Privacy Policy

1. Introduction

1.1 INSTABUY LTD ("InstaBuy", "we", "us" or "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our InstaBuy marketplace platform, including our website and mobile application (collectively, the "Platform").

1.2 We are registered in England and Wales under company number 16379504, and our registered office is at 4th Floor, Silverstream House, 45 Fitzroy Street, London, United Kingdom, W1T 6EB.

1.3 This Privacy Policy should be read in conjunction with our Terms of Service. By using the Platform, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your personal information as described herein.

1.4 We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all other applicable data protection legislation. We act as the Data Controller for the personal data we process through the Platform.

2. Information We Collect

2.1 When you use the InstaBuy mobile application and create a registered account, we collect your name, email address, password, and phone number. If you choose to upload a profile picture, we collect and store this image. For each order, we collect delivery details including recipient name, shipping address, phone number, and email address.

2.2 When you visit the InstaBuy website, we use Google Analytics to collect information about your usage of the website. This includes pages visited, time spent on pages, navigation paths, button clicks (including download button clicks for App Store and Google Play), form submissions, device type, browser type, IP address, and referring websites. Google Analytics uses cookies and similar technologies to collect and analyse this information. We use this data to understand how visitors interact with our website, improve user experience, and measure the effectiveness of our marketing efforts.

2.3 Payment card details are collected and processed by our third-party payment processor. We do not directly store complete payment card information, but we may receive limited payment information such as the last four digits of your card number and transaction details.

2.4 We collect details of products you purchase, order history, order value, and transaction records. When you contact us or communicate with Sellers through the Platform, we collect the content of your messages, correspondence, and any information you choose to provide.

2.5 In accordance with anti-money laundering regulations, we may collect identity documents, proof of address, and other verification information if your order exceeds £500 or if your cumulative orders exceed £1,000 within a 12-month period, or if we suspect fraudulent activity.

2.6 We automatically collect device information including device type, operating system, unique device identifiers, mobile network information, and device settings when you use the mobile application. We collect log data including IP address, time zone setting, access times, and error logs.

2.7 When you use the InstaBuy mobile application, we collect comprehensive information about your behaviour and interactions within the app. This includes screens viewed, time spent on each screen, buttons and elements clicked, scroll depth, product views, search queries, filter selections, navigation paths, session duration, app opens and closes, feature usage, and other interaction data. This behavioural data is collected and analysed to understand how users engage with the app, improve user experience, provide personalised recommendations, and enhance our services.

2.8 We use Mixpanel, a third-party analytics service, to collect, track, and analyse user behaviour within the mobile application. Mixpanel collects information about your interactions with the app, including the events and actions described in clause 2.7. This data is used for business analytics, understanding user engagement patterns, measuring feature performance, and improving the overall service. Mixpanel may store and process this data in accordance with its own privacy policy.

2.9 We operate a proprietary recommendation system that uses the behavioural data collected from your use of the mobile application to train machine learning algorithms. This system analyses your interactions, preferences, and usage patterns to provide personalised product recommendations and to display relevant content tailored to your interests. The recommendation system processes data about products you view, search for, purchase, and interact with to improve the relevance of suggestions shown to you.

2.10 We collect approximate location based on IP address. We do not collect precise GPS location data unless you explicitly grant permission through your device settings.

2.11 We use cookies on our website solely for Google Analytics purposes. The mobile application does not use cookies. See Section 10 for more details about cookies and tracking technologies.

2.12 We receive transaction information and payment status from our third-party payment processors (Apple Pay, Google Pay, and associated payment services). We may receive information from fraud prevention and identity verification services to protect against fraudulent activity.

2.13 If you use the mobile application as a guest without creating a full account, most of your data is stored locally on your device. However, we must still process and store order-related information (shipping details, order history, and payment records) to fulfil your orders and comply with legal obligations. Behavioural tracking data described in clauses 2.7, 2.8, and 2.9 is still collected for guest users.

3. Legal Basis for Processing

3.1 We process your personal information based on contract performance where processing is necessary to fulfil our contract with you, including processing orders, facilitating payments, arranging delivery, and providing customer support.

3.2 We process your personal information based on legal obligation where processing is necessary to comply with legal obligations, including tax laws, anti-money laundering regulations, consumer protection laws, and retention of transaction records.

3.3 We process your personal information based on legitimate interests where processing is necessary for our legitimate interests or those of third parties, such as fraud prevention, network and information security, improving our services, analytics, and marketing, provided these interests are not overridden by your rights and freedoms.

3.4 We process your personal information based on consent where you have given explicit consent, such as for marketing communications or specific data processing activities. You may withdraw consent at any time.

4. How We Use Your Information

4.1 We use your personal information for processing and managing your orders, facilitating payment transactions, communicating order status, confirmations and updates, arranging delivery and providing shipping information to Sellers, consolidating orders from the same Seller to the same address, and issuing invoices and receipts.

4.2 We use your personal information for creating and maintaining your account, authenticating your identity, enabling you to access your order history, and managing your preferences and settings.

4.3 We use your personal information for responding to your inquiries and requests, facilitating communication between you and Sellers, resolving disputes and complaints, and providing technical support.

4.4 We use your personal information for detecting, preventing, and investigating fraudulent or illegal activities, conducting identity verification checks as required by anti-money laundering regulations, protecting against unauthorised access or use of the Platform, and enforcing our Terms of Service.

4.5 We use your personal information for complying with legal obligations including tax reporting and anti-money laundering requirements, responding to legal requests from law enforcement or regulatory authorities, and maintaining records as required by law.

4.6 We use your behavioural data collected through the mobile application, including information about screens viewed, time spent, clicks, interactions, product views, searches, and other usage patterns, to conduct business analytics, measure app performance, understand user engagement, identify trends, and make data-driven decisions to improve our services.

4.7 We use behavioural data and interaction patterns to train and operate our proprietary recommendation system. This machine learning system analyses your activity to provide personalised product recommendations, display relevant content, suggest items that may interest you, and improve the overall shopping experience by tailoring the content you see based on your preferences and behaviour.

4.8 We share behavioural data with Mixpanel, our third-party analytics service provider, to track user behaviour, analyse app usage patterns, measure feature adoption, identify areas for improvement, and generate insights about how users interact with the mobile application. This helps us understand which features are most valuable and how we can enhance the user experience.

4.9 We use your personal information for analysing usage patterns and trends, improving Platform functionality and user experience, developing new features and services, and conducting research and testing.

4.10 We use your personal information for sending transactional emails related to orders which are mandatory, sending service-related communications about Platform updates which are mandatory, sending marketing and promotional communications which are optional and you may opt out, and personalising content and recommendations.

4.11 We use your personal information for displaying appropriate pricing and shipping costs based on your geographic location within Great Britain, based solely on objective commercial considerations such as shipping distance and delivery logistics.

5. How We Share Your Information

5.1 When you place an order, we share necessary information with the relevant Seller to fulfil your order, including your name, shipping address, phone number, email address, and order details. Sellers are independent businesses and are responsible for their own data protection compliance. We require Sellers to handle your information in accordance with applicable data protection laws.

5.2 We use third-party payment processing services (including Apple Pay, Google Pay, and associated payment processors) to process payments. These processors collect and process payment information directly. We do not store complete payment card details. Payment processors are bound by PCI-DSS standards and their own privacy policies.

5.3 We share behavioural data and analytics information with Mixpanel, Inc., a third-party analytics service provider. Mixpanel receives information about your interactions with the mobile application, including events, screens viewed, buttons clicked, time spent, and other usage data as described in Section 2. Mixpanel processes this data to provide us with analytics and insights about app usage. Mixpanel may store and process this data on servers located outside the United Kingdom, including in the United States. Mixpanel's use of this information is governed by Mixpanel's privacy policy and terms of service.

5.4 We engage trusted third-party service providers to perform functions on our behalf, including cloud hosting and data storage providers, email delivery services, customer support tools, fraud prevention and identity verification services, and marketing and advertising platforms. These service providers are contractually obligated to process your information only for the specific purposes we authorise and in accordance with our instructions and applicable data protection laws.

5.5 We may disclose your information to law enforcement agencies, regulatory bodies, courts, or other government authorities if required by law or legal process, necessary to respond to lawful requests, required to comply with anti-money laundering or counter-terrorism financing obligations, or necessary to protect our rights, property, or safety, or that of our users or the public.

5.6 In the event of a merger, acquisition, reorganisation, sale of assets, or bankruptcy, your personal information may be transferred to the successor entity. You will be notified of any such change via email or notice on the Platform.

5.7 We may share aggregated, anonymised, or de-identified information that cannot reasonably be used to identify you for any purpose, including analytics, research, and business purposes.

6. International Data Transfers

6.1 The Platform operates exclusively in Great Britain, and we primarily store and process data within the United Kingdom. However, some of our service providers may be located in other countries, which may result in your personal information being transferred outside the UK.

6.2 Specifically, behavioural data and analytics information collected through the mobile application is transferred to and processed by Mixpanel, Inc. in the United States. Mixpanel may store and process your information on servers located in the United States and other countries outside the United Kingdom.

6.3 Where we transfer personal information outside the UK, we ensure appropriate safeguards are in place, including using service providers in countries with adequacy decisions from the UK government, implementing Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), and relying on appropriate binding corporate rules or certification schemes.

6.4 You may request more information about our international data transfers and the safeguards we have in place by contacting us using the details in Section 15.

7. Data Retention

7.1 We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.

7.2 We retain order data, invoices, and payment records for a minimum of 6 years from the end of the financial year in which the transaction occurred, in compliance with UK tax and accounting requirements. We retain account information for as long as your account is active. If you close your account, we will delete or anonymise your account information within a reasonable timeframe, except where we must retain certain information to comply with legal obligations.

7.3 Customer service communications are retained for 3 years to maintain service quality and resolve disputes. Records collected for anti-money laundering purposes are retained for 5 years after the end of the business relationship, as required by the Money Laundering Regulations 2017. We retain records of your marketing preferences for as long as you remain subscribed or for 3 years after your last interaction with us.

7.4 For guest accounts, locally stored data on your device is retained according to your device settings. Order data we process is retained in accordance with the timeframes described above. After the applicable retention period expires, we will securely delete or anonymise your personal information in accordance with our data retention and deletion policies.

8. Your Data Protection Rights

8.1 Under UK data protection law, you have the right to request a copy of the personal information we hold about you. This is commonly known as a subject access request. We will provide this information free of charge, unless your request is manifestly unfounded, excessive, or repetitive.

8.2 You have the right to request correction of inaccurate or incomplete personal information we hold about you. You can update some information directly through your account settings.

8.3 You have the right to request deletion of your personal information in certain circumstances, including where the information is no longer necessary for the purposes for which it was collected, where you withdraw consent and processing is based on consent, where you object to processing and there are no overriding legitimate grounds, or where the information has been unlawfully processed. This right is not absolute. We may need to retain certain information to comply with legal obligations such as tax and accounting records or for the establishment, exercise, or defence of legal claims.

8.4 You have the right to request that we restrict the processing of your personal information in certain circumstances, such as when you contest the accuracy of the data or object to processing.

8.5 You have the right to request that we provide your personal information in a structured, commonly used, and machine-readable format, and to transmit that information to another controller where technically feasible.

8.6 You have the right to object to processing of your personal information where we rely on legitimate interests as the legal basis. You also have an absolute right to object to processing for direct marketing purposes at any time.

8.7 Where we process your personal information based on your consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.

8.8 You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) if you believe we have not handled your personal information in accordance with data protection law. The ICO can be contacted at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, by telephone at 0303 123 1113, or through their website at www.ico.org.uk.

8.9 To exercise any of these rights, please contact us using the details in Section 15. We will respond to your request without undue delay and within one month of receipt, unless the request is complex or we receive multiple requests, in which case we may extend this period by up to two months and will inform you of the extension.

8.10 We may need to verify your identity before processing your request. This is a security measure to ensure that personal information is not disclosed to unauthorised persons.

9. Security of Your Information

9.1 We implement appropriate technical and organisational security measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include encryption of data in transit using TLS/SSL protocols, encryption of sensitive data at rest, secure authentication mechanisms and password protection, regular security assessments and penetration testing, access controls to ensure that only authorised personnel can access personal information, employee training on data protection and security practices, use of reputable third-party service providers with robust security standards, and regular backup procedures and disaster recovery plans.

9.2 Payment information is processed by PCI-DSS compliant payment processors. We do not store complete payment card details on our systems.

9.3 While we take all reasonable steps to protect your information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security of your personal information. You are responsible for maintaining the confidentiality of your account credentials and for any activities that occur under your account.

9.4 If we become aware of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and, where required, notify the ICO within 72 hours of becoming aware of the breach.

10. Cookies and Tracking Technologies

10.1 Our website uses cookies solely for Google Analytics purposes. We do not use any other cookies, pixels, web beacons, or similar tracking technologies on our website. The InstaBuy mobile application does not use cookies at all.

10.2 Google Analytics cookies are used on our website to help us understand how visitors interact with the website. Google Analytics uses cookies to collect information about website usage, including IP addresses, page views, time on site, and user interactions. This information is processed by Google and provides us with reports about website traffic and usage patterns. Google Analytics collects only the IP address assigned to you on the date you visit the website, not your name or other identifying information. We do not combine the information collected through Google Analytics with personally identifiable information.

10.3 Google's ability to use and share information collected by Google Analytics is restricted by the Google Analytics Terms of Service and the Google Privacy Policy. For more information about how Google uses data, please visit www.google.com/policies/privacy/partners/.

10.4 You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on, which is available at https://tools.google.com/dlpage/gaoptout. This add-on instructs the Google Analytics JavaScript to prohibit sending information to Google Analytics.

10.5 Most web browsers allow you to control cookies through their settings. You can set your browser to refuse cookies or to alert you when cookies are being sent. However, if you disable or refuse Google Analytics cookies, this will only affect our ability to analyse website traffic and will not impact your ability to use the website.

11. Third-Party Services and Links

11.1 The Platform may contain links to third-party websites, applications, or services that are not operated or controlled by InstaBuy. This Privacy Policy does not apply to such third-party services.

11.2 We use Google Analytics, a web analytics service provided by Google LLC, on our website. Google Analytics uses cookies and other tracking technologies to collect and analyse information about website usage. The information generated about your use of the website (including your IP address) is transmitted to and stored by Google. Google uses this information to evaluate your use of the website, compile reports on website activity, and provide other services relating to website activity and internet usage. Google may transfer this information to third parties where required by law or where such third parties process the information on Google's behalf. For more information about how Google uses data, please visit www.google.com/policies/privacy/partners/.

11.3 We use Mixpanel, an analytics service provided by Mixpanel, Inc., in our mobile application. Mixpanel collects and analyses behavioural data about how you interact with the mobile application, including events, actions, screens viewed, and usage patterns. The information collected by Mixpanel is transmitted to and stored by Mixpanel on servers that may be located outside the United Kingdom, including in the United States. Mixpanel uses this information to provide us with analytics, insights, and reports about app usage and user behaviour. Mixpanel may use and process this information in accordance with its own privacy policy and terms of service. For more information about Mixpanel's privacy practices, please visit www.mixpanel.com/legal/privacy-policy/.

11.4 We use third-party payment processors (Apple Pay, Google Pay, and associated payment services) to process transactions. When you make a payment, you will be subject to the privacy policies and terms of those payment providers. We encourage you to read their privacy policies before providing any information.

11.5 When you purchase products from third-party Sellers on the Platform, those Sellers may collect and process your information independently. We require Sellers to comply with applicable data protection laws, but we are not responsible for Sellers' privacy practices. We recommend reviewing Sellers' privacy policies where available.

11.6 We are not responsible for the privacy practices of any third parties or the content of linked websites. We encourage you to read the privacy policies of every website or service you visit.

12. Children's Privacy

12.1 The Platform is not intended for use by children under the age of 18. We do not knowingly collect personal information from children under 18 years of age without parental or guardian consent.

12.2 By using the Platform, you represent that you are at least 18 years of age or have obtained parental or guardian consent to use the Platform and provide personal information.

12.3 If we become aware that we have collected personal information from a child under 18 without appropriate consent, we will take steps to delete such information as quickly as possible. If you believe we have collected information from a child, please contact us immediately using the details in Section 15.

13. Marketing Communications

13.1 When you use the Platform, you consent to receive transactional communications including order confirmations, invoices, shipping notifications, delivery updates, and other order-related communications. These are essential to the service and cannot be opted out of while you use the Platform.

13.2 You consent to receive service communications including important notices about your account, Platform updates, changes to Terms of Service or Privacy Policy, security alerts, and customer support responses. These are necessary for the proper functioning of the service.

13.3 You consent to receive marketing communications including promotional emails about InstaBuy services, new features, special offers, and relevant product recommendations. You may opt out of these at any time.

13.4 You may opt out of receiving marketing communications at any time by clicking the unsubscribe link in any marketing email, adjusting your communication preferences in your account settings, or contacting us directly using the details in Section 15.

13.5 Please note that even if you opt out of marketing communications, you will continue to receive transactional and service-related communications necessary for the operation of your account and orders.

14. Changes to This Privacy Policy

14.1 We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated Privacy Policy on the Platform with a new "Last updated" date, sending you an email notification to the email address associated with your account, and displaying a notification within the mobile application.

14.2 Material changes will take effect no sooner than 7 days after notification. Your continued use of the Platform after the effective date constitutes your acceptance of the updated Privacy Policy.

14.3 If you do not agree with any changes to the Privacy Policy, you must stop using the Platform and may request deletion of your account and personal information, subject to our legal obligations to retain certain information.

14.4 We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

15. Contact Information

15.1 If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, or if you wish to exercise any of your data protection rights, please contact us at:

15.2 We aim to respond to all electronic communications within 3 to 5 business days. For data subject rights requests, we will respond within one month as required by UK GDPR, with possible extensions for complex requests.

15.3 When contacting us about your personal information, please include sufficient details to allow us to identify you and verify your identity. This is a security measure to protect your information from unauthorised disclosure.

15.4 INSTABUY LTD is registered as a Data Controller with the UK Information Commissioner's Office.