Privacy Policy
Last updated: February 2026
1. Who We Are
The Model Exchange ("we", "our", "us") operates the website www.themodelexchange.com (the "Platform"). We are the data controller responsible for your personal data. If you have questions about this policy or your data, please contact us.
2. What Data We Collect
We collect the following categories of personal data:
| Category | Examples |
|---|---|
| Account information | Email address, display name, password (hashed) |
| Transaction data | Purchase history, order details, delivery addresses, payment references |
| Seller data | Stripe Connect account ID, payout history, seller ratings |
| Listing content | Item descriptions, photographs, pricing |
| Guest checkout data | Email address and billing details provided at checkout (no account created) |
| Technical data | IP address, browser type, pages visited, referring URL |
3. How We Use Your Data
We process your personal data for the following purposes:
- To provide our service — creating your account, processing transactions, managing escrow, and facilitating communication between buyers and sellers.
- To send transactional emails — order confirmations, shipping updates, payment receipts, and dispute notifications.
- To manage payments — processing purchases via Stripe and transferring funds to sellers through Stripe Connect.
- To prevent fraud — monitoring transactions and user activity for suspicious behaviour.
- To improve the Platform — analysing usage patterns to enhance features and user experience.
- To manage memberships — processing Collector Membership subscriptions and delivering member benefits.
4. Legal Basis for Processing
Under UK GDPR, we rely on the following legal bases:
- Contract — processing necessary to fulfil our agreement with you (e.g. completing a purchase, managing your account).
- Legitimate interests — fraud prevention, platform security, and service improvement, where these do not override your rights.
- Legal obligation — where we are required to retain data for tax, regulatory, or legal purposes.
- Consent — where you have opted in to marketing communications (you may withdraw consent at any time).
5. Third-Party Services
We share data with the following third-party services, all of which process data in accordance with their own privacy policies:
- Supabase — database hosting and authentication (servers in the EU/UK).
- Stripe — payment processing and seller payouts. Stripe acts as an independent data controller for payment data. See Stripe's Privacy Policy.
- Resend — transactional email delivery.
We do not sell your personal data to any third party.
6. Data Retention
- Account data — retained while your account is active and for 12 months after a deletion request, unless required longer for legal purposes.
- Transaction records — retained for 6 years to comply with UK tax and accounting obligations.
- Guest checkout data — retained for 6 years alongside the associated order record.
- Technical logs — retained for up to 90 days.
7. Your Rights
Under UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — request deletion of your data (subject to legal retention requirements).
- Restriction — ask us to limit how we process your data in certain circumstances.
- Portability — receive your data in a structured, machine-readable format.
- Object — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
To exercise any of these rights, please contact us. We will respond within one month as required by law.
8. Cookies
The Platform uses essential cookies required for authentication and session management. We do not use advertising or tracking cookies. Third-party services (Stripe, Supabase) may set their own cookies as necessary for their services to function.
9. Data Security
We implement appropriate technical and organisational measures to protect your data, including encrypted connections (HTTPS), hashed passwords, and access controls. Payment card details are handled entirely by Stripe and are never stored on our servers.
10. Children
The Platform is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us so we can delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Significant changes will be communicated to registered users via email. The "Last updated" date at the top of this page indicates when this policy was last revised.
12. Complaints
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk.
13. Contact
For any privacy-related questions, please contact us.