Privacy Policy - Sharepact

Platform: Sharepact (website and mobile app)
Company: Sharepact Ltd (registered in England and Wales)
Effective date: • DATE •
Version: 1.0

PREMISE

This Privacy Policy (“Policy”) explains how Sharepact Ltd (“we”, “us”, “our”, or “Sharepact”), as the data controller, collects, uses, stores and shares your personal data when you use our peer‑to‑peer object rental platform (the “Platform”).
We comply with the UK General Data Protection Regulation (UK GDPR) and, where applicable, the EU GDPR for users in the European Union.

If you do not agree with this Policy, please do not use the Platform. By using Sharepact, you confirm that you have read and understood this Policy.

1. Data Controller and Data Protection Officer (DPO)

Company name: Sharepact Ltd
Registered address: • YOUR UK COMPANY ADDRESS •
Email (general privacy): privacy@sharepact.com
Phone: • PHONE NUMBER •

We have appointed a Data Protection Officer (DPO) who can be contacted at:
DPO email: dpo@sharepact.com
Postal address: • DPO ADDRESS •

2. Categories of personal data we collect

2.1 Data you provide directly

  • Registration and profile data: name, surname, date of birth, nationality, residential address (optional), phone number, email address, profile photo, personal description.

  • Verified identity data: copy of ID card or passport (number, expiry date), selfie with document – only required for identity verification before certain transactions. This data is not shared with other users.

  • Object listing data: photos, description, category, condition, approximate location (e.g. neighbourhood), daily/weekly rental price, security deposit amount.

  • Transaction data: rental history (items borrowed or lent), ratings and reviews left by/for you, internal chat messages, amounts paid/received.

  • Payment data: IBAN, credit/debit card details (number, expiry, cardholder name). We never store full card data – it is handled by our PCI‑DSS certified payment provider via tokenisation (with your explicit consent).

  • Insurance data: if we offer optional damage cover, we collect data necessary to handle claims (e.g. photos of damage, description of incident).

  • Communications with support: any information you send to our customer service team.

2.2 Data collected automatically

  • Usage data: IP address, browser type, operating system, pages visited, session duration, clickstream, device identifiers.

  • Location data (with your consent): approximate GPS or IP‑based location to show nearby items. You can disable this in device settings.

  • Cookies and similar technologies – see Section 10.

  • Social login (if you use “Sign in with Google/Apple”): we receive only your name, email address and account identifier – used solely for authentication.

2.3 Data generated by the Platform

  • Ratings and reviews – visible on your public profile.

  • Transaction history – dates, duration, amounts, status.

  • Dispute and claim data – photographic evidence, chat logs, damage descriptions – kept only until the dispute is resolved.

3. Purposes and legal bases for processing

We process your personal data only for specific, explicit and legitimate purposes. The legal bases under UK/EU GDPR are:

 
 
Purpose Legal basis
Register and manage your account Performance of contract (Art. 6.1.b)
Facilitate rental transactions (bookings, payments, deposits, reminders) Performance of contract (Art. 6.1.b)
Verify your identity (to prevent fraud and increase trust) Legitimate interest (Art. 6.1.f) and/or legal obligation
Customer support and dispute resolution Performance of contract (Art. 6.1.b)
Improve and secure the Platform (analytics, bug fixing, fraud detection) Legitimate interest (Art. 6.1.f)
Marketing communications (newsletters, offers) – only with your consent Consent (Art. 6.1.a) – revocable anytime
Comply with legal obligations (tax, anti‑money laundering, digital services laws) Legal obligation (Art. 6.1.c)
Corporate transactions (merger, acquisition, sale) Legitimate interest (Art. 6.1.f) – with prior notice
Behavioural advertising / remarketing Consent (Art. 6.1.a)
Automated profiling (e.g. trust scores, personalised search results) Consent or legitimate interest – you have the right to human intervention under Art. 22

We do not take decisions based solely on automated processing that produce legal or similarly significant effects without human review.

4. Who we share your data with

Your data may be shared with the following recipients, only as necessary:

  • Other Sharepact users – they see your name, profile photo, ratings, approximate location (neighbourhood) and listed items. After a booking is accepted, they also see your phone number for logistics.

  • Service providers (data processors) – hosting (AWS EU region), payment processor (Stripe / • PROVIDER •), analytics (Google Analytics, PostHog), email/SMS (Brevo), customer support (Intercom), security (Cloudflare), AI content processing (OpenAI – no direct identifiers unless strictly needed). All processors sign data processing agreements (DPA) under Art. 28.

  • Insurance partner (if applicable) – • INSURER NAME • – only to handle claims.

  • Public authorities – when required by law, court order, or lawful request (e.g. HMRC, ICO, police).

  • Group companies or commercial partners – only for compatible purposes, with adequate safeguards.

We never sell your personal data to third parties for direct marketing.

5. International data transfers

Your data is primarily stored on servers located in the European Economic Area (EEA) (AWS region: Ireland/Frankfurt).
If we transfer data outside the UK/EEA, we ensure at least one of the following safeguards:

  • An adequacy decision by the UK or EU Commission.

  • Standard Contractual Clauses (SCCs) adopted by the European Commission, together with supplementary measures.

  • Binding Corporate Rules (BCRs) (if applicable).

You can request a copy of these safeguards by contacting our DPO at dpo@sharepact.com.

6. Data retention periods

We keep your data only as long as necessary for the purposes set out above, plus any legal retention obligations.

 
 
Category Retention period
Active account data For the duration of your account
Closed account data • NUMBER • years after closure, unless longer required by law
Transaction data (tax/accounting) • NUMBER • years from the transaction date
Verified identity documents Deleted • NUMBER • days after verification, unless fraud suspected (then up to • NUMBER • years)
Chat messages • NUMBER • months after rental ends, or until dispute resolved
Marketing data Until consent revoked, or max • NUMBER • years from last interaction
Logs and security data • NUMBER • months
Anonymised data Indefinitely for statistical/research purposes

After retention expires, data is securely deleted or irreversibly anonymised.

7. Your rights (UK GDPR / EU GDPR)

Under data protection law, you have the following rights:

  1. Access – confirm whether we process your data and obtain a copy.

  2. Rectification – correct inaccurate or incomplete data.

  3. Erasure (“right to be forgotten”) – request deletion, subject to legal exceptions.

  4. Restriction – limit processing in certain situations (e.g. while you contest accuracy).

  5. Portability – receive your data in a structured, machine‑readable format and transmit it to another controller.

  6. Objection – object to processing based on legitimate interests (including profiling for direct marketing).

  7. Withdraw consent – at any time, without affecting the lawfulness of processing before withdrawal.

  8. Not be subject to automated decision‑making – request human intervention under Art. 22.

To exercise these rights, contact us at privacy@sharepact.com or in writing to • POSTAL ADDRESS •. We will respond within 30 days (extendable by 60 days for complex requests). We may ask for proof of identity.

You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO)www.ico.org.uk – or with your local EU data protection authority.

8. Security of data

We implement technical and organisational measures to protect your data, including:

  • TLS 1.3 encryption in transit, AES‑256 encryption at rest.

  • Role‑based access control and multi‑factor authentication for staff.

  • Regular penetration testing and vulnerability scanning.

  • Data Protection Impact Assessments (DPIAs) for high‑risk processing.

  • Employee training on data protection.

Data breach notification: If a breach poses a risk to your rights, we will notify the ICO within 72 hours and inform you without undue delay (Art. 34).

No system is 100% secure – use a strong password and do not share your login credentials.

9. Children’s data

The Platform is not intended for persons under • AGE (minimum 16 or 18) • years. We do not knowingly collect personal data from minors. If we learn that a minor has provided us with data without parental consent, we will delete it immediately. Parents/guardians can contact us at privacy@sharepact.com.

10. Cookies and tracking technologies

We use cookies and similar technologies as described below. You can manage preferences via our cookie banner or your browser settings.

 
 
Type Purpose Expiry
Essential / technical Login, session, cart Session / • HOURS •
Preferences Language, saved location • DAYS •
Analytics (anonymised) Google Analytics, PostHog – to improve the Platform up to 2 years
Marketing / remarketing (consent required) Show personalised ads (Google Ads, Meta) • DAYS •

Third‑party cookies are subject to the respective providers’ policies. You can opt out of interest‑based advertising via www.youronlinechoices.com (EDAA) or optout.aboutads.info (DAA).

See our full Cookie Policy at • URL TO COOKIE POLICY •.

11. User‑generated content and public data

Information you voluntarily post on the Platform (e.g. item descriptions, photos, reviews) is visible to other users. Do not include sensitive personal data in such public areas. We are not responsible for data you choose to make public.

12. Links to third‑party sites

The Platform may contain links to external websites or services. This Policy does not apply to those third parties – please read their privacy policies. We are not liable for their data practices.

13. Changes to this Privacy Policy

We may update this Policy from time to time. If we make material changes that significantly affect your rights, we will notify you by email or via a prominent notice on the Platform at least 30 daysbefore the changes take effect. The latest version will always be available at • URL OF PRIVACY POLICY •. Your continued use of the Platform after the changes constitutes acceptance.

14. Governing law and jurisdiction

This Policy is governed by the laws of England and Wales. Any disputes arising out of or relating to this Policy or the processing of your personal data shall be subject to the exclusive jurisdiction of the courts of • CITY (e.g. London) •, unless mandatory consumer protection laws say otherwise.

15. Contact us

For any questions, requests or complaints regarding this Privacy Policy or your data:

  • Email: privacy@sharepact.com

  • Post: • YOUR POSTAL ADDRESS •

  • DPO email: dpo@sharepact.com

We will respond as soon as possible, and in any event within the time limits required by law.

APPENDIX – List of main data processors (sub‑processors)

Below is an indicative list of our key service providers who may access user data as processors. An up‑to‑date list is available from our DPO.

 
 
Service Provider Privacy / DPA link
Cloud hosting AWS (EU region – Ireland/Frankfurt) AWS GDPR
Payment processing Stripe / • PROVIDER • Stripe privacy
Analytics Google Analytics, PostHog Google / PostHog
Email & CRM Brevo (Sendinblue) Brevo privacy
Customer support Intercom Intercom privacy
Security / CDN Cloudflare Cloudflare privacy
AI content processing OpenAI OpenAI privacy
Remarketing Google Ads, Meta (Facebook) Ads Google / Meta
Social login Google, Apple Google / Apple
Search Algolia Algolia privacy

The best rental platform for items from individuals and professionals, including ID verification and Insurance

English

About

Support

LEGAL

Sharepact© 2026 All rights reserved.