Privacy Policy

1. Introduction

This Privacy Policy explains how Brindleford Technologies Ltd ("we", "us", "our") collects, uses, stores, and protects your personal data when you use Market Cross ("the Service"). We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data Controller: Brindleford Technologies Ltd
Company No. 16871436, registered in England and Wales
Registered address: 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ
Contact: privacy@marketcross.online

2. What information we collect

We collect and process the following categories of personal data:

2.1 Account information

• Email address (required for registration)
• Password (stored as a bcrypt hash — we never store your actual password)
• Town selection (required for community participation)
• Display name and bio (optional)
• Profile avatar (optional)

2.2 Social login data

If you register via Facebook or Google, we receive your name, email address, and profile picture URL from the provider. We do not access your friends list, posts, or any other social media content.

2.3 Content you create

• Posts, comments, and replies
• Events and classifieds listings
• Reports and moderation submissions
• Images uploaded to the Service

2.4 Technical data

• IP address and approximate location (for security and abuse prevention)
• Browser type and version
• Pages visited and timestamps
• Referral source

3. Why we collect your information

We process your personal data for the following purposes:

• Account management: To create and maintain your account, verify your identity, and enable you to participate in your local community.
• Community features: To display your posts, connect you with neighbours in your town, and send relevant notifications.
• Security: To protect against fraud, abuse, and unauthorised access. To enforce our Acceptable Use Policy.
• Communication: To send essential service emails (verification, password resets, critical notices) and optional notification digests.
• Legal obligations: To comply with UK law, respond to lawful requests, and cooperate with law enforcement where required.
• Service improvement: To understand how the Service is used and improve the experience (using aggregate, anonymised data only).

4. Legal basis for processing

Under the UK GDPR, we rely on the following lawful bases:

• Consent (Article 6(1)(a)): When you register for an account and agree to our terms. You may withdraw consent at any time.
• Contractual necessity (Article 6(1)(b)): To perform our contract with you (providing the Service as described in our Terms & Conditions).
• Legitimate interests (Article 6(1)(f)): For security, fraud prevention, and service improvement, where these interests do not override your rights.
• Legal obligation (Article 6(1)(c)): To comply with applicable laws, including responding to lawful requests from authorities.

5. How we store your data

Your data is stored in MongoDB databases on a virtual private server hosted by Contabo GmbH in Germany (within the UK adequacy arrangement). All data at rest is stored on encrypted volumes. Passwords are hashed using bcrypt with a cost factor of 12. Data in transit is encrypted using TLS 1.2 or higher.

We implement appropriate technical and organisational measures to protect your data, including firewalls, access controls, regular security updates, and encrypted backups.

6. Who we share your data with

We do not sell, rent, or share your personal data with third parties for marketing purposes. We do not run advertising. We do not use tracking cookies or analytics services that share data with third parties. Our website analytics are self-hosted (see section 8 below) and no data leaves our infrastructure.

Your data may be disclosed only in the following circumstances:

• Community visibility: Content you post (posts, comments, events, listings) is visible to other members of your town community, along with your display name and avatar.
• Service providers: Brevo (Sendinblue SAS) processes transactional emails on our behalf under a Data Processing Agreement.
• Legal requirements: We may disclose data if required by UK law, court order, or lawful request from a government authority.

7. Cookies

We use essential cookies only. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. For full details, see our Cookie Policy.

8. Website analytics

We use Rybitt, a privacy-focused web analytics tool that we self-host on our own infrastructure at track.brindleford.co.uk. Rybitt collects aggregate usage statistics (page views, referral sources, browser type, country) to help us understand how the Service is used and improve the experience.

Rybitt does not:

• Set any cookies on your device
• Collect or store personal data or IP addresses
• Track you across websites
• Build advertising or behavioural profiles
• Share any data with third parties

All analytics data stays on our own servers and is never sent to any external service. Because Rybitt is cookieless and does not process personal data, it does not require consent under the UK GDPR or the Privacy and Electronic Communications Regulations (PECR).

9. Your rights

Under the UK GDPR, you have the following rights:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete data.
• Right to erasure: Request deletion of your personal data ("right to be forgotten").
• Right to data portability: Request your data in a structured, commonly used, machine-readable format.
• Right to restrict processing: Request that we limit how we use your data.
• Right to object: Object to processing based on legitimate interests.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, email us at privacy@marketcross.online. We will respond within 30 days.

10. How long we keep your data

• Active accounts: We retain your data for as long as your account is active.
• Deleted accounts: When you delete your account, we remove your personal data within 30 days. Anonymised content (posts with author removed) may be retained.
• Server logs: Retained for 90 days, then automatically deleted.
• Backups: Purged within 60 days of account deletion.

11. Children

Market Cross is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us at privacy@marketcross.online and we will delete it promptly.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the Service. The "Last updated" date at the top of this page indicates the most recent revision.

13. Complaints

If you have a complaint about how we handle your personal data, please contact us first at privacy@marketcross.online. We will do our best to resolve your concern.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

14. How to contact us

For any questions about this Privacy Policy or your personal data, contact us at: