Privacy Policy

Last updated: April 2026

1. Data Controller

DropSwap is a trading name of DROPSWAP LTD, a private limited company incorporated in England and Wales. References to "we", "us", or "DropSwap" refer to the DropSwap platform and DROPSWAP LTD. We are the data controller for the personal data we collect about you, and we are committed to protecting your personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

  • Trading name: DropSwap
  • Legal name: DROPSWAP LTD
  • Incorporated in: England and Wales
  • Companies House number: 16767084 (verify at companieshouse.gov.uk)
  • Registered office: 34 Pencombe Road, Liverpool, England, L36 2NH
  • Contact email: hello@dropswap.co.uk
  • ICO registration number: ZC132166

2. What Data We Collect

We collect the following personal data: your email address (required for account creation and communications); your country of residence (required to match you with users in your area); profile information you choose to provide, including your username, biography, and profile photograph; item listings you post, including photos, videos, descriptions, and estimated values; the content of messages exchanged through the platform between swap participants; swap history, security hold records, and transaction outcomes; ratings and trust scores; reports you submit or that are submitted about you; and device and usage data collected automatically for security and fraud prevention purposes.

3. What We Do NOT Collect

We do not require a structured delivery address field. However, if you choose to share an address in messages to arrange collection or delivery, that address is stored as part of your message content and is accessible to the other party in that swap or giveaway exchange. We do not collect or store payment card details — these are handled entirely by Stripe and never transmitted to or stored on our servers. We do not collect government-issued identity documents.

4. Lawful Basis for Processing

We process your personal data on the following lawful bases under Article 6 UK GDPR:

  • Performance of a contract (Art. 6(1)(b)): to create and manage your account, enable swap transactions, coordinate with Stripe on payment outcomes, and provide the core features of the platform
  • Legitimate interests (Art. 6(1)(f)): to prevent fraud and abuse, maintain platform security, resolve disputes, and improve our service — where these interests are not overridden by your rights
  • Legal obligation (Art. 6(1)(c)): to comply with applicable law, including responding to lawful requests from law enforcement or regulatory authorities, and retaining financial records as required by HMRC
  • Consent (Art. 6(1)(a)): where you have given specific consent, such as for optional marketing communications — you may withdraw consent at any time

5. How We Use Your Data

We use your personal data to: operate and improve the DropSwap platform; match you with users in your country; enable and facilitate swap transactions; coordinate payment and security hold outcomes via Stripe; detect, investigate, and prevent fraud, abuse, and policy violations; review and resolve disputes; send transactional notifications and emails relating to your account and swaps; comply with our legal and regulatory obligations.

6. Address & Location Sharing

We do not collect a structured home address field. If you choose to share your address in messages to arrange in-person collection or delivery, that address is stored as part of the message content and is accessible to the other swap participant. You are never required to share your address. DropSwap is not responsible for how other users handle address information shared in messages.

7. Data Sharing

We do not sell your personal data. We share your data only with the following third-party service providers where necessary to operate the platform: Supabase (database hosting and authentication), Stripe (payment processing), Vercel (platform hosting), and Resend (transactional email delivery). We also share data with law enforcement and regulatory authorities where required by law, court order, or regulatory requirement.

Some providers may process personal data outside the UK. Where personal data is transferred internationally, we rely on adequacy regulations or appropriate safeguards such as the UK International Data Transfer Agreement or UK Addendum to Standard Contractual Clauses, as applicable. You can contact us for more information about the safeguards used for a particular provider.

8. Data Retention

We retain your personal data for as long as your account is active. If you request account deletion, we will delete or anonymise your personal data — including your profile, item listings, and message content — within 7 days. Messages form part of a shared swap record; your messages will be anonymised rather than deleted entirely, so that the other party's record is preserved. Financial and transaction records are retained for 6 years from the date of the relevant transaction, as required by HMRC and applicable accounting legislation. Some data may be retained for longer where required by law or where there is a legitimate ongoing dispute or legal claim.

9. Your Rights Under UK GDPR

Under UK GDPR, you have the following rights:

  • Right of access — to request a copy of the personal data we hold about you
  • Right to rectification — to request correction of inaccurate or incomplete data
  • Right to erasure — to request deletion of your data, subject to legal retention requirements
  • Right to restriction — to request that we limit how we use your data in certain circumstances
  • Right to data portability — to receive your data in a structured, machine-readable format
  • Right to object — you may object at any time to processing based on legitimate interests. You also have an absolute right to object to direct marketing
  • Rights related to automated decision-making — see Section 10 below
  • Right to withdraw consent — where we rely on consent, you may withdraw it at any time

To exercise any of these rights, please contact us via the Contact page on DropSwap. We will respond within one calendar month. You will not be charged for making a request. We may ask you to verify your identity before processing your request.

10. Automated Decision-Making

DropSwap does not make decisions about users that produce legal or similarly significant effects through fully automated means. Trust scores displayed on user profiles are calculated automatically based on completed swaps and ratings received; they are informational indicators only and do not automatically determine account access or eligibility. Account suspension decisions are made by human review.

11. Cookies

DropSwap uses only essential cookies required for authentication and session management. We do not use advertising, tracking, or analytics cookies. No consent is required for essential cookies under the UK Privacy and Electronic Communications Regulations (PECR).

12. Children

DropSwap is strictly for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has registered on the platform, please report it immediately via our Contact page and we will delete the account promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or in applicable law. We will notify registered users of material changes by email at least 14 days before they take effect. The "last updated" date at the top of this page reflects the most recent revision.

14. Contact & Complaints

For any privacy-related questions, to exercise your rights, or to raise a concern about how we handle your data, please contact us via the Contact page on DropSwap. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection: ico.org.uk | 0303 123 1113.