Privacy Policy

1. Quick summary

We collect the minimum data required to operate a crypto-settled electronics marketplace. The largest categories are account data (email, password hash), order data (items, shipping address, payment metadata), and verification data (identity documents you submit for KYC). We use that data to fulfil your Orders, to comply with our anti-money-laundering obligations, to prevent fraud, and to improve and secure the Services.

We do not sell your personal data. We do not run third-party advertising trackers. We share data with carefully chosen processors (such as our payment provider and our identity-verification vendor) and with regulators and law-enforcement where we are required to do so by law. We retain your data for as long as your Account is active and afterwards for the periods required by applicable law.

2. Controller and contact details

The controller for your personal data is Specialist Electronics Ltd, a company registered in England and Wales with company number 17060942. Our registered office is available from Companies House. Data-protection enquiries can be sent to [email protected]. We will respond to substantive requests within 30 calendar days; complex requests may take up to 60 days under UK GDPR, in which case we will tell you within the first 30 days.

3. The data we collect

4. How we use your data and the legal bases

Under UK and EU data-protection law, we must identify a lawful basis for each processing activity. The principal bases we rely on are summarised in the table below. Where we rely on legitimate interests, you have the right to object — see clause 11.

Provide the Services and perform our contract with you

Account creation, login, checkout, payment confirmation, fulfilment, customer service. (Legal basis: contract performance.)

Process Cryptocurrency payments and credit your Account

Receiving on-chain payments, applying Store Credit, issuing refunds and payouts. (Legal basis: contract; legal obligation for AML records.)

Comply with AML, KYC and sanctions obligations

Identity verification, sanctions screening, transaction monitoring, regulatory reporting. (Legal basis: legal obligation; substantial public interest for special-category data.)

Prevent and detect fraud and abuse

Risk scoring, IP geolocation, velocity checks, manual review. (Legal basis: legitimate interests in running a secure marketplace.)

Communicate with you about Orders, security, policy changes

Order confirmations, shipping updates, password and 2FA alerts, mandatory legal notices. (Legal basis: contract; legal obligation.)

Send optional marketing

Newsletters, promotional drops, recommendations. (Legal basis: consent; or for existing customers in the UK/EEA, "soft opt-in" under PECR.)

Improve and secure the Services

Analytics, A/B tests, error monitoring, capacity planning, security incident handling. (Legal basis: legitimate interests in improving our offering.)

Defend legal claims

Investigating disputes, responding to subject-access requests, regulatory enquiries. (Legal basis: legitimate interests; legal obligation.)

5. Special-category data

Identity documents you submit for KYC may contain biometric data (your photograph and a selfie used for liveness matching) and, in some jurisdictions, may reveal information about your nationality. We rely on the "substantial public interest" condition under UK GDPR Schedule 1 Part 2 (paragraph 14, "preventing or detecting unlawful acts") to process this data. Biometric matches are performed by our identity-verification vendor and are deleted within 30 days of the verification result; the underlying documents are retained for the period required by anti-money-laundering law.

6. Cookies and tracking

We use cookies and similar technologies as described in the Cookie Policy. We do not run third-party advertising trackers and we do not share your data with ad networks for behavioural advertising. You can manage your cookie preferences through the Cookie preferences widget, available from the footer or via the link in the Cookie Policy.

7. Who we share data with

8. International transfers

Personal data we collect is processed and stored primarily within the United Kingdom and the European Economic Area. Where a processor is located outside the UK/EEA, we rely on one of the following safeguards: an adequacy decision by the UK Government or the European Commission; the UK International Data Transfer Agreement or the EU Standard Contractual Clauses (SCCs), supplemented by the UK Addendum where relevant; or another valid transfer mechanism recognised under applicable law. A copy of the transfer mechanism for a specific processor can be requested via [email protected].

9. Retention

Account data

For as long as your Account is active, plus 6 years after closure to defend legal claims.

Order data

6 years from the date of the Order, in line with UK accounting and consumer-rights statutes of limitation.

Verification (KYC) data

5 years after the end of our business relationship with you, as required by the Money Laundering Regulations 2017 (as amended).

Marketing data

Until you withdraw consent or unsubscribe; suppression lists are kept indefinitely so we do not contact you again in error.

Analytics data

Up to 26 months in identifiable form; aggregated data may be kept indefinitely.

Security logs

Up to 12 months by default; longer where needed for a specific investigation.

10. Security

We use a combination of organisational and technical measures appropriate to the risk of the processing, including: encryption of personal data in transit (TLS 1.2 or above) and at rest; salted, slow-hashed password storage; access controls limiting personal data to staff with a need-to-know; multi-factor authentication for administrative access; segregation of identity documents in encrypted object storage; audit logging of security-sensitive events; vendor due diligence before onboarding a processor; an internal security-incident response plan; and periodic security reviews.

No method of transmission or storage is completely secure. Where, despite our measures, a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office without undue delay and (where the risk is high) notify you directly.

11. Your rights

Subject to the conditions and exemptions set out in applicable data-protection law, you have the following rights in respect of your personal data:

Right of access

You may request a copy of the personal data we hold about you and information about our processing.

Right to rectification

You may ask us to correct inaccurate or incomplete data.

Right to erasure

You may ask us to delete your personal data where we no longer have a lawful basis to keep it. This right is limited by our legal obligation to retain KYC and accounting records.

Right to restriction

You may ask us to suspend processing of your data while a dispute about its accuracy or use is being resolved.

Right to data portability

You may receive certain data you provided to us in a machine-readable format, or have it transmitted to another controller.

Right to object

You may object to processing based on legitimate interests, including profiling, on grounds relating to your particular situation. We will stop the processing unless we can demonstrate compelling legitimate grounds that override your interests or the processing is needed for legal claims.

Right to withdraw consent

Where we rely on consent (e.g. for marketing), you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Right not to be subject to automated decisions

We do not make decisions that produce legal or similarly significant effects on you using fully automated processing without human review. Where automated tools are used to assist a decision (e.g. fraud risk scoring), a human reviews the outcome.

12. How to exercise your rights

Send a written request to [email protected] including enough information for us to identify you and to verify the request. We may ask for additional information where reasonable to confirm your identity. We will not charge a fee unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or refuse to act on the request.

13. Complaints

If you believe we have not handled your personal data in accordance with applicable law, please contact us first and we will work with you to resolve the matter. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or, if you are based in the EEA, the supervisory authority in your country.

14. Children

The Services are not directed at children under 18 and we do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will delete it promptly.

15. Changes to this Policy

We may update this Policy from time to time. The current version is identified by the "Last updated" date below the title. Where revisions are material, we will notify you by email or in-Account notice before they take effect.