Rare Kind
Log inSign up
Draft. This document has not been reviewed by a solicitor or DPO. Review before public launch.

Legal

Privacy policy

Last updated: 19 April 2026

This policy explains how Simpson's Ventures Ltd, trading as Rare Kind (we), collects and uses personal data when you use Rare Kind (the Service). We are a company registered in England and Wales (company number 17169404, registered office: 61 Bridge Street, Kington, HR5 3DJ, United Kingdom) and we are the data controller for the information described below.

1. Data we collect

  • Account data — email address, username, and optionally a display name, provided at signup.
  • Profile data — anything you upload to your profile: avatar, bio, default address (optional).
  • Listing data — photos, titles, descriptions, prices, weights, and postage options you provide when listing.
  • Transaction data — the fact that you bought or sold an item, the price, your shipping address (collected by Stripe at checkout), tracking number, and the status history of the order. Shipping addresses are shown to the seller of that order only.
  • Payment metadata— we do not see your card details. Stripe provides us with a payment intent ID and, after the charge clears, the Stripe fee charged to us. Sellers' banking details are held by Stripe, never by us.
  • Support and dispute correspondence — any messages you send to us or to other users via dispute forms.
  • Technical data — IP address, browser info, and timestamps of auth attempts (used for rate limiting).

2. Why we use it and our legal basis

  • To provide the Service (account creation, listings, purchases, payouts) — performance of a contract (UK GDPR Article 6(1)(b)).
  • To prevent fraud and abuse (rate limiting, suspensions) — our legitimate interests (Article 6(1)(f)).
  • To send transactional email (order confirmations, dispatch notices, dispute updates) — performance of a contract.
  • To meet our tax and accounting obligations (retaining transaction records) — legal obligation (Article 6(1)(c)).
  • To resolve disputes and defend legal claims — legitimate interests.

3. Who we share it with

  • Stripe Payments UK Limited— processes card payments and handles seller onboarding (KYC, bank account verification, payouts). Stripe is an independent controller for payment-related data. See Stripe's privacy policy.
  • Supabase (Supabase, Inc.) — our database and authentication provider. Acts as our processor.
  • Resend (Resend, Inc.) — delivers transactional emails on our behalf. Acts as our processor.
  • Other users— buyers and sellers see each other's username and the other party's shipping address on paid orders. Sellers see the buyer's ship-to address only.
  • Law enforcement and regulators — where required by law or court order.

4. International transfers

Stripe, Supabase, and Resend process some data in the United States. Where we transfer personal data outside the UK we rely on the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, as applicable.

5. How long we keep it

  • Account data — for as long as your account is open, plus 30 days after closure unless legal or fraud reasons require longer.
  • Transaction and tax records — 7 years, to meet HMRC requirements.
  • Rate-limit logs — 24 hours.
  • Stripe webhook events — retained indefinitely for reconciliation and audit.
  • Audit log (admin actions on disputes, refunds) — retained indefinitely as tamper-evident evidence.

6. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you and obtain a copy.
  • Correct inaccurate data, or complete incomplete data.
  • Erase personal data where the legal basis no longer applies, subject to our overriding obligations (e.g. tax retention of transaction records).
  • Restrict or object to processing.
  • Receive a portable copy of data you provided to us.
  • Lodge a complaint with the UK Information Commissioner's Office (ICO) — ico.org.uk.

To exercise these rights, email privacy@joinrarekind.co.uk.

7. Security

We use row-level security at the database layer, TLS in transit, server-only access to service credentials, and bucketed signed uploads for images. No system is perfect; if you believe your account has been compromised, contact us at the address above.

8. Cookies

See our Cookie policy for the specific cookies we use.

9. Changes to this policy

We may update this policy. Material changes will be notified by email or in-app notice at least 14 days in advance.

We use strictly necessary cookies to keep you signed in and take payments. Read our cookie policy.