Operated by STEAN GROUP LIMITED · Company number 09577677 · whaau.net
Whaau Market (with domain whaau.net) is operated and managed by STEAN GROUP LIMITED – Company number 09577677.
This detailed Privacy Policy explains how STEAN GROUP LIMITED ("we", "us", "our"), the data controller for whaau.net, processes your personal data when you use the Whaau Market service.
1. DATA CONTROLLER
STEAN GROUP LIMITED – Company number 09577677 – is the data controller for the purposes of UK GDPR and the Data Protection Act 2018. Contact: admin@whaau.net.
2. PERSONAL DATA WE COLLECT
2.1 Account data: email address, hashed password, display name, optional city, GDPR/age confirmation timestamp, account status flags (e.g., new-user sandbox, trust score).
2.2 Listing data: title, description, price, category, condition, photos you upload, postcode/city, and (if provided) geocoded latitude/longitude.
2.3 Communication data: messages exchanged with other users about a listing, read receipts.
2.4 Transactional data: Stripe Checkout session IDs and payment statuses for paid upgrades (Featured, Highlighted). We do NOT store full card numbers – payment instruments are handled exclusively by Stripe.
2.5 Technical data: IP-derived country (for geo-mismatch fraud checks only), session cookies, browser-language preference (whaau_lang), session-only cookie-consent flag.
2.6 Verification data (when applicable): email-verification tokens, password-reset tokens, mocked OTP codes.
3. LEGAL BASES (UK GDPR Art. 6)
3.1 Contract – to operate your account and listings.
3.2 Legitimate interests – fraud prevention (keyword blacklist, geo-mismatch flags, brute-force lockout), service security, moderation, and product improvement.
3.3 Consent – analytics/non-essential cookies (you can withdraw at any time via the cookie banner or by clearing browser storage).
3.4 Legal obligation – UK Online Safety Act intermediary record-keeping, ICO disclosure when lawfully required.
4. RETENTION
4.1 Active accounts: kept for the lifetime of the account.
4.2 Deleted accounts: personal data is removed within 30 days, except where retention is required by law.
4.3 Listings: 30 days for free listings, 7 days for Featured, 14 days for Highlighted, after which they expire automatically.
4.4 Moderation logs and reports: retained for 24 months to support fraud trend analysis.
4.5 Payment records: 7 years for UK accounting and tax purposes.
4.6 Backups: rolling 30-day window.
5. SUB-PROCESSORS
5.1 Stripe Payments Europe Ltd – payment processing for paid upgrades.
5.2 Cloud hosting provider โ application hosting and database storage (EU/UK region).
5.3 Emergent object storage โ image hosting for listing photos.
5.4 OpenStreetMap Nominatim – geocoding queries (city/postcode strings only – no personal identifiers).
5.5 (Future, after activation) Resend or SendGrid for transactional email, Twilio for SMS OTP.
6. INTERNATIONAL TRANSFERS
Where data is transferred outside the UK/EEA, we rely on Standard Contractual Clauses and the UK International Data Transfer Addendum.
7. YOUR RIGHTS
Under UK GDPR you have the right to: (a) access, (b) rectification, (c) erasure, (d) restrict processing, (e) data portability, (f) object, (g) withdraw consent, and (h) lodge a complaint with the Information Commissioner's Office (ICO, ico.org.uk). To exercise any of these rights, email admin@whaau.net referencing "GDPR Request". We will respond within one month.
8. SECURITY MEASURES
8.1 Passwords are hashed with bcrypt.
8.2 JWT access tokens with 12-hour expiry, HttpOnly cookies + Bearer header, HTTPS-only transport.
8.3 Brute-force protection: 5-fail account lockout with exponential backoff (15 → 30 → 60 → 120 → 240 minutes, capped at 24 hours).
8.4 Anti-fraud: automated keyword blacklist for prohibited items, manual moderation for new-user first listings, IP-country vs listed-country mismatch flagging.
8.5 Role-based access control for admin endpoints.
9. COOKIES
We use strictly necessary cookies (authentication session) and a single localStorage entry to remember your cookie-consent choice and selected language. Optional analytics cookies are only set with your explicit consent via the cookie banner. We do not use behavioural advertising cookies.
10. CHILDREN
Whaau Market is for users aged 18 and over. Account registration requires explicit age confirmation. Reports of minor accounts are actioned immediately.
11. CHANGES TO THIS POLICY
Material changes will be notified via the cookie banner and/or email to verified accounts at least 14 days before they take effect.
12. CONTACT & COMPLAINTS
For any privacy or data-subject request: admin@whaau.net.
For complaints about how we handle data, you also have the right to complain to the Information Commissioner's Office – https://ico.org.uk or 0303 123 1113.
This Privacy Policy was last updated in February 2026.