Skip to content
Legal

Privacy Policy

UK Privacy Policy for Spinney Marketplace

Last updated: July 2026

This policy text is provided for operational launch and requires independent legal review before final sign-off.

1. Who we are

Spinney ("we", "us", "our") operates the Spinney platform at www.spinney.app. Trading name (pre-incorporation). A registered company name and number will be added when incorporation completes — for legal review.

For the UK and EU, Spinney is the data controller for personal data processed to run the platform, including user accounts, community governance, platform safety, and wallet reporting.

Where a purchase is made, the buyer and the listing owner (seller/provider/organiser) may each act as controllers for their own purposes (e.g., fulfilling an order, customer service, tax records).

2. What data we collect

Account data

  • Email, verification status
  • Profile info (name/display name, avatar)
  • Date of birth and 18+ eligibility status

Platform activity

  • Stores you create, communities you create/join, listings you create
  • Orders/reservations/contributions and related status history (timeline events)
  • Reviews you leave/receive

Messages

  • Enquiry and order-thread messages (no general DMs)

Device and usage data

  • IP address, device identifiers, log data, analytics events (see Cookies section)

Location and employment data

  • Store and community addresses or map coordinates you provide (precise geolocation where enabled)
  • Store staff records when you invite team members (name, email, role)

Identity verification (rentals)

If you use Rent listing types requiring verification, we may facilitate identity checks via a third-party verification provider (e.g., Stripe Identity). Verification outcomes/status may be stored.

3. How we use your data (purposes)

We use your personal data to:

  • Create and manage accounts, authenticate users
  • Provide stores, communities, listings and moderation workflows
  • Process transactions, allocate fees, handle refunds and disputes
  • Provide notifications and customer support
  • Prevent fraud, enforce policies, and maintain platform security
  • Meet legal and regulatory obligations

4. Lawful bases (UK GDPR)

We process personal data under one or more lawful bases, including:

  • Contract: to provide the platform features you request (account, orders, wallet reporting)
  • Legitimate interests: to prevent fraud, secure the platform, and improve reliability
  • Legal obligation: to comply with applicable laws (e.g., accounting, dispute handling where required)
  • Consent: where required for cookies/marketing (see Cookies)

5. Sharing your data

We may share data with:

  • Payment processors (e.g., Stripe) to process payments and payouts
  • Infrastructure providers (hosting, storage, email delivery, monitoring)
  • Community moderators (limited visibility inside their community for moderation actions)
  • Law enforcement/regulators when legally required

We do not sell personal data.

A list of sub-processors is published at /subprocessors.

6. International transfers

Spinney is UK-first but may use suppliers that process data outside the UK/EEA. Where international transfers occur, we use appropriate safeguards such as the UK International Data Transfer Agreement and EU Standard Contractual Clauses (SCCs) as applicable.

If you are in the EEA, you may lodge a complaint with your local supervisory authority. In the UK, the supervisory authority is the ICO (see section 8).

7. Retention

We retain personal data only as long as necessary for the purposes above. Indicative periods (subject to legal holds and disputes):

CategoryPeriodBasis
Account and profile dataWhile account is active + 3 years after closureContract, legitimate interests (disputes/fraud)
Order and transaction records7 years from transactionLegal obligation (tax/accounting)
Store staff / employment-related recordsDuration of staff relationship + 2 yearsContract, legitimate interests
Location data (stores/communities)While listing/community is active + 1 yearContract, legitimate interests
Marketing consents and newsletterUntil consent withdrawn + 3 years evidenceConsent, legal obligation (PECR)
Cookie/consent records3 years from consent decisionLegal obligation, legitimate interests (proof of consent)
GDPR export files30 days from generationLegal obligation (data subject rights)
Audit and security logs12 months (configurable retention policies)Legitimate interests (security), legal obligation
Data protection complaints3 years from resolutionLegal obligation, legitimate interests

8. Your rights

Depending on your circumstances, you may have rights including:

  • Access, rectification, erasure
  • Restriction, objection
  • Data portability
  • Withdraw consent (where applicable)

You can exercise rights via our data rights form, from account settings when logged in, or by emailing dpo@spinney.app.

You have the right to complain to us about how we handle your data using our data protection complaints form. We will acknowledge complaints within 30 days.

You can also complain to the UK Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint. If you are in the EEA, you may contact your local data protection authority.

9. Security

We use technical and organisational measures designed to protect your data, including encryption in transit, access controls, logging, and monitoring.

10. Cookies and similar technologies

We use cookies and similar technologies to:

  • Keep you signed in
  • Remember preferences
  • Understand platform performance

Where required, we present cookie choices and honour them.

11. Data Protection Officer & contact

Our Data Protection Officer (DPO) is James Perry.

Spinney — Privacy / DPO

dpo@spinney.app