1. Data Controller Information

2. Information We Collect

Under the UK GDPR, we collect and process the following categories of personal data:

2.1 Information You Provide Directly

• Account Information: Username, email address, password (encrypted), date of birth (to verify age 18+)
• Profile Information: Display name, profile picture, bio, location (optional)
• Listing Information: Item descriptions, photos, pricing, condition details
• Communication Data: Messages between users, support inquiries
• Transaction Data: Sale history, swap agreements, deal records
• Payment Information: Subscription payment details (processed securely by third-party payment processors)

2.2 Information Collected Automatically

• Usage Data: Pages viewed, items browsed, search queries, time spent on platform
• Device Information: IP address, browser type, operating system, device identifiers
• Location Data: Approximate location based on IP address (for local marketplace functionality)
• Cookies and Tracking: Session cookies, preference cookies, analytics cookies (see our Cookie Policy)

3. Legal Basis for Processing (UK GDPR Article 6)

We process your personal data under the following legal bases:

• Consent (Article 6(1)(a)): Marketing communications, optional cookies, profile visibility preferences
• Contract (Article 6(1)(b)): Account creation, listing items, facilitating transactions, providing platform services
• Legal Obligation (Article 6(1)(c)): Age verification (18+), fraud prevention, compliance with UK law
• Legitimate Interests (Article 6(1)(f)): Platform security, preventing abuse, improving user experience, analytics

4. How We Use Your Information

• Provide, maintain, and improve the Platform
• Process transactions and send related notifications
• Send technical notices, security alerts, and support messages
• Respond to your comments, questions, and customer service requests
• Monitor and analyze usage patterns and trends
• Detect, investigate, and prevent fraudulent transactions and illegal activities
• Personalize and improve your experience on the Platform
• Send marketing communications (with your explicit consent, which you can withdraw at any time)

5. Information Sharing and Disclosure

We do NOT sell your personal data to third parties. We may share your information in the following circumstances:

• With Other Users: Your public profile, listings, and messages are visible to other platform users
• Service Providers: Hosting providers (Vercel), database services (Supabase), email services (with data processing agreements in place)
• Legal Requirements: When required by UK law, court order, or to protect rights and safety
• Business Transfers: In connection with a merger, acquisition, or sale of assets (with prior notice to users)

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy:

• Active Accounts: Data retained while your account remains active
• Closed Accounts: Most data deleted within 30 days of account closure
• Legal Requirements: Some data retained for 6 years to comply with UK legal obligations (e.g., financial records)
• Backup Systems: Data may remain in backup systems for up to 90 days after deletion

7. International Data Transfers

Your data is primarily stored and processed within the UK/EU. If we transfer data outside the UK/EU, we ensure adequate safeguards are in place through:

• UK GDPR-compliant Standard Contractual Clauses (SCCs)
• UK adequacy decisions for approved countries
• EU-US Data Privacy Framework (for US service providers)

8. Data Security

We implement industry-standard security measures to protect your personal data:

• End-to-end encryption for passwords (bcrypt hashing)
• HTTPS/SSL encryption for all data transmissions
• Regular security audits and vulnerability assessments
• Access controls and authentication mechanisms
• Secure database hosting with row-level security policies

However, no internet transmission is ever fully secure. While we strive to protect your data, we cannot guarantee absolute security.

9. Your Rights Under UK GDPR

As a data subject under UK GDPR, you have the following rights:

• Right to Access (Article 15): Request a copy of your personal data we hold
• Right to Rectification (Article 16): Correct inaccurate or incomplete data
• Right to Erasure (Article 17): Request deletion of your data ("right to be forgotten")
• Right to Restrict Processing (Article 18): Limit how we use your data
• Right to Data Portability (Article 20): Receive your data in a machine-readable format
• Right to Object (Article 21): Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent for marketing or optional data processing at any time
• Right to Lodge a Complaint: File a complaint with the Information Commissioner's Office (ICO)

How to Exercise Your Rights

To exercise any of these rights, please contact us at cofoedu@gmail.com with the subject line "GDPR Data Subject Request". We will respond within 30 days as required by UK GDPR.

10. Children's Privacy

Our Platform is NOT intended for individuals under 18 years of age. We do not knowingly collect personal data from children. All users must confirm they are 18+ during registration. If we discover we have inadvertently collected data from a child, we will delete it immediately.

11. Cookies and Tracking Technologies

We use cookies and similar tracking technologies as detailed in our Cookie Policy. You have the right to accept or reject non-essential cookies through our cookie consent banner.

12. Automated Decision-Making

We do NOT use automated decision-making or profiling that significantly affects you. Any algorithmic recommendations (e.g., suggested items) can be overridden by manual browsing.

13. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated via:

• Email notification to registered users
• Prominent notice on the Platform for 30 days
• Updated "Last Updated" date at the top of this policy

14. Contact Us