Privacy Policy
Last updated: May 2026
1. Introduction
Welcome to Thrifted.mt. We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we look after your personal data when you visit our website and tells you about your privacy rights and how the law protects you.
2. Data Controller
The data controller for all personal data processed through Thrifted.mt is:
- Entity: Joshua Fielding (Sole Trader), trading as Thrifted.mt
- Address: 53 Triq Il-Lunzjata, Flat 3 Julian Flats, San Gwann SGN 1312, Malta
- Email: gdpr@thrifted.mt
If you have any questions about how your personal data is processed, please contact us at the address above.
3. Data We Collect
We may collect, use, store and transfer different kinds of personal data about you, grouped as follows:
- Identity Data: first name, last name, username or similar identifier, date of birth and seller payout verification status. For legacy sellers who used our former internal ID verification flow, this may also include records relating to government-issued ID documents (see Section 5).
- Contact Data: email address, delivery address, payout address and telephone number.
- Financial Data: bank account number (IBAN), bank account holder name, Stripe connected account identifiers and payment card details. Your IBAN is encrypted at rest and used to set up Stripe Connect payouts or process legacy wallet withdrawals (see Section 5a). Payment card details are processed exclusively by Stripe and are never stored by us.
- Transaction Data: details about payments to and from you and details of products you have purchased from or sold on our platform.
- Technical Data: IP address, login data, browser type and version, time zone setting and location, operating system and platform.
- Profile Data: username, password, purchases or orders made by you, interests, preferences and feedback.
- Listing Content: item photos, descriptions, prices and other information you provide when creating a listing.
- Promotion Data: listing boost purchase records, free boost credits awarded and used, boost durations and expiry dates.
We collect only the personal data necessary for the purposes described in this policy. Where possible, we use anonymisation or pseudonymisation to reduce the identifiability of data.
4. How We Use Your Data & Lawful Basis
We only use your personal data when the law allows us to. The lawful basis (under GDPR Art. 6) for each type of processing is:
- Account creation and authentication: Performance of contract (Art. 6(1)(b)).
- Processing orders and payments: Performance of contract (Art. 6(1)(b)).
- Seller payout verification through Stripe Connect: Performance of contract (Art. 6(1)(b)), legal obligation where payment compliance rules apply (Art. 6(1)(c)) and legitimate interest in fraud prevention (Art. 6(1)(f)).
- AI-assisted listing generation (Gemini/OpenAI): Legitimate interest in platform quality (Art. 6(1)(f)). AI processing of your listing images occurs only when you explicitly use AI auto-fill or Bulk Upload.
- Automated stock-image detection: Legitimate interest in marketplace integrity (Art. 6(1)(f)). See Section 6a.
- Platform communications (emails, notifications): Performance of contract (Art. 6(1)(b)) for transactional messages; legitimate interest (Art. 6(1)(f)) for platform updates.
- Client-side analytics (Google Analytics, PostHog pageviews): Consent (Art. 6(1)(a)), only after cookie consent.
- Server-side operational analytics (PostHog event tracking for orders, bundles, fraud signals): Legitimate interest in platform integrity and fraud prevention (Art. 6(1)(f)). These events are tied to platform operations, not browsing behaviour, and cannot be consent-gated as they fire from server-side webhooks.
- Fraud prevention, dispute handling, security: Legitimate interest (Art. 6(1)(f)).
- Legal and regulatory compliance (financial record retention): Legal obligation (Art. 6(1)(c)).
5. Seller Verification and Legacy ID Verification
Seller verification and payout compliance are now handled through Stripe Connect. We no longer accept new government ID uploads through our own internal ID verification system.
- Stripe Connect collection: To receive payouts, sellers provide legal name, date of birth, address, phone number, email address and bank account details. Stripe may request additional identity, business or tax information directly during onboarding.
- Stripe processing: Stripe processes connected account verification, know-your-customer checks and payout eligibility under Stripe's own legal terms and privacy policy. We receive and store the Stripe connected account ID and status flags such as whether charges and payouts are enabled.
- Platform use: We use seller verification status to decide whether listings can remain visible, whether payouts can be made and whether additional compliance review is required.
- Legacy internal ID records: If you previously submitted an ID document to our former internal verification flow, that document was reviewed manually by a team member, not by bots or AI models. New uploads to this internal flow are no longer accepted.
- Legacy temporary storage: Legacy ID uploads were encrypted and placed in secure temporary storage with automatic deletion after 24 hours.
- Legacy archive and retention: Approved legacy ID documents were encrypted using AES-256-GCM and retained for up to 180 days from verification, then permanently deleted. Rejected documents were deleted immediately. You may request early deletion at any time via gdpr@thrifted.mt.
- Audit Logs: Access logs related to legacy ID verification actions are retained for 7 years for legal and fraud-prevention compliance. Logs contain metadata only (action, timestamp, anonymised IP address, user identifier, reviewer identifier, browser user-agent and action details such as rejection reason), never document images.
- Legal Basis: Processing is necessary for performance of contract, legal compliance and legitimate interest in fraud prevention.
5a. IBAN (Bank Account Number)
To allow sellers to receive earnings, we collect and store an International Bank Account Number (IBAN).
- Collection: Your IBAN is entered voluntarily in your account profile or payout setup flow. It is required to set up Stripe Connect payouts or to process legacy wallet withdrawals.
- Encryption: Your IBAN is encrypted with AES-256-GCM immediately on save and stored encrypted.
- Stripe Connect: When you set up a connected payout account, your IBAN and account holder name may be sent to Stripe to create or update your external bank account.
- Access: Decrypted IBAN is accessible only to authorised Thrifted.mt staff for payout support, legacy withdrawals and compliance checks.
- Retention: Your IBAN is retained while saved in your profile. You may update or remove it at any time.
- Legal Basis: Processing is necessary for performance of contract (fulfilling your request to be paid for sales).
6. Cookies and Consent
We use cookies to improve your experience.
- Strictly Necessary Cookies: Required for the website to function (for example login sessions and security). These do not require consent.
- Authentication Cookies (Firebase): Used to maintain your login session and authenticate API requests. These are strictly necessary and do not require consent.
- Analytics Cookies (Google Analytics, PostHog): Used to understand how you interact with the website and improve the platform experience. These are not set unless you explicitly give consent via our cookie banner. All PostHog data is processed within the EU.
6a. Automated Decision-Making
We use limited automated processing in the following areas:
- Stock image detection: Listing images are automatically scored for stock-image likelihood. If the score exceeds a threshold, a listing may be hidden for manual review or rejected. You can contest any automated moderation decision via support@thrifted.mt.
- AI listing generation: When you use AI auto-fill or Bulk Upload, your images may be sent to Google Gemini (or OpenAI fallback) to suggest listing content. Suggestions are assistive only and require your review before publishing.
- Chat message moderation: Messages sent between users are automatically screened for prohibited content using both rule-based filters and AI analysis (Google Gemini). Messages that violate our community guidelines may be blocked from delivery or flagged for manual review. You can contest any moderation decision via support@thrifted.mt.
- Anti-money laundering and payout risk checks: We monitor transaction patterns, withdrawal limits and bank account holder name matching. We may also perform sanctions or PEP screening where required. If a suspicious pattern is detected, your account may be temporarily restricted pending manual review. You have the right to request human review of any automated restriction via gdpr@thrifted.mt.
Under GDPR Art. 22, you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. Where automated moderation is used, human review is available on request.
7. Third-Party Services & International Transfers
We use third-party service providers to operate the platform. Each acts as a data processor under GDPR Art. 28:
- Stripe (USA/EU): Payment processing, Stripe Connect seller onboarding, connected account verification and payouts. Stripe handles payment card data under PCI-DSS terms. We do not store card numbers.
- Brevo (France/EU): Transactional email delivery for confirmations, notifications and account communications.
- Cloudflare (USA/EU): Web hosting, DDoS protection and image storage (R2).
- Google (Firebase Auth and Gemini AI) (USA/EU): Authentication and AI listing generation.
- OpenAI (USA): Fallback AI provider for listing generation.
- Google Analytics (USA/EU): Website usage analytics, only with explicit consent.
- PostHog (EU): Product analytics and event tracking to understand user behaviour and platform performance. Data is hosted in the EU (Frankfurt). Processing is based on explicit consent (Art. 6(1)(a)).
- Google Cloud Translation (USA/EU): Automatic translation of chat messages and listing content. Message text is sent to the Google Cloud Translation API for processing. Translations are cached in our database to reduce repeat API calls.
- DeepL (Germany/EU): Primary translation provider for listing content and chat messages into supported languages (Italian, Spanish, Portuguese). Message text is sent to the DeepL API for processing. DeepL processes data within the EU.
- OneSignal (USA/EU): Push notification delivery for mobile and web. Your user ID is shared with OneSignal to deliver notifications. OneSignal is Privacy Shield certified and supports EU data processing.
- MaltaPost (Malta): Shipping label generation and parcel tracking for orders using the pickup point delivery method. MaltaPost receives buyer and seller names, delivery addresses and phone numbers necessary to fulfil the shipment.
- Apple (USA): Authentication via Sign in with Apple on iOS devices. Apple provides your name and email address during sign-in. Apple's privacy policy governs how Apple processes your credentials.
- Shopify, WooCommerce, Wix, Squarespace (various): Store integration for sellers who import products from their own e-commerce stores. When you connect a store, product data (names, prices, images, inventory) is synced between the external store and Thrifted.mt using your OAuth authorisation. No data is shared unless you explicitly connect your store.
- Resend (USA): Administrative email delivery for internal platform notifications. Resend does not process user-facing emails or user personal data as recipients.
- Amazon Web Services (USA/EU): Email bounce and complaint handling via AWS SNS. Email addresses and delivery event metadata (bounce type, complaint type) are processed to maintain email deliverability. No email content is stored.
- OpenSanctions (EU): Anti-money laundering and sanctions screening where enabled or required. Name and date of birth may be checked against international sanctions lists and politically exposed persons (PEP) databases to comply with Malta's Prevention of Money Laundering Act.
Where data is transferred outside the EEA, we rely on appropriate safeguards such as EU-US Data Privacy Framework, Standard Contractual Clauses (SCCs) or explicit consent where applicable.
Data Processing Agreements (DPAs) with each processor are available upon request to gdpr@thrifted.mt.
8. Data Security
We implement appropriate security measures to prevent your personal data from being accidentally lost, used, accessed in an unauthorised way, altered or disclosed. Access is limited to personnel and third parties with a business need to know.
8a. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Malta Information and Data Protection Commissioner (IDPC) within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by GDPR Article 34.
9. Your Rights
Under the GDPR, you have the right to:
- Request access to your personal data.
- Request correction of your personal data.
- Request erasure of your personal data (right to be forgotten).
- Object to processing of your personal data.
- Request restriction of processing your personal data. For legacy internal ID verification records, this means your data is stored but not processed until the restriction is lifted. Stripe Connect verification data is handled under Stripe's own restriction and compliance processes. Contact gdpr@thrifted.mt to exercise this right.
- Request transfer of your personal data (data portability).
- Withdraw consent at any time where we rely on consent.
- Lodge a complaint: You can lodge a complaint with the Malta Information and Data Protection Commissioner (IDPC) if you believe your personal data has been processed unlawfully. Contact: idpc.org.mt or by post at Commissioner for Information and Data Protection, Second Floor, Airways House, High Street, Sliema SLM 1549, Malta.
10. Account Deletion and Retained Data
How to request deletion
- Sign in and open your Profile page.
- Go to the Danger Zone section.
- Choose Request Account Deletion.
- Type DELETE and confirm.
If you cannot access your account, email gdpr@thrifted.mt from the email address associated with your account.
What we delete
- Profile data (name, username, avatar, location, date of birth, IBAN and payout address).
- Legacy internal ID verification data and documents held by us, where no legal retention reason applies.
- Saved items and account notifications.
- Listing boost history and free boost credits.
- Public listing visibility (listings are removed from marketplace views).
What we may retain and why
- Financial records: Wallet balances, wallet transaction ledger and order/payment records for 10 years from transaction date.
- Fraud/dispute records: Marketplace communication metadata (sender, receiver, timestamp, listing reference) and moderation records (offers, reports, disputes) for up to 6 years after account closure or longer where legally required. Message content is anonymised immediately upon account deletion; only metadata is retained for fraud prevention and dispute resolution.
- Security/audit logs: Security and audit metadata for up to 7 years.
- Legal basis for retention: Legal obligation (GDPR Art. 6(1)(c)) and legitimate interests (GDPR Art. 6(1)(f)).
Deleted accounts are deactivated and cannot continue normal platform use without support review.
11. Contact Us
If you have any questions about this privacy policy or our privacy practices, please contact us at gdpr@thrifted.mt.
