Privacy Policy
1. Overview
Reuni is committed to protecting the privacy and security of our users' personal data. This Privacy Policy explains how we collect, use, store, and process your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data Controller
For the purposes of the UK GDPR, the Data Controller is the Reuni Application Team. If you have any questions, concerns, or requests regarding your personal data, you can contact us at:
Email: [email protected]
3. Personal Data We Collect & Lawful Basis
We collect and process the following personal data to operate the circular marketplace:
- Account Identifiers: Name and university email address. (Lawful basis: Performance of a Contract).
- Verification Details: University domain mapping (to restrict membership to authorized students and staff). (Lawful basis: Legitimate Interests).
- In-App Messages: Communication logs, timestamps, and read receipts exchanged between buyers and sellers to coordinate meetups. (Lawful basis: Performance of a Contract & Legitimate Interests).
- Marketplace Activity: Items listed, claimed, purchased, sold, and cancellation metrics. (Lawful basis: Performance of a Contract & Legitimate Interests).
4. How We Use Cookies
We strictly limit our use of cookies to protect your privacy. We do not use any tracking, advertising, or analytical cookies.
Our application uses only strictly functional, essential session cookies (stored with the HttpOnly, SameSite=Lax, and Secure flags in production) to handle user authentication, prevent Cross-Site Request Forgery (CSRF) attacks, and temporarily cache active exchange transaction PINs. Because these cookies are strictly necessary to provide the service requested, they do not require a cookie consent banner.
5. Data Retention & Erasure (30-Day Queue)
To maintain marketplace safety and prevent reputation-washing or system abuse, when you request account deletion:
- Your active listings are removed, and pending exchange claims are cancelled immediately.
- Your account enters a 30-day deactivation cool-down period during which you cannot log in or register a new account using the same email address.
- After 30 days, your personal identifiers (name, email, password, institutional domain) are permanently wiped and anonymised.
- In-app message logs for completed or cancelled transactions are permanently purged from the database after 30 days. When an account is deleted, sent message content is immediately scrubbed and anonymised, retaining only metadata.
- Completed transaction records (items sold, carbon/landfill metrics saved) are preserved in a fully anonymised format to protect the integrity of university ESG circular economy reporting.
6. Your Rights & Subject Access Requests (SAR)
Under the UK GDPR, you have the right to access, rectify, or erase your personal data, or to restrict or object to its processing.
Right of Access (Article 15): You have the right to obtain a copy of the personal data we process about you. To submit a formal Subject Access Request (SAR), please contact our support team at [email protected] from your registered university email. We will process and export your data free of charge within 30 days of verifying your identity.
If you are not satisfied with how we process your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).