Privacy Policy
Last updated: 25 March 2026
1. About this privacy notice
This Privacy Policy explains how Bundlr collects, uses, stores, and shares personal data when you use our website and services. It covers data we collect when you browse the site, create an account, list or trade items, message other users, upload content, pay through the platform, receive payouts, contact support, or take part in trust and safety processes.
We have written this notice to be clear and practical. It is designed for a UK-first service and should be read alongside the rest of our site and product flows.
2. The kinds of data we collect
- Account and profile data, such as your email address, username, avatar, bio, preferences, and account status.
- Identity and login data, such as authentication identifiers, password reset and security workflow information, and session status.
- Trading and marketplace data, such as listings, inventory, want lists, offers, counter-offers, deal history, pricing context, reviews, and reputation metrics.
- Payment-linked data, such as Stripe customer or connected account references, payment status, subscription status, fee information, and payout eligibility.
- Shipping data, such as saved addresses, names, labels, tracking events, carrier updates, and dispatch or delivery status.
- Messages and communication data, including conversation content, read receipts, support requests, contact form submissions, access requests, and email notifications.
- Trust and safety data, such as dispute details, uploaded evidence, fraud indicators, moderation decisions, suspension records, and related operational notes.
- Technical and usage data, such as browser type, device information, IP-related logs, app events, timestamps, and security logs.
- Uploaded content, such as listing photos, avatars, message attachments, or dispute evidence.
3. How we collect data
We collect personal data in a few different ways:
- Directly from you when you create an account, fill in profile or shipping details, upload content, send messages, or contact us.
- From your use of the service when you browse, trade, negotiate, ship, receive notifications, or open disputes.
- From counterparties involved in the same transaction, for example when another user provides delivery details, messages, reviews, or dispute evidence that relates to you.
- From service providers that support login, payments, shipping, storage, communications, security, and hosting.
- From automated logs and security tools that help us detect abuse, protect accounts, and operate the platform.
4. Our lawful bases for using personal data
Under UK data protection law, we rely on one or more lawful bases depending on the situation:
- Contract: to create and manage accounts, operate trades, process payments, support shipping, and provide the service you ask us to provide.
- Legitimate interests: to improve the product, keep users safe, prevent fraud, moderate content, investigate disputes, secure the platform, and communicate about service operations.
- Legal obligation: to comply with legal requests, financial rules, tax requirements, anti-fraud duties, and record-keeping obligations.
- Consent: where we specifically ask for it, for example in limited optional contexts where consent is the appropriate basis. Where we rely on consent, you can withdraw it later.
5. How we use personal data
- To create and manage your account and authenticate logins.
- To let users browse, list, negotiate, message, pay, ship, track, review, and complete trading card transactions.
- To manage payment holds, releases, payouts, refunds, subscriptions, and fee calculations.
- To generate shipping workflows, labels, tracking updates, address handling, and dispatch reminders.
- To send service messages, transaction notifications, security alerts, support responses, and operational emails.
- To investigate suspicious activity, detect fraud, reduce abuse, moderate content, enforce our terms, and resolve disputes.
- To analyse, test, maintain, and improve the performance, security, and reliability of the platform.
- To comply with legal, regulatory, accounting, tax, and law-enforcement obligations.
6. Browser storage, cookies, and similar technologies
Bundlr uses a small number of browser storage and session tools to keep the service working. For example, the web app stores authentication state in local storage using the key bundlr_auth and sets a bundlr_access_token cookie so protected parts of the app can recognise that a signed-in session exists.
We use these tools mainly for account access, session continuity, security, and service operation rather than for broad advertising tracking. Your browser may allow you to clear local storage or block cookies, but some parts of Bundlr may stop working properly if you do.
7. When we share personal data
We share personal data only where needed to run, secure, and support the service.
- With counterparties to your transactions, for example names, usernames, messages, delivery information, tracking, reviews, or dispute materials that need to be seen by the other side.
- With payment and payout providers such as Stripe, including connected account flows where relevant.
- With authentication and security providers such as AWS Cognito.
- With shipping and logistics providers such as Shippo and the carriers used through those services.
- With communications providers such as Mailgun when sending operational emails or support-related messages.
- With infrastructure and storage providers that host application data, uploaded files, logs, and related systems, including services such as Cloudflare R2, MongoDB, and Redis.
- With professional advisers, auditors, insurers, law enforcement, regulators, or courts where reasonably necessary or legally required.
- As part of a sale, merger, financing, restructuring, or transfer of all or part of our business, subject to appropriate confidentiality and legal protections.
We do not sell your personal data.
8. International transfers
Some of our providers may process personal data outside the UK. Where that happens, we take steps designed to protect the data, such as using providers that offer appropriate contractual safeguards, security measures, and transfer mechanisms recognised under applicable law.
9. Retention
We keep personal data for as long as reasonably needed for the purposes described in this policy. The right retention period depends on the type of data and why we need it.
- Account and profile data may be kept while your account remains active and for a period after closure where needed for security, support, and legal reasons.
- Transaction, payment, shipping, message, and dispute records may be kept longer because they are often needed to resolve issues, prevent fraud, handle chargebacks, and meet accounting or legal obligations.
- Technical logs and short-term operational records may be kept for shorter periods unless they are needed for an active investigation or legal requirement.
We may anonymise certain data or retain limited records where needed to enforce our terms, prevent repeat abuse, and comply with law.
10. Security
We use technical and organisational measures designed to protect personal data from unauthorised access, loss, misuse, or alteration. No online service can promise absolute security, so you should also protect your own account credentials, devices, and email access.
11. Your rights
Depending on your circumstances and applicable law, you may have rights to ask for access to your personal data, correction of inaccurate data, deletion, restriction of processing, objection to certain processing, data portability, and withdrawal of consent where consent is the basis we rely on.
Some of these rights are not absolute and may depend on the context, including our need to keep data for security, fraud prevention, open transactions, legal compliance, or other legitimate reasons.
To exercise a privacy right or ask a data question, contact us via the contact page.
12. Children and minors
Bundlr is intended for people who can lawfully use marketplace and payment services. We do not knowingly build the service for young children or intentionally collect personal data from them. If you believe a child has provided personal data to us inappropriately, please contact us so we can review and take appropriate steps.
13. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes to the product, our providers, legal requirements, or how we process data. The latest version will appear on this page with the updated date.
14. Contact and complaints
If you have questions about this Privacy Policy or how we handle personal data, contact us through the contact page.
If you are in the UK and are not satisfied with our response, you may also complain to the Information Commissioner's Office (ICO), although we would appreciate the chance to address your concern first.