Privacy Policy

Last updated: 26 April 2026

This policy applies to all users of , including shoppers, registered account holders, and vendors selling on the platform.

1. Who We Are

("we", "us", "our") is an online multi-vendor marketplace operating at shoppa.uk. We act as the operator of the platform and as merchant of record for all transactions conducted through it.

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we are the data controller in respect of personal data collected from shoppers and account holders. Independent vendors operating stores on our platform are separate data controllers in respect of their own business data, though we process certain data on their behalf as a data processor.

You can contact our data controller at: [email protected]

2. Personal Data We Collect and Why

We collect and process personal data under the following lawful bases:

2.1 Account Registration

  • Name and email address — to create and identify your account (lawful basis: contract)
  • Password (hashed) — stored as an irreversible bcrypt hash; we cannot recover your plaintext password (lawful basis: contract)
  • IP address at registration — recorded to assist with fraud detection, account security, and abuse prevention (lawful basis: legitimate interests)
  • Email verification status and timestamp — to confirm you own the email address provided (lawful basis: contract)

2.2 Orders and Transactions

  • Delivery name and address — required to fulfil your order (lawful basis: contract)
  • Order history and line items — retained as transaction records (lawful basis: contract; legal obligation for financial records)
  • Order reference numbers — for tracking and dispute resolution (lawful basis: contract)
  • Stripe payment intent ID and charge ID — references to your Stripe transaction; we do not store card numbers, CVVs, or full payment details. All payment data is held by Stripe, Inc. under their own privacy policy (lawful basis: contract)
  • Guest checkout email address — if you check out without registering, your email is used solely to send your order confirmation and to allow you to claim the order later if you create an account (lawful basis: contract)

2.3 Communications

  • Support messages and enquiries — messages you send to us or to vendors through the platform messaging system are stored to facilitate the conversation and to resolve disputes (lawful basis: contract; legitimate interests)
  • Restock notification email — if you request to be notified when an out-of-stock product returns, we store your email address solely for that purpose and delete it once notified (lawful basis: consent)

2.4 Security and Fraud Prevention

  • IP address on registration and login — stored against your account and checked against an internal blacklist on each request. Where Cloudflare is active, the real visitor IP is obtained via the CF-Connecting-IP header. IP addresses may be blocked where abuse, fraud, or terms violations are detected (lawful basis: legitimate interests)
  • IP blacklist log — blocked IPs are retained on an internal blocklist indefinitely unless manually removed by an administrator (lawful basis: legitimate interests)
  • CSRF tokens — per-session tokens stored in your browser session to prevent cross-site request forgery attacks (lawful basis: legitimate interests)

2.5 Vendor Data (Sellers on the Platform)

  • Business name, biography, and store details — displayed publicly on vendor store pages (lawful basis: contract)
  • Notification email addresses — vendors may add additional verified email addresses to receive order notifications; each address is verified via a confirmation link before activation (lawful basis: contract)
  • Stripe Connect account ID — the identifier for the vendor's connected Stripe Express account, used to route payouts. No full banking details are stored by us; these are held by Stripe (lawful basis: contract)
  • Platform fee rate — the agreed percentage deducted from each sale prior to payout (lawful basis: contract)

3. Cookies and Session Data

We use the following cookies and session mechanisms:

| Cookie / Storage | Purpose | Type | Duration |
| --- | --- | --- | --- |
| PHPSESSID | Keeps you logged in; stores your session state including cart contents | Essential | Session (until browser close or logout) |
| Cart (localStorage) | Retains cart items between page loads for guest users | Essential | Until manually cleared |
| Stripe.js cookies | Set by Stripe during payment processing for fraud detection | Third-party (Stripe) | Per Stripe's privacy policy |
| Cloudflare cookies | Set by Cloudflare for DDoS protection and performance | Third-party (Cloudflare) | Per Cloudflare's privacy policy |

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not sell your browsing data or behavioural data to any party.

4. Third-Party Services and Data Sharing

We share data with the following trusted third-party processors only to the extent necessary to operate the platform:

| Processor | Purpose | Data shared |
| --- | --- | --- |
| Stripe, Inc. | Payment processing; vendor payouts via Stripe Connect | Payment data; vendor identity for KYC/AML compliance |
| Brevo (Sendinblue) | Transactional email delivery | Recipient email address and message content |
| Amazon Web Services (Lightsail) | Cloud hosting and server infrastructure | All platform data is stored on AWS servers (London region) |
| Cloudflare, Inc. | DDoS protection, CDN, and SSL termination | IP addresses and request metadata pass through Cloudflare's network |

We do not sell, rent, or trade your personal data to any third party for marketing purposes. We will disclose personal data to law enforcement or regulatory authorities where required to do so by law.

5. Data Retention

| Data type | Retention period | Reason |
| --- | --- | --- |
| Order and financial records | 7 years from transaction date | UK tax law and accounting obligations (Companies Act 2006; HMRC) |
| Account personal data | Until account deletion, then immediately anonymised | Contract; GDPR Art. 17 |
| Support messages | 3 years from last activity | Dispute resolution; legitimate interests |
| IP addresses (registration) | Duration of account, then deleted on account erasure | Security; fraud prevention |
| IP blacklist entries | Indefinitely, subject to manual review | Security; abuse prevention |
| Restock notification emails | Until notification is sent or product is delisted | Consent; no longer required thereafter |

When you delete your account, all personally identifiable fields (name, email, address, IP address) are permanently replaced with anonymised placeholders. Order records are retained in anonymised form as required by law. You cannot be re-identified from the anonymised data.

6. Your Rights Under UK GDPR

As a data subject under the UK GDPR and the Data Protection Act 2018, you have the following rights. We will respond to any request within one calendar month.

  • Right of access (Article 15) — you may request a copy of all personal data we hold about you. You can download a structured copy directly from your account dashboard.
  • Right to rectification (Article 16) — you may correct inaccurate data at any time via your profile settings. Email address changes require re-verification.
  • Right to erasure (Article 17) — you may delete your account and personal data from your profile page. Financial records are retained in anonymised form as required by law.
  • Right to restriction of processing (Article 18) — you may request that we restrict processing of your data in certain circumstances.
  • Right to data portability (Article 20) — the data export from your dashboard is provided in JSON format for portability.
  • Right to object (Article 21) — you may object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
  • Right to lodge a complaint — if you are unsatisfied with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of the above rights, contact us at [email protected].

7. Children's Privacy

is not directed at persons under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us immediately and we will delete it.

8. International Data Transfers

Our primary server infrastructure is located in the United Kingdom (AWS London region). Some data may pass through systems operated by Stripe and Cloudflare, which are US-based companies. Both maintain appropriate safeguards under the UK-US Data Bridge and Standard Contractual Clauses as applicable.

9. Security Measures

We implement the following technical and organisational measures to protect your personal data:

  • All data in transit is encrypted via TLS/SSL (HTTPS enforced site-wide)
  • Passwords are stored as bcrypt hashes (cost factor 12); plaintext passwords are never stored or transmitted
  • All forms are protected by CSRF tokens to prevent cross-site attacks
  • IP-based access controls with an automated and manually managed blacklist
  • Payment processing is entirely delegated to Stripe — card data never touches our servers
  • Database access is restricted to the application user with minimum necessary privileges
  • Email address changes require verification to the new address before taking effect
  • Vendor notification email addresses require independent verification before use

Despite these measures, no system is completely secure. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and the ICO as required under Article 33 of the UK GDPR.

10. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will reflect any changes. Where changes are material, we will notify registered users by email.

11. Contact Us

For any privacy-related queries, requests, or complaints:


Email: [email protected]
ICO Registration: [To be completed upon ICO registration]

If you are not satisfied with our response, you may contact the ICO at Wycliffe House, Water Lane, Wilmslow, SK9 5AF, or at ico.org.uk/concerns.