Privacy Policy

Last updated: 10 March 2026

This policy explains what personal data Kiddlo collects, why we collect it, how we use it, and your rights under UK GDPR.

1. About this Privacy Policy

This Privacy Policy explains how Kiddlo Ltd ("Kiddlo", "we", "us", "our") collects, uses, shares, and protects your personal data when you use our website and marketplace at kiddlo.co.uk. It applies to all users — buyers, sellers, and visitors — and should be read alongside our Terms of Service and Cookie Policy. Kiddlo is committed to handling your personal data responsibly and in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data controller

Kiddlo Ltd is the data controller for personal data collected through the Kiddlo platform. This means we determine the purposes and means of processing your personal data. If you have any questions or concerns about how we handle your data, contact our Data Protection contact at:

  • Email privacy@kiddlo.co.uk
  • Post Kiddlo Ltd — Data Protection, United Kingdom

3. What personal data we collect

We collect personal data in the following categories depending on how you use our platform:

  • Account data When you register, we collect your name, email address, username, and password (stored as a hashed value — we never see your plain-text password).
  • Profile data Information you choose to add to your profile: display name, profile photo, biography, and general location (town/city level — we do not collect precise GPS coordinates).
  • Listing data Details of items you list for sale: titles, descriptions, photographs, category, condition, price, and the town/city associated with the listing.
  • Transaction data Records of purchases and sales you make, including item price, fees, transaction status, and timestamps. Payment card details are processed and stored exclusively by Stripe — Kiddlo never has access to full card numbers.
  • Communications data Messages exchanged between buyers and sellers through Kiddlo's in-app messaging system. We retain these to facilitate transactions and resolve disputes.
  • Device and usage data Your IP address, browser type and version, operating system, pages visited, time spent on pages, search queries, and referring URLs. This data is collected automatically to operate and improve the platform.
  • Support data Information you provide when contacting our support team, including the content of your messages and any attachments.
  • Verification data If you apply for Verified status, we may collect additional identity information to confirm your identity. This is processed securely and in accordance with our verification procedures.

4. How we use your personal data

We process your personal data only where we have a lawful basis to do so. The table below sets out our purposes and the lawful basis we rely on for each:

  • Providing the platform (Contract) Creating and managing your account, enabling you to list and purchase items, processing payments, facilitating communications between buyers and sellers, and operating Buyer Protection — all necessary to fulfil our contract with you.
  • Safety and fraud prevention (Legitimate interests / Legal obligation) Detecting and preventing fraud, abuse, and illegal activity; verifying identity where required; and complying with our legal obligations under the Proceeds of Crime Act 2002 and other applicable legislation.
  • Improving the platform (Legitimate interests) Analysing how users interact with the platform, diagnosing technical issues, and developing new features. We rely on our legitimate interest to improve our services, balanced against your privacy rights.
  • Marketing communications (Consent) Sending you promotional emails, newsletters, and product updates. We will only do this with your explicit consent and you can withdraw consent at any time by clicking 'unsubscribe' in any marketing email or updating your notification settings.
  • Transactional communications (Contract / Legitimate interests) Sending you notifications about your listings, purchases, messages, and account activity. These are essential service communications and cannot be opted out of while your account is active.
  • Legal compliance (Legal obligation) Retaining records as required by tax law, responding to lawful requests from law enforcement or regulatory bodies, and exercising or defending legal claims.
  • Dispute resolution (Legitimate interests / Contract) Reviewing transaction records, messages, and listing data to investigate and resolve disputes raised under Buyer Protection or otherwise.

5. How we share your personal data

We do not sell your personal data. We share it only in the following limited circumstances:

  • Other users Your public profile (username, display name, profile photo, general location, and listings) is visible to other Kiddlo users. Your email address and precise location are never shared with other users.
  • Stripe (payment processing) We share transaction data with Stripe, Inc. to process payments. Stripe acts as an independent data controller for payment data and their privacy policy applies to data they process. Stripe is certified to PCI DSS Level 1.
  • Supabase (infrastructure) Our database and authentication infrastructure is provided by Supabase, Inc. Data is stored on servers within the UK/EEA under appropriate data processing agreements.
  • Vercel (hosting) The Kiddlo website is hosted on Vercel's infrastructure. Vercel processes request logs and performance data under a data processing agreement.
  • Resend (email delivery) Transactional and marketing emails are sent via Resend. They process your email address and the content of emails sent to you on our behalf.
  • Law enforcement and regulators We may disclose personal data to the police, HMRC, the Information Commissioner's Office (ICO), or other authorities where required by law, court order, or to protect the rights and safety of users or third parties.
  • Business transfers If Kiddlo is acquired, merged with, or its assets are transferred to another entity, your personal data may be transferred as part of that transaction. We will notify you before any such transfer and your rights under UK GDPR will continue to apply.

6. International data transfers

Some of our third-party service providers (including Stripe and Vercel) may process data outside the UK and EEA. Where this occurs, we ensure adequate safeguards are in place, such as:

  • UK adequacy regulations Transfers to countries designated as adequate by the UK Government under the UK GDPR.
  • Standard Contractual Clauses (SCCs) UK International Data Transfer Agreements (IDTAs) or equivalent approved transfer mechanisms where the destination country has not received an adequacy designation.
  • Binding Corporate Rules Where applicable for transfers within a multinational corporate group approved by the ICO.

7. How long we keep your data

We retain personal data only for as long as necessary for the purposes set out in this policy and to comply with our legal obligations:

  • Account data Retained for the duration of your account and for up to 3 years after closure to handle any post-closure disputes or legal claims.
  • Transaction records Retained for 7 years to comply with HMRC requirements and financial regulations.
  • Messages Retained for up to 2 years after the related transaction is completed or closed, to support dispute resolution.
  • Usage and device data Anonymised or deleted within 26 months of collection.
  • Marketing preferences Retained indefinitely to honour opt-out requests and prevent inadvertent re-contact. The marketing data itself is deleted if you close your account.
  • Support communications Retained for 3 years to maintain a record of support history and for staff training.

8. Your rights under UK GDPR

Under UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data. To exercise any of these rights, contact us at privacy@kiddlo.co.uk. We will respond within one calendar month of receipt (extendable to three months for complex requests).

  • Right of access Request a copy of the personal data we hold about you (a Subject Access Request). We will provide this free of charge in a commonly used electronic format.
  • Right to rectification Ask us to correct inaccurate or incomplete personal data. You can also update most profile information directly in your account settings.
  • Right to erasure ('right to be forgotten') Request deletion of your personal data where it is no longer necessary, you withdraw consent (where consent was the basis), or you object and we have no overriding legitimate interest. Note that we may need to retain certain data to comply with legal obligations.
  • Right to restrict processing Ask us to limit how we use your data — for example, while we verify the accuracy of a disputed record.
  • Right to data portability Receive a copy of personal data you have provided to us in a structured, commonly used, machine-readable format, and (where technically feasible) to have it transmitted directly to another controller.
  • Right to object Object at any time to processing based on our legitimate interests, including profiling. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, or where processing is necessary for legal claims.
  • Rights related to automated decision-making We do not currently make solely automated decisions that have a legal or similarly significant effect on you. If this changes, we will update this policy and provide you with appropriate rights.
  • Right to withdraw consent Where we rely on your consent to process data (e.g. marketing emails), you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

9. Complaints

If you are unhappy with how we have handled your personal data, please contact us first at privacy@kiddlo.co.uk so we have the opportunity to resolve your concern. If you remain unsatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website ico.org.uk
  • Helpline 0303 123 1113
  • Post ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

10. Children's privacy

Kiddlo is a platform for adults aged 18 and over. We do not knowingly collect personal data from children under 13. If we become aware that we have inadvertently collected personal data from a child under 13, we will delete it promptly. If you believe a child has created an account or provided personal data to Kiddlo, please contact us immediately at privacy@kiddlo.co.uk.

11. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, loss, or destruction. These measures include:

  • Encryption in transit All data transmitted between your browser and our servers is encrypted using TLS (HTTPS). Unencrypted connections are redirected automatically.
  • Encryption at rest Sensitive data including passwords (hashed with bcrypt) and payment data (held by Stripe under PCI DSS Level 1) is encrypted at rest.
  • Access controls Access to production systems and personal data is restricted to authorised personnel only, on a need-to-know basis, with multi-factor authentication required.
  • Security monitoring We monitor our systems for suspicious activity and conduct periodic security reviews.
  • Incident response In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected users without undue delay, as required by UK GDPR.

12. Links to third-party sites

Kiddlo may contain links to external websites. This Privacy Policy does not apply to those sites and we are not responsible for their privacy practices. We encourage you to read the privacy policy of any site you visit.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in legislation, our data practices, or services. When we make material changes, we will notify you by email and/or by posting a prominent notice on the platform at least 14 days before the changes take effect. The "last updated" date at the top of this page shows when the policy was most recently revised. Your continued use of Kiddlo after the effective date constitutes acceptance of the updated policy.

14. Contact us

For any questions, requests, or concerns about this Privacy Policy or how we handle your personal data:

  • Email privacy@kiddlo.co.uk
  • Post Kiddlo Ltd — Data Protection, United Kingdom