UK Privacy Policy for Spinney Marketplace
Last updated: July 2026
This policy text is provided for operational launch and requires independent legal review before final sign-off.
Spinney ("we", "us", "our") operates the Spinney platform at www.spinney.app. Trading name (pre-incorporation). A registered company name and number will be added when incorporation completes — for legal review.
For the UK and EU, Spinney is the data controller for personal data processed to run the platform, including user accounts, community governance, platform safety, and wallet reporting.
Where a purchase is made, the buyer and the listing owner (seller/provider/organiser) may each act as controllers for their own purposes (e.g., fulfilling an order, customer service, tax records).
If you use Rent listing types requiring verification, we may facilitate identity checks via a third-party verification provider (e.g., Stripe Identity). Verification outcomes/status may be stored.
We use your personal data to:
We process personal data under one or more lawful bases, including:
We may share data with:
We do not sell personal data.
A list of sub-processors is published at /subprocessors.
Spinney is UK-first but may use suppliers that process data outside the UK/EEA. Where international transfers occur, we use appropriate safeguards such as the UK International Data Transfer Agreement and EU Standard Contractual Clauses (SCCs) as applicable.
If you are in the EEA, you may lodge a complaint with your local supervisory authority. In the UK, the supervisory authority is the ICO (see section 8).
We retain personal data only as long as necessary for the purposes above. Indicative periods (subject to legal holds and disputes):
| Category | Period | Basis |
|---|---|---|
| Account and profile data | While account is active + 3 years after closure | Contract, legitimate interests (disputes/fraud) |
| Order and transaction records | 7 years from transaction | Legal obligation (tax/accounting) |
| Store staff / employment-related records | Duration of staff relationship + 2 years | Contract, legitimate interests |
| Location data (stores/communities) | While listing/community is active + 1 year | Contract, legitimate interests |
| Marketing consents and newsletter | Until consent withdrawn + 3 years evidence | Consent, legal obligation (PECR) |
| Cookie/consent records | 3 years from consent decision | Legal obligation, legitimate interests (proof of consent) |
| GDPR export files | 30 days from generation | Legal obligation (data subject rights) |
| Audit and security logs | 12 months (configurable retention policies) | Legitimate interests (security), legal obligation |
| Data protection complaints | 3 years from resolution | Legal obligation, legitimate interests |
Depending on your circumstances, you may have rights including:
You can exercise rights via our data rights form, from account settings when logged in, or by emailing dpo@spinney.app.
You have the right to complain to us about how we handle your data using our data protection complaints form. We will acknowledge complaints within 30 days.
You can also complain to the UK Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint. If you are in the EEA, you may contact your local data protection authority.
We use technical and organisational measures designed to protect your data, including encryption in transit, access controls, logging, and monitoring.
We use cookies and similar technologies to:
Where required, we present cookie choices and honour them.
Our Data Protection Officer (DPO) is James Perry.
Spinney — Privacy / DPO