Privacy notice

1. Who we are

For UK data protection law, we are the data controller for personal data processed through the Service.

• Legal entity: Furryflitchers Limited
• Registered office: 13 Bright Road, Dunmow, Essex, CM6 3GU
• Company number (if applicable): 09963675
• Contact (including privacy questions): privacy@reefx.net
• Data Protection Officer: Ty Fairclough (contact us at the email above, marking your message for the DPO where helpful).

When and where this notice applies to your use of REEFxCHANGE.

2. Scope

This notice covers personal data we process when you visit the Service, create or use an account, complete onboarding, join or take part in exchanges (events or groups), list corals, arrange trades, or contact us. It does not cover third-party websites or apps that we link to; those services have their own notices.

The types of personal information we may collect when you use the service.

3. Data we collect

Depending on how you use the Service, we may process:

• Account and profile: email address, optional display name or alias, optional profile image or emoji, contact preferences, onboarding choices, and related account metadata.
• Address and location context: postal address fields you provide (for example line, town, region, postcode, country). We may derive approximate town-centre coordinates from town and country to support coarse distance or discovery features; we do not use this as a precise map of your home.
• Security and sign-in: session identifiers (stored in hashed form where applicable), magic-link request details, and limited technical data such as request timestamps or IP address associated with authentication events.
• Your content: text, images, and descriptions you add to listings or profile inventory (for example coral names and notes).
• External sale fields: when you choose a for-sale listing intent, sale price, currency, and external listing URL.
• Exchanges, invites, and trades: membership of exchanges, roles (such as member or event manager), invite records (including invitee email), and information needed to operate trades between members on an exchange.
• Legal and compliance records: timestamps and version references when you accept our Terms or this notice.
• Platform administration: where permitted by law, audit-style records of certain administrative actions taken by our team to operate or secure the platform.
• Analytics and similar technologies: usage and diagnostic information collected through PostHog, Google Analytics, and similar tools where used, which may include device and browser data, approximate location, and on-site behaviour (subject to your cookie choices where applicable).

Why we use your data and the main things we do with it.

4. How we use your data

We use personal data to:

• provide, operate, and improve the Service (accounts, discovery, listings, exchanges, trades);
• authenticate you, protect accounts, detect abuse, and maintain security;
• send service emails (for example sign-in links and operational messages) via our email provider;
• validate or complete address information using our postcode lookup provider;
• optionally assist with listing content using artificial intelligence features powered by our LLM provider (where enabled in the product);
• measure use of the Service and improve performance and design (analytics);
• show external-sale disclaimers and route users safely to third-party sale URLs;
• comply with law, respond to lawful requests, and enforce our Terms;
• keep records of consent and legal acceptance where required.

The legal grounds that let us process your data under UK privacy law.

5. Legal bases (UK GDPR)

Where UK GDPR applies, we rely on one or more of the following:

• Contract — to provide the Service you asked for.
• Legitimate interests — for example securing the Service, understanding aggregate usage, product improvement, and limited administrative access as described below, where not overridden by your rights.
• Legal obligation — where we must process data to comply with law.
• Consent — where we ask for it (for example non-essential cookies or specific optional features), you may withdraw consent at any time without affecting earlier processing that was lawful.

Who we share data with to run REEFxCHANGE, and that we never sell it.

6. Sharing, subprocessors, and sales

We do not sell your personal data. We do not share your personal data with third parties for their own independent marketing in exchange for money.

We share data with service providers who process it on our instructions ("processors" / subprocessors) to run the Service. They must protect the data and use it only for the services they provide to us. Current categories include:

• Hostinger — hosting and infrastructure.
• Mailtrap — email delivery and related messaging infrastructure.
• Ideal Postcodes — address lookup and validation.
• OpenAI — large language model features used for optional product functionality (for example assisting with coral descriptions), where implemented.
• Google — analytics and related measurement tools (for example Google Analytics).
• PostHog — product analytics on the web app (EU region where configured), including page views and related usage events when you opt in to analytics cookies.

We may also disclose data if required by law, to protect rights and safety, or as part of a business transfer (for example merger or asset sale) subject to appropriate safeguards.

What organisers and our staff may see compared with everyday members.

7. Exchange operators and platform administrators

Exchange operators. People who create or manage an exchange (for example event managers) may see limited information about members and activity needed to run that exchange — such as membership, roles, listings visible within the exchange, and trade-related information tied to that exchange. They should use that information only for legitimate exchange-related purposes.

Platform administrators. Our authorised staff may access personal data to operate, secure, and support the Service (for example troubleshooting, fraud prevention, and audit trails). Access is limited to what is reasonably needed for those purposes.

What happens if your data is stored or processed outside the United Kingdom.

8. International transfers

We are based in the United Kingdom. Some subprocessors may process data in other countries. Where personal data is transferred outside the UK or EEA, we use appropriate safeguards required by applicable law (for example adequacy regulations or standard contractual clauses), and we assess risks where required.

How long we keep your information and when we remove or anonymise it.

9. Retention

We keep personal data only as long as needed for the purposes in this notice, including providing the Service, meeting legal, tax, or accounting requirements, resolving disputes, and securing our systems. Retention periods vary by data type; for example account data is generally kept while your account exists, and some records may be kept longer where the law requires backups or audit trails. We delete or anonymise data when it is no longer needed, unless a longer period is justified.

How we protect your data and simple steps you can take to stay safer.

10. Security

We use appropriate technical and organisational measures designed to protect personal data against unauthorised access, loss, or alteration. No online service can guarantee perfect security; please use a strong password where applicable and protect access to your email account used for sign-in.

Your choices under UK law: access, fixes, deletion, and how to complain.

11. Your rights

Under UK data protection law you may have rights including to:

• access a copy of your personal data;
• ask us to correct inaccurate data;
• ask us to erase data in certain circumstances;
• restrict or object to certain processing;
• data portability for information you provided, where applicable;
• withdraw consent where processing is based on consent;
• lodge a complaint with the ICO (Information Commissioner's Office) in the UK.

To exercise your rights, contact us at privacy@reefx.net. We may need to verify your identity before responding.

REEFxCHANGE is for adults aged 18 and over; we do not target children here.

12. Children

The Service is not intended for anyone under 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact us and we will take appropriate steps.

Cookies and similar tools for running the site and measuring usage overall.

13. Cookies and similar technologies

We use cookies and similar technologies that are necessary for the Service to function, and — only if you accept analytics cookies in the in-app banner — PostHog cookies and local storage for product analytics. Other analytics tools (such as Google Analytics) may use cookies or identifiers where implemented. Where required, we ask for your consent before using non-essential cookies.

13.1 Strictly necessary (no consent required)

These are required to operate the Service (for example authentication session cookies). They are not used for optional analytics or marketing.

13.2 Analytics (consent required)

PostHog is only loaded with analytics persistence after you click "Accept analytics" on the cookie banner. Cookie and storage names depend on your browser and our PostHog project key; they commonly include the prefixes below.

Where enabled, analytics events may include external-sale interaction metadata (for example disclaimer accepted, outbound click, listing and exchange identifiers) to help us monitor misuse and improve safety messaging.

13.3 Changing your preferences

When you first visit REEFxCHANGE, you can accept or decline analytics cookies using the banner at the bottom of the screen. To withdraw consent or choose again, clear site data for REEFxCHANGE in your browser settings, or use the button below (this clears PostHog's opt-in/opt-out state for this browser and reloads the page so the banner can appear again).

How we will tell you if we update this notice or ask you to read it again.

14. Changes to this notice

We may update this notice from time to time. We will post the updated version on this page and change the effective date above. If changes are material, we will take additional steps where required (for example asking you to accept an updated notice during onboarding or in-product prompts).