Welcome to Busk's Privacy Policy. At Busk, we respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, store, and share your personal information when you use our platform.

This policy applies to all users of the Busk platform, including buyers, sellers, and visitors to our website. By using Busk, you agree to the collection and use of information in accordance with this policy.

We are committed to compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection laws.

Busk is the data controller responsible for your personal data. This means we determine how and why your personal data is processed.

3.1 Information You Provide

We collect personal information that you voluntarily provide when using our platform:

• Account Information: Name, email address, password, phone number
• Profile Information: Avatar photo, location, school affiliations, preferences
• Transaction Information: Billing address, shipping address, payment method details
• Listing Information: Item descriptions, photos, pricing, school affiliation
• Communication Data: Messages exchanged with other users, support inquiries, feedback
• Identity Verification: Documents or information provided for verification purposes

3.2 Automatically Collected Information

When you access or use our platform, we automatically collect certain information:

• Device Information: IP address, browser type, device type, operating system
• Usage Information: Pages viewed, features used, time spent, search queries
• Location Data: Approximate location based on IP address
• Cookies and Similar Technologies: Information collected through cookies, web beacons, and similar tracking technologies

3.3 Information from Third Parties

We may receive information about you from third parties:

• Payment Processors: Transaction data and payment status
• School Administrators: Verification of school affiliation (with consent)
• Analytics Providers: Aggregated usage data and trends
• Fraud Prevention Services: Risk assessment data

We use your personal information for the following purposes:

4.1 Service Delivery

• Creating and managing your account
• Processing transactions between buyers and sellers
• Facilitating communication between users
• Providing customer support
• Delivering items and managing shipping

4.2 Platform Improvement

• Analyzing usage patterns to improve our services
• Developing new features and functionality
• Conducting research and analytics
• Testing and optimizing platform performance

4.3 Safety and Security

• Preventing fraud and abuse
• Verifying user identity
• Detecting and preventing security threats
• Enforcing our Terms and Conditions
• Resolving disputes between users

4.4 Communication

• Sending transactional emails (order confirmations, shipping updates)
• Providing customer support and responding to inquiries
• Sending service announcements and updates
• Marketing communications (with your consent)

4.5 Legal Compliance

• Complying with legal obligations and regulations
• Responding to legal requests and court orders
• Protecting our legal rights and interests
• Enforcing our policies and agreements

Under UK GDPR, we process your personal data based on the following legal grounds:

5.1 Contract Performance

Processing is necessary to fulfill our contract with you (our Terms and Conditions), including:

• Creating and managing your account
• Processing transactions
• Providing customer support
• Facilitating communication between users

5.2 Legitimate Interests

Processing is necessary for our legitimate interests, such as:

• Improving our platform and services
• Preventing fraud and ensuring security
• Analyzing usage and conducting research
• Marketing our services to existing customers

5.3 Consent

We process certain data based on your explicit consent, including:

• Marketing communications to non-customers
• Optional cookies and tracking technologies
• Processing of sensitive personal data (where applicable)

5.4 Legal Obligation

Processing is necessary to comply with legal obligations, such as tax reporting, responding to legal requests, and maintaining records as required by law.

6.1 With Other Users

To facilitate transactions, we share certain information with other users:

• Username and profile information
• Item listings and descriptions
• Shipping address (after purchase)
• Messages exchanged through our platform

6.2 Service Providers

We share information with trusted third-party service providers who assist us in operating our platform:

• Payment Processors: Stripe for payment processing
• Hosting Providers: Supabase for data storage and infrastructure
• Email Service Providers: For sending transactional and marketing emails
• Analytics Providers: For usage analysis and platform optimization
• Customer Support Tools: For providing customer service

6.3 Schools and Educational Institutions

With your consent or when you participate in school programs, we may share:

• School affiliation information
• Transaction data for fundraising purposes
• Aggregated platform usage statistics

6.4 Legal Requirements

We may disclose your information when required by law or in response to:

• Court orders or legal processes
• Requests from law enforcement or regulatory authorities
• Protection of our rights, property, or safety
• Protection of users' rights, property, or safety

6.5 Business Transfers

If Busk is involved in a merger, acquisition, reorganization, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you of any such change and the choices you may have regarding your information.

We retain your personal information for as long as necessary to fulfill the purposes outlined in this privacy policy, unless a longer retention period is required or permitted by law.

7.1 Retention Periods

• Account Data: Retained while your account is active and for 7 years after closure for legal and accounting purposes
• Transaction Data: Retained for 7 years for tax, accounting, and legal compliance
• Communication Data: Retained for 3 years or as long as necessary for dispute resolution
• Marketing Data: Retained until you withdraw consent or for 2 years of inactivity
• Usage Data: Generally retained for 2 years for analytics purposes

7.2 Deletion Process

When retention periods expire, we will:

• Securely delete or anonymize your personal data
• Retain only aggregated, anonymized data for statistical purposes
• Maintain necessary records as required by law

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.

8.1 Security Measures

• Encryption: Data is encrypted in transit using SSL/TLS and at rest using industry-standard encryption
• Access Controls: Strict access controls limit who can access personal data
• Authentication: Secure authentication mechanisms protect user accounts
• Regular Audits: We conduct regular security audits and assessments
• Secure Infrastructure: We use secure hosting providers with robust security measures
• Employee Training: Staff are trained on data protection and security best practices

8.2 Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours
• Inform affected users without undue delay
• Provide information about the breach and steps taken to address it
• Advise on measures you can take to protect yourself

While we strive to protect your personal information, no method of transmission or storage is 100% secure. You are responsible for maintaining the security of your account credentials and should notify us immediately of any unauthorized access.

Under UK GDPR and data protection law, you have the following rights regarding your personal data:

9.1 Right of Access

You have the right to request a copy of the personal information we hold about you. You can access most of your data through your account dashboard, or you can request a full copy by contacting us.

9.2 Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data. You can update most information directly in your account settings.

9.3 Right to Erasure

You have the right to request deletion of your personal data in certain circumstances, such as when:

• The data is no longer necessary for the purposes it was collected
• You withdraw consent and there is no other legal basis for processing
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed

9.4 Right to Restriction

You have the right to request restriction of processing of your personal data in certain situations, such as when you contest the accuracy of the data or object to processing.

9.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

9.6 Right to Object

You have the right to object to:

• Processing based on legitimate interests
• Direct marketing (including profiling)
• Processing for research or statistical purposes

9.7 Right to Withdraw Consent

Where we process your data based on consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing before the withdrawal.

9.8 Right to Lodge a Complaint

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have not handled your data properly:

9.9 Exercising Your Rights

To exercise any of these rights, please contact us at privacy@busk.com. We will respond to your request within one month, though this may be extended by two additional months for complex requests.

We use cookies and similar tracking technologies to collect and store information about how you use our platform.

10.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our website. They help us provide a better user experience and understand how our platform is used.

10.2 Types of Cookies We Use

• Essential Cookies: Necessary for the platform to function properly (e.g., maintaining your session)
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Help us understand how users interact with our platform
• Marketing Cookies: Used to deliver relevant advertisements (with consent)

10.3 Managing Cookies

You can control and manage cookies through:

• Your browser settings (most browsers allow you to refuse or delete cookies)
• Our cookie consent banner when you first visit our site
• Your account privacy settings for certain types of tracking

Please note that blocking or deleting cookies may affect your ability to use certain features of our platform.

Our platform integrates with third-party services to provide functionality and improve your experience. Each third party has its own privacy policy governing how they handle your data.

11.1 Payment Processing

We use Stripe to process payments. When you make a purchase or sale, Stripe collects and processes your payment information. Please review Stripe's Privacy Policy for details on how they handle your data.

11.2 Infrastructure and Hosting

We use Supabase for data storage and hosting. Your data is stored securely on their infrastructure. Review Supabase's Privacy Policy for more information.

11.3 Links to Other Websites

Our platform may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to review the privacy policies of any third-party sites you visit.

Your personal information may be transferred to and processed in countries outside the United Kingdom, including countries that may not have the same level of data protection as the UK.

12.1 Safeguards

When we transfer your data internationally, we ensure appropriate safeguards are in place:

• Transferring data to countries with adequacy decisions from the UK government
• Using Standard Contractual Clauses approved by the UK authorities
• Ensuring third-party service providers implement appropriate security measures
• Obtaining your explicit consent where necessary

12.2 Data Storage Locations

Primary data storage is within the European Economic Area (EEA) and the United Kingdom. However, some service providers may process data in other regions with appropriate safeguards.

Busk is not intended for use by children under the age of 18. We do not knowingly collect personal information from children under 18 years of age.

13.1 Age Verification

By creating an account, you represent and warrant that you are at least 18 years old. If you are under 18, you must not use our platform or provide any personal information to us.

13.2 Parental Notice

If you are a parent or guardian and become aware that your child has provided us with personal information without your consent, please contact us immediately at privacy@busk.com. We will take steps to remove such information from our systems.

13.3 School Uniform Context

While Busk facilitates transactions related to school uniforms, all users must be adults (18+). Parents and guardians use the platform to buy and sell uniforms on behalf of their children, but children themselves should not create accounts or use the platform.

We use automated systems to help provide and improve our services, including fraud detection, content moderation, and personalized recommendations.

14.1 Fraud Detection

We use automated tools to detect and prevent fraudulent activity, including:

• Risk assessment of transactions
• Detection of suspicious account activity
• Prevention of unauthorized access

14.2 Content Moderation

We use automated systems to help moderate content and detect policy violations, including inappropriate listings or communications.

14.3 Your Rights

You have the right to request human review of any automated decision that significantly affects you. If you believe an automated decision has been made in error, please contact us at support@busk.com.