Reefsy service you have signed up for:

  • Creating and managing your account
  • Processing orders, payments, and payouts
  • Providing the Buyer Protection and claims service
  • Facilitating communication between buyers and sellers
  • Delivering transactional emails (order confirmations, shipping updates, claim notifications)

Legitimate Interest (Article 6(1)(f))

Processing necessary for our legitimate business interests, balanced against your rights:

  • Fraud detection and prevention (message filtering, suspicious activity monitoring, claim rate tracking)
  • Platform safety and abuse prevention
  • Improving the platform based on usage patterns
  • Listing quality review (including AI-assisted review — see Section 8)
  • Content moderation for forum posts and messages

Consent (Article 6(1)(a))

Processing based on your explicit opt-in consent:

  • Marketing emails and newsletters
  • Analytics cookies (non-essential)

You can withdraw consent at any time by updating your account settings or using the unsubscribe link in any marketing email.

Legal Obligation (Article 6(1)(c))

Processing required by UK law:

  • Retaining financial records for tax and accounting purposes (6 years)
  • Responding to lawful requests from law enforcement or regulatory bodies
  • Reporting suspected fraud or money laundering

4. How We Use Your Data

We use your personal data to:

  • Provide and operate the Reefsy marketplace
  • Process transactions, manage escrow, and transfer payouts to sellers
  • Administer the Buyer Protection programme and resolve claims
  • Send transactional communications (order updates, shipping notifications, claim status)
  • Send marketing communications if you have opted in
  • Detect and prevent fraud, abuse, and policy violations
  • Monitor platform safety including message filtering and content moderation
  • Improve the platform based on usage data and feedback
  • Comply with legal obligations

5. How We Share Your Data

We do not sell your personal data. We share data only in the following circumstances:

Between Buyers and Sellers

When you complete a transaction, the buyer and seller receive information necessary to fulfil the order. Sellers receive the buyer's name and shipping address. Buyers see the seller's username, location, ratings, and DOA rate.

Third-Party Service Providers

We use the following processors to operate the platform. Each processes data only for the purpose described:

  • Stripe (stripe.com) — payment processing, seller identity verification, and payouts. Stripe processes card details, bank account information (for sellers), and identity documents. Based in the US with EU/UK data processing.
  • Supabase (supabase.com) — database hosting, user authentication, and file storage (including claim evidence). Data hosted in the EU.
  • Cloudflare (cloudflare.com) — website hosting, content delivery, and DDoS protection. Processes IP addresses and web traffic globally.
  • Resend (resend.com) — transactional and marketing email delivery. Processes email addresses, usernames, and email content. Based in the US.
  • Google (Gemini AI) — listing quality review and content moderation. Listing photos and descriptions may be analysed by Google's AI models to assess quality and detect policy violations. Based in the US.
  • Postcodes.io — UK postcode validation and geolocation lookup. Processes postcodes only (no personal identifiers). UK-based service.

Legal Requirements

We may disclose data where required by law, court order, or regulatory request, or to protect the rights, safety, or property of Reefsy, our users, or the public.

6. International Data Transfers

Some of our service providers are based in the United States (Stripe, Resend, Google). When your data is transferred outside the UK, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner
  • UK Extension to the EU-US Data Privacy Framework (where applicable)
  • Processor-specific data protection agreements

You can contact us at privacy@reefsy.co.uk for more information about the safeguards in place for any specific transfer.

7. Automated Decision-Making

Reefsy uses automated systems that may affect your experience on the platform:

  • Message filtering: Messages are automatically scanned for off-platform payment solicitation and policy violations. Messages matching these patterns may be blocked automatically.
  • Seller DOA rate tracking: Your shipping statistics and DOA claim rate are calculated automatically and affect your clawback rate and account standing (see Terms of Service Section 7).
  • Buyer claim rate tracking: Your claim history is tracked to detect patterns. High claim rates may be flagged for manual review.
  • Suspicious activity scoring: Account activity is scored for fraud risk. High-risk accounts may be flagged for manual review.
  • Listing quality review: Listing photos and descriptions may be analysed by AI tools to provide quality suggestions and detect policy violations.
  • Content moderation: Forum posts and messages may be analysed by automated tools for policy compliance.

No automated system on Reefsy makes final decisions about account suspension, claim resolution, or payouts without human review. All claim decisions are made by a human admin. If you believe an automated action (such as a blocked message) was incorrect, contact support.

Under UK GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. You may request human review of any automated decision by contacting support.

8. Platform Monitoring

Message Monitoring

Messages sent through the Reefsy platform are monitored for compliance with our Terms of Service. Specifically, messages are scanned for attempts to move transactions off-platform (sharing payment details, phone numbers, email addresses, or references to external payment methods). Detected violations may be logged including the original message content, the pattern matched, and the action taken (blocked, warned, or flagged for review).

AI-Assisted Review

Listing photos and descriptions may be sent to Google's Gemini AI for quality assessment and policy compliance checks. This analysis is used to provide quality suggestions to sellers and to detect potential issues such as stock photos or miscategorised items. The AI does not make binding decisions — sellers can accept or reject suggestions.

Fraud Prevention

Reefsy tracks buyer-seller transaction pairs to detect potential collusion. We also maintain suspicious activity records that include risk scores and restriction status. These records are used by our admin team to investigate potential fraud and are not shared with other users.

9. Cookies

We use cookies and similar technologies on Reefsy:

Essential Cookies

Required for the platform to function. These include session cookies, authentication tokens, and CSRF protection tokens. These cannot be disabled.

Analytics Cookies

Used to understand how users interact with the platform and to improve the service. These are only set if you consent to them via the cookie banner.

We do not use advertising or marketing cookies. You can manage your cookie preferences through your browser settings. Disabling essential cookies will prevent the platform from functioning correctly.

10. Data Retention

We retain your data only as long as necessary for the purposes described in this policy. Our target retention periods are:

  • Account data: retained while your account is active and for up to 3 years after closure (for chargeback and dispute resolution)
  • Transaction and financial records: up to 6 years (UK tax and accounting requirements)
  • Claim evidence (photos and videos): retained for the duration of the claim process and a reasonable period after resolution
  • Messages: retained while your account is active
  • Technical logs and analytics: retained for a reasonable period for security and improvement purposes
  • Session cookies: deleted when you log out or close your browser
  • Marketing consent records: retained as long as the consent is active or for a reasonable period after withdrawal (to demonstrate compliance)

When you request account deletion, we will remove non-essential data within a reasonable timeframe. Data we are legally required to retain (financial records, active dispute data) will be kept for the minimum required period and then deleted.

11. Your Rights Under UK GDPR

You have the following rights regarding your personal data. To exercise any right, email privacy@reefsy.co.uk with your request. We will respond within 30 days (extendable to 90 days for complex requests).

Right of Access

You can request a copy of all personal data we hold about you. We will provide this in a portable, machine-readable format.

Right to Rectification

You can update most of your data directly in your account settings. For data you cannot edit directly, contact us and we will correct it.

Right to Erasure

You can request deletion of your personal data. We will comply unless we have a legal obligation to retain it (see Data Retention above). Note that reviews you have left may remain visible but will be anonymised.

Right to Restrict Processing

You can ask us to limit processing of your data to storage only — for example, while we investigate a complaint or if you contest the accuracy of your data.

Right to Data Portability

You can request your data in a structured, machine-readable format (JSON or CSV) to transfer to another service.

Right to Object

You can object to processing based on legitimate interest. We will stop unless we can demonstrate compelling legitimate grounds. You can object to marketing at any time by clicking "Unsubscribe" or updating your account settings.

Rights Related to Automated Decision-Making

You have the right to request human review of automated decisions that significantly affect you. See Section 7 for details of our automated systems.

Right to Complain

If you believe we have violated your data protection rights, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Phone: 0303 123 1113

12. Children's Privacy

Reefsy is not directed at anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child under 18 has created an account, please contact us and we will delete the account and associated data.

13. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including: encryption in transit (TLS/HTTPS), encrypted password storage, row-level security on database tables, CSRF protection, webhook signature verification, and regular security reviews. However, no system is completely secure. If you discover a security vulnerability, please report it responsibly to security@reefsy.co.uk.

14. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights, we will notify the ICO within 72 hours. If the breach is likely to result in a high risk to you, we will notify you directly without undue delay, describing the breach, the data affected, and the steps you can take to protect yourself. Report suspected breaches to privacy@reefsy.co.uk.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email at least 14 days before they take effect. The "Last updated" date at the top indicates the most recent revision.

16. Contact Us

For privacy-related questions or to exercise your data rights, contact us at privacy@reefsy.co.uk. Our registered address is available on request.

We have not appointed a Data Protection Officer as we do not meet the threshold for mandatory appointment under Article 37 of UK GDPR. Privacy enquiries are handled by our team and can be directed to the email above.