Privacy Policy
Last updated: 24 April 2026 · Effective from: 24 April 2026
1. Overview
This policy explains how Sellexa Limited (company number NI735255, registered office Apartment 2 187, West Circular Close, 187 West Circular Road, Belfast, Northern Ireland, BT13 3QF) handles your personal data when you use sellexa.app. We comply with the UK GDPR and the Data Protection Act 2018.
2. Snapshot (UK GDPR Art. 13 transparency table)
| Controller | Sellexa Limited (NI735255) |
| Contact | support@sellexa.app · post above |
| Lawful bases | Performance of contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)); consent (Art. 6(1)(a)) for non-essential cookies and marketing |
| Categories of data | Account, KYC, payment metadata, order, message, device/log, marketing-preference |
| Recipients | Stripe, Sendcloud, Supabase, Meta WhatsApp Cloud API, Resend, Netlify; sellers (delivery info only); HMRC (DAC7); law enforcement (where compelled) |
| Retention | Account: until deletion or 24 months inactive · Orders + ledger entries: 7 years (HMRC + Companies Act) · Messages: 24 months · Notifications outbox: 12 months · Logs: 12 months |
| International transfers | Some processors (Stripe, Resend, Meta) are US-based; transfers under UK Addendum to EU SCCs and/or UK adequacy / IDTA |
| Your rights | Access, rectification, erasure, restriction, portability, objection, withdraw consent, complain to ICO |
3. What we collect
3.1 Account data (all users)
- Name, email, password hash, optional profile picture and bio.
- Buyer delivery addresses you save; phone number where you choose to provide one.
3.2 Seller-only data
- Business trading name, registered address, VAT/UTR (where applicable).
- KYC: identity verification handled by Stripe Connect; we receive only the verification status and a high-level summary.
- Bank-account details: held by Stripe; we never see the account number.
- WhatsApp number (mandatory at onboarding for order notifications).
3.3 Order and transaction data
- Items ordered, prices, quantities, taxes, shipping cost, delivery address.
- Stripe payment-intent IDs, charge IDs, refund IDs (no card numbers).
- Sendcloud parcel IDs, label URL, tracking events.
- Ledger entries (commission, payout, refund), retained 7 years per HMRC and Companies Act 2006.
3.4 Messaging data
- Order-scoped messages between buyer and seller. The original message body is retained for moderation audit (admin-visible only) even where our contact-info filter strips parts before delivery.
- Notifications outbox: WhatsApp template sends, email sends, status callbacks (12-month retention for delivery diagnostics).
3.5 Device and log data
- IP address, browser, OS, approximate location (city level, derived from IP).
- Pages viewed, search queries, click-through, error logs.
4. Why we use it (lawful bases)
- Performance of contract (Art. 6(1)(b)): running your account, processing orders, sharing buyer name + delivery address with seller and carrier for fulfilment, processing refunds, providing payouts.
- Legal obligation (Art. 6(1)(c)): HMRC DAC7 reporting, Companies Act record retention, responding to lawful enforcement requests, Modern Slavery Act due diligence.
- Legitimate interests (Art. 6(1)(f)): fraud prevention, abuse and contact-info filtering in messages, security logging, debugging, basic site analytics, defending claims. We balance these against your privacy and you can object.
- Consent (Art. 6(1)(a)): non-essential cookies and any future marketing emails. You can withdraw consent at any time.
5. The buyer → seller → carrier data flow
When you place an order, the lawful basis is "performance of contract" (UK GDPR Art. 6(1)(b)). To fulfil that contract:
- Your name and delivery address are shared with the seller and the carrier (via Sendcloud).
- Your email and phone number are NOT shared with the seller. All buyer↔seller communication runs through in-app messaging on the order page.
- Sellexa retains the order record (including the address used at the time of purchase) for 7 years for tax and accounting purposes.
Once the seller receives the address for fulfilment, the seller becomes an independent controller of that data and must comply with their own UK GDPR obligations under the Seller Agreement §12.
6. Who processes your data on our behalf
- Stripe Payments UK Ltd / Stripe Inc.: payment processing, KYC, payouts. UK Addendum to EU SCCs in place for transfers to the US.
- Sendcloud B.V. (Netherlands): delivery rate quotes, label generation, tracking webhooks. Transfers under UK adequacy.
- Supabase Inc.: database, authentication, file storage, realtime. EU region (eu-west-2). UK adequacy + SCCs where applicable.
- Meta Platforms Ireland Ltd / WhatsApp LLC: order-related WhatsApp notifications via the WhatsApp Cloud API. UK Addendum to EU SCCs.
- Resend Inc. (US): transactional email delivery. UK Addendum to EU SCCs.
- Netlify Inc. (US): application hosting and CDN. UK Addendum to EU SCCs.
Each processor is bound by a written data-processing agreement requiring confidentiality, appropriate security measures, and onward-transfer controls.
7. Other sharing
- Other users: public profile fields (display name, profile picture, shop content) are visible on the platform.
- HMRC: seller information is reported annually under DAC7.
- Law enforcement and regulators: only where we are legally required (court order, properly served notice).
- Corporate transactions: in the event of a merger or sale, data may transfer to the acquirer subject to this policy.
We do not sell, rent, or trade your personal data for marketing.
8. How long we keep it
- Active accounts: until you ask us to delete or until 24 months of inactivity.
- Order records and ledger entries: 7 years from the order date (HMRC + Companies Act 2006).
- Messages (including original body for moderation): 24 months.
- Notifications outbox: 12 months for delivery diagnostics.
- KYC records: 5 years after account closure (anti-money-laundering retention norm).
- Server logs: 12 months.
- Marketing preferences and any consent we have collected: until you withdraw consent.
9. Security
We use TLS encryption in transit, encryption at rest for our database, role-based access control (Supabase RLS), least-privilege service accounts, and audit logging. We test for common web vulnerabilities. No system is completely secure; please use a strong unique password and report any suspicious activity to support@sellexa.app.
We will notify the ICO of any qualifying personal-data breach within 72 hours and will notify affected users where the breach is likely to result in a high risk to their rights and freedoms.
10. Your rights
Under the UK GDPR you can:
- Access a copy of the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase personal data where the lawful basis no longer applies (subject to legal retention obligations).
- Restrict our processing while a query is resolved.
- Port data you provided in a structured, machine-readable format.
- Object to processing based on legitimate interests, including any direct marketing.
- Withdraw consent for any consent-based processing at any time.
- Not be subject to a decision based solely on automated processing that significantly affects you (we do not currently make such decisions).
Email support@sellexa.app to exercise any right. We respond within one calendar month and may ask for ID verification.
11. Complaining to the ICO
If you are unhappy with how we handle your personal data, please raise it with us first via the Complaints Policy. You also have the right to complain to the Information Commissioner's Office (the UK supervisory authority):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk/make-a-complaint
12. Cookies
We use a small number of essential cookies. Full detail in the Cookie Policy.
13. Children
Sellexa is not aimed at children under 16. If you believe a child has registered, contact us and we will close the account and delete the data.
14. Changes to this policy
We will update this policy when our processing changes. Material changes will be notified in-app and by email at least 14 days before they take effect.
Sellexa Limited
Company No. NI735255 (Northern Ireland)
Apartment 2 187, West Circular Close, 187 West Circular Road, Belfast, Northern Ireland, BT13 3QF
Email: support@sellexa.app
This document is legal-review ready, not legal advice. A UK marketplace lawyer should sign off before public launch.