This Privacy Policy explains how Nabbed ("we", "us", "our") collects, uses, and protects your personal data when you use the Nabbed platform. We are committed to protecting your privacy and handling your data in an open and transparent manner.
1. Data Controller
The data controller for your personal data is Nabbed. You can contact us about data protection matters at: team@nabbedarchive.com. We will respond to all enquiries within 30 days.
2. Data We Collect
We collect the following categories of personal data:
- Account information: Email address, username, display name, profile bio, and profile picture.
- Authentication data: Your password is hashed using industry-standard cryptographic methods by Supabase Auth. We never store or access your plaintext password.
- Shipping addresses: Names, addresses, and postcode/country data you save for order delivery.
- Transaction data: Records of purchases, sales, Nabs top-ups, and order history.
- Content you create: Product listings, photos you upload, comments, messages, wanted posts, and collections.
- Activity data: Likes, reposts, follows, searches, and pages you visit (for platform improvement purposes).
- Device and technical data: IP address (used for rate limiting and fraud prevention), browser type, and session tokens. We do not use analytics trackers or fingerprinting.
- Payment data: Stripe processes your card details on our behalf. We never see, store, or have access to your full card number, CVV, or payment instrument details.
3. How We Use Your Data
We use your data to:
- Create and manage your account and authenticate you securely.
- Process purchases, sales, Nabs transactions, and order fulfilment.
- Enable communication between buyers and sellers.
- Display your profile, listings, and activity to other users as part of the platform's social features.
- Prevent fraud, abuse, and security threats.
- Improve the platform based on usage patterns (aggregated, non-identifiable where possible).
- Comply with our legal obligations.
- Respond to support enquiries.
4. Legal Bases for Processing
- Contract: Processing necessary to provide you with the service (account management, transaction processing, messaging).
- Legitimate interest: Fraud prevention, platform security, analytics, and service improvement, weighed against your privacy rights.
- Legal obligation: Retaining transaction records for tax and legal compliance purposes.
- Consent: Where we rely on consent (e.g. optional features), you may withdraw it at any time without affecting the lawfulness of prior processing.
5. Third-Party Services
We share data with these trusted third-party processors:
- Supabase: Database and authentication provider. Your data is stored on Supabase infrastructure hosted in the EU (Ireland). Supabase is SOC 2 Type II compliant.
- Stripe: Payment processing. Stripe is PCI DSS Level 1 certified. Card data never touches our servers.
- Vercel: Web hosting and infrastructure. Your requests pass through Vercel's global edge network.
- Cloudflare: DNS and DDoS protection. IP addresses may be processed by Cloudflare in transit.
We do not sell your personal data to any third party and do not share it for advertising purposes.
6. Cookies
Nabbed uses only essential cookies required for the platform to function. These are session cookies set by Supabase Auth to keep you logged in. We do not use third-party tracking cookies, advertising cookies, or analytics cookies. You can clear session cookies at any time via your browser settings, which will log you out.
7. Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of account deletion, except where legal retention is required.
- Transaction records: Retained for 7 years from the date of transaction to comply with UK tax law (HMRC requirements).
- Messages: Retained while your account is active. Deleted with your account.
- IP logs used for rate limiting: Retained in memory only and not persisted to disk beyond the relevant session.
8. Your Rights under UK GDPR and EU GDPR
You have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your data, subject to legal retention obligations.
- Right to data portability: Receive your data in a structured, commonly used, machine-readable format.
- Right to restriction: Request that we restrict processing of your data in certain circumstances.
- Right to object: Object to processing based on legitimate interest.
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data has been processed unlawfully: ico.org.uk.
9. Exercising Your Rights
To exercise any of the above rights, or to raise a data protection concern, email us at team@nabbedarchive.com with the subject line "Data Request". We will respond within 30 days. We may ask you to verify your identity before actioning your request.
10. International Transfers
- Supabase: Data stored in the EU (Ireland). No international transfer.
- Stripe: Headquartered in the US. Transfers are covered by the EU–US Data Privacy Framework and Standard Contractual Clauses.
- Vercel: Global CDN. Covered by Standard Contractual Clauses for any data processed outside the EEA/UK.
11. Children
Nabbed is not directed at or intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child's data has been submitted, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the platform. Continued use of Nabbed after the effective date of changes constitutes acceptance of the updated policy. You can always view the latest version on this page.
