GDPR Compliance

Last Updated: 2 February 2026

Operating Entity

RTC Collector is a service operated by RetroTechCollection.

  • Operating Entity: RetroTechCollection
  • Service Name: RTC Collector
  • Operating Entity Website: https://retrotechcollection.com
  • Service URL: https://rtccollector.com

This document explains how RetroTechCollection complies with the UK General Data Protection Regulation (UK GDPR) and your rights under this legislation in relation to the RTC Collector service.

What is UK GDPR?

The UK GDPR is data protection legislation that came into effect after Brexit, based on the EU's General Data Protection Regulation. It gives you control over your personal data and sets out how organizations must handle it.

RetroTechCollection is committed to full compliance with UK GDPR and takes your data rights seriously.

Our Role

RetroTechCollection acts as a data controller for your personal information when you use RTC Collector. This means we decide how and why your data is processed.

For some services (like payment processing through Stripe), we also act as a data processor, handling data on behalf of others under strict instructions and contracts.

The Lawful Bases We Use

UK GDPR requires a lawful basis for processing personal data. Here's what we use:

Contract Performance

When you sign up and use RTC Collector, we process data because it's necessary to provide the service. This includes:

  • Creating your account
  • Storing your collection
  • Facilitating marketplace transactions
  • Sending service-related communications

Legitimate Interests

We have legitimate business interests that justify processing, like:

  • Improving our service
  • Detecting fraud and abuse
  • Maintaining security
  • Analyzing usage patterns
  • Sending relevant product updates

We balance these interests against your rights and don't process data in ways you wouldn't reasonably expect.

Sometimes we must process data to comply with laws, such as:

  • Keeping transaction records for tax purposes
  • Responding to valid legal requests
  • Meeting accounting requirements

For non-essential activities, we ask for explicit consent:

  • Marketing emails beyond service updates
  • Analytics cookies
  • Sharing data with third parties beyond what's necessary

You can withdraw consent anytime without affecting the legality of processing before withdrawal.

Your Rights in Detail

UK GDPR gives you comprehensive rights over your data:

1. Right of Access (Article 15)

You can ask what personal data we hold about you. We'll provide:

  • Categories of data
  • Purposes of processing
  • Who we've shared it with
  • How long we keep it
  • Your other GDPR rights
  • A copy of the data in portable format

  • How to request: Email [email protected]
  • Response time: Within 30 days
  • Cost: Free (first request)

2. Right to Rectification (Article 16)

If your data is inaccurate or incomplete, you can have it corrected.

Most data you can update yourself in account settings. For things you can't change (like transaction history), contact us with evidence of the correction needed.

  • How to request: Update in settings or email [email protected]
  • Response time: Within 30 days

3. Right to Erasure / "Right to be Forgotten" (Article 17)

You can request deletion of your personal data if:

  • It's no longer needed for the purposes collected
  • You withdraw consent and there's no other lawful basis
  • You object and we have no overriding legitimate grounds
  • It was unlawfully processed
  • Legal obligations require deletion

Exceptions - we can refuse if we need the data for:

  • Complying with legal obligations (like keeping transaction records for 7 years)
  • Defending legal claims
  • Exercising freedom of expression
  • Establishing, exercising, or defending legal rights

  • How to request: Close your account in settings or email [email protected]
  • What gets deleted: Most data within 30 days; some retained per retention schedule
  • What's kept: Transaction records (7 years), dispute records (2 years after resolution)

4. Right to Restriction of Processing (Article 18)

You can ask us to limit how we use your data while we:

  • Verify accuracy you've challenged
  • Consider your objection
  • Determine if our legitimate grounds override yours

During restriction, we store the data but don't actively process it (except with your consent or for legal claims).

  • How to request: Email [email protected] with the reason
  • Response time: Within 30 days

5. Right to Data Portability (Article 20)

You can receive your data in a structured, machine-readable format and transfer it to another service.

This applies to data:

  • You provided to us
  • Processed based on consent or contract
  • Processed by automated means

What you get:

  • JSON or CSV export of your collection
  • Transaction history
  • Account information
  • Messages (where possible while respecting others' privacy)

  • How to request: Export from account settings or email [email protected]
  • Format: JSON or CSV
  • Response time: Immediate (in-app export) or within 30 days (full export)

6. Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing.

  • For direct marketing: We must stop immediately
  • For legitimate interests: We'll stop unless we demonstrate compelling legitimate grounds that override your rights

How to object:

  • Marketing: Unsubscribe link in emails or account settings
  • Other processing: Email [email protected] with your reasons

Response time: Immediate (marketing) or within 30 days (other)

7. Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that significantly affect you.

Our current practice: We don't make automated decisions with legal or similarly significant effects.

If we introduce such processing, we'll:

  • Inform you clearly
  • Get explicit consent
  • Provide information about the logic involved
  • Offer ways to contest decisions
  • Allow human intervention

Data Protection Principles

We process your data according to UK GDPR's core principles:

Lawfulness, Fairness, and Transparency

  • We have lawful bases for all processing
  • We're upfront about what we collect and why
  • This policy explains our practices in clear language

Purpose Limitation

  • We collect data for specific, legitimate purposes
  • We don't use it in ways incompatible with those purposes
  • If purposes change significantly, we'll get fresh consent

Data Minimization

  • We only collect what's necessary
  • We don't ask for data "just in case"
  • Optional fields are clearly marked

Accuracy

  • We take reasonable steps to keep data accurate
  • You can correct inaccuracies
  • We update or delete outdated data

Storage Limitation

  • We don't keep data longer than necessary
  • We have retention schedules for different data types
  • We delete or anonymize data when retention periods end

Integrity and Confidentiality

  • We protect data with appropriate security measures
  • We train staff on data protection
  • We have breach notification procedures

Accountability

  • We can demonstrate compliance
  • We maintain processing records
  • We conduct data protection impact assessments where required

Special Categories of Data

UK GDPR has extra protections for "special category" data (racial origin, health, genetics, biometrics, etc.).

We don't intentionally collect special category data. If you voluntarily include it in free-text fields (like item descriptions), please be aware it may be visible to others based on your privacy settings.

If we ever need to collect special category data, we'll:

  • Get explicit consent
  • Explain why it's necessary
  • Provide extra security

Children's Data

We don't knowingly collect data from children under 13.

For users 13-17:

  • Parental consent is required
  • We process minimal data
  • Parents can access, rectify, or delete their child's data

If we discover we've collected data from someone under 13, we'll delete it unless we have a legal obligation to retain it.

Data Transfers Outside the UK

Our primary servers are in the EU. Some service providers may process data in other countries.

When we transfer data outside the UK, we ensure:

For Adequate Countries:

  • We rely on adequacy decisions by the UK government
  • These countries have similar data protection standards

For Other Countries:

  • We use Standard Contractual Clauses (SCCs) approved by the UK ICO
  • We conduct transfer impact assessments
  • We implement supplementary measures where needed

You can request copies of the safeguards we use: [email protected]

Data Protection Impact Assessments

When we introduce new features that might pose high risks to your rights, we conduct Data Protection Impact Assessments (DPIAs).

We've conducted DPIAs for:

  • Marketplace payment processing
  • Message encryption systems
  • Third-party service integrations

We consult with the ICO when DPIAs indicate high risks we can't mitigate.

Data Breaches

If we discover a breach likely to result in risk to your rights, we'll:

Notify the ICO:

  • Within 72 hours of becoming aware
  • Provide details of the breach
  • Explain our response

Notify You:

  • Without undue delay if there's high risk to your rights
  • Explain what happened in clear language
  • Describe likely consequences
  • Outline steps we've taken

Our Measures:

  • We have breach detection systems
  • We maintain an incident response plan
  • We conduct regular security audits

Your Right to Complain

If you're unhappy with how we handle your data:

Step 1: Contact Us

Step 2: Supervisory Authority

If you're not satisfied with our response, complain to the UK Information Commissioner's Office (ICO):

  • Website: ico.org.uk/make-a-complaint
  • Phone: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

You can complain to the ICO without contacting us first, though we'd appreciate the chance to address your concerns.

Data Protection Officer

We've appointed a Data Protection Officer (DPO) to oversee GDPR compliance.

Contact our DPO:

The DPO:

  • Monitors our compliance
  • Advises on data protection obligations
  • Acts as contact point for supervisory authorities
  • Handles data subject requests

Records of Processing Activities

We maintain detailed records of our processing activities as required by Article 30 UK GDPR, including:

  • Purposes of processing
  • Categories of data subjects and data
  • Categories of recipients
  • Data transfers
  • Retention periods
  • Security measures

These records are available to the ICO upon request.

Exercising Your Rights

To exercise any GDPR rights:

Email: [email protected]

Include:

  • Your full name and username
  • Email address associated with your account
  • Specific right you're exercising
  • Any relevant details

We'll need to verify your identity:

  • We may ask for additional information
  • This protects your data from unauthorized access
  • Verification is proportionate to the sensitivity of the request

Response Times:

  • Standard: 30 days
  • Complex requests: Up to 90 days (we'll explain the delay)
  • Immediate: Marketing opt-outs

Costs:

  • First request: Free
  • Excessive or repetitive requests: Reasonable fee or refusal
  • We'll explain any fees before processing

Changes to This Page

We'll update this page when our GDPR compliance practices change. Check the "Last Updated" date at the top.

For significant changes, we'll notify you via email or platform notification.

Questions?

For any questions about GDPR compliance:

We're committed to transparency and happy to explain our practices.