RefittrRefittrBack to Home

Privacy Policy

Last updated: May 2026

1. Introduction

Refittr ("we", "our", or "us") operates a compatibility-matched marketplace for second-hand home fixtures. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website at refittr.co.uk, our admin tools, or any related services (together, the "Platform").

We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our registered address is Liverpool, United Kingdom.

2. Data Controller

Refittr is the data controller for personal data collected through the Platform. For any questions about this policy or your data, contact us at admin@refittr.co.uk.

3. Information We Collect

We collect the following categories of personal data:

3.1 Account Information

  • Name and email address when you create an account.
  • Company name if you register a business account.
  • Phone number if you choose to provide one (optional, used for order queries).
  • Postcode to enable location-based matching and delivery estimates.
  • Password (stored in hashed form only; we never store or see your actual password).

3.2 Property and Fixture Information

  • House type, builder, and development to power our compatibility matching.
  • Listing details including fixture descriptions, photographs, dimensions, condition, and pricing.
  • Room information including room types, dimensions, and floor levels.

3.3 Transaction and Delivery Data

  • Delivery addresses when you commit to an extraction and delivery order.
  • Transaction records including order details, quantities, pricing, and order status.
  • Extraction job details including scheduling information, proposed time slots, and job status.
  • Communication records related to your orders and support queries.

3.4 Payment Data

  • Stripe payment data. Payments are processed by Stripe. We receive confirmation of payment status, transaction references, and payment intent identifiers. We do not store your full card number, expiry date, or CVV. Stripe's own privacy policy governs how they handle your payment card details.

3.5 Usage and Technical Data

  • Analytics data collected via Vercel Analytics, including pages visited, referral source, and general interaction patterns. This data is aggregated and does not include personal identifiers.
  • Device and browser information including browser type, operating system, and screen resolution.
  • Authentication tokens and session data to keep you logged in securely.

4. How We Use Your Information

We use your personal data for the following purposes:

  • Operating the marketplace: creating your account, displaying listings, processing compatibility matches, and enabling transactions between buyers and sellers.
  • Processing orders: coordinating extraction jobs, managing delivery scheduling, processing payments via Stripe, and tracking order status.
  • Compatibility matching: comparing your registered house type against our schema database to indicate whether fixtures from matching house types are dimensionally compatible.
  • Communication: sending order confirmations, extraction scheduling updates, quote notifications, and responding to your support queries.
  • Platform improvement: analysing usage patterns (in aggregate) to improve the user experience and fix issues.
  • Legal compliance: meeting our obligations under applicable laws, including tax and consumer protection regulations.
  • Fraud prevention: detecting and preventing fraudulent or abusive activity on the Platform.

5. Legal Basis for Processing

Under UK GDPR, we process your data on the following legal bases:

  • Contract performance (Article 6(1)(b)): processing necessary to fulfil our contract with you, including account management, order processing, extraction coordination, and payment handling.
  • Legitimate interests (Article 6(1)(f)): improving our Platform, preventing fraud, and ensuring security. We balance our interests against your rights and only process data where the impact on you is minimal.
  • Legal obligation (Article 6(1)(c)): where we are required to process data by law, such as tax or regulatory requirements.
  • Consent (Article 6(1)(a)): for any optional marketing communications. You can withdraw consent at any time.

6. Who We Share Your Data With

We do not sell your personal data. We share data only with:

  • Stripe (payment processor): to process transactions securely. Stripe acts as an independent data controller for payment card data. See Stripe's Privacy Policy.
  • Supabase (database and authentication): hosts our database and authentication services. Data is stored in EU/UK data centres.
  • Vercel (hosting and analytics): hosts our website and provides aggregated, privacy-focused analytics. See Vercel's Privacy Policy.
  • Extraction partners: approved contractors who carry out fixture extraction and delivery. They receive the minimum data necessary to complete the job (delivery address, contact details, fixture details, and scheduling information).
  • Other users: your postcode area (not full address) may be visible on listings. Full delivery addresses are shared with extraction partners only after payment clears.
  • Law enforcement or regulators: where required by law, court order, or regulatory obligation.

7. Data Storage and Security

Your data is stored in secure, encrypted databases. We use industry-standard security measures including:

  • Encrypted connections (HTTPS/TLS) for all data in transit.
  • Row-level security policies in our database to ensure users can only access their own data.
  • Hashed passwords (we never store passwords in plain text).
  • Regular security reviews of our codebase and infrastructure.

Our primary data processing takes place within the UK and European Economic Area. Where data is processed outside the UK/EEA (for example, by US-based sub-processors), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses.

8. Data Retention

We retain your personal data for as long as necessary to fulfil the purposes described in this policy:

  • Account data: retained while your account is active, and for up to 12 months after account closure (to handle any outstanding disputes or queries).
  • Transaction and order data: retained for 6 years after the transaction completes, as required for tax and legal compliance.
  • Analytics data: aggregated analytics data is retained indefinitely. Individual session data is retained for up to 12 months.
  • Support communications: retained for 2 years after the query is resolved.

You can request deletion of your account and personal data at any time (see Section 9). Some data may need to be retained for legal compliance even after deletion is requested.

9. Your Rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Rectification of inaccurate or incomplete data.
  • Erasure ("right to be forgotten") of your data, subject to legal retention requirements.
  • Restrict processing of your data in certain circumstances.
  • Data portability to receive your data in a structured, machine-readable format.
  • Object to processing based on legitimate interests.
  • Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, contact us at admin@refittr.co.uk. We will respond within 30 days.

If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.

10. Cookies and Tracking

We use the following cookies and similar technologies:

  • Essential cookies: required for authentication and core Platform functionality (e.g., session tokens). These cannot be disabled.
  • Analytics: Vercel Analytics collects aggregated, privacy-focused usage data. It does not use third-party cookies or track you across other websites.

We do not use advertising cookies, retargeting pixels, or any third-party tracking tools beyond those listed above. You can manage cookies through your browser settings.

11. Children

The Platform is not directed to individuals under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated policy on this page and update the "Last updated" date. For material changes, we will notify registered users via email or Platform notification.

13. Contact

For any questions about this Privacy Policy or how we handle your data:

Email: admin@refittr.co.uk

Location: Liverpool, United Kingdom