Privacy Policy
Last updated: 22 February 2026
TeaTrade Exchange ("we", "us", "our") is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the TeaTrade Exchange platform at exchange.teatrade.co.uk.
We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data Controller
The data controller responsible for your personal data is TeaTrade, contactable at contact@teatrade.co.uk.
2. What Data We Collect
| Data Type | Examples | Collected When |
|---|---|---|
| Account information | Email address, username, hashed password | Registration |
| Profile data | Display name, trading preferences | Account setup and use |
| Trading activity | Virtual trades, positions, portfolio history | Using the platform |
| Payment data | Stripe customer ID, transaction references | Making a purchase |
| Contact enquiries | Name, email, message content | Submitting the contact form |
| Technical data | IP address, browser type, device info, pages visited | Visiting the site |
| Cookies & analytics | Google Analytics identifiers, session data | Visiting the site |
We do not collect sensitive personal data (e.g. health, ethnicity, political opinions) and we do not process data about children under 13.
3. How We Use Your Data
We use personal data for the following purposes:
| Purpose | Legal Basis (UK GDPR) |
|---|---|
| Providing and operating the platform | Performance of contract (Art. 6(1)(b)) |
| Processing payments via Stripe | Performance of contract (Art. 6(1)(b)) |
| Sending service-related emails (e.g. verification, password reset) | Performance of contract (Art. 6(1)(b)) |
| Analysing usage to improve the platform | Legitimate interest (Art. 6(1)(f)) |
| Responding to contact enquiries | Legitimate interest (Art. 6(1)(f)) |
| Preventing fraud and abuse | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
4. Third-Party Services
We use the following third-party services that may process your data:
- Supabase (database hosting and authentication) — Data stored on servers in the EU/UK. Supabase Privacy Policy
- Stripe (payment processing) — PCI DSS Level 1 compliant. We never see or store your full card number. Stripe Privacy Policy
- Google Analytics (GA4) (usage analytics) — Collects anonymised browsing data. Google Privacy Policy
- Sentry (error monitoring) — Collects technical error data to help us fix bugs. Sentry Privacy Policy
We do not sell, rent, or share your personal data with third parties for marketing purposes.
5. Cookies
We use cookies and similar technologies for:
- Essential cookies — Authentication tokens and session management. Required for the platform to function.
- Analytics cookies — Google Analytics cookies (_ga, _gid) to understand how visitors use the site. These can be blocked via your browser settings without affecting platform functionality.
You can manage cookie preferences through your browser settings. Blocking essential cookies may prevent you from logging in.
6. Data Retention
- Account data: Retained for as long as your account is active, plus 12 months after deletion request.
- Trading history: Retained for as long as your account is active.
- Payment records: Retained for 7 years in accordance with UK tax and accounting obligations.
- Contact submissions: Retained for 24 months, then deleted.
- Analytics data: Retained per Google Analytics default settings (14 months).
7. Your Rights
Under UK GDPR, you have the following rights:
- Right of access — Request a copy of the personal data we hold about you.
- Right to rectification — Request correction of inaccurate data.
- Right to erasure — Request deletion of your data ("right to be forgotten").
- Right to restrict processing — Request that we limit how we use your data.
- Right to data portability — Request a machine-readable export of your data.
- Right to object — Object to processing based on legitimate interest.
- Right to withdraw consent — Where processing is based on consent, withdraw at any time.
To exercise any of these rights, email us at contact@teatrade.co.uk. We will respond within 30 days.
8. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit (TLS/HTTPS) and at rest
- Hashed and salted password storage (via Supabase Auth)
- Row-level security policies on all database tables
- Two-factor authentication (optional) for user accounts
- Principle of least privilege for system access
9. International Transfers
Your data may be processed outside the UK where our third-party service providers operate. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and adequacy decisions where applicable.
10. Children
TeaTrade Exchange is not intended for use by individuals under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the platform or by email. The "last updated" date at the top of this page indicates when the policy was last revised.
12. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
We would appreciate the opportunity to resolve any concerns directly first — please contact us.
13. Contact
For any privacy-related enquiries, please email contact@teatrade.co.uk.