Dukanoh

Privacy Policy

Effective: 16 April 2026Controller: TAFSI LTDICO Reg. ZC125203

This Privacy Policy explains how TAFSI LTD (“we”, “us”, “our”) collects, uses, and protects your personal data when you use the Dukanoh mobile marketplace application. We are committed to full compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Online Safety Act 2023. By using the App you acknowledge that you have read and understood this policy.

1. Who We Are

The data controller responsible for your personal data is:

Company	TAFSI LTD
Registered in	England and Wales
Registered Address	29 Chapel Street, Hyde, SK14 1JB
Company Number	17154212
ICO Registration	ZC125203
Data Contact	legal@dukanoh.com

2. Personal Data We Collect

We collect the following categories of personal data:

Category	Examples	How Collected
Identity & Contact	Full name, email, phone number, delivery and billing address	Provided by you on registration or at checkout
Payment Data	Tokenised card details (last 4 digits, expiry), billing address, transaction history	Provided by you; card data processed exclusively by our PCI-DSS payment processor
Marketplace Activity	Listings created, items purchased, offers made, transaction history	Generated automatically as you use the marketplace
User-Generated Content	Product photos, descriptions, reviews, ratings, in-app messages	Provided by you within the App
Usage & Analytics	IP address, device ID, OS version, pages viewed, session duration, crash reports	Collected automatically via analytics SDKs
Communications	Support tickets, in-app messages, email correspondence	Provided by you when you contact us or message other users
Identity Verification	Government-issued ID document data, selfie imagery (where KYC is required)	Provided by you when identity verification is triggered — see section 7
Social Login Data	Name, email, and profile identifier from Google or Apple sign-in	Collected if you choose to sign in via Google or Apple ID
Pro Subscription Data	Subscription plan type (Founder / Standard), subscription status, start and renewal dates, Founder tier eligibility	Generated when you subscribe to Dukanoh Pro via the App
In-App Purchase Records	Purchase confirmation tokens, item purchased (e.g. Story Boost), transaction date and amount, App Store or Google Play order reference	Provided by Apple App Store or Google Play when an in-app purchase is completed
Boost & Story Analytics	Impressions, views, saves, and click-throughs on boosted listings and Stories; boost activation and expiry timestamps	Generated automatically when a Story Boost is active
Tax Reporting Data (Sellers)	National Insurance (NI) number or Unique Taxpayer Reference (UTR), date of birth (if not previously provided), and home address — collected for HMRC reporting under the UK Platform Information Reporting Regulations 2023	Provided by you via the in-app Tax information screen when you approach the reporting threshold — see section 8

We do not intentionally collect special category data. If you include such data voluntarily in listings or messages, you do so at your own discretion.

3. Legal Basis for Processing (UK GDPR Article 6)

Every processing activity we carry out has a documented legal basis:

Processing Activity	Legal Basis	UK GDPR Article
Account creation and management	Contract performance	Art. 6(1)(b)
Processing marketplace transactions	Contract performance	Art. 6(1)(b)
Holding payments in escrow	Contract performance	Art. 6(1)(b)
Fraud detection and trust & safety profiling	Legitimate interests + Legal obligation	Art. 6(1)(f) + (c)
Identity / KYC verification	Legal obligation (AML Regs 2017)	Art. 6(1)(c)
Analytics and App improvement	Legitimate interests	Art. 6(1)(f)
Retaining financial records	Legal obligation (HMRC)	Art. 6(1)(c)
Sending transactional notifications	Contract performance	Art. 6(1)(b)
Sending push notifications (marketing)	Consent	Art. 6(1)(a)
Sending marketing emails (existing customers)	Legitimate interests (soft opt-in)	Art. 6(1)(f)
Content moderation (Online Safety Act)	Legal obligation	Art. 6(1)(c)
Resolving buyer/seller disputes	Legitimate interests + Legal obligation	Art. 6(1)(f) + (c)
Managing Pro subscriptions and billing	Contract performance	Art. 6(1)(b)
Processing in-app purchases (Boosts)	Contract performance	Art. 6(1)(b)
Providing Boost & Story analytics to Pro sellers	Contract performance	Art. 6(1)(b)
Collecting and reporting seller tax data to HMRC (UK PIRRR 2023 / DAC7)	Legal obligation (UK PIRRR 2023, SI 2023/817)	Art. 6(1)(c)

Where we rely on legitimate interests, we have conducted a Legitimate Interests Assessment (LIA) and are satisfied our interests are not overridden by your rights and freedoms. You may request a copy of any LIA at legal@dukanoh.com.

4. How We Use Your Personal Data

To create and manage your Dukanoh account.
To facilitate marketplace transactions between buyers and sellers.
To hold payments securely in escrow and release them upon confirmed delivery.
To communicate with you about your account, orders, listings, and messages.
To send transactional push notifications (e.g. order updates, delivery status).
To send marketing communications where you have opted in, or under the soft opt-in rule for existing customers.
To personalise your marketplace feed and surface relevant listings.
To detect and prevent fraudulent listings, transactions, and account activity.
To moderate content and ensure compliance with our Prohibited Items Policy and the Online Safety Act 2023.
To resolve disputes between buyers and sellers.
To comply with legal and regulatory obligations including HMRC, AML, and ICO requirements.
To improve App performance, fix bugs, and develop new features.
To manage your Dukanoh Pro subscription, including billing, renewal, and Founder tier tracking.
To process in-app purchases (such as Story Boosts) and deliver purchased features.
To provide Pro sellers with analytics dashboards showing boost and listing performance metrics.

5. Trust, Safety & Fraud Prevention

Dukanoh uses automated systems and human review to protect users and maintain a trustworthy marketplace. This processing includes:

Listing screening: Automated analysis of listing titles, descriptions, and images to detect prohibited items, counterfeit goods, and misleading content.
Transaction monitoring: Behavioural analysis of account and transaction patterns to detect fraud, money laundering, or suspicious activity.
Account profiling: We may assign internal trust scores based on transaction history, dispute rates, verification status, and community feedback. These scores influence account features (e.g. withdrawal limits) but do not produce solely automated decisions with significant legal effects without human review.
Dispute evidence: We retain records of buyer/seller disputes, reports, and moderation decisions to ensure consistent enforcement and enable appeals.

This processing is carried out under legitimate interests (protecting our platform and users) and legal obligation (AML Regulations, Online Safety Act 2023). You have the right to object to profiling based on legitimate interests — see section 14.

Transparency note: We will not covertly restrict or shadow-ban accounts without notifying the affected user, except where doing so would compromise an active fraud investigation or is required by law.

6. Push Notifications

We send two categories of push notifications to your device:

Type	Examples	Legal Basis	Can be disabled?
Transactional	Order confirmed, item dispatched, message received, payment released	Contract performance	Limited — may affect core functionality
Marketing & Promotional	New listings in saved searches, price drops, platform news	Consent	Yes — via App notification settings at any time

You can manage notification preferences at any time through your device settings or the Dukanoh in-app notification centre. Withdrawing consent for marketing notifications will not affect transactional alerts.

7. Identity Verification (KYC)

Dukanoh may require identity verification in the following circumstances:

When a seller’s cumulative transaction volume exceeds thresholds set under the Money Laundering Regulations 2017 or HMRC reporting requirements.
When we have reasonable grounds to suspect fraud or account misuse.
When withdrawing funds above a set threshold to a bank account.

Where verification is required, we use a third-party identity verification provider to compare a photo of your identity document with a selfie. Biometric comparison data is processed by our verification provider and is not stored by Dukanoh beyond the result (pass/fail) and a reference number. This processing is carried out under legal obligation (Art. 6(1)(c)) and, where biometric data is involved, explicit consent (Art. 9(2)(a)).

We will always notify you before initiating a verification check and provide an explanation of why it is required.

8. Platform Tax Reporting (UK PIRRR 2023 / DAC7)

Dukanoh is a Reporting Platform Operator under the UK Platform Information Reporting Regulations 2023 (UK PIRRR 2023), which implement the OECD DAC7 framework into UK law. Under these regulations we are required to collect, verify, and annually report certain information about sellers who use the platform to generate income.

8.1 Who is affected

These obligations apply to sellers who, in any calendar year, either:

complete 29 or more sales, or
receive €2,000 or more in gross proceeds from sales (approximately £1,690 at current rates — the authoritative threshold is the euro figure as set by UK PIRRR 2023).

If you approach or exceed either threshold, Dukanoh will ask you to provide your tax identification details before your listings remain visible on the platform.

8.2 Data we collect for PIRRR reporting

Data Element	Purpose
Legal full name	Identity of reportable seller for HMRC submission
Date of birth	Seller identification as required by UK PIRRR Reg. 14
Primary residential address	UK tax residence determination
Tax identification number (NI or UTR)	Linking seller to HMRC records; mandatory for report
Gross proceeds per reporting period	Reportable consideration as defined in UK PIRRR Schedule 2
Number of relevant activities (sales)	Reported alongside proceeds to HMRC

This processing is carried out under legal obligation (Art. 6(1)(c) UK GDPR) — compliance with the UK Platform Information Reporting Regulations 2023 is not optional for Dukanoh.

8.3 How we use and share this data

Tax reporting data is used solely to compile the annual PIRRR report submitted to HMRC by 31 January each year for the preceding calendar year.
We share the required data elements directly with HMRC as the UK competent authority for DAC7 purposes.
HMRC may further share this data with other tax authorities under international exchange-of-information agreements where the seller is tax-resident outside the UK.
We do not use your tax identification data for any commercial purpose.

8.4 Seller notification

We will notify you by in-app notice when your transaction count or gross proceeds approach the reporting threshold. Once the threshold is met, you will receive a separate notice confirming that your details have been (or will be) included in the annual HMRC report. You may request a copy of the data reported about you by contacting legal@dukanoh.com.

8.5 Listing suspension

Where a seller has reached the reporting threshold but has not provided their tax identification details, Dukanoh is required under UK PIRRR 2023 to suspend that seller’s listings until the details are provided. This is a legal requirement and not a discretionary enforcement measure. Listings will be reinstated promptly upon receipt of the required information.

9. Marketplace Transactions & Payment Escrow

When a buyer completes a purchase on Dukanoh, the following data processing occurs in connection with our escrow payment model:

Payment is collected from the buyer and held securely by our payment processor on behalf of Dukanoh until the transaction is confirmed.
Seller bank account details (provided during seller onboarding) are stored in encrypted form by our payment processor to facilitate payouts.
Transaction metadata (amount, timestamp, item reference, buyer and seller identifiers) is retained for 7 years to satisfy HMRC obligations.
If a dispute is raised, payment may be held beyond the standard release window for the duration of the dispute. A legal hold may extend this further if proceedings are initiated.

Our payment processor acts as a separate data controller for payment fraud prevention purposes. Their privacy policy governs that processing.

10. In-App Messaging

Dukanoh provides an in-app messaging feature allowing buyers and sellers to communicate about listings. In connection with this:

Message content is stored on our servers for as long as both parties’ accounts remain active, then deleted within 90 days of account closure.
Messages may be reviewed by our Trust & Safety team where a report of abuse, prohibited content, or fraud has been made.
We do not read messages for commercial purposes or use them to serve advertising. Automated scanning may occur solely to detect illegal content as required under the Online Safety Act 2023.
End-to-end encryption is not currently applied to in-app messages. Do not share sensitive personal or financial information via messages.

11. Cookies and Tracking Technologies

The App uses cookies, device identifiers, and similar technologies:

Type	Purpose	Consent Required?
Strictly Necessary	Session management, authentication, security, cart state	No
Functional	Saved preferences, language, recently viewed listings	No
Analytics (e.g. Firebase)	Usage patterns, crash reporting, feature performance	Yes
Marketing	Personalised ads and retargeting on third-party platforms	Yes

A detailed breakdown of all cookies and SDKs used is available in our separate Cookie Policy at www.dukanoh.com/cookie-policy. You can manage preferences via the in-app privacy settings.

We do not sell your personal data. We share it only in the following circumstances:

Payment Processor (e.g. Stripe): To collect payments, manage escrow, and process seller payouts. PCI-DSS compliant. Independent data controller for fraud prevention.
Identity Verification Provider: To perform KYC checks where required. Biometric data is processed and discarded by them, not stored by Dukanoh.
Cloud Infrastructure (e.g. AWS): To host the App, store data, and deliver the service.
Analytics Providers (e.g. Firebase): To understand App usage, subject to your consent.
Delivery / Logistics Partners: Name, address, and order reference shared with couriers solely for the purpose of fulfilling deliveries.
Buyer and Seller (each other): To complete a transaction, we share necessary fulfilment information (e.g. delivery address with seller, seller display name and rating with buyer). Full contact details are not shared outside of what is needed to fulfil the order.
HMRC (UK Platform Tax Reporting): Seller name, date of birth, address, tax identification number, and annual gross proceeds, as required by the UK Platform Information Reporting Regulations 2023 (UK PIRRR / DAC7). This disclosure is mandatory where the reporting threshold is met. See section 8 for full details.
Legal & Regulatory Authorities: Where required by law, court order, or to protect our legal rights or the safety of users.
Dispute Resolution: Where a dispute is escalated, relevant transaction and communication records may be shared with the other party or a mediator to the extent necessary for resolution.
Business Transfers: In the event of a merger or acquisition, under equivalent data protection obligations.

13. International Data Transfers

Some service providers operate outside the UK. Where transfers occur to non-adequate countries, we rely on UK IDTAs or UK Addenda to EU SCCs. Contact legal@dukanoh.com to request a copy of applicable safeguards.

14. Data Retention

We retain data only as long as necessary:

Category	Retention Period	Basis
Account data	Active period + 2 years post-closure	Contract / Legitimate interests
Transaction records	7 years from transaction date	Legal obligation (HMRC)
Escrow / payment data	7 years from transaction date	Legal obligation
In-app messages	Active period + 90 days post-closure	Contract
Dispute records	6 years from resolution	Legitimate interests (limitation period)
Trust & safety logs	3 years from last relevant event	Legitimate interests / Legal obligation
KYC verification result	5 years from verification date	Legal obligation (AML Regs)
Tax / TIN data (NI/UTR, DOB, address collected for PIRRR)	5 years from end of reporting year	Legal obligation (UK PIRRR 2023, Reg. 23)
Analytics data	Up to 26 months	Legitimate interests
Marketing consent records	Until withdrawn + 1 year	ICO guidance
User-generated content	Until deleted by user or account closure	Contract
Pro subscription records	Duration of subscription + 2 years post-cancellation	Contract / Legitimate interests
In-app purchase records	7 years from purchase date	Legal obligation (HMRC)
Boost & Story analytics	26 months rolling	Legitimate interests

Where data cannot be deleted due to a live legal hold or ongoing dispute, we will inform you of the hold and its expected duration. Where possible, we will anonymise data rather than delete it where anonymisation satisfies the underlying retention purpose — anonymised data is no longer personal data under UK GDPR.

15. Your Rights Under UK GDPR

You have the following rights. Contact us at legal@dukanoh.com to exercise them. We respond within one calendar month:

Right	What it means	Limitations
Access (Art. 15)	Request a copy of all data we hold about you	Must verify identity; cannot include third-party data
Rectification (Art. 16)	Correct inaccurate or incomplete data	Cannot alter records required for legal compliance
Erasure (Art. 17)	Request deletion where no compelling reason to retain	Does not apply during legal holds or where legal obligation requires retention
Restriction (Art. 18)	Limit how we process your data	Processing may continue for legal claims or public interest
Portability (Art. 20)	Receive your data in machine-readable format	Applies only to data processed by consent or contract
Object (Art. 21)	Object to processing based on legitimate interests	We may continue if compelling legitimate grounds exist
Object to profiling	Object to trust & safety or recommendation profiling	We may continue if necessary to protect platform integrity
Withdraw consent	Withdraw consent at any time without affecting prior processing	Affects only consent-based processing

16. Right to Complain

You have the right to complain to the Information Commissioner’s Office (ICO):

Website	www.ico.org.uk
Helpline	0303 123 1113
Address	Wycliffe House, Water Lane, Wilmslow, SK9 5AF

We ask that you contact us first at legal@dukanoh.com to try to resolve any concern before escalating to the ICO.

17. Online Safety Act 2023 & Content Moderation

As an online marketplace that hosts user-generated content, TAFSI LTD is subject to duties under the Online Safety Act 2023 (OSA). In fulfilling these duties we:

Maintain and publish a Prohibited Items Policy setting out content and listings that are not permitted on the platform.
Operate systems to identify, remove, and report illegal content — including listings for prohibited goods — in a timely manner.
Process user reports of illegal or harmful content and action them promptly.
Conduct regular illegal content risk assessments and maintain a record of our safety measures.
Provide accessible mechanisms for users to report content and to appeal moderation decisions.

Processing of content for moderation purposes is carried out under legal obligation (Art. 6(1)(c)). Automated screening may be used as a first step, but removal decisions on disputed content involve human review.

18. Data Security

Encryption of all data in transit (TLS 1.2+) and at rest.
Tokenisation of payment card data by our PCI-DSS compliant processor.
Role-based access controls — staff access data on a strict need-to-know basis.
Regular penetration testing and vulnerability assessments.
ICO breach notification within 72 hours where required under UK GDPR Article 33.
Internal incident response plan and post-incident review procedures.

Notifying you of a breach: Where a personal data breach is likely to result in a high risk to your rights and freedoms (for example, exposure of payment data, identity documents, or account credentials), we will notify you directly without undue delay in accordance with UK GDPR Article 34. Notification will be sent to the email address associated with your account and will describe the nature of the breach, the data affected, the likely consequences, and the steps we are taking to address it.

You are responsible for keeping your login credentials secure. Report any suspected unauthorised access to support@dukanoh.com immediately.

19. Children’s Privacy

Dukanoh is for users aged 18 and over only. We do not knowingly collect data from under-18s. If you believe a minor has registered, contact legal@dukanoh.com and we will delete the account without undue delay.

20. Automated Decision-Making

We use automated processes for listing screening, fraud scoring, and recommendation ranking. Where an automated decision produces a significant legal or similarly significant effect on you (such as account suspension), a human review is always available. Contact legal@dukanoh.com to request a human review of any automated decision.

21. Changes to This Policy

We will notify you of material changes via the App or email at least 14 days before they take effect. The Effective Date above indicates the current version.

22. Contact Us

For all privacy and data protection enquiries:

Data Protection	legal@dukanoh.com
Support	support@dukanoh.com
Post	TAFSI LTD, 29 Chapel Street, Hyde, SK14 1JB