Privacy Policy
Last updated: March 2026
1. Introduction
Welcome to Thrifted.mt. We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we look after your personal data when you visit our website and tells you about your privacy rights and how the law protects you.
2. Data Controller
The data controller for all personal data processed through Thrifted.mt is:
- Entity: Joshua Fielding (Sole Trader), trading as Thrifted.mt
- Address: 53 Triq Il-Lunzjata, Flat 3 Julian Flats, San Gwann SGN 1312, Malta
- Email: [email protected]
If you have any questions about how your personal data is processed, please contact us at the address above.
3. Data We Collect
We may collect, use, store and transfer different kinds of personal data about you, grouped as follows:
- Identity Data: first name, last name, username or similar identifier. For sellers undergoing ID verification, this also includes images of government-issued ID documents (see Section 5).
- Contact Data: email address, delivery address and telephone number.
- Financial Data: bank account number (IBAN) and payment card details. Your IBAN is encrypted at rest and used only to process earnings withdrawals (see Section 5a). Payment card details are processed exclusively by Stripe and are never stored by us.
- Transaction Data: details about payments to and from you and details of products you have purchased from or sold on our platform.
- Technical Data: IP address, login data, browser type and version, time zone setting and location, operating system and platform.
- Profile Data: username, password, purchases or orders made by you, interests, preferences and feedback.
- Listing Content: item photos, descriptions, prices and other information you provide when creating a listing.
- Promotion Data: listing boost purchase records, free boost credits awarded and used, boost durations and expiry dates.
We collect only the personal data necessary for the purposes described in this policy. Where possible, we use anonymisation or pseudonymisation to reduce the identifiability of data.
4. How We Use Your Data & Lawful Basis
We only use your personal data when the law allows us to. The lawful basis (under GDPR Art. 6) for each type of processing is:
- Account creation and authentication: Performance of contract (Art. 6(1)(b)).
- Processing orders and payments: Performance of contract (Art. 6(1)(b)).
- ID verification for sellers: Performance of contract (Art. 6(1)(b)) and legitimate interest in fraud prevention (Art. 6(1)(f)).
- AI-assisted listing generation (Gemini/OpenAI): Legitimate interest in platform quality (Art. 6(1)(f)). AI processing of your listing images occurs only when you explicitly use AI auto-fill or Bulk Upload.
- Automated stock-image detection: Legitimate interest in marketplace integrity (Art. 6(1)(f)). See Section 6a.
- Platform communications (emails, notifications): Performance of contract (Art. 6(1)(b)) for transactional messages; legitimate interest (Art. 6(1)(f)) for platform updates.
- Analytics (Google Analytics, PostHog): Consent (Art. 6(1)(a)), only after cookie consent.
- Fraud prevention, dispute handling, security: Legitimate interest (Art. 6(1)(f)).
- Legal and regulatory compliance (financial record retention): Legal obligation (Art. 6(1)(c)).
5. ID Verification
To maintain a safe marketplace, we require sellers to verify their identity before listing items for sale.
- Collection: We collect images of government-issued ID documents (Passport, National ID Card, Driving Licence). You also provide explicit GDPR consent at upload and a timestamp of that consent is recorded.
- Processing, Human Review Only: All ID verification is carried out exclusively by a team member. We do not use bots, AI models or automated decision-making to process, review, approve or reject identity documents.
- Temporary Storage: Upon upload, your document is placed in secure temporary storage with automatic deletion after 24 hours.
- Encryption and Archive: If approved, the document is encrypted using AES-256-GCM and moved to a restricted archive bucket. If rejected, the document is deleted immediately.
- Retention: Archived ID documents are retained for up to 180 days from verification, then permanently deleted. You may request early deletion at any time via [email protected].
- Audit Logs: Access logs related to ID verification actions are retained for 7 years for legal and fraud-prevention compliance. Logs contain metadata only (action, timestamp, anonymised IP address), never document images.
- Legal Basis: Processing is necessary for performance of contract and legitimate interest in fraud prevention.
5a. IBAN (Bank Account Number)
To allow sellers to withdraw earnings, we collect and store an International Bank Account Number (IBAN).
- Collection: Your IBAN is entered voluntarily in your account profile. It is required only for withdrawals.
- Encryption: Your IBAN is encrypted with AES-256-GCM immediately on save and stored encrypted.
- Access: The decrypted IBAN is accessible only to authorised Thrifted.mt staff to process withdrawals.
- Retention: Your IBAN is retained while saved in your profile. You may update or remove it at any time.
- Legal Basis: Processing is necessary for performance of contract (fulfilling your request to be paid for sales).
6. Cookies and Consent
We use cookies to improve your experience.
- Strictly Necessary Cookies: Required for the website to function (for example login sessions and security). These do not require consent.
- Authentication Cookies (Firebase): Used to maintain your login session and authenticate API requests. These are strictly necessary and do not require consent.
- Analytics Cookies (Google Analytics, PostHog): Used to understand how you interact with the website and improve the platform experience. These are not set unless you explicitly give consent via our cookie banner. All PostHog data is processed within the EU.
6a. Automated Decision-Making
We use limited automated processing in the following areas:
- Stock image detection: Listing images are automatically scored for stock-image likelihood. If the score exceeds a threshold, a listing may be hidden for manual review or rejected. You can contest any automated moderation decision via [email protected].
- AI listing generation: When you use AI auto-fill or Bulk Upload, your images may be sent to Google Gemini (or OpenAI fallback) to suggest listing content. Suggestions are assistive only and require your review before publishing.
Under GDPR Art. 22, you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. Where automated moderation is used, human review is available on request.
7. Third-Party Services & International Transfers
We use third-party service providers to operate the platform. Each acts as a data processor under GDPR Art. 28:
- Stripe (USA/EU): Payment processing. Stripe handles payment card data under PCI-DSS terms. We do not store card numbers.
- Brevo (France/EU): Transactional email delivery for confirmations, notifications and account communications.
- Cloudflare (USA/EU): Web hosting, DDoS protection and image storage (R2).
- Google (Firebase Auth and Gemini AI) (USA/EU): Authentication and AI listing generation.
- OpenAI (USA): Fallback AI provider for listing generation.
- Google Analytics (USA/EU): Website usage analytics, only with explicit consent.
- PostHog (EU): Product analytics and event tracking to understand user behaviour and platform performance. Data is hosted in the EU (Frankfurt). Processing is based on explicit consent (Art. 6(1)(a)).
- Google Cloud Translation (USA/EU): Automatic translation of chat messages and listing content. Message text is sent to the Google Cloud Translation API for processing. Translations are cached in our database to reduce repeat API calls.
- MaltaPost (Malta): Shipping label generation and parcel tracking for orders using the pickup point delivery method. MaltaPost receives buyer and seller names, delivery addresses and phone numbers necessary to fulfil the shipment.
- OpenSanctions (EU): Anti-money laundering and sanctions screening. Name and date of birth may be checked against international sanctions lists and politically exposed persons (PEP) databases to comply with Malta's Prevention of Money Laundering Act.
Where data is transferred outside the EEA, we rely on appropriate safeguards such as EU-US Data Privacy Framework, Standard Contractual Clauses (SCCs) or explicit consent where applicable.
Data Processing Agreements (DPAs) with each processor are available upon request to [email protected].
8. Data Security
We implement appropriate security measures to prevent your personal data from being accidentally lost, used, accessed in an unauthorised way, altered or disclosed. Access is limited to personnel and third parties with a business need to know.
8a. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Malta Information and Data Protection Commissioner (IDPC) within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by GDPR Article 34.
9. Your Rights
Under the GDPR, you have the right to:
- Request access to your personal data.
- Request correction of your personal data.
- Request erasure of your personal data (right to be forgotten).
- Object to processing of your personal data.
- Request restriction of processing your personal data. For ID verification, this means your data is stored but not processed until the restriction is lifted. Contact [email protected] to exercise this right.
- Request transfer of your personal data (data portability).
- Withdraw consent at any time where we rely on consent.
- Lodge a complaint: You can lodge a complaint with the Malta Information and Data Protection Commissioner (IDPC) if you believe your personal data has been processed unlawfully. Contact: idpc.org.mt or by post at Commissioner for Information and Data Protection, Second Floor, Airways House, High Street, Sliema SLM 1549, Malta.
10. Account Deletion and Retained Data
How to request deletion
- Sign in and open your Profile page.
- Go to the Danger Zone section.
- Choose Request Account Deletion.
- Type DELETE and confirm.
If you cannot access your account, email [email protected] from the email address associated with your account.
What we delete
- Profile data (name, username, avatar, location, date of birth, IBAN).
- ID verification data and documents.
- Saved items and account notifications.
- Listing boost history and free boost credits.
- Public listing visibility (listings are removed from marketplace views).
What we may retain and why
- Financial records: Wallet balances, wallet transaction ledger and order/payment records for 10 years from transaction date.
- Fraud/dispute records: Marketplace communication and moderation records (including messages, offers and reports exchanged between users) for up to 6 years after account closure or longer where legally required. This data is retained even after account deletion for fraud prevention and dispute resolution purposes.
- Security/audit logs: Security and audit metadata for up to 7 years.
- Legal basis for retention: Legal obligation (GDPR Art. 6(1)(c)) and legitimate interests (GDPR Art. 6(1)(f)).
Deleted accounts are deactivated and cannot continue normal platform use without support review.
11. Contact Us
If you have any questions about this privacy policy or our privacy practices, please contact us at [email protected].
