1. Data Controller
The data controller for the personal data collected and processed through homeshoppingcentre.co.uk and our mobile applications is:
Home Shopping Centre Ltd
[COMPANY ADDRESS]
Email: legal@homeshoppingcentre.co.uk
Website: homeshoppingcentre.co.uk
As data controller, we are responsible for deciding how we hold and use your personal data. This policy sets out the basis on which we process any personal data we collect from you, or that you provide to us.
2. What Data We Collect
Account Information
When you register, we collect your name, email address, password (stored as a cryptographic hash — never in plain text), username, profile picture (optional), date of birth (to verify you are 18+), and contact telephone number.
Listing & Transaction Data
When you create listings, we collect the listing title, description, photographs, pricing, category, location (city/postcode), and any other information you choose to include. When transactions occur, we retain order details, sale amount, commission charged, and fulfilment status.
Payment Data
Payments are processed by Stripe, a PCI DSS-compliant payment processor. HSC does not store your card number, CVC, or full card details. Stripe provides us with a tokenised payment reference and, where applicable, the last four digits of your card and card type for display purposes. For payout purposes via Stripe Connect, we collect your bank account details (sort code and account number), which are transmitted securely to Stripe and not stored permanently on HSC servers.
Messages & Communications
We store messages sent between buyers and sellers through the HSC platform, as well as support ticket communications. These are retained to facilitate dispute resolution and to protect against fraud.
Device & Technical Data
When you access HSC, we automatically collect your IP address, browser type and version, operating system, device type (desktop/mobile/tablet), pages visited, time spent, referral URL, and error logs. This data is used for security, fraud prevention, and service improvement.
Location Data
When you create a listing, you provide a general location (town/city or postcode prefix) to help buyers find local items. We do not collect precise GPS location unless you explicitly grant this permission on mobile.
Cookies & Tracking
We use cookies and similar technologies as described in our Cookie Policy. Analytics data (such as page views and session durations) may be collected via analytics providers with your consent.
Identity Verification Data
To comply with anti-money laundering obligations and to enable payouts, we may require you to provide identity documents (e.g. passport or driving licence) via Stripe’s identity verification service. HSC does not retain copies of these documents — they are processed and stored by Stripe.
3. How We Use Your Data
Providing the Service
To create and manage your account, display your listings, process transactions, facilitate buyer–seller communications, resolve disputes, and manage your wallet.
Processing Payments
To initiate, process, and record payments via Stripe; to credit seller wallets; to process withdrawals; and to manage refunds and chargebacks.
Fraud Prevention & Security
To detect and prevent fraudulent activity, account takeovers, prohibited listings, and money laundering. We may use automated systems to flag suspicious behaviour for human review.
Legal Obligations
To comply with our legal obligations, including financial record-keeping, tax reporting (including HMRC DAC7 seller income reporting), responding to law enforcement requests, and complying with court orders.
Customer Support
To respond to your support requests, investigate and resolve disputes, and improve our support processes.
Platform Improvement
To analyse usage patterns, identify bugs, test new features, and improve the HSC platform using aggregated and anonymised data.
Marketing (with consent)
Where you have opted in, we may send you promotional emails about new features, special offers, and relevant listings. You can unsubscribe at any time using the link in any marketing email or via your account settings. We do not send marketing by SMS without explicit consent.
Personalisation
To personalise your experience — for example, showing you listings relevant to your location and browsing history. You can control personalisation preferences in your account settings.
4. Legal Basis for Processing
Under the UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following bases:
| Purpose | Legal Basis |
|---|---|
| Account registration & management | Contract (Art. 6(1)(b) UK GDPR) |
| Processing transactions & payments | Contract (Art. 6(1)(b) UK GDPR) |
| Fraud prevention & platform security | Legitimate interests (Art. 6(1)(f) UK GDPR) |
| Financial record-keeping | Legal obligation (Art. 6(1)(c) UK GDPR) |
| HMRC tax reporting (DAC7) | Legal obligation (Art. 6(1)(c) UK GDPR) |
| Marketing emails | Consent (Art. 6(1)(a) UK GDPR) |
| Analytics & platform improvement | Legitimate interests / Consent (where cookies used) |
| Dispute resolution & legal claims | Legitimate interests / Legal obligation |
| Identity verification for payouts | Legal obligation (AML regulations) |
Where we rely on legitimate interests, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. Where we rely on consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal.
5. Data Sharing
We never sell your personal data to third parties. We share data only in the following circumstances:
Stripe (Payment Processing)
We share transaction data and identity information with Stripe, Inc. to process payments, manage payouts, and conduct identity verification as required by AML regulations. Stripe acts as a data processor on our behalf and as an independent data controller for certain purposes. Stripe is certified to PCI DSS Level 1. See stripe.com/gb/privacy.
Cloudinary (Image Hosting)
Listing photographs and profile images are uploaded to and served from Cloudinary. Cloudinary processes image data on our behalf as a data processor under a Data Processing Agreement.
AWS (Cloud Infrastructure)
Our platform is hosted on Amazon Web Services (AWS). AWS processes data on our behalf as a data processor. Data is stored in UK/EEA data centres where possible.
Analytics Providers
Where you have consented to analytics cookies, anonymised or pseudonymised usage data may be shared with analytics providers (such as Google Analytics). These providers act as data processors. No personally identifiable information is shared with analytics providers for advertising purposes without your explicit consent.
Law Enforcement & Legal Proceedings
We may disclose your data to law enforcement, regulatory authorities, or courts where required by law, court order, or to protect the legal rights and safety of HSC, our users, or third parties.
Buyers & Sellers
When a transaction is completed, limited information (such as your name and the delivery address you provide) is shared with the other party to fulfil the order. Your email address and phone number are not shared without your consent.
Business Transfers
If HSC is acquired by or merged with another company, your personal data may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.
6. Data Retention
| Data Category | Retention Period | Reason |
|---|---|---|
| Account & profile data | While account is active + 2 years after closure | Dispute resolution, fraud prevention |
| Transaction & financial records | 7 years from transaction date | UK tax law (HMRC requirement) |
| Active listings | While listing is live | Service delivery |
| Expired / deleted listings | 30 days then permanently purged | Grace period for reinstatement |
| Messages & communications | 2 years from last message | Dispute resolution, fraud prevention |
| Support tickets | 3 years from ticket closure | Legal claims limitation period |
| Security logs (IP, access) | 12 months | Fraud prevention, security |
| Analytics data | 26 months (standard industry) | Trend analysis |
| Marketing consent records | Duration of consent + 3 years | Proof of consent |
When data is no longer required, it is securely deleted or anonymised. We conduct regular data audits to ensure we are not retaining data beyond what is necessary.
7. Your Rights
Under the UK GDPR, you have the following rights in relation to your personal data. These rights are not absolute and are subject to certain exceptions.
Right of Access
You have the right to request a copy of the personal data we hold about you (Subject Access Request). We will respond within 30 days. The first copy is free; we may charge a reasonable fee for additional copies.
Right to Rectification
You have the right to request that we correct inaccurate or incomplete personal data. You can update most information directly in your account settings.
Right to Erasure
You have the right to request deletion of your personal data ("right to be forgotten") in certain circumstances — for example where the data is no longer necessary or where you withdraw consent. This right does not override our legal obligation to retain financial records.
Right to Portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to request that we transfer it to another controller where technically feasible.
Right to Object
You have the right to object to processing based on legitimate interests (including profiling) and to direct marketing. If you object to marketing, we will stop immediately.
Right to Restriction
You have the right to request that we restrict processing of your personal data in certain circumstances — for example while we investigate an accuracy complaint.
Rights re: Automated Decisions
Where we make solely automated decisions that produce legal or similarly significant effects (such as automated account suspension), you have the right to request human review of that decision.
Right to Complain
You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113 if you believe we have not handled your data lawfully.
To exercise any of these rights, contact us at legal@homeshoppingcentre.co.uk. We will verify your identity before processing any request.
9. International Transfers
Whilst HSC primarily processes data within the United Kingdom, some of our third-party service providers may transfer data outside the UK or the European Economic Area (EEA). We ensure all such transfers comply with UK GDPR requirements through appropriate safeguards:
Stripe
Stripe, Inc. is headquartered in the United States. Transfers to Stripe are made under the UK International Data Transfer Agreement (IDTA) / Standard Contractual Clauses (SCCs) and Stripe's Binding Corporate Rules. Stripe also holds EU-US Data Privacy Framework certification.
Cloudinary
Cloudinary may process image data on servers in the United States and other countries. Transfers are governed by Standard Contractual Clauses.
AWS
Amazon Web Services offers UK and EEA data centre regions. We select UK/EEA regions where possible. Any AWS transfers outside the UK/EEA are covered by AWS's approved transfer mechanisms.
You may request a copy of the transfer safeguards we use by contacting us at legal@homeshoppingcentre.co.uk.
10. Children
HSC is a platform for adults only. We require all users to be at least 18 years of age. We do not knowingly collect personal data from anyone under 18. If you are a parent or guardian and you believe your child has provided us with personal data, please contact us immediately at legal@homeshoppingcentre.co.uk and we will delete the relevant data promptly.
If we discover that we have collected personal data from someone under 18 without verified parental consent, we will take steps to delete that information immediately and close the associated account.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Updating the “Last updated” date at the top of this page.
- Sending an email notification to your registered email address.
- Displaying a notice in the platform at your next login.
Where required by law, we will seek fresh consent for any material change that affects how we process data based on consent. Your continued use of HSC after the updated policy takes effect constitutes acceptance of the changes.
12. Contact & Data Protection
For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact us:
Data Protection Enquiries
Home Shopping Centre Ltd
[COMPANY ADDRESS]
If you are not satisfied with our response, you have the right to complain to the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
Website: ico.org.uk