Privacy Policy

Last updated: 13 May 2026

BuyOneOfOne is committed to protecting your privacy and handling your data with clarity, care, and respect.

0. Data Controller Details

BUYONEOFONE LTD is the data controller for the personal data processed through this platform. For privacy requests, contact support@buyoneofone.com.

Operator
BUYONEOFONE LTD
Country of registration
England and Wales
Company number
17218026
Company activity
Marketplace software development and support for sales, provenance records, and Certificate of Authenticity services.
Privacy contact
support@buyoneofone.com

1. Information We Collect

We collect only the information necessary to provide and maintain our services. This may include:

  • Account information (such as name, email address, and login credentials)
  • Transaction data (including purchases, sales, and ownership records)
  • Order communications, tracking updates, return requests, complaints, and dispute evidence
  • Artwork information, including associated seller-provided Certificate of Authenticity (CoA) data
  • Communications with support
  • Technical and security data (such as IP address, device/browser metadata, and logs)

We do not collect unnecessary personal data.

1.1 Data Sources

We collect personal data from:

  • You directly (account setup, profile updates, uploads, support requests)
  • Payment providers such as Stripe (payment and payout status information)
  • Technical systems used to secure and operate the platform

2. How Your Data Is Stored

Authentication, database storage, and application data are managed using Supabase. This includes securely storing user accounts, artwork listings, provenance records, and Certificate of Authenticity data.

Payments and available checkout methods are processed by Stripe. We do not store full card numbers, wallet credentials, or sensitive payment details on our servers.

2.1 Processors We Use

We use trusted third-party processors to provide our service:

  • Supabase (authentication, database, storage) - Privacy Policy
  • Stripe (payments, payouts, identity verification) - Privacy Policy
  • Plausible Analytics (if enabled, cookieless analytics) - Data Policy

3. How We Use Your Information

We use your information to:

  • Provide and maintain your account
  • Process purchases, sales, and ownership records
  • Generate and store Certificates of Authenticity on behalf of artists or authorised sellers
  • Maintain provenance and transaction history
  • Send order, tracking, return, complaint, and seller/buyer message notifications
  • Review returns, complaints, chargebacks, fraud concerns, and marketplace disputes
  • Prevent fraud and protect platform integrity
  • Carry out tax, sanctions, anti-money-laundering, and seller verification checks where required
  • Operate browse rotation, fair surfacing, and editorial curation features
  • Comply with legal and tax obligations

We do not sell your personal data or use it for third-party advertising.

4.1 Browse Rotation and Curation

We may use listing data, availability, user-selected filters, and visit-level rotation logic to order artworks in browse surfaces. This is intended to improve relevance and distribute exposure more fairly across eligible listings over time.

Where you choose to join our mailing list, we may use your email address to send platform updates, launches, and editorial announcements. You can opt out of marketing emails at any time.

4. Legal Basis for Processing (UK GDPR)

Under UK data protection law, we rely on the following lawful bases:

  • Contract: to deliver our services and complete transactions
  • Legitimate interests: to maintain security, prevent fraud, and improve the platform
  • Legal obligation: to comply with applicable laws and regulations
  • Consent: where required for non-essential cookies and marketing communications

5. Data Retention

We retain data only as long as necessary. Typical retention periods are:

  • Account profile data: while your account is active, then deleted or anonymized when possible
  • Order and transaction records: up to 6 years for legal, tax, and accounting obligations
  • Order messages, tracking updates, complaints, and return evidence: normally up to 6 years where linked to a transaction or dispute
  • Certificate and provenance records: retained as needed to preserve authenticity history
  • Support communications: normally up to 24 months
  • Security and abuse-prevention logs: normally up to 90 days unless legally required longer

6. Your Rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Request deletion of your data, where applicable
  • Restrict or object to certain processing
  • Request a copy of your data (data portability)

To exercise these rights, contact us at: support@buyoneofone.com

We aim to respond within one calendar month in line with applicable data protection laws.

6.1 Children

This service is not intended for children under 18. We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us and we will investigate and remove the information where appropriate.

7. Cookies and Analytics

We use cookies and similar technologies in the following categories:

  • Essential cookies: maintain secure sessions and core functionality
  • Preference cookies: remember choices such as currency, cookie settings, or interface preferences
  • Analytics: if enabled, we use privacy-focused analytics to understand usage patterns and improve reliability

Where required, you will be given the option to manage or consent to non-essential cookies before they are set.

We do not use non-essential cookies or similar technologies for behavioural advertising. If this changes, we will update this notice and request consent where required.

8. Data Security

We take appropriate technical and organisational measures to protect your data from unauthorised access, loss, misuse, or alteration.

If a personal data breach occurs, we will investigate and notify affected individuals and regulators when required by law.

9. International Data Transfers

Where data is processed outside the United Kingdom, we ensure appropriate safeguards are in place to protect your information in accordance with UK GDPR.

Where required, we rely on approved transfer mechanisms such as adequacy regulations, the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses.

9.1 Automated Decision-Making

We do not carry out solely automated decision-making, including profiling, that produces legal or similarly significant effects on individuals.

9.2 Marketplace Records

Buyer and seller order messages are stored on the website timeline so BuyOneOfOne can provide customer support, send notifications, review disputes, handle payment issues, and maintain a reliable record of fulfilment. Email is used as a notification channel; the website order timeline remains the main record.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Updates will be reflected on this page with a revised effective date.

11. Contact

For questions, requests, or concerns about this policy or your data, contact:

support@buyoneofone.com

12. ICO Registration

You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO). You can contact the ICO at ico.org.uk.