Don't leave just yet!

Enter your email address below to receive madelocal.app offers and newsletters from time to time.

Back

Privacy Policy

Date last updated 21/06/2021
Introduction

You might have heard of the term “GDPR” but do you know your privacy rights and how you are protected by law? madelocal respects your privacy. It matters to us that users feel safe and secure in all aspects of interacting with us. In this document we set out how we protect your personal data collected through your use of the web application www.madelocal.app including the use of your data by third parties. Please take the time to read and understand what happens to your personal data. If you have any questions or concerns about madelocal’s Privacy Policy please contact us.

“GDPR” is the UK General Data Protection Regulation; in law the Data Protection Act 2018. It sets out rights for individuals on:

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restrict processing
  • the right to data portability
  • the right to object
  • rights around automated decision making and profiling

For further information see the Information Commission Officer website https://ico.org.uk

We do not collect any data in the special category under GDPR.


Glossary
  • “Personal data” and “personal information” means any information about an individual that enables them to be identified such as their name and address.
  • “Sensitive personal data” means data which needs more protection because it is sensitive such as racial or ethnic origin, political opinion, religious or philosophical belief, trade union membership, genetic or biometric data, health, sex life and sexual orientation. madelocal does not collect any data of this nature.
  • “Website” or “the site” or “platform” refer to the web application www.madelocal.app
  • “Use” is defined as browsing, selling or purchasing an item or items, and any activity associated with these tasks such as signing up for an account.
  • “Users” are defined as individuals who browse, sell or purchase items on the website.
  • Users are over 18 years of age. This is a term and condition of use. madelocal does not knowingly collect data from anyone under the age of 18 years.
  • “We”, “us” and “our” refers to madelocal limited.
  • “Third party” or “third parties” refers to an organisation associated with madelocal who processes your personal data as part of your use of madelocal.
  • “madelocal server” refers to the unique and secure hosting of the website on a web server. A web server stores, processes and delivers web pages to display to the users. This intercommunication is done using Hypertext Transfer Protocol Secure (HTTPS).

It is important that the personal data we hold about you is accurate and up to date. In accordance with our Terms and conditions you must let us know if your personal data changes by updating your account details on madelocal. If you fail to provide accurate personal data (for example a postcode) you will not be able to buy or sell items on madelocal.

Your personal data is only used for the purposes for which it is collected by madelocal. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. In accordance with our Terms and conditions madelocal reserves the right to update this policy at any time and without notice. However, when we update this document you will be notified the next time you access the site. We record the date of the last update at the beginning of the document.


Who we are and how to contact us

madelocal is the data controller. madelocal is responsible for your personal data.

madelocal is a limited company registered in England and Wales with company number 13411017. madelocal operates in the United Kingdom.

The registered and postal address of madelocal is Chapel House Ffordd Y Llan Treuddyn Flintshire CH7 4LN. If you have any questions or concerns about madelocal’s Privacy Policy please contact us.


What information do we collect?

madelocal collects, stores, transfers and uses personal data about you. We have specified the types of personal information here:

  • Identity information
  • Profile information
  • Contact information
  • Transaction information
  • User interaction information
  • Marketing information
  • Technical information
  • Usage information
  • Business information

The table describes all of the types of personal data that madelocal collects, stores, transfers and uses.

Data Description Collection Storage Transfer Use
Identity Information
First Name Identifies the user.
Identifies the user in connection with their orders.
User dashboard. On the madelocal server which is protected by a username and password. This data is not transferred. Provision of goods and services.
Last Name Identifies the user.
Identifies the user in connection with their orders.
User dashboard. On the madelocal server which is protected by a username and password. This data is not transferred. Provision of goods and services.
Postcode/location The specific location of the user is not identifiable from their postcode. The postcode is converted to a latitude and longitude to the nearest town. When a user first enters the site they are prompted to enter their postcode in the search box before viewing items for sale in the Marketplace.
The postcode is also collected when a user creates an account.
Session variable temporarily stored in the server’s /tmp directory until the user closes the browser or after 10 mins of inactivity on the site.
When a user creates an account, their postcode is stored on the madelocal server which is protected by a user name and password.
This data is not transferred. Provision of goods and services.
Necessary for the function of the site. What makes madelocal unique is that it prioritises items for sale based on the proximity to the buyer’s location.
Profile Information
Account username/profile name To protect the privacy of users we ask them to enter a username by which they will appear to others in the community; as a seller, and through the messaging function. When a user signs up for a madelocal account. On the madelocal server which is protected by a user name and password. This data is not transferred. Account set up and administration.
Provision of goods and services.
Account password User defined password to secure their sign-in details. When a user signs up for a madelocal account. On the madelocal server which is protected by a user name and password. This data is not transferred. Account set up and administration.
About me Sellers can create a profile to help other users get to know them. madelocal encourages sellers to share their inspiration to help connect with buyers and bring extra meaning to their purchases. On madelocal site located in seller’s dashboard. On the madelocal server which is protected by a user name and password. This data is not transferred. Account set up and administration.
Your T&Cs Sellers can add their own terms and conditions to help build trust and reduce the risk of any unexpected issues. On madelocal site located in seller’s dashboard. On the madelocal server which is protected by a user name and password. This data is not transferred. Account set up and administration.
Your orders A record of items bought and sold. Automatically collected when a transaction is completed by the user. On the madelocal server which is protected by a user name and password. This data is not transferred. Account set up and administration.
Contact Information
Email address A valid email address is a requirement to identify buyers and sellers on madelocal and to provide a point of contact for order confirmations.
Email address acts as the username for an account.
Required for processing payments.
When a user signs up for a madelocal account. On the madelocal server which is protected by a user name and password. It is transferred securely to Stripe through their Application Programming Interface (API) which allows madelocal and Stripe to communicate. Account set up and administration.
Requirement of Stripe to process payments.
Delivery address The buyer must disclose the delivery address during the checkout process if they select a delivery option which requires the seller to have an address for the purposes of dispatching the item. On checkout. On the madelocal server which is protected by a user name and password. This data is not transferred. The delivery address can only be viewed by the seller via their orders on the madelocal dashboard. Provision of goods and services.
Collection address The seller must disclose their address if the buyer selects the option which requires the buyer to have the seller's address for the purposes of collecting the item. When the seller sends the buyer a message containing instructions for collecting their item. On the madelocal server which is protected by a user name and password. The seller’s address is transferred via email to the buyer on completion of purchase. Provision of goods and services.
Transaction Information
Items bought/sold Details of the items including images. On completion of a transaction madelocal creates a record for the order which include the order ID, user ID, Date and time, status, item details, quantity and amount. On the madelocal server which is protected by a user name and password. This data is not transferred. Account administration.
Provision of goods and services.
Payments made by/to you madelocal holds data about every transaction to ensure that the checkout process is successful. Stripe provides madelocal with an ID for every payment and charge made. The ID is stored on the madelocal server which is protected by a user name and password. It is transferred securely to madelocal from Stripe through their Application Programming Interface (API) which allows madelocal and Stripe to communicate. Provision of goods and services.
Provides a reference should a transaction require further discussion with Stripe.
User Interaction Information
Messages The username, date/time and contents of the message. A record of communication between buyers and sellers using the messaging function on the website. Automatically collected when a user sends a message. On the madelocal server which is protected by a user name and password. This data is not transferred. Provision of goods and services.
Messages are only visible to the sender and recipient; not other users of the site.
Reviews The username, data/time and contents of the review. Buyers have the option to leave a review about the item they have purchased. Automatically collected when a user completes the review. On the madelocal server which is protected by a user name and password. This data is not transferred. Provision of goods and services.
Reviews are visible to all users of the site.
Marketing Information
Marketing consent Record of user opting in/out of email marketing communications from madelocal. When a user signs up for a madelocal account. On the madelocal server which is protected by a user name and password. This data is not transferred. Delivering marketing communication.
Technical Information
Session variables Session variables store the user’s information to be used across the site (such as username).
Session variables exist until the user closes the internet browser or signs out of the site.
Throughout the use of the site. Stored on the madelocal server temporarily and are deleted when the user closes the browser window, signs out or following a period of 10 minutes inactivity on a page. This data is not transferred. Provision of goods and services.
Personalisation of content, user experience.
Cookies madelocal website uses cookies to record information about the user, such as the pages visted.
madelocal also uses Google Analytics and tawk.to in order to provide data on the number of visits made to the website.
Google Analytics and tawk.to use cookies.
As a user navigates between web pages. Google Analytics and tawk.to provide madelocal with JavaScript tags (libraries) to record information about the page a user has seen, for example the URL of the page. madelocal does not store cookies. Cookies are placed on the user's device by the user's web browser.
Google Analytics and tawk.to store data on their pages which are accessed by madelocal via a secure log on.
The Google Analytics and tawk.to JavaScript libraries use HTTP Cookies to "remember" what a user has done on previous pages and interactions with the website.
There is no transfer of data from Google Analytics or from tawk.to to madelocal. Personalisation of content, user experience.
Internal research and development purposes.
Internet Protocol (IP) address A numerical label assigned to each device connected to a computer network that uses the internet for communication.
It allows the host or network interface to identify and locate the device.
madelocal website does not collect the users IP address but madelocal uses Google Analytics and tawk.to to provide data on the number of visits made to the website.
Google Analytics and tawk.to collect IP addresses to provide and protect the security of the service, and to give website owners a sense of which country, state, or city in the world their users come from.
The data is stored on the respective web pages which are accessed by madelocal via a secure log ons. There is no transfer of data from Google Analytics or tawk.to to madelocal. Personalisation of content, user experience.
Internal research and development purposes.
User Information
User name The user’s email address is their username.
A valid email address is a requirement to identify buyers and sellers on madelocal and to provide a point of contact for order confirmations.
When a user signs up for a madelocal account. On the madelocal server which is protected by a user name and password. This data is not transferred. Account set up and administration.
Date and time of sign in Record of the date and time that the user signs in to the website. Automatically collected when the user signs in. On the madelocal server which is protected by a user name and password. This data is not transferred. Personalisation of content, user experience.
Internal research and development purposes.
Page(s) visited Record of the pages visited by all users whether or not they are signed in. Automatically collected when the user browses the site. On the madelocal server which is protected by a user name and password. This data is not transferred. Personalisation of content, user experience.
Internal research and development purposes.
Item(s) viewed Record of the itema viewed by the user during a single browsing session. Automatically collected when the user browses the site. On the madelocal server which is protected by a user name and password. This data is not transferred. Personalisation of content, user experience.
Internal research and development purposes.
Business Information
Aggregated data Data of one or more users for the purpose of calculating business information such as the number of users per postcode. Data from individual users is automatically collected.
This data is used for business information and analysis.
On the madelocal server which is protected by a user name and password. This data is not transferred. Internal research and development purposes.

How do we use personal information?

madelocal uses personal information in order to carry out the following services and business-related activities:

  • account set up and administration
  • provision of goods and services
  • personalisation of content, business information or user experience
  • delivering marketing and events communication
  • internal research and development purposes
  • legal obligations (such as the prevention of fraud)
  • meeting internal audit requirements

The table above describes all of the types of personal data that madelocal collects, stores, transfers and uses.

Users must agree to our Terms and conditions when they register an account with madelocal. In those Terms and conditions, we stipulate the collection of the following data:

  • Identification - first name, last name, profile name
  • Contact information - email address
  • Geolocation - postcode and name of the local town inferred from the postcode and confirmed by the user.

We generate a latitude and longitude for the users' location based on the postcode provided.

Additional information collected about madelocal users includes their acceptance of the Terms and Conditions and the date they registered for an account. Furthermore, to become part of the community users have to create a profile. Users are asked to provide a short statement about themselves. The information provided in the statement is given in the knowledge that this is visible to all users of madelocal.

madelocal uses a third party payment provider called Stripe. Stripe provides an end-to-end payment solution to manage third-party transactions, designed for marketplaces like madelocal. Stripe collects the following personal data as part of the account setup process:

  • email address
  • full name
  • country of residence
  • password
  • marketing consent
  • mobile phone number
  • proof of identity
  • proof of address
  • mobile phone number
  • type of business
  • business details
  • bank sort code and account number
  • first name and last name
  • date of birth
  • billing address

For full details see Stripe's Privacy Policy https://stripe.com/en-gb/privacy


What legal basis do we have for processing your personal data?

madelocal processes personal data on the following legal grounds:

  • consent – madelocal collects the consent of users to process their personal data when they create an account and tick the box to accept the Terms and conditions. A separate marketing consent is collected at this point.
  • contract – madelocal enters into contract with users through the provision of a platform to allow the buying and selling of items.
  • legitimate interests – madelocal processes personal data as a necessary part of the provision of the service to its users.

When do we share personal data?

Data sharing means disclosing your personal data to third parties other than madelocal. It also includes the sharing of personal data between different parts of madelocal or other organisations within the same group or under the same parent company.

madelocal treats personal data confidentially and there are only three occasions when we will share or disclose your data with a third party. These are necessary reasons to provide a service to users of the site and to conduct business operations, as outlined in the purposes for processing:

  1. When processing payments through our third party payment provider Stripe. madelocal does not store financial information however other information about the transaction is shared, for example the amount, in order for the transaction to be completed and the site to perform its intended service. Data is transferred securely to Stripe through their Application Programming Interface (API) which allows madelocal and Stripe to communicate.
  2. When a buyer agrees to collect their item from the seller. Sellers can choose how their items are collected or delivered. If a seller selects the option to have the buyer collect the item from them, they agree to their address being shared with the buyer. madelocal communicates the address to the buyer by email on completion of their order. Until the order is completed the buyer can only see the location of the seller at postcode level.
  3. When a buyer completes their address details to enable to the seller to deliver or post the item to them. Sellers can choose local and national delivery options. The delivery address can only be viewed by the seller via their orders on the madelocal dashboard.

We may also need to share personal data with professional advisors, for example with solicitors where relevant in the case of a dispute or claim, and where required as part of legal and regulatory compliance.


Where do we store and process personal data?

madelocal stores all data on a secure web server. madelocal is based and operates in the United Kingdom only. Personal data is therefore processed in the users’ home country. Payment data is processed by Stripe. Stripe is a global business and because madelocal is based in the European Economic Area they comply with applicable laws to provide an adequate level of data protection for the transfer of your personal data.

Access to the madelocal web server is restricted by a user name and password which is only known to the relevant members of madelocal staff.


How do we secure personal data?

madelocal stores all data on a secure web server. Access to data is restricted by a user name and password. madelocal uses appropriate security measures to:

  • protect data against accidental loss
  • prevent unauthorised access, use, destruction or disclosure
  • ensure business continuity and disaster recovery
  • restrict access to personal information
  • conduct privacy impact assessments in accordance with the law and madelocal business policies
  • train employees and contractors on data security
  • manage third party risks, through use of contracts and security reviews
  • deal with suspected personal data breaches
  • Notify users and the ICO of a data breach in accordance with the law

A requirement of the payment process is the collection of the users’ card details. This data is not stored by madelocal. Card details never pass via the madelocal server. madelocal is strictly not allowed to store card details. It is transferred securely to Stripe through their Application Programming Interface (API) which allows madelocal and Stripe to communicate.

In accordance with our Terms and conditions users accept that the Internet is not a completely secure medium for communication and, accordingly, we cannot guarantee the security of any information sent or received via the Internet. We are not responsible for any damages which you, or others, may suffer as a result of the loss of confidentiality of such information.


How long do we keep your personal data for?

madelocal retains your personal data in order to provide you with a record or history of your items sold and purchased. This is considered a legitimate basis for keeping personal data because it is part of the service provided by the site. We also retain your data to satisfy legal, accounting and reporting requirements. For example, details of your orders will be kept for as long as we need to retain the data to comply with our legal and regulatory requirements. This is usually seven years unless the law prescribes a longer period.

To determine the appropriate retention period for personal data, we consider the following factors:

  • Amount, nature and sensitivity
  • Potential risk of harm from unauthorised use or disclosure
  • Purpose for which we collect and process data
  • Alternative means of storage
  • Anonymising the data to remove the personal association
  • Compliance with legal and regulatory requirements
  • Request from users to delete their data

Data is securely disposed of when it is no longer needed by deleting the record from the server.


Your rights in relation to personal data

madelocal respects the right of users to access and control their personal data. We aim to be as transparent as possible about how we collect, store, transfer and use personal data. Under GDPR, individuals have the right to be informed about the collection and use of their personal data, specifically:

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restrict processing
  • the right to data portability
  • the right to object
  • rights around automated decision making and profiling

For further information see the Information Commission Officer website https://ico.org.uk

Under certain circumstances, madelocal users have the right to:

  • Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
  • Request deletion of your personal data. This enables you to ask us to delete or remove personal data where there is no legitimate reason for us to continue to store or use it. For example, where you:
    1. consider that we do not need it any longer for the purposes for which we originally collected it as explained in this Privacy Policy;
    2. have withdrawn your consent to it being used;
    3. consider that we cannot show a valid reason for continuing to use it;
    4. have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to delete your personal data to comply with local law. It is important to note that we may not always be able to comply with your request of deletion for specific legal reasons which we will explain, if applicable, at the time of your request.
  • Object to processing of your personal data where we are relying on a legitimate reason (or that of a third party) and there is something about your particular situation which makes you want to object to this because you feel it impacts on your fundamental rights and freedoms.
  • Object where we are processing your personal data for direct marketing purposes.
  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
    1. if you want us to establish the data’s accuracy;
    2. where our use of the data is unlawful but you do not want us to erase it;
    3. where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims;
    4. you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
  • Request the transfer of your personal data to you or to a third party. We will provide to you or the third party with your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a service contract with you.
  • Withdraw consent at any time where we are relying on your consent to process your personal data. This will not apply to any processing that has already been carried out before you withdraw your consent.

madelocal users wishing to exercise their rights should contact us. We try to respond to all legitimate requests within one month, however it may take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated of progress. If your request is accepted then you will not have to pay a fee to access your personal data. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. In this case we may refuse to fulfil with your request where we can demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

In order to respond to your request, we may need to confirm your identity as a security measure to ensure that your personal data is not disclosed to a person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.


Use of automated decision-making and profiling

What makes madelocal unique is that it prioritises items for sale based on the proximity to the user’s location. In order to do this the user must enter their location in the form of their postcode in the search bar at the top of the Home page. The user’s exact location cannot be determined from the postcode. The website converts the postcode into a latitude and longitude, which generates a place name of the nearest town. The user is asked to confirm their location from a drop-down list before clicking the button to “show items”. The items are listed in order of proximity to the postcode, with the closest items listed first. The location of the items is determined by the seller’s location (postcode) which is collected through the account set-up process. The exact location of the seller is only revealed to the buyer via email if the seller agrees to the item being collected from their home or premises.

madelocal uses session variables to store the user’s information (such as username or items recently browsed) to be used across the site to enable personalisation of content and enhance the user’s experience. Session variables are temporarily stored on the madelocal server and are deleted when the user closes the browser window, signs out or following a period of 10 minutes inactivity on a page.


Use of cookies and other technologies

madelocal uses cookies along with tawk.to and Google Analytics to provide data on the number of visits made to the website. Google Analytics and tawk.to use cookies.

In Google Analytics, every user is registered with a unique ID. Google Analytics uses the unique ID to provide madelocal with insight into how many people visit the site and, for example, how many of them return. The unique IDs are considered personal data under GDPR.

Google Analytics is a simple, easy-to-use tool that helps website owners measure how users interact with website content. As a user navigates between web pages, Google Analytics provides website owners JavaScript tags (libraries) to record information about the page a user has seen, for example the URL of the page.

The Google Analytics JavaScript libraries use HTTP Cookies to "remember" what a user has done on previous pages/interactions with the website.

Google Analytics also collects Internet Protocol (IP) addresses to provide and protect the security of the service, and to give website owners a sense of which country, state, or city in the world their users come from.

Read the Google Analytics privacy document for more details about the data collected by Google Analytics.

madelocal uses tawk.to in order to monitor and chat with visitors on the website.

Tawk.to uses several types of cookies to track visitors to the website and provide madelocal with usage information. For more information about the use of cookies see What are tawk.to cookies and what do they do?

tawk.to collects non-personally-identifying information of the sort that web browsers, apps and servers typically make available, such as the browser type, language preference, geographical location, referring site, and the date and time of each visitor request. tawk.to’s purpose in collecting non-personally identifying information is to better understand how tawk.to’s visitors use its services, and to provide tawk.to users the ability to understand how their visitors use their services. From time to time, tawk.to may release non-personally-identifying information in the aggregate, e.g. by publishing a report on trends in the usage of its services.

tawk.to also collects potentially personally-identifying information like Internet Protocol (IP) addresses for users that use the services and visitors.

madelocal remains in control of the information and data provided by users of the site. As part of the provision of services, tawk.to processes this data for madelocal, but at no stage of the collection, storage or retrieval of data, will the data belong to any other person except madelocal.

By using tawk.to (the chat function on madelocal), users acknowledge and agree to tawk.to’s collection, usage and disclosure of their personal information as governed by tawk.to's Privacy Policy.


Linking to other websites/third party content

madelocal may include links to other websites and third party content, plug-ins and applications. This does not mean that madelocal endorses the use of these sites. When users click on a link and leave madelocal for another site, we have no control or responsibility for the content or privacy of your data. It is important that you read the Privacy Policy of every website you browse.