Your privacy, plainly.

No legalese. Just what we collect, why we collect it, and what you can do about it.

Last updated: May 2026 · Version 1.1 · Awaiting solicitor review

01

Who We Are

BOPM (Buy. Offer. Play. Marketplace.) is a UK-based price comparison and preloved toy marketplace.

Company: Buy Offer Play Marketplace
Address: 9 Simons Grove, Keresley, Coventry, CV7 8RR
Company Reg: 16438802
ICO Number: CSN1892170
Data Protection Contact: privacy@bopm.co.uk

For the purposes of UK GDPR and the Data Protection Act 2018, BOPM is the data controller for the personal data described in this policy.

02

What This Policy Covers

This Privacy Policy explains: what personal information BOPM collects about you, why we collect it and what we use it for, the legal basis on which we process it, who we share it with, how long we keep it, your rights under UK data protection law, and how to exercise those rights and make a complaint.

This policy applies to all users of BOPM — including visitors to our website, registered users, buyers, sellers, and anyone who signs up for our email list. It covers our website at bopm.co.uk and any future BOPM mobile applications.

Age restriction: BOPM is a service for adults — primarily parents and caregivers of children. You must be 18 or over to create a BOPM account or list items for sale. We do not knowingly collect personal data directly from children under 13. Where child profiles are introduced in Phase 3, they will be created and managed by the account-holding adult. See Section 10 for full details.

Applicable legislation: UK GDPR, Data Protection Act 2018, PECR 2003, ICO Children's Code, DMCC Act 2024, Data (Use and Access) Act 2025, Consumer Rights Act 2015, Electronic Commerce Regulations 2002.

03

The Information We Collect

3.1 Information You Give Us Directly

At registration: full name, email address, password (hashed — never stored in plain text), postcode or general location.

When listing an item (Phase 2+): item title, description, photographs, condition, price; full delivery address; bank account or payment details (handled by payment processor — not stored by BOPM directly).

When making a purchase (Phase 2+): delivery name and address; payment card details (handled entirely by our payment processor — BOPM does not store card data).

When contacting us: name and email address; messages through BOPM's in-platform messaging; dispute submissions and evidence; support requests.

When signing up to marketing emails: email address and, optionally, name and toy interests.

When creating a child profile (Phase 3): child's first name or nickname (no surname required); child's age or date of birth; toy preferences and wishlist items.

3.2 Information We Collect Automatically

Subject to your cookie consent: device and browser information, IP address (security and approximate location only), location data (approximate from IP; precise GPS only with explicit consent), pages visited and navigation patterns, referring website, click-out data (which retailer links you clicked), search terms used within BOPM, affiliate tracking data.

In addition to cookies, we may use similar tracking technologies including localStorage, sessionStorage, and pixel tags. These are subject to the same consent requirements under PECR. Full details are in our Cookie Policy.

3.3 Information From Third Parties

Affiliate networks (AWIN, CJ Affiliate, Rakuten) — click and commission data. Identity verification providers (Phase 2+) — confirmation of verification status only, not the underlying documents. Social login providers — name, email, profile picture. Payment processors (Stripe) — confirmation of payment success or failure; no card data shared with BOPM.

04

Legal Bases for Processing

4.1 Performance of a Contract (Article 6(1)(b))

Creating and managing your account, processing purchases and sales, providing buyer and seller support. You cannot opt out without terminating your account.

4.2 Legitimate Interests (Article 6(1)(f))

Fraud prevention and platform security; analytics to improve how BOPM works (post-consent only); service communications; improving price comparison data; understanding which products are most useful.

4.3 Consent (Article 6(1)(a))

Non-essential cookies and tracking; marketing emails (active opt-in required); push notifications; child profile creation in Phase 3 (adult account holder consents).

4.4 Legal Obligation (Article 6(1)(c))

Retaining financial transaction records for 7 years; cooperating with law enforcement where legally required; complying with court orders.

05

How We Use Your Information

5.1 Phase 1 — Price Comparison Tool

Display price comparison results; record retailer link clicks for affiliate commission attribution; send price drop alerts (with consent); analyse popular products and searches; prevent abuse; conduct A/B testing; generate anonymised insights.

Affiliate disclosure: When you click a retailer link on BOPM, we may earn a commission from that retailer at no extra cost to you. Affiliate tracking cookies are only placed after you have given your consent. This never affects the prices shown or our independent ranking of retailers.

5.2 Phase 2 — Preloved Toy Marketplace (Phase 2+)

Create and manage buyer and seller accounts; process purchases, sales, and offers; hold payments in escrow; facilitate delivery by sharing address with shipping providers; support dispute resolution; display seller profile, ratings, and transaction history; verify identity to maintain trust and safety; send transaction notifications.

5.3 Phase 3 — AI Features, Child Profiles, and Play Forum (Phase 3)

Power AI-driven toy recommendations; create and manage child profiles at the adult's direction; enable Play Forum participation; personalise content based on children's ages and interests.

06

Who We Share Your Information With

BOPM does not sell your personal data.

6.1 Other Users

Username, profile photo, seller rating, and transaction history are visible on your public profile. Shipping name and address are shared with the other party on completion of a sale solely to enable delivery. Listing photos, descriptions, and price are publicly visible.

Off-platform warning: BOPM's Buyer Protection only applies to transactions conducted entirely within the platform. Sharing contact details with other users and transacting off-platform removes your protection. We strongly discourage off-platform communication.

6.2 Service Providers

| Third Party | Purpose | Data Shared | Phase |
| --- | --- | --- | --- |
| AWIN / Commission Junction / Rakuten | Affiliate tracking — records clicks to retailers for commission attribution | Anonymous click ID, cookie data | Phase 1+ |
| Google Analytics (Google LLC) | Website analytics and performance measurement | Anonymised usage data (post-consent only) | Phase 1+ |
| Klaviyo | Email marketing, price drop alerts, transactional emails | Email address, name, preferences | Phase 1+ |
| Cookiebot / CookieYes | Cookie consent management | Consent records and timestamps | Phase 1+ |
| Cloud infrastructure (AWS / GCP / Azure) | Data storage, hosting, and backups | All personal data processed by BOPM | Phase 1+ |
| Stripe | Payment processing and escrow management | Transaction data (no card details stored by BOPM) | Phase 2+ |
| Identity verification provider | Seller ID verification | Confirmation of verification status only | Phase 2+ |
| Shipping partners | Generating postage labels and tracking | Sender and recipient name and address | Phase 2+ |
| ADR provider | Independent dispute resolution | Dispute records and evidence | Phase 2+ |
| AI model provider | Powering toy recommendations | Anonymised preference data (no PII sent) | Phase 3 |
| Law enforcement / regulatory bodies | Legal compliance where required by law | As required by court order or legal process | All phases |

07

International Data Transfers

Some processors operate outside the UK. Safeguards: UK Adequacy Regulations (EEA countries and others), International Data Transfer Agreements (IDTAs), UK Addendum to EU Standard Contractual Clauses.

Key processors: Google Analytics — US, IDTA-compliant. Klaviyo — US, DPA incorporating IDTAs. Stripe — US and EU, DPA and applicable transfer mechanisms. AWIN — EU and UK, headquartered in UK and EU.

Contact privacy@bopm.co.uk for full details of transfer safeguards.

08

How Long We Keep Your Information

| Data Category | Retention Period | Legal Basis / Reason |
| --- | --- | --- |
| Account data (name, email, profile) | Duration of account + 2 years after closure | Contract performance; legitimate interests (fraud prevention) |
| Transaction records | 7 years from date of transaction | Legal obligation — HMRC and Companies Act |
| Dispute records | 3 years after final resolution | Legitimate interests — legal defence |
| Marketing preferences and consent records | Until opt-out; consent record kept for 3 years after opt-out | Legal obligation — evidence of consent |
| Email open / click analytics | 24 months | Legitimate interests — campaign improvement |
| Affiliate click data | 13 months (standard affiliate network window) | Contract performance — commission attribution |
| Cookie consent records | 12 months minimum | Legal obligation — PECR / ICO guidance |
| IP address logs (security) | 90 days | Legitimate interests — fraud prevention and security |
| Analytics data (anonymised) | Retained indefinitely in anonymised form | Legitimate interests — platform improvement |
| Child profile data (Phase 3) | Until adult account holder deletes it, or account closure + 30 days | Consent of account-holding adult |
| Dispute evidence (photos, messages) | 3 years after resolution | Legitimate interests — legal defence |
| Seller identity verification records | Duration of seller account + 2 years | Legal obligation — fraud prevention |

At the end of each retention period, data is securely deleted or irreversibly anonymised.

09

Cookies and Similar Technologies

BOPM uses cookies and similar technologies including localStorage, sessionStorage, and pixel tags. Under PECR, we may only place non-essential cookies after you have actively given your consent. Non-essential cookies are off by default. Manage your preferences via the 'Cookie Preferences' link in the footer.

Categories: Strictly necessary (no consent needed), Analytics (consent required; off by default), Affiliate tracking (consent required; off by default), Marketing (consent required; off by default).

If you use BOPM through an iOS mobile app, you'll be asked separately for App Tracking Transparency permission under Apple's ATT framework. You can change this in your iPhone Settings at any time.

Full cookie details are in our Cookie Policy.

10

Children's Privacy and the ICO Children's Code

BOPM is a service for adults. You must be 18 or over to create an account or sell items. We do not knowingly collect personal data directly from children under 13. We comply with the ICO's Age Appropriate Design Code:

  • High privacy settings by default
  • No children's data used for targeted advertising or profiling
  • Child profiles in Phase 3 created and controlled entirely by the account-holding adult
  • Data collected about children minimised to what is strictly necessary
  • No child profile data shared with third parties for marketing
  • Children's Code compliance assessment before launching Phase 3 features

If you believe we have inadvertently collected personal data from a child under 13 without appropriate parental consent, contact us immediately at privacy@bopm.co.uk. We'll delete that data promptly.

11

Your Rights Under UK GDPR

To exercise any right, email privacy@bopm.co.uk. We'll respond within one calendar month.

| Your Right | What It Means for BOPM |
| --- | --- |
| Right of Access | Ask for a copy of all personal data we hold about you. Free of charge in most circumstances. |
| Right to Rectification | Ask us to correct inaccurate or incomplete data. |
| Right to Erasure | Ask us to delete your data. Not absolute — we may need to retain certain data for legal compliance. We'll tell you what we can and can't delete and why. |
| Right to Restriction | Ask us to pause processing while a dispute about accuracy is resolved. |
| Right to Portability | Where processing is based on consent or contract, ask us to send your data in a structured, machine-readable format. |
| Right to Object | Object to processing based on legitimate interests. Absolute right to object to processing for direct marketing. |
| Right to Withdraw Consent | Withdraw consent at any time. Doesn't affect processing that took place before withdrawal. |
| Rights Related to Automated Decision-Making | Where BOPM uses automated decision-making that significantly affects you, request human review. Currently no significant automated decisions are made without human oversight. |

How to make a request: Email privacy@bopm.co.uk with 'Data Rights Request' in the subject line. Include your full name and the email address on your BOPM account. We may ask for proof of identity. We'll respond within one calendar month, or notify you if we need up to two additional months for complex requests.

12

Marketing Communications

We'll only send you marketing emails if you've actively opted in. We use Klaviyo. No pre-ticked boxes or inferred consent. We use double opt-in — you'll receive a confirmation email and only be added after clicking the link.

Our emails may include: price drop alerts for toys on your watchlist; new preloved arrivals matching your interests; BOPM news, features, and updates; occasionally, information about partner retailers (always clearly labelled).

Every marketing email includes an unsubscribe link. Unsubscribe by email: privacy@bopm.co.uk. We'll process your request within 10 working days.

Transactional emails (order confirmations, payment receipts, dispatch notifications, dispute updates) are not marketing — they're service communications. You'll continue to receive these even if you unsubscribe from marketing, as they're necessary for the service.

We don't send push notifications without your explicit permission. Manage them in your device settings at any time.

13

How We Keep Your Information Secure

  • All data transmitted via TLS (HTTPS)
  • Passwords hashed using bcrypt or equivalent — never plain-text
  • Payment card data handled entirely by Stripe (PCI DSS compliant)
  • Access restricted to staff and systems that need it (least privilege)
  • Security reviews when introducing new processing
  • Data at rest encrypted on servers
  • Backups encrypted and stored securely

No system is completely secure. Keep your credentials confidential. Don't share your password. If you suspect unauthorised access, contact privacy@bopm.co.uk immediately.

Data Breach Notification: We'll notify the ICO within 72 hours of becoming aware of a breach that is likely to cause risk, as required by UK GDPR. Where the breach is high risk, we'll also notify you directly.

14

Third-Party Websites and Links

BOPM links to retailer websites as part of our price comparison service. When you click a retailer link and leave BOPM, you're subject to that retailer's own privacy policy. BOPM is not responsible for the privacy practices of third-party websites. Review the privacy policy of any website you visit via a BOPM link before providing personal information.

15

Records of Processing Activities (ROPA)

In accordance with Article 30 of UK GDPR, BOPM maintains an internal ROPA mapping every data processing activity against its purpose, legal basis, data categories, recipients, retention periods, and security measures. The ROPA is not published publicly. You may request information about specific processing activities at privacy@bopm.co.uk. It's available for inspection by the ICO on request.

16

The Digital Markets, Competition and Consumers Act 2024

As a digital platform, BOPM commits to:

  • No dark patterns or manipulative design to influence data choices or purchasing decisions
  • Cookie consent interface designed to make accepting and rejecting cookies equally easy
  • No countdown timers, false urgency, or manipulative techniques to pressure data sharing
  • Unsubscribing from marketing is at least as easy as subscribing
  • Full cooperation with the CMA where required

17

Changes to This Privacy Policy

We may update this policy as BOPM grows or the law changes. For significant changes: we'll update the 'Last Updated' date; notify registered users by email for material changes; display a notice on the website.

Your continued use of BOPM after an update constitutes acceptance. If you don't accept, stop using BOPM and contact us to request deletion of your account. Previous versions are available on request.

18

Complaints and How to Contact Us

Contact us first:

Contact us

privacy@bopm.co.uk

9 Simons Grove, Keresley, Coventry, CV7 8RR

We'll acknowledge within 5 working days and aim to resolve within 30 days.

ICO complaint

You can also contact the Information Commissioner's Office at any time, but we'd appreciate the chance to resolve it first.