Privacy Policy
Last updated: 04/06/2026 · Draft — solicitor review recommended before scale.
Data controller
The operator of Desi Closet (an independent UK-based sole trader) is the data controller for personal information collected through desicloset.co.uk.
Email: privacy@desicloset.co.uk
We are in the process of registering with the UK Information Commissioner's Office (ICO) as a data controller. Once issued, our ICO registration number will be published here.
As a sole trader processing personal data on a small scale, we are not required to appoint a Data Protection Officer (DPO). Privacy enquiries reach us directly at the email above.
What we collect
- Account details: name, email, hashed password, optional phone, optional avatar, optional bio.
- Address details when you check out, ship an order, or onboard for payouts.
- Listings, orders, messages and disputes you create on the platform.
- Payment metadata via Stripe (we never see or store your full card number — only the last 4 digits and brand).
- Technical data: IP address, browser, device, and the cookies described below.
Why we use it & lawful bases
- To run the marketplace (performance of a contract — Art. 6(1)(b) UK GDPR).
- To verify accounts and prevent fraud (legitimate interests — Art. 6(1)(f)).
- To meet tax, accounting and consumer-law obligations (legal obligation — Art. 6(1)(c)).
- To send service emails (verification, order updates, dispute outcomes) — performance of contract.
We do not use your data for automated decision-making with legal effect. We do not engage in profiling for marketing purposes.
Who we share with
- Stripe (payments & payouts, including KYC for sellers) — Ireland & United States.
- Resend (transactional email delivery) — United States, EU West region selected for storage.
- ImprovMX (inbound email forwarding for support@desicloset.co.uk) — United States.
- MongoDB Atlas (database hosting) — region: eu-west-2 (London).
- Vercel (web hosting) — United States.
- Any law-enforcement authority when legally required.
We do not sell personal data and we do not share it for third-party advertising.
International transfers
Some processors are based outside the UK (mainly the United States). Where data leaves the UK we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, plus supplementary safeguards offered by each processor (most are ISO 27001 certified and offer regional data residency where possible).
How long we keep it
- Account data: while your account is active, plus 6 months after deletion for fraud-prevention purposes.
- Order & dispute records: 6 years from the transaction date (HMRC record-keeping requirement).
- Payment metadata: 6 years (HMRC / Stripe retention).
- Marketing emails: until you unsubscribe, plus 30 days for suppression-list purposes.
Your rights
Under UK GDPR you can:
- Access your personal data — use the "Download my data" button on your /account page.
- Correct inaccurate data — edit it on your /account page or email us.
- Delete your data (right to erasure) — use "Delete my account" on /account. Some records will be retained for legal compliance as above.
- Restrict processing, port your data, or object to processing — email privacy@desicloset.co.uk.
- Withdraw consent (where consent is the lawful basis) at any time.
We will respond to rights requests within 30 days. If you are not happy with our response, you can complain to the UK Information Commissioner's Office at ico.org.uk or by calling 0303 123 1113.
Cookies
We use the following cookies and similar storage:
| Name | Purpose | Duration |
|---|---|---|
| next-auth.session-token | Keeps you signed in | 30 days |
| next-auth.csrf-token | Sign-in CSRF protection | Session |
| desi-closet:cookie-consent | Remembers your cookie choice | 1 year (localStorage) |
| desi-closet:email-verify-banner-dismissed | Hides the verify-email banner you dismissed | Session |
All of the above are strictly necessary to operate the marketplace and your account. We do not currently use analytics or advertising cookies. If we add any in future, we will ask for your consent first via the cookie banner.
Changes to this policy
We will update this policy as our practices evolve. Material changes will be notified by email or an in-app banner at least 14 days before they take effect.