PerfumeBible Ltd
Last updated: [DATE]
Effective: [DATE]
Legal review required. This document is a substantive draft prepared for legal review. It does not constitute legal advice. Before publishing, have a qualified solicitor review it for your specific circumstances, confirm your ICO registration, and insert all placeholder values marked [PLACEHOLDER].
PerfumeBible Ltd ("PerfumeBible", "we", "us", "our") operates the website at perfumebible.com and any associated mobile applications (collectively, the "Platform").
Data Controller:
PerfumeBible Ltd
[REGISTERED ADDRESS]
[CITY, POSTCODE]
England & Wales
Company Number: [COMPANIES HOUSE NUMBER]
Contact for privacy matters:
privacy@perfumebible.com
ICO Registration Number: [ZB XXXXXX]
We are registered with the UK Information Commissioner's Office (ICO) as a data controller. Where we process data of individuals located in the European Economic Area (EEA), we also act as a controller under the EU GDPR (Regulation (EU) 2016/679).
This Privacy Policy applies to all personal data we collect when you:
It does not apply to third-party websites linked from our Platform.
| Data | Why we collect it | Legal basis |
|---|---|---|
| Email address | Account creation, login, transactional emails | Contract (Art. 6(1)(b)) |
| Username | Public identity on the Platform | Contract (Art. 6(1)(b)) |
| Display name (optional) | Personalisation of your public profile | Consent (Art. 6(1)(a)) |
| Password (hashed) | Account security | Contract (Art. 6(1)(b)) |
| Profile avatar (optional) | Public profile | Consent (Art. 6(1)(a)) |
| Bio / location (optional, freetext) | Public profile | Consent (Art. 6(1)(a)) |
We do not ask for your full legal name on your public profile. If you choose to enter your real name in any optional field, that is your choice.
| Data | Why we collect it | Legal basis |
|---|---|---|
| Cabinet entries (fragrances you own) | Core product functionality | Contract (Art. 6(1)(b)) |
| Wishlist entries | Core product functionality | Contract (Art. 6(1)(b)) |
| Wearing today check-ins | Social feed and wearing statistics | Contract (Art. 6(1)(b)) |
| Reviews and ratings | Product functionality, community scoring | Contract (Art. 6(1)(b)) |
| Lists and collections | Product functionality | Contract (Art. 6(1)(b)) |
| Likes and follows | Social graph | Contract (Art. 6(1)(b)) |
When you buy or sell through our marketplace we collect additional data for payment processing and transaction integrity:
| Data | Why we collect it | Legal basis |
|---|---|---|
| Billing and shipping address | Order fulfilment | Contract (Art. 6(1)(b)) |
| Payment method details | Processed by Stripe — we do not store raw card data | Contract (Art. 6(1)(b)) |
| Transaction history | Order records, dispute resolution | Contract / Legal obligation (Art. 6(1)(b)/(c)) |
Verified Seller applicants only:
| Data | Why we collect it | Legal basis |
|---|---|---|
| Legal full name | Identity verification, KYC compliance | Legal obligation (Art. 6(1)(c)) |
| Government-issued ID | Identity verification | Legal obligation (Art. 6(1)(c)) |
| Bank account details | Stripe Connect payouts | Contract (Art. 6(1)(b)) |
| Tax identification number (if applicable) | HMRC / tax authority reporting obligations | Legal obligation (Art. 6(1)(c)) |
This information is held privately. It is never displayed on your public profile.
| Data | Why we collect it | Legal basis |
|---|---|---|
| IP address | Security, fraud prevention, analytics | Legitimate interests (Art. 6(1)(f)) |
| Browser type and version | Platform compatibility | Legitimate interests (Art. 6(1)(f)) |
| Device type | Platform compatibility | Legitimate interests (Art. 6(1)(f)) |
| Pages visited and time spent | Product improvement, analytics | Legitimate interests (Art. 6(1)(f)) |
| Referrer URL | Marketing attribution | Legitimate interests (Art. 6(1)(f)) |
| Error logs | Debugging and reliability | Legitimate interests (Art. 6(1)(f)) |
When you contact us by email or through any support channel, we retain those communications and your contact details to handle your enquiry and maintain a record.
We use cookies and similar tracking technologies. See our Cookie Policy for full details, including how to manage your preferences. In summary:
You can withdraw consent for non-essential cookies at any time via the cookie preference centre, accessible from the footer of every page.
We do not sell your personal data. We share it only in the following circumstances:
We share data with third-party processors who act under our instruction and are contractually bound by data processing agreements:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database hosting | EU (AWS eu-west-1) |
| Vercel | Application hosting and CDN | Global (data stored EU) |
| Stripe | Payment processing and KYC | UK / EEA / US |
| Resend | Transactional email delivery | US (SCCs in place) |
| [Analytics provider] | Usage analytics | [Location] |
| Sentry | Error monitoring | US (SCCs in place) |
When you complete a marketplace transaction, certain information is shared with the other party as necessary to fulfil the order — specifically your shipping address (if you are a buyer) or your seller username and shipping address (if you are a seller). We do not share legal names between buyers and sellers unless both parties are Verified Sellers or unless required for a dispute.
Your username, profile information, and public activity (reviews, wearing check-ins you choose to post, cabinet entries you choose to make public) are visible to other users of the Platform. You control visibility settings in your account settings.
We may disclose personal data where required to do so by law, court order, or to protect the rights, property, or safety of PerfumeBible, our users, or others. This includes sharing with law enforcement or fraud prevention agencies where legally required.
If PerfumeBible undergoes a merger, acquisition, or sale of all or part of its assets, your personal data may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.
Some of our service providers are located outside the UK and EEA. Where we transfer personal data to countries that do not offer an equivalent level of data protection, we use appropriate safeguards:
Specifically, transfers to Stripe (US), Resend (US), and Sentry (US) are governed by SCCs/IDTAs.
We retain your personal data only for as long as necessary for the purposes described in this Policy, or as required by law.
| Category | Retention period |
|---|---|
| Account data | Duration of account + 2 years after deletion |
| Fragrance activity (reviews, cabinet, check-ins) | Duration of account. If account deleted, public reviews are anonymised (username replaced with [deleted user]) rather than removed, to preserve community data integrity. Inform us at deletion if you want full removal. |
| Marketplace transaction records | 7 years (HMRC tax record requirements) |
| Verified Seller KYC documents | 5 years post-last transaction (AML regulations) |
| Support communications | 3 years |
| Server logs / IP addresses | 90 days |
| Anonymised analytics | Indefinitely |
Under UK GDPR and EU GDPR you have the following rights:
Right of access — You can request a copy of the personal data we hold about you.
Right to rectification — You can ask us to correct inaccurate or incomplete data.
Right to erasure ("right to be forgotten") — You can ask us to delete your personal data. We will comply unless we have a legal obligation to retain it (e.g. transaction records) or a legitimate overriding interest.
Right to restriction — You can ask us to restrict processing of your data in certain circumstances (e.g. while you contest its accuracy).
Right to data portability — You can request your data in a structured, machine-readable format (JSON or CSV). This applies to data you provided to us and that we process on the basis of consent or contract.
Right to object — You can object to processing based on legitimate interests. We will stop unless we can demonstrate compelling grounds.
Right to withdraw consent — Where processing is based on your consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
Right not to be subject to automated decisions — We do not make solely automated decisions that produce legal or similarly significant effects about you.
To exercise any of these rights, contact privacy@perfumebible.com. We will respond within one calendar month. We may need to verify your identity before acting on a request.
Right to complain: You have the right to complain to a supervisory authority. In the UK: the Information Commissioner's Office (ico.org.uk). In the EEA: your local data protection authority.
We implement appropriate technical and organisational measures to protect your personal data, including:
No system is completely secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the ICO in accordance with our legal obligations.
The Platform is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, contact us at privacy@perfumebible.com and we will delete it promptly.
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by prominent notice on the Platform. The "last updated" date at the top of this document reflects the most recent revision. Continued use of the Platform after changes take effect constitutes acceptance.
Privacy queries:
privacy@perfumebible.com
Postal:
PerfumeBible Ltd, [REGISTERED ADDRESS], [CITY, POSTCODE]