cercle Back to site

Privacy policy

Last updated 21 May 2026
In short

We collect what we need to run Cercle, never sell your data, store passwords securely, and let you delete everything within 30 days. The full policy below explains the details.

Data controller: Masera Hedman Ltd, registered in England and Wales (company number 17163705), 84b Ringford Road, London, England, SW18 1RR. Contact: hello@cercleapp.co.uk

This policy explains what personal data we collect when you use Cercle, how we use it, who we share it with, and the rights you have over it. It applies to everyone who uses Cercle, whether through our app, website, or any connected service.

Contents
  1. 01 What we collect
  2. 02 Marketplace credentials
  3. 03 How we use your data
  4. 04 Who we share with
  5. 05 International transfers
  6. 06 Your rights
  7. 07 How long we keep data
  8. 08 Cookies
  9. 09 Children
  10. 10 Changes to this policy
  11. 11 Contact
01

What we collect

When you use Cercle, we collect:

  • Account data: your name, email address, phone number, and password (stored hashed, never in plain text).
  • Listing data: the photos, titles, descriptions, prices, categories, and condition information you create or that Cercle generates on your behalf.
  • Marketplace data: information returned from the marketplaces you connect — your listings on those platforms, order and sales history, buyer messages, and transaction values.
  • Payout details: the bank or payment account information needed to receive earnings, handled through our payments processor.
  • Communications: any messages you send us through support channels, in-app chat, or email.
  • Cross-platform activity: aggregate data about your selling patterns across connected marketplaces, used to surface insights inside the app.
  • Authentication and technical data: login times, IP addresses, session identifiers, device type, operating system, and basic analytics about how you use the app.
02

Marketplace credentials

When you connect a marketplace to Cercle, you authorise us through that marketplace's official OAuth flow. We store an encrypted access token that lets us act on your behalf within the scope you granted. We never see or store your marketplace passwords. You can disconnect any marketplace at any time from Settings, which revokes the token immediately.

03

How we use your data, and our legal basis

We process your data for the following purposes:

  • To operate the service and cross-post your listings — performance of a contract
  • To process payouts and handle billing — performance of a contract
  • To detect and prevent fraud, abuse, or unauthorised use — legitimate interest
  • To improve and develop the product, including aggregate analysis of usage patterns — legitimate interest
  • To contact you about your account, changes to the service, or important updates — performance of a contract
  • To send you optional marketing communications, where you've consented — consent, which you can withdraw at any time
04

Who we share your data with

We share data only with the parties needed to deliver Cercle's service:

  • The marketplaces you connect (currently Vinted, eBay, and Depop; more added over time): we send the listing data you authorise us to publish, and receive back your account's order and sales data.
  • Stripe, our payments processor, for payout handling and fraud screening.
  • Amazon Web Services (AWS, eu-west-2 London region), our primary cloud hosting provider.
  • Anthropic and/or OpenAI, our AI providers, which process listing content (photos, titles, descriptions) to generate draft listings on your behalf. Data sent to these providers is processed under their respective data processing agreements and is not used to train their models.
  • Postmark, for transactional emails such as sign-up confirmations and account notifications.

We do not sell your personal data to anyone, ever.

05

International data transfers

Cercle's primary data storage is in the UK (AWS London region). Some of our processors — particularly Stripe, our AI providers, and Postmark — may transfer or process data outside the UK or EEA, including in the United States. Where this happens, the transfer is protected by appropriate safeguards: either the UK Extension to the EU-US Data Privacy Framework, the UK International Data Transfer Agreement, or Standard Contractual Clauses approved by the ICO.

06

Your rights under UK GDPR

You have the following rights over your personal data:

  • Access — request a copy of the data we hold about you
  • Correction — ask us to fix anything inaccurate
  • Deletion — ask us to delete your data (subject to legal retention requirements, see section 7)
  • Portability — export your data in a machine-readable format
  • Restriction — ask us to limit how we process your data
  • Objection — object to processing based on legitimate interest
  • Withdraw consent — where processing is based on consent, you can withdraw it at any time

To exercise any of these rights, email hello@cercleapp.co.uk. We respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we've handled your data unlawfully. You can contact the ICO at ico.org.uk or on 0303 123 1113.

07

How long we keep your data

  • Active account data is kept while your account is open.
  • When you close your account, we delete your personal data (name, contact details, listings, photos, marketplace credentials) within 30 days.
  • Transaction and payout records are retained for 6 years after account closure, as required by HMRC for tax record-keeping.
  • Support correspondence is retained for 2 years.
  • Backups containing your data are cycled out within 90 days of deletion from primary systems.
08

Cookies

Cercle uses strictly necessary cookies only — for authentication, session management, and security (CSRF protection). We do not use third-party advertising cookies, tracking pixels, or marketing cookies. You can manage your preferences in Settings → Cookie preferences.

Specific cookies in use:

  • Session cookie (expires when you close the browser or after 14 days)
  • Authentication token (expires after 30 days of inactivity)
  • CSRF token (expires with the session)
09

Children

Cercle is not intended for use by anyone under 18. We do not knowingly collect personal data from minors. If you believe a child has signed up for Cercle, please contact us at hello@cercleapp.co.uk and we will delete the account promptly.

10

Changes to this policy

We may update this policy as Cercle evolves or as the law changes. If we make a material change — meaning a change that affects how we use your data — we'll notify you by email and through the app at least 14 days before it takes effect. Non-material updates (like clarifying language or fixing typos) will be reflected here without separate notice. The "Last updated" date at the top of this policy will always reflect the latest version.

11

Contact

For any privacy-related questions, requests, or concerns:

Email: hello@cercleapp.co.uk
Postal: Masera Hedman Ltd, 84b Ringford Road, London, England, SW18 1RR

For complaints you'd rather take elsewhere, the UK supervisory authority is the Information Commissioner's Office at ico.org.uk.

cercle

A product of Masera Hedman Ltd, registered in England and Wales.
For enquiries: hello@cercleapp.co.uk

Privacy PolicyTerms & ConditionsContact
© 2026 Masera Hedman Ltdcercleapp.co.uk