Shelfd Privacy Policy

Last updated: 18 May 2026

Shelfd (“we”, “us”, “our”) is operated by Photon Labs Ltd, a company registered in England and Wales. Photon Labs Ltd is the data controller for personal information processed through the Shelfd mobile application and website.

ICO registration: ZC136232.

This Privacy Policy explains what information we collect, how we use it, and your rights. See our Terms & Conditions for the rules of the service, and the Trade Protection Agreement for the rules of our optional escrow service.

1. Information We Collect

On the Shelfd website (getshelfd.app)

• Waitlist sign-ups: your email address, optional first name, the page you signed up from, any series or figure you expressed interest in, and — if you arrived via a friend’s invite link — the friend’s referral code so we can credit them.
• Anonymous web analytics: page views, anonymised session pseudonyms (cookieless, daily-rotated), country (from edge headers), device class, referrer URL. No IP address is stored. No cookies are set for analytics.
• Affiliate clicks: when you click an outbound “View on retailer” link we record that the click happened, anonymously, with the retailer + shop link reference.

In the Shelfd app

• Account information: email address, username, and password (stored securely by Supabase Auth — we never see or store your raw password).
• Profile information: optional location (city/country), bio, social media handles, and a profile photo. Visible to other Shelfd users.
• Collection data: figures you mark as owned, wanted, or duplicates — used to power your shelf and trade matching.
• Trade data: trade listings, accepted trades, and messages between traders.
• Shipping addresses: if you share a delivery address during a trade, it is encrypted in our database and automatically deleted 7 days after trade completion. If a trade is in an open dispute the address is retained until the dispute resolves.
• Trade proof photos: photos of the item you’re sending, visible only to the matched counterparty (and to Shelfd administrators if a dispute is raised). Deleted 60 days after the trade is marked completed; held longer if the trade is in an open or resolved dispute.
• Contact submissions: message category and content via the in-app Contact Shelfd form, to respond to your enquiry.
• Technical & usage data: IP address, device model, OS version, app version, timezone, and language — automatically logged by our infrastructure for security monitoring, fraud prevention, and reliability.
• Error reports: diagnostic reports sent to our error-monitoring provider (Sentry) with personal data — names, postcodes, addresses, phone numbers, email addresses, payment details, tracking numbers — actively stripped before transmission.
• Push notifications: if you enable push, your device’s anonymous push token is stored so we can send trade updates, drop-radar alerts, and chat messages.

2. How We Use Your Information

• Provide and maintain the Shelfd service (collection tracking, trading, messaging, drop tracking)
• Match you with relevant trades based on your wishlist and duplicates
• Display your profile to other users so they can trust and trade with you
• Send transactional emails (account confirmation, password reset, trade notifications)
• Respond to your support enquiries
• Monitor for abuse and enforce our Terms

We do not sell your personal information to third parties.

3. Data Storage & Security

Your data is stored on Supabase (hosted in the EU, London region). We use Row Level Security policies to ensure users can only access their own data. Shipping addresses are encrypted at rest using pgcrypto and automatically deleted 7 days after trade completion. All connections use HTTPS/TLS encryption.

4. Data Sharing

We share data only with the following service providers, strictly to operate Shelfd:

• Supabase — EU-hosted database, authentication, storage, and edge functions.
• Netlify — hosting for the public website.
• Sentry — error monitoring; receives diagnostic reports with PII actively redacted.
• ShipEngine — shipping carrier integration; receives your postal address only when you request live shipping rates or book a label for an active trade. Addresses are transmitted for the minimum time required and are not retained by Shelfd beyond the 7-day post-trade window.
• Stripe (Stripe Payments UK Limited) — Stripe acts in two roles. (i) As our payment processor for shipping fees, Trade Protection fees, and Stake authorisations: receives the transaction amount, your card or wallet token, and a non-identifying trade reference. (ii) As an independent data controller when you onboard to Stripe Connect to receive a payout from a resolved Trade Protection dispute (see §5.1). Shelfd never sees or stores your card number.
• Resend — transactional email provider; receives your email address for sign-up confirmation, password reset, and trade notifications.
• Expo Push Notification Service — push delivery; receives your anonymous device push token and notification payload.
• Law enforcement or regulators — only where required by law or a valid legal request.

We do not use advertising networks, cross-site trackers, or sell profile data to third parties.

Optional public shelf

Your collection is private by default. If you choose to make your shelf public via Account → Public Shelf, your owned/dupe figures, username, avatar, and bio become visible to other signed-in Shelfd members only — never to the open web, never indexed by search engines. This is opt-in consent under UK GDPR Article 6(1)(a) and is revocable at any time from the same Account screen.

5. Trade Protection: Additional Data Processing

5.1 Stripe Connect identity verification

If a Trade Protection dispute is resolved in your favour and you are entitled to receive a transfer from the other party’s Stake, you must complete identity verification through Stripe Connect Express. For this flow, Stripe Payments UK Limited acts as an independent data controller (not as our processor). The information you submit during Connect onboarding — typically your full legal name, date of birth, address, and either a national ID document or selfie verification — is collected, processed, and retained by Stripe under their own privacy policy: stripe.com/gb/privacy.

Shelfd receives only a minimal status flag from Stripe (whether your Connect account is verified) plus your Connect account ID.

5.2 Dispute evidence

When you raise or respond to a Trade Protection dispute, the following may be processed and visible to Shelfd administrators:

• Your free-text description of the issue
• Photos and other evidence you upload
• Messages exchanged about the trade
• The trade proof photos taken at trade acceptance
• Address and shipping label data relevant to the disputed trade

Dispute evidence is retained for 60 days after the dispute is formally resolved. Where a dispute is escalated to chargeback proceedings, legal review, or a regulatory enquiry, evidence is held for the longer of (i) 60 days post-resolution, or (ii) the duration required by the relevant external process.

5.3 Payment transaction records

Records of authorised, captured, refunded, and transferred amounts associated with your Stake and Trade Protection Fee are retained for 6 years from the trade completion date to comply with UK financial record-keeping obligations. These records contain transaction IDs, amounts, currencies, and timestamps. They do not contain card details.

6. Your Rights

• View your data in the Account section of the app
• Edit your profile at any time
• Delete your account from Account → Delete Account. Strike and dispute records are retained in anonymised form under UK GDPR Art 6(1)(f) (fraud prevention) and Art 6(1)(b) (contract).
• Download your data from Account → Download my data. Rate-limited to once per 24 hours.
• Request help from us at Shelfd@photonlabs.dev

If you are in the UK or EU, you have additional rights under GDPR including the right to access, rectification, erasure, data portability, and the right to object to processing.

7. Age

Shelfd’s catalogue and collection-tracking features are available to users aged 13 and over — the UK GDPR age of digital consent.

Financial features (Trade Protection escrow and payouts via Stripe Connect) require users to be 18 or over and are subject to Stripe’s own identity verification during onboarding.

If you become aware that anyone under the age of 13 has provided us with personal data, please contact us at Shelfd@photonlabs.dev so we can remove it.

8. Cookies & Tracking

The Shelfd mobile app does not use cookies. We may use basic analytics (session length, feature usage) to improve the service. We do not use advertising trackers.

If we begin sending analytics events to a third-party analytics provider in future, we will update this policy and present a consent prompt before any such data leaves your device.

One functional cookie on the website

When you click a friend’s Shelfd invite link (URLs of the form getshelfd.app/r/CODE or any page including ?ref=CODE), we store the 8-character referral code in a single first-party cookie named shelfd_ref. The cookie lasts 30 days, contains no personal information, and is used solely to credit your friend with the referral if and when you join the waitlist. It is not shared with any third party, is not used for advertising, and is not used for cross-site tracking.

Under the UK Privacy and Electronic Communications Regulations (PECR), this cookie qualifies as “strictly necessary for a service the user has explicitly requested” — by clicking the invite link you implicitly request that attribution be carried to your eventual signup. No consent banner is shown for this cookie. If you would prefer not to set it, clear cookies for getshelfd.app before signing up, or sign up without clicking an invite link.

9. Affiliate Links

Some product links shown in the app or on the Shelfd website are affiliate links — meaning Shelfd may earn a small commission if you make a purchase through them. We currently use:

• Amazon Associates UK (tag dralexunboxed-21) — primarily on Pop Mart product links
• AliExpress Affiliate Programme — on selected reseller storefront links

These commissions never change the price you pay, and we never let the existence of an affiliate relationship influence which products we surface.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or in-app notification.

11. Contact

If you have questions about this Privacy Policy or wish to exercise your GDPR rights:

Data controller: Photon Labs Ltd
Email: Shelfd@photonlabs.dev
In-app: Account → Contact Shelfd

If you believe we have not handled your personal data in accordance with UK GDPR, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.