Thrifted.mt LogoThrifted.mt

Privacy Policy

Last updated: January 2026

1. Introduction

Welcome to Thrifted.mt. We respect your privacy and are committed to protecting your personal data. This privacy policy informs you as to how we look after your personal data when you visit our website (regardless of where you visit it from) and tells you about your privacy rights and how the law protects you.

"Thrifted.mt" refers to the online marketplace platform operating in Malta for buying and selling second-hand items.

2. Data We Collect

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • Identity Data: includes first name, last name, username or similar identifier. For sellers undergoing verification, this also includes government-issued ID documents (processed securely and temporarily).
  • Contact Data: includes email address, delivery address, and telephone number.
  • Financial Data: includes bank account details and payment card details (processed securely by our payment provider, Stripe).
  • Transaction Data: includes details about payments to and from you and other details of products you have purchased from or sold on our platform.
  • Technical Data: includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, and operating system and platform.
  • Profile Data: includes your username, password, purchases or orders made by you, your interests, preferences, and feedback.

3. How We Use Your Data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Performance of Contract: Where we need to perform the contract we are about to enter into or have entered into with you (e.g., processing an order, facilitating a sale).
  • Legitimate Interests: Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (e.g., fraud prevention, platform security).
  • Legal Obligation: Where we need to comply with a legal or regulatory obligation (e.g., anti-money laundering regulations).

4. ID Verification & Automated Processing

To maintain a safe marketplace, we may require sellers to verify their identity.

  • Collection: We collect images of government-issued ID documents (Passport, ID Card, Driving License).
  • Automated Processing (AI): We use third-party automated systems (Google Cloud Document AI) to extract text and data from your ID document to verify its authenticity. This automated decision-making is necessary for entering into a contract (selling on the platform).
  • Human Review: If automated verification fails, a human administrator may review the encrypted document to manually verify identity.
  • Retention: ID documents are encrypted at rest and strictly retained for only 180 days, after which they are permanently deleted. You may request early deletion via your account settings.

5. Cookies and Consent

We use cookies to improve your experience.

  • Strictly Necessary Cookies: Required for the website to function (e.g., login sessions, security). These do not require consent.
  • Analytics Cookies (Google Analytics): Used to understand how you interact with the website. These are NOT set unless you explicitly give consent via our Cookie Banner. You can withdraw this consent at any time.

6. Third-Party Services

We may employ third-party companies and individuals to facilitate our Service ("Service Providers"), to provide the Service on our behalf, to perform Service-related services or to assist us in analyzing how our Service is used.

  • Stripe: Payment processing and payouts.
  • Cloudflare: Web hosting, security, and image optimization.
  • Google Cloud Platform: AI and machine learning services for content moderation and verification.

These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

7. Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Access to your personal data is limited to those employees, agents, contractors and other third parties who have a business need to know.

8. Your Rights

Under the General Data Protection Regulation (GDPR), you have the right to:

  • Request access to your personal data.
  • Request correction of your personal data.
  • Request erasure of your personal data ("right to be forgotten").
  • Object to processing of your personal data.
  • Request restriction of processing your personal data.
  • Request transfer of your personal data ("data portability").
  • Withdraw consent at any time where we are relying on consent to process your personal data.

9. Contact Us

If you have any questions about this privacy policy or our privacy practices, please contact us at gdpr@thrifted.mt.