Privacy Policy
Last updated: 1 June 2026
Data controller
ExoMarket Ltd (company number 12345678)
Registered office: 123 Example Street, London, EC1A 1AA, United Kingdom
Privacy contact: privacy@exomarket.example
This ExoMarket Privacy Policy explains how we collect, use, share, and protect your personal information when you use our services. In this Policy, “we,” “us,” and “our” mean ExoMarket Ltd. Your use of ExoMarket (website, apps, accounts) means you agree to the practices described here.
Information We Collect
- Account Information: When you register, we collect your name, email, and authentication credentials (magic-link sign-in). We also record your IP address and user agent for security. Session tokens and login data are stored securely. If you set up a user profile or seller shop, we collect any additional details you provide (store name, location, “About” info, profile photo).
Signup transparency and acknowledgments
Before account creation is completed, we show a Marketplace & Data Use Notice and require you to actively confirm:
- Agreement to these Terms and this Privacy Policy; and
- Understanding that your listings, images, and associated data may be used for analytics, research, and commercial data products, including machine learning datasets.
We store on your profile: acceptance time and policy version (SHA-256 content hash) for the Terms of Service (terms_consent_accepted_at, terms_policy_version), the same for this Privacy Policy (privacy_consent_accepted_at, privacy_policy_version), and a separate timestamp when you acknowledge marketplace and data use (data_use_acknowledged_at).
- Profile & Store Data: If you run a storefront, we collect optional address/contact info you enter (for display to buyers or for shipping templates). We also collect any countries you indicate you export to. You may add social media links or a personal policy in your store; these are stored and publicly visible. All profile and store data is owned by you, but hosted on our servers.
- Listings (Ads): For each listing you create, we store the title, description, price, quantity, category, taxonomic information, and location. We also store photos you upload (in our media storage) and any flags (e.g. if it’s an example photo). Listing data is publicly viewable on the site. We may also log when listings are viewed. Note: All listing info is provided by users; we do not independently verify species or origin data.
- Sales & Fulfillment: When a sale occurs in the app, we record the sale details: buyer & seller usernames (as text), animal details, agreed price and quantity, delivery method (shipping or pickup), shipping address (if any), and sale status (pending, accepted, completed). We also store any tracking numbers or timestamps that you or the seller add.
- Payment History: ExoMarket allows both parties to enter payment information (amounts, method, reference number, notes) as a record. We store these notes, but we do not process or verify payments. The payment history is user-entered bookkeeping only. (Be aware: people sometimes include extra personal data in notes; that is stored as provided.)
Messages
Buyers and sellers may exchange messages through ExoMarket. We store message content, timestamps, delivery status, read receipts, attachments, and related metadata.
For encryption, staff access, scam and payment-instruction risks, and your responsibilities when messaging, see the Messaging Privacy section in our Terms of Service.
- Reviews and Notes: After transactions, users can leave reviews (rating, comment) which we store and may display on profiles. We also let users write private notes about trading partners (for their own reference); such notes are only visible to the author (these will appear in an exported data bundle if requested).
- Shopping Cart & Features: We track in-progress actions like items in a “saved search” or “favorites” for your account. We also collect analytics: page views, click events, and app usage data (via PostHog) to improve our service. Errors and performance issues are logged (via Sentry) for debugging.
- Cookies and Tracking: We use cookies to keep you logged in and remember preferences (e.g. site layout). We use session cookies to enable core functions. Third-party analytics cookies (PostHog) track usage patterns. We also use basic cookies for authentication (Better Auth). You can disable cookies, but some site features may not work.
How We Use Information
We process personal data under lawful bases including contract performance, legitimate interests, and legal obligations under UK GDPR.
- Operating the Marketplace: We use your data to run the service. For example, we use your email and password to authenticate you; profile info to build your page; listing info to show items; shipping addresses to share with sellers. Payment notes help populate sale records. Messages enable buyer-seller communication.
- Support & Fraud Prevention: We use login IP addresses, session data, and user reports to detect unauthorized access or abuse. If we suspect fraud (e.g. someone using multiple accounts to scam), we may investigate by reviewing account activity. ExoMarket staff may use your data through read-only account view mode (support access mode) to assist you if you have a problem. Your agreement to these Terms includes permission for staff to access your account for legitimate support.
- Communications: We send emails to verify your account, notify you of messages or sales offers, and provide essential service updates (including policy changes). We may also send marketing and platform news emails as described in our Terms of Service (Communications and Marketing). There is no separate marketing consent checkbox at signup; you may opt out of marketing emails by contacting privacy@exomarket.example.
Analytics, Research, and Commercial Data Products
We may analyze, aggregate, transform, combine, and otherwise use information collected through the platform to improve our services, conduct research, understand market activity, develop new products, and support business operations.
We may create aggregated, anonymized, de-identified, statistical, or derived datasets from listings, taxonomic information, photographs, marketplace activity, transaction data, and user-generated content, where such datasets do not identify you.
To the extent permitted by applicable data protection law, these datasets may be used internally or licensed, sold, shared, commercialized, or otherwise provided to third parties for lawful purposes, including analytics, market intelligence, scientific research, machine learning, artificial intelligence development, and related commercial activities.
This processing is disclosed at registration; your acknowledgment at signup supports transparency and fairness under UK GDPR alongside our lawful bases described above.
Where required by applicable law, personal data will be processed in accordance with applicable privacy regulations.
- Legal Compliance: We may use and share data to comply with laws. For example, if authorities request user records for enforcement (wildlife law, fraud investigations), we will respond as required.
Sharing Information
- Other Users: Your public profile, listings, and reviews are visible to other users. When you complete a sale with another user, we share your shipping address with the other party for fulfillment.
- Service Providers: We employ subprocessors (hosting, email, analytics). These include: Vercel (server hosting and media storage), our database host, email service (e.g. Resend), analytics (PostHog), error monitoring (Sentry), and the Polar system for subscriptions. These vendors only access data needed for their service (per our contracts). We may transfer data across borders for these services (for example PostHog servers in the US); by using ExoMarket you consent to such transfers.
- Law Enforcement: We will share your information with law enforcement or regulators as required by subpoena, warrant, or applicable law. We may also share info to enforce our policies (e.g. when investigating fraud or illegal wildlife trade on our platform).
Aggregated, Derived, and Commercial Data
We may disclose, license, sell, transfer, publish, or otherwise commercialize aggregated, anonymized, de-identified, derived, statistical, or transformed information generated from platform activity.
Such information may be used for analytics, research, trend reporting, market intelligence, machine learning, artificial intelligence systems, commercial data products, and related purposes.
- Business Transfers: If ExoMarket is acquired or merges, your data may be transferred as part of the transaction. We will notify you in advance of any such change and of the new entity’s privacy terms.
Staff Access and Account Review
Authorized ExoMarket personnel may access account information, listings, transaction records, messages, uploaded content, and related information where reasonably necessary to:
- Provide customer support;
- Investigate complaints and disputes;
- Detect and prevent fraud;
- Enforce platform policies;
- Protect users and platform security;
- Comply with legal obligations;
- Diagnose technical issues.
Staff may be granted read-only account view mode (support access mode) that allows them to view an account substantially as the user sees it for support and investigative purposes.
This access does not permit staff to send messages, enter into transactions, or otherwise act as the user through that read-only access mode.
Authorized personnel may separately perform moderation and administrative actions on listings, reviews, categories, accounts, and platform content where necessary.
Data Retention and Deletion
We retain information for as long as necessary to provide our services and for legitimate business purposes.
Deleting an account does not necessarily result in the deletion of messages, transaction records, listings, uploaded content, IP logs, moderation records, fraud-prevention records, payment notes, reviews, or other information associated with the account.
We may retain such information for as long as reasonably necessary for the purposes described in this Policy, including:
- Fraud prevention;
- Scam investigations;
- Security monitoring;
- Platform integrity;
- Ban-evasion detection;
- User safety;
- Dispute resolution;
- Legal compliance;
- Research and analytics;
- Business operations;
- Enforcement of our Terms.
We may also retain backups, logs, archives, and derived datasets after account deletion.
Your Rights
If you are in the United Kingdom or European Economic Area, you have the following rights under UK GDPR and applicable data protection law (subject to conditions and exemptions):
- Right of access — to obtain a copy of your personal data.
- Right to rectification — to correct inaccurate personal data.
- Right to erasure — to request deletion in certain circumstances.
- Right to restrict processing — in certain circumstances.
- Right to object — to processing based on legitimate interests, including direct marketing.
- Right to data portability — to receive personal data you provided in a structured, commonly used format, where applicable.
Access and export: We provide a built-in export of your account data (JSON) including listings, messages, and related records. For other requests, contact privacy@exomarket.example.
Correction: You can edit much of the data you provide (profiles, listings, messages) through the app.
Deletion: You may delete your account as described in Data Retention and Deletion above. Remember the limitations noted there.
Opt-out (analytics and marketing): You may disable non-essential cookies, opt out of marketing emails by contacting privacy@exomarket.example, or contact us to object to certain processing where applicable. Disabling cookies may affect site functionality. Marketing opt-out controls in account settings may be added in future.
Complaints: If you are dissatisfied with how we process your personal data, you may lodge a complaint with the UK Information Commissioner’s Office (ICO) at https://ico.org.uk/make-a-complaint/. We encourage you to contact us first at privacy@exomarket.example so we can try to resolve your concern.
- Children’s Privacy: ExoMarket is not directed at children. We do not knowingly collect data from anyone under 18. If you believe a child’s data has been submitted, please contact us for deletion.
- California & Other Rights: Where required (e.g. CCPA), you may request information we have shared or request deletion. We do process “sensitive” data categories like precise location (shipping address) but only to provide the service.
Security
We use standard security measures (HTTPS, encrypted storage) to protect your data. Access to personal data is restricted to authorized employees and subprocessors. However, no online system is 100% secure. ExoMarket will never ask you for your password or financial info by unsolicited email or phone. If you use ExoMarket on a shared device, please log out when done.
Cookies & Tracking
We use cookies for login sessions and preferences. We also use analytics cookies (PostHog) to understand usage. You can disable non-essential cookies in your browser, but this may affect functionality. We use a consent banner in applicable regions (EU/UK) to inform users about cookies.
Changes to This Policy
We may update this Privacy Policy over time (e.g. to comply with law or change our services). If we make material changes, we will notify you by email or site announcement before the changes take effect. The “Last Updated” date at the top reflects when this policy was revised. Your continued use after changes means acceptance.
Contact Information
For privacy questions or requests (access, correction, deletion), contact ExoMarket Ltd at privacy@exomarket.example or write to the registered office address in Data controller above.
Policy version: 82eeabbaf28e932c0c1e5d7466213e3474cb80f06139b9a425b6ec466b4c7bde