Privacy Policy

AquaLots Ltd (“AquaLots”, “we”, “us”, “our”) operates the online marketplace at aqualots.com (the “Platform”) that connects buyers and sellers of aquatic life, equipment, and related products.

For the purposes of data protection law, AquaLots Ltd is the data controller responsible for the personal information collected through the Platform.

Contact: our contact page

We collect personal information in the following ways:

Information you give us directly:

• Account registration: name, email address, password (hashed), username, and profile details.
• Third-party sign-in: if you register or sign in via Google, we receive your name, email address, and profile picture from Google.
• Listings: descriptions, photographs, prices, species information, and any other content you upload when creating a listing.
• Purchases and payments: order details, delivery address, and payment method. Payment card processing is handled by Stripe — we do not store your full card number. We retain only your payment method type, card type, and last 4 digits for records.
• Seller onboarding: identity and banking information collected and held by Stripe via Stripe Connect for payout purposes.
• Competition entries: ticket purchase details and skill-question answers.
• Communications: messages sent via the Platform, emails or enquiries sent to us, and any feedback or reports you submit.
• Preferences: notification settings, cookie consent choices, and region settings.

Information we collect automatically:

• Usage data: pages visited, listings viewed, searches performed, time spent on the Platform, and clicks.
• Device and technical data: IP address, browser type and version, operating system, device identifiers, screen resolution, and referring URL.
• Cookies and tracking technologies: we use cookies and similar technologies for session management, security, and analytics. See section 12 and our Cookie Policy for full details.
• Analytics: we use Google Analytics 4 (via Google Tag Manager) to understand how users interact with the Platform. This may involve the collection of pseudonymous identifiers.

Information from third parties:

• Authentication information from Google if you use Google sign-in.
• Payment and fraud-prevention information from Stripe.
• Information from other users (for example, where a seller or buyer provides your delivery address in connection with an order).

We use your personal information for the following purposes:

• To create and manage your account and authenticate your identity.
• To process purchases, auctions, offers, and competition entries.
• To facilitate payments and payouts via Stripe.
• To communicate with you about your orders, listings, disputes, and account.
• To send service messages, including important updates, security alerts, and policy changes.
• To send marketing emails and notifications where you have given consent or where we have a legitimate interest to do so, and in each case where you have not opted out.
• To personalise your experience on the Platform.
• To analyse usage of the Platform and improve its performance, features, and content.
• To detect, prevent, and investigate fraud, abuse, and security incidents.
• To comply with our legal and regulatory obligations.
• To enforce our Terms & Conditions and other policies.
• To respond to disputes, complaints, and legal claims.
• To conduct business operations including auditing, reporting, and corporate transactions.

Where UK GDPR or EU GDPR applies, we rely on the following lawful bases:

We do not sell your personal information. We share your information only in the following circumstances:

• Other users: when you buy or sell, certain information (such as your username, listing details, and delivery address) is shared with the other party to complete the transaction.
• Stripe: your payment information is processed by Stripe Payments UK Ltd. Stripe acts as both a payment processor and, for sellers using Stripe Connect, a data controller for identity verification and payout purposes. Please review Stripe’s Privacy Policy.
• Google: if you sign in with Google, your authentication is handled by Google. We also use Google Analytics 4 and Google Tag Manager for site analytics. Please review Google’s Privacy Policy.
• Microsoft Azure: our Platform infrastructure, database, and file storage run on Microsoft Azure. Microsoft processes data on our behalf as a data processor under a data processing agreement.
• Email and notification providers: we use third-party services to send transactional and marketing emails on our behalf.
• Legal and regulatory authorities: we may disclose your information to law enforcement agencies, regulators, or courts where required to do so by law or to protect our legal rights.
• Business transfers: if AquaLots is involved in a merger, acquisition, or sale of all or part of its assets, your information may be transferred as part of that transaction. We will notify you of any such change and your choices.
• Professional advisers: lawyers, accountants, insurers, and other advisers acting on our behalf where necessary.

All third-party service providers are required to take appropriate security measures and may only use your information for the specific purposes we instruct.

AquaLots is based in the United Kingdom. Your personal information may be transferred to and processed in countries outside of the UK and European Economic Area (EEA), including the United States, where some of our third-party service providers (including Google and Stripe) operate.

Where we transfer personal information outside the UK or EEA, we ensure appropriate safeguards are in place, including:

• UK adequacy regulations or EU adequacy decisions where the destination country provides an equivalent level of data protection.
• Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner’s Office (ICO) or the European Commission.
• The UK International Data Transfer Agreement (IDTA) where applicable.

You may request further information about the specific safeguards in place for international transfers by contacting us at our contact page.

We take the security of your personal information seriously and use a variety of measures based on good industry practice to keep it secure. Nonetheless, transmissions over the internet may not be completely secure, so please exercise caution. When accessing links to other websites, their privacy policies, not ours, will apply to your personal information.

We employ security measures to protect the personal information you provide to us, to prevent access by unauthorised persons and unlawful processing, accidental loss, destruction, and damage. When we have provided (or you have chosen) a password allowing you access to certain parts of the Platform, you are responsible for safeguarding it and keeping it confidential, and must not allow it to be used by third parties.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority and, where required, affected individuals in accordance with applicable law.

The Platform may contain links to other websites run by other organisations which we do not control. This policy does not apply to those other websites, so we encourage you to read their privacy policies. We are not responsible for the privacy policies and practices of other websites even if you access them using links that we provide, and we provide such links solely for your information and convenience. We specifically disclaim responsibility for their content, privacy practices, and terms of use, and we make no endorsements, representations, or promises about their accuracy, content, or thoroughness. Your disclosure of personal information to third-party websites is at your own risk.

In addition, if you linked to the Platform from a third-party website, we cannot be responsible for the privacy policies and practices of the owners and operators of that third-party website and recommend that you check their policy.

We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, or reporting requirements. Our general retention approach is:

When personal information is no longer required, it is securely deleted or anonymised.

Depending on where you are located, you may have the following rights in relation to your personal information. We will respond to all valid requests within 30 days (or within 45 days for complex or multiple requests).

• Access: the right to request a copy of the personal information we hold about you.
• Correction: the right to request that we correct any inaccurate or incomplete personal information.
• Erasure (“right to be forgotten”): the right to request deletion of your personal information in certain circumstances, for example where it is no longer needed for the purpose it was collected or where you withdraw consent.
• Restriction: the right to request that we restrict processing of your personal information in certain circumstances, for example while we investigate a complaint.
• Data portability: the right to receive your personal information in a structured, commonly used, machine-readable format and to have it transferred to another controller where technically feasible.
• Object: the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will always comply. Where you object to other legitimate interest processing, we will comply unless we have compelling legitimate grounds that override your rights.
• Withdraw consent: where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
• Non-discrimination: the right not to be discriminated against for exercising your privacy rights (relevant particularly for California users — see section 11).

To exercise any of these rights, please contact us at our contact page. We may need to verify your identity before processing your request. There is generally no fee for exercising your rights, although we may charge a reasonable fee or refuse unreasonably repetitive or manifestly unfounded requests.

If you are located in the United Kingdom or the European Economic Area, the following additional provisions apply.

Applicable law. Your personal information is processed in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (for UK users), and the EU General Data Protection Regulation 2016/679 (EU GDPR) (for EEA users).

Data controller. AquaLots Ltd is the data controller for personal information processed through the Platform. Our contact details are set out in section 15.

Your rights under UK/EU GDPR. In addition to the general rights set out in section 9, you also have the right to lodge a complaint with your local supervisory authority:

• UK users: the Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113.
• EEA users: the supervisory authority in your country of residence. A list of EU supervisory authorities is available at edpb.europa.eu.

We would, however, always appreciate the opportunity to address your concerns directly before you contact a supervisory authority. Please contact us first at our contact page.

Automated decision-making. We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects on you without human involvement.

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) may provide you with additional rights.

Categories of personal information collected. In the past 12 months we have collected the following categories as defined by the CCPA: identifiers (name, email, IP address, account ID); commercial information (transaction history, listings); internet or other electronic network activity information (usage data, analytics); geolocation data (inferred from IP address); and inferences drawn from the above to create a profile about you.

We do not sell or share personal information. AquaLots does not sell your personal information or share it for cross-context behavioural advertising as those terms are defined by the CCPA/CPRA. We do use Google Analytics which may involve sharing limited data with Google — please see our Cookie Policy for more information and how to opt out.

Your California rights. As a California resident you have the right to:

• Know what personal information we collect, use, disclose, and sell about you.
• Delete personal information we hold about you, subject to certain exceptions.
• Correct inaccurate personal information we hold about you.
• Opt out of the sale or sharing of your personal information (not applicable as we do not sell or share).
• Limit the use and disclosure of sensitive personal information.
• Non-discrimination — we will not discriminate against you for exercising any of your CCPA rights.

How to exercise your California rights. Submit a verifiable consumer request via our contact page. You may designate an authorised agent to make a request on your behalf — we will require written authorisation. We aim to respond within 45 days; if we require more time we will notify you.

Shine the Light. California Civil Code Section 1798.83 permits California residents to request information regarding our disclosure of personal information to third parties for their direct marketing purposes. We do not share personal information with third parties for their own direct marketing purposes.

We use cookies and similar tracking technologies on the Platform for session management, security, and analytics purposes. You can control non-essential cookies through our cookie consent banner.

For full details of the cookies we use, their purpose, duration, and how to manage them, please see our Cookie Policy.

AquaLots is not directed at children under the age of 18. We do not knowingly collect or solicit personal information from anyone under 18. If you are under 18, please do not use the Platform or provide any personal information to us.

If we become aware that we have collected personal information from a child under 18 without parental consent, we will take steps to delete that information as quickly as possible. If you believe we may have any information from or about a child under 18, please contact us at our contact page.

We may update this Privacy Policy from time to time to reflect changes to our practices, technology, legal requirements, or for other operational reasons. The date at the top of this page reflects when it was last updated.

Where changes are material, we will notify registered users via email or a prominent notice on the Platform before the changes take effect. We encourage you to review this policy periodically.

Your continued use of the Platform after changes take effect constitutes your acceptance of the revised policy.

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal information, please contact our privacy team:

Contact us

We aim to respond to all privacy-related enquiries within 5 working days and to resolve all requests within 30 days.

If you are not satisfied with our response, or believe we are processing your personal information unlawfully, you have the right to lodge a complaint with the relevant supervisory authority in your country. For UK users this is the Information Commissioner’s Office (ICO).