Privacy Policy

Placeholder pending legal review. The constitutional principle binding us: user data is not monetizable, by architecture, not by policy.

What we collect

The minimum required to operate the platform:

• Account: email, full name, password hash (via Supabase Auth).
• Profile: avatar URL, role (buyer/seller/admin), verified status.
• Seller: store name, store slug, Stripe Connect account ID for payouts, KYC status (managed by Stripe).
• Orders: items, amounts, Stripe payment intent ID, consent timestamp for digital content.
• Messages and disputes: content between buyer and seller, plus any evidence either party uploads.

Our commitments

• Your data is yours. We do not sell it. We do not rent it. We do not share it with advertisers.
• We do not build behavioral profiles of you for resale, retargeting, or manipulation.
• We do not track you across other websites.
• What we surface in the catalog is based on what serves you, not on what generates more revenue for us.
• You can export everything we hold about you, in standard formats, at any time.
• You can delete your account and your data, at any time, without negotiation.

Your rights (UK GDPR + EU GDPR)

• Access: ask for everything we hold about you.
• Portability: export your data in standard formats (JSON, CSV).
• Deletion: delete your account and your data.
• Rectification: correct anything that is wrong.

To exercise these rights, write to allaffordable.shop@gmail.com. We respond within 30 days.

Third parties

• Supabase (database, auth, storage) — UK/EU regions, DPA in place.
• Vercel (hosting, edge functions) — US company, Standard Contractual Clauses.
• Stripe (payments, KYC) — payment processor.
• Email provider (TBD: Resend or SendGrid) for transactional emails.

Data breach

If a breach affects your personal data, we notify the ICO within 72 hours and you as soon as we are able. We publish a post-mortem and document remediation in our Trace.

Changes

Material changes are announced with at least 30 days notice on the platform.