Shelfd

Privacy Policy

Last updated: 5 April 2026

1. Who We Are

Shelfd is operated by Alexandra Phelan ("we", "us", "our"), based in the United Kingdom. We are the data controller for personal data processed through the Shelfd platform (the website at getshelfd.app and any associated web application).

Contact: hello@getshelfd.app

2. What Data We Collect

We collect the following categories of personal data:

Account information: Email address, username, and password (hashed — we never store your password in plain text). Provided when you create an account.

Profile information: Bio, location (city/region, not precise address), avatar image, social media handles, and postal preferences. Provided voluntarily when you set up your profile.

Collection data: Which figures you mark as owned, wanted, or dupes. This powers your collection tracking and trade matching.

Trade data: Trade listings you post (which figures you have and want), trade status, and any notes you include. This enables the trading features.

Messages: The content of messages you send to other users through the Platform. This enables the messaging feature.

Postal addresses: When you agree a trade, you may share your postal address with your trade partner through the Platform. Addresses are encrypted at rest and automatically deleted 7 days after trade completion. See Section 6 for details.

Technical data: IP address, browser type, device information, and usage analytics. Collected automatically to keep the Platform running and secure.

3. How We Use Your Data

We use your personal data for the following purposes:

  • To provide the Platform: Account management, collection tracking, trade matching, messaging, and all core features.
  • To match trades: We compare your wanted/dupe figures against other users' trade listings to suggest matches. This is core to how Shelfd works.
  • To communicate with you: Account verification emails, password resets, trade notifications, and important service updates.
  • To keep the Platform safe: Fraud detection, abuse prevention, enforcing our Terms & Conditions, and responding to reports.
  • To improve the Platform: Aggregated, anonymised usage data to understand how features are used and where to improve.

4. Legal Basis for Processing (UK GDPR)

We process your personal data on the following legal bases:

  • Contract: Processing necessary to provide you with the Shelfd service you signed up for (account, collection, trading, messaging).
  • Legitimate interests: Platform security, fraud prevention, and service improvement, where these interests are not overridden by your rights.
  • Consent: Where you voluntarily provide optional information (such as your bio or social media handles), or where we send you marketing communications.
  • Legal obligation: Where we are required to retain or disclose data to comply with applicable law.

5. What We Share

With other users: Your public profile information (username, avatar, bio, location, verification status, trust tier, postal preferences) is visible to other authenticated users. Your trade listings are visible to all authenticated users. Messages are only visible to the participants in that conversation.

With service providers: We use the following third-party services to operate the Platform:

  • Supabase (database, authentication, file storage) — hosted in the EU. Supabase Privacy Policy
  • Netlify (web hosting) — Netlify Privacy Policy

We do not sell your personal data. We do not share your data with advertisers. We do not use your data for profiling or automated decision-making beyond the trade matching described above.

With law enforcement: We may disclose your data if required by law, court order, or if we believe disclosure is necessary to protect the safety of our users or the public.

6. Postal Address Protection

Your postal address is sensitive data and we treat it with extra care:

  • Addresses are only shared with your specific trade partner during an active trade.
  • Addresses are encrypted at rest in our database using column-level encryption.
  • Addresses are automatically and permanently deleted 7 days after trade completion.
  • Our team cannot read your address in the database due to the encryption.
  • You can request immediate deletion of your address at any time via Account settings or by contacting us.

7. Data Retention

We retain your personal data for as long as your account is active. Specific retention periods:

  • Account & profile data: Until you delete your account.
  • Collection data: Until you delete your account.
  • Trade listings: Until you delete your account. Completed trade records are anonymised after 12 months.
  • Messages: Until you delete your account or the conversation is deleted.
  • Postal addresses: Automatically deleted 7 days after trade completion.
  • Reports: Retained for 24 months for safety review purposes, then deleted.
  • Technical logs: Retained for up to 90 days.

8. Your Rights (UK GDPR)

Under the UK General Data Protection Regulation, you have the following rights:

  • Right of access: You can request a copy of all personal data we hold about you.
  • Right to rectification: You can update your profile information at any time through the app, or ask us to correct inaccurate data.
  • Right to erasure: You can delete your account and all associated data at any time from Account settings in the app. This permanently removes your profile, collection, trades, messages, and any stored addresses.
  • Right to restriction: You can ask us to restrict the processing of your data in certain circumstances.
  • Right to data portability: You can request your data in a structured, commonly used, machine-readable format.
  • Right to object: You can object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time.

To exercise any of these rights, email us at hello@getshelfd.app or use the contact form and select "Data request (GDPR)". We will respond within 30 days.

9. Cookies & Local Storage

We use minimal cookies and browser storage:

  • Authentication token: A session token stored in your browser to keep you logged in. Essential for the Platform to function.
  • Preferences: Your selected filters and view preferences, stored locally in your browser. Not transmitted to our servers.

We do not use tracking cookies, advertising cookies, or third-party analytics cookies. We do not track you across other websites.

10. International Transfers

Your data is primarily stored on Supabase infrastructure in the EU. Where data is transferred outside the UK/EU (for example, to service providers in the United States), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.

11. Security

We take the security of your data seriously. Measures include:

  • Passwords hashed with bcrypt (never stored in plain text).
  • Postal addresses encrypted at rest with column-level encryption.
  • Row-level security on all database tables (users can only access their own data).
  • HTTPS encryption on all connections.
  • Automatic address deletion after trade completion.

No system is 100% secure. If you discover a security vulnerability, please report it responsibly to hello@getshelfd.app.

12. Children's Privacy

Shelfd is not intended for anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18, we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via the Platform or by email before the changes take effect. The "Last updated" date at the top of this page indicates when this policy was last revised.

14. Complaints

If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection regulator:

  • Website: ico.org.uk
  • Phone: 0303 123 1113

We would appreciate the chance to address your concerns first — please contact us at hello@getshelfd.app before escalating to the ICO.

15. Contact

For any privacy-related questions or to exercise your data rights:

  • Email: hello@getshelfd.app
  • Contact form: getshelfd.app/contact (select "Data request (GDPR)")
© 2026 Shelfd. All rights reserved.