1. Who we are
Waevin ("we", "us", "our") is a company registered in England and Wales. We operate the Waevin marketplace at waevin.com. For the purposes of UK data protection law, Waevin is the data controller for all personal data processed through the platform.
Data controller: Waevin
Registered address: England and Wales
ICO registration number: [ICO-NUMBER]
Data protection contact: privacy@waevin.com
We are registered with the Information Commissioner's Office (ICO) as required under UK GDPR. If you have questions about this policy or how we handle your data, please contact us at the email address above.
2. Data we collect
2.1 Account and registration data
When you create an account we collect your email address, chosen username, and hashed password. Two-factor authentication is mandatory for all users, so we also store the encrypted TOTP secret associated with your account. Plaintext passwords are never stored.
2.2 Identity and seller verification data
Sellers are required to connect a verified UK bank account via Stripe Connect. During this process Stripe collects identity verification information (which may include your name, date of birth, and bank details) directly on their platform under their own privacy policy. We receive only a Stripe account identifier and a limited verification status summary.
2.3 Shipping addresses
Buyers provide a delivery address for each order. This is stored encrypted (AES-256-GCM) at rest and is disclosed to the seller solely to enable dispatch. Sellers provide a return address for shipping label purposes.
2.4 Transaction and payment data
We store a full transaction history for every order: item details, agreed price, Buyer Protection fee, timestamps, shipping tracking numbers, and escrow status. Full payment card numbers are never stored on our servers. Stripe handles all card data and we store only the Stripe Payment Intent and Customer identifiers, together with the last four digits and card brand for display purposes.
2.5 Messages
We provide an in-platform messaging system between buyers and sellers for matters relating to specific orders and listings. All message content is stored encrypted (AES-256-GCM) at rest. We do not read message content unless required to resolve a formal dispute.
2.6 Listing data
Sellers upload card images, condition grades, descriptions, and asking prices. Images are stored in AWS S3 (eu-west-2). Listing data is publicly visible and forms part of the marketplace catalogue.
2.7 Device and usage data
We collect standard server logs including IP address, browser user-agent, referring URL, pages visited, and timestamps. This data is used for security, fraud prevention, and operational monitoring. It is not linked to your account for marketing purposes.
2.8 Cookies and similar technologies
We use strictly necessary cookies to operate the platform (session management, CSRF protection, user preferences). We do not currently use analytics or advertising cookies. Full details are set out in our Cookie Policy.
2.9 Dispute and support data
When a dispute is raised, we collect the evidence submitted by both parties (descriptions, photographs, tracking information) and the outcome of the admin decision. This forms part of our permanent dispute record.
3. Legal basis for processing
Under UK GDPR we must have a lawful basis for each type of processing activity. The table below sets out which basis applies to each activity.
| Processing activity | Lawful basis (UK GDPR) |
|---|---|
| Creating and managing your account | Contract performance (Art. 6(1)(b)) |
| Processing payments and managing escrow | Contract performance (Art. 6(1)(b)) |
| Sharing shipping address with seller | Contract performance (Art. 6(1)(b)) |
| Fraud prevention and platform security | Legitimate interests (Art. 6(1)(f)) — detecting and preventing fraud |
| Storing transaction records | Legal obligation (Art. 6(1)(c)) — HMRC financial record-keeping |
| Resolving disputes | Legitimate interests (Art. 6(1)(f)) — operating a fair marketplace |
| Sending transactional emails (order confirmations, dispute updates) | Contract performance (Art. 6(1)(b)) |
| Sending service announcements and policy change notices | Legitimate interests (Art. 6(1)(f)) — keeping users informed |
| Server log and usage data for security monitoring | Legitimate interests (Art. 6(1)(f)) — protecting platform integrity |
| Storing dispute records for six years | Legal obligation (Art. 6(1)(c)) — potential legal proceedings |
| Optional marketing communications | Consent (Art. 6(1)(a)) — withdrawable at any time |
Where we rely on legitimate interests, we have conducted a balancing test to confirm our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interests; see Section 9.
4. How we use your data
4.1 Operating the marketplace
Your account data is used to authenticate you, maintain your session, display your listings and order history, and enable communication between buyers and sellers. Without this processing the platform cannot function.
4.2 Processing transactions
When you make or receive a payment, we pass the necessary data to Stripe to create a Payment Intent, hold funds in escrow, and release or refund them according to the outcome of the transaction. Your shipping address is disclosed to the seller solely for dispatch purposes and is not retained by them beyond the order.
4.3 Fraud prevention
We analyse transaction patterns, account behaviour, device data, and IP addresses to detect and prevent fraud, counterfeit listings, and abuse of the Buyer Protection scheme. Where fraud is suspected we may freeze accounts and escrow balances pending investigation.
4.4 User communications
We send transactional emails (order confirmations, dispatch notifications, escrow releases, dispute updates, password resets, and security alerts) via Resend. These are necessary for the service and cannot be opted out of while you hold an active account. We may also send platform announcements and policy change notifications.
4.5 Legal compliance
We retain financial and transaction records for seven years in compliance with HMRC requirements. We may disclose data to law enforcement or regulatory bodies where required by applicable UK law.
4.6 Platform improvement
Aggregated, anonymised data about platform usage (such as popular card categories or typical listing durations) may be used internally to improve the service. This data cannot identify you individually.
5. Data sharing
We do not sell your personal data. We do not share your personal data with advertisers or use it for targeted advertising. We share data only with the following categories of processor or third party, and only to the extent strictly necessary:
Stripe processes payment card data, manages Stripe Connect accounts for sellers, and handles fraud detection on payment transactions. Stripe acts as an independent data controller for card data and as our processor for platform payments. Stripe is certified to PCI DSS Level 1. Their privacy policy is available at stripe.com/gb/privacy.
Our database and application infrastructure runs on AWS in the eu-west-2 (London) region, managed through Supabase. All data remains on UK infrastructure at all times. Supabase acts as our processor under a Data Processing Agreement.
We use Resend to deliver transactional emails. Resend receives the recipient email address and email content for each message sent. They act as our processor and do not use this data for any other purpose.
When you complete a transaction as a buyer, your delivery address is shared with the seller solely to enable dispatch. When you list as a seller, your username and seller rating are publicly visible. No further personal data is disclosed between users.
We may disclose personal data to the police, HMRC, the ICO, or other competent UK authorities where we are legally required to do so, or where disclosure is necessary to prevent or detect crime.
6. International transfers
All personal data collected and stored by Waevin is held exclusively on UK infrastructure (AWS eu-west-2, London region). We do not transfer your personal data outside the United Kingdom.
Stripe and Resend are US-based companies. Where these processors handle your data, they do so under Standard Contractual Clauses or equivalent UK International Data Transfer Agreements (IDTAs) that provide adequate protection under UK GDPR. Stripe is additionally certified under the UK-US Data Bridge.
You may request a copy of the relevant transfer mechanisms by emailing privacy@waevin.com.
7. Retention periods
We keep your data only for as long as is necessary for the purpose for which it was collected, or as required by law.
| Data category | Retention period | Reason |
|---|---|---|
| Account data (profile, credentials) | Active account + 2 years after closure | Contractual and fraud prevention |
| Transaction records (orders, payments, fees) | 7 years from transaction date | HMRC financial record-keeping obligation |
| Shipping addresses | Active account + 2 years | Dispute resolution and legal claims |
| Messages between users | 2 years from message date | Dispute resolution support |
| Dispute records and admin decisions | 6 years from dispute closure | Limitation period for legal claims |
| Server logs (IP address, usage data) | 90 days | Security and fraud monitoring |
| Marketing consent records | Until withdrawn + 3 years | Demonstrating lawful basis |
Following account closure, your public listing data is removed from the marketplace. Certain data may be retained in anonymised or aggregated form beyond these periods for statistical purposes, in a form that cannot identify you.
8. Security
We implement appropriate technical and organisational measures as required by Article 32 UK GDPR. Our current measures include:
- AES-256-GCM encryption for all personal data stored at rest, including addresses, messages, and account data.
- HTTPS (TLS 1.2 minimum) for all data in transit between your browser and our servers.
- Mandatory time-based one-time password (TOTP) multi-factor authentication for all user accounts. There is no opt-out.
- All data held exclusively in AWS eu-west-2 (London), a UK datacentre, with no data leaving the UK.
- Role-based access controls limiting staff access to personal data to those with a documented business need.
- Regular security reviews and dependency updates.
- Bcrypt password hashing — plaintext passwords are never stored or transmitted.
- Stripe PCI DSS Level 1 compliance for all card data — card numbers never reach our servers.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay and will report to the ICO within 72 hours as required by UK GDPR.
9. Your rights under UK GDPR
Quick summary
UK GDPR gives you eight rights over your personal data. To exercise any of them, email us at privacy@waevin.com with the subject line GDPR Request [Right] (for example, "GDPR Request Access"). We will acknowledge your request within 5 working days and respond in full within 30 calendar days. We may ask you to verify your identity before processing the request.
Right of access (Article 15)
You can ask us for a copy of all personal data we hold about you. We will provide this in a structured, commonly used format free of charge.
Right to rectification (Article 16)
If any data we hold about you is inaccurate or incomplete, you can ask us to correct it. You can update most profile data directly in your account settings.
Right to erasure (Article 17)
You can ask us to delete your personal data. We will do so unless we have a legal obligation to retain it (for example, transaction records required by HMRC) or a legitimate interest that overrides your request (for example, fraud prevention during an open investigation).
Right to restriction of processing (Article 18)
You can ask us to stop using your data in certain ways while a dispute about its accuracy or our right to process it is resolved.
Right to data portability (Article 20)
Where we process your data by automated means on the basis of contract or consent, you can ask us to provide it in a machine-readable format so you can transfer it to another service.
Right to object (Article 21)
You can object to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds that override your rights, or unless the processing is necessary for legal claims.
Rights relating to automated decision-making (Article 22)
We do not make decisions with legal or similarly significant effects on you using solely automated processing. Fraud flags are reviewed by a human administrator before any account action is taken.
Right to withdraw consent (Article 7(3))
Where we rely on your consent (for example, optional marketing emails), you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
Step-by-step: how to make a request
- Email privacy@waevin.com
- Use the subject line: GDPR Request [Right] (e.g. "GDPR Request Erasure")
- Include your registered email address and a brief description of your request
- We may ask you to verify your identity by confirming details only you would know
- We will respond within 30 calendar days. Complex requests may take up to 90 days; we will tell you in advance if this applies.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk or by calling 0303 123 1113. You may also seek a judicial remedy in the courts of England and Wales.
10. Children
Waevin is intended solely for users aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. By creating an account you confirm that you are at least 18 years old.
If we become aware that an account belongs to a person under 18, we will close the account immediately and delete all associated personal data without notice. If you believe a person under 18 has registered on our platform, please contact us at privacy@waevin.com.
11. Policy changes
We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, or applicable law. The "Last updated" date at the top of this page will always reflect the most recent version.
For material changes (changes that affect how we collect, use, or share your data, or that affect your rights), we will send you an email notification at least 14 days before the changes take effect. Your continued use of the platform after the effective date constitutes acceptance of the updated policy.
For minor or administrative changes (such as correcting a typographical error or updating a contact address), we will update the policy without advance notice.
12. Contact us
If you have any questions, concerns, or requests relating to this Privacy Policy or to your personal data, please contact our data protection team:
Email: privacy@waevin.com
Subject line for GDPR requests: GDPR Request [Right]
Response time: Within 30 calendar days
To contact the regulator: ico.org.uk or 0303 123 1113