UK GDPR, Data Protection & E-Commerce Compliance Policy

Version [v1.0] – Effective Date: 11-7-2025

1  Introduction

Superlements operates an online marketplace that enables third-party sellers to offer goods and services-including supplements, beauty items, agricultural produce, meat, fish, books, and online or in-person courses-to consumers and businesses in the UK and worldwide. We respect the privacy and data rights of customers, sellers, employees, contractors, and partners. This policy explains how we collect, use, store, share, and protect personal data in line with:

UK General Data Protection Regulation (UK GDPR)
Data Protection Act 2018
UK consumer and e-commerce legislation (e.g. Consumer Rights Act 2015, E-Commerce Regulations 2002)

2  Scope and Application

This policy applies to:

Consumers purchasing via the Superlements Marketplace.
Third-party sellers listing and fulfilling orders.
Employees, contractors, and business partners.
All personal data handled by the Superlements Marketplace, whether stored or transferred inside or outside the UK.

3  Key Data-Protection Principles

We abide by the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability. Every processing activity is supported by a valid legal basis.

4  What Personal Data We Collect

Data subject	Typical data items
Customers	Name, postal address, email, telephone, payment data, order history, IP address, cookie IDs, ratings & review metadata, buyer–seller inbox messages, logistics data (parcel contents, HS code, tracking ID, delivery-proof images).
Third-party sellers	Business name, registration/ID documents, beneficial ownership details, contact persons, pay-out banking info, VAT number, KYB/KYC checks, sanctions-screening results, seller-performance scores.
Employees & contractors	Personal identifiers, work contact details, payroll and tax data, HR records, DBS/background checks.
Website & marketing users	Device details, browsing activity, cookie IDs, social-media engagement metrics, preferences.

5  Legal Bases for Processing

We rely on one or more of: consent, contractual necessity, legal obligation, and legitimate interest (e.g. fraud prevention, service optimisation, seller vetting).

6  How We Use Personal Data

Customer order fulfilment – payment, delivery, returns.
Seller account management – on-boarding, commission calculation, performance tracking.
Customer service – queries, complaints, dispute resolution.
Marketing – personalised offers and updates (with opt-in consent).
Marketplace ranking & personalisation – surfacing relevant listings and recommendations.
Regulatory screening & risk scoring – automated fraud, money-laundering, counterfeit and safety checks.
Legal compliance – consumer protection, tax, customs, sanctions.
Security & fraud prevention – monitoring transactions and access.

7  Data Sharing with Third Parties

Category	Purpose / examples	Safeguard
Third-party sellers	Delivery addresses, product details necessary to fulfil an order	Seller Terms require GDPR compliance & data-minimisation (30-day retention limit).
Service providers	Payment processors, cloud hosts, ID-verification partners, couriers, warehousing.	Contracts include UK GDPR Article 28 clauses.
Customs & border agencies	Clearing cross-border consignments (e.g. HMRC, US CBP)	Data disclosed only as legally required.
Optional marketplace apps	Inventory or analytics tools chosen by seller	Enabled solely at seller request; separate DPA executed.
Regulators & law enforcement	HMRC, Trading Standards, ICO, sanctions authorities	Only where we have a legal duty to disclose.

8  International Data Transfers

Where data leaves the UK we ensure:

A UK “adequacy” decision or Standard Contractual Clauses / Binding Corporate Rules are in place.
Additional safeguards (encryption etc).
Data localisation rules are met (e.g. payment-data tokenisation).
Data subjects are informed and retain their rights.

9  Data Storage & Security Measures

Encryption at rest and in transit.
Zero-trust, least-privilege, just-in-time access model.
Multi-factor authentication for admin accounts.
Continuous vulnerability scanning and a public bug-bounty programme.
Regular penetration tests and security audits.
Secure deletion and shredding of media when no longer needed.
Data is retained only as long as required (see §18).

10  Consumer & Seller Rights

Individuals may:

Access their data.
Rectify inaccuracies.
Erase data (“right to be forgotten”).
Restrict or object to processing.
Exercise data portability.
Withdraw consent at any time.
Request human review of automated decisions (see §17).
Lodge complaints with the ICO (www.ico.org.uk, 0303 123 1113).

Contact the Data Protection Officer (DPO) at [Insert DPO email].

11  Cookies & Tracking

We use cookies and similar tech to analyse traffic, personalise content, and support advertising (with consent). Full details and preference controls are provided in our Cookie Policy.

12  Third-Party Seller Responsibilities

Use buyer data only for order fulfilment; delete it within 30 days of dispatch.
Conduct sanctions and export-control checks before shipping abroad.
Handle all communications via the in-platform messaging tool; do not harvest personal email lists.
Maintain a compliant privacy notice and register any sub-processors engaged for fulfilment or support.
Adhere to all product-specific laws (supplements, cosmetics, food, meat/fish, books, courses).
Allow Superlements Marketplace to audit data-handling practices; non-compliance may result in suspension.

13  Data-Breach Notification

Contain & assess the breach.
Notify the ICO within 72 hours if required.
Inform affected individuals where risk is high.
Record incident and implement corrective actions.

14  E-Commerce Regulatory Compliance

Superlements also complies with the Consumer Rights Act 2015, E-Commerce Regulations 2002, Electronic Communications Regulations 2003, Distance Selling Regulations, the Payment Services Regulations 2017, and relevant export-control rules.

15  Policy Review & Contact

This policy is reviewed annually or sooner if laws or business processes change.
Questions: [Insert DPO name, email, phone]

16  Complaints & Disputes

If you believe your data has been mishandled, please contact us first. You may also complain to the ICO.

Marketplace Best-Practice Enhancements

17  Automated Decision-Making & Profiling

We use machine-learning models for fraud prevention, counterfeit detection, search ranking and delivery-time prediction. Where an automated decision produces legal or similarly significant effects, you may request human intervention, express your viewpoint, and contest the outcome.

18  Data-Retention Schedule

Category	Standard retention	Legal / operational basis
Orders & invoices	7 years	HMRC requirements
KYC / KYB docs	Life of account + 5 years	Money-Laundering Regulations
Buyer–seller messages	2 years	Dispute resolution

Data is securely erased or anonymised once the retention period ends.

19  Children & Vulnerable Persons

The Platform is not directed at individuals under 18. We do not knowingly process children’s data. Any such data identified will be deleted unless retention is legally required.

20  Sub-Processors List & Change Notification

A real-time list of core sub-processors is available at superlementsstore.com/[—–]. We will give 30 days’ notice before adding or substituting a sub-processor.

21  Policy Versioning & Acceptance

Every revision receives a unique version ID and effective date.

Vendors must accept the latest version in their dashboard before listing new items.
Buyers and visitors are notified via site banner and may access archived versions at superlementstore.com/privacy[—-].

Shop