ReGraded Demo

Privacy Policy

Your data, in plain English. This policy explains what information we collect when you use our buyback service, how we use it, who we share it with, and the rights you have under UK GDPR.

Who we are

ReGraded operates a phone trade-in and buyback service. When we refer to "we", "us" or "our" in this policy, we mean ReGraded. When we refer to "you" or "your", we mean a customer using our website or trade-in service.

We are the data controller for the personal information described in this policy. If you have any questions about how we handle your data, get in touch via the contact details on our Contact page.

What information we collect

When you get a quote, we collect the device details you enter (make, model, storage, condition) along with the IP address and browser used to access the site. This information is not personally identifiable on its own.

When you book a trade-in or create an account, we additionally collect your name, email address, phone number, postal address, and chosen payment details (bank sort code and account number, or PayPal email).

When you send us a device, we record its IMEI or serial number, photographs taken during our testing process, and the final grading outcome. We also receive parcel-tracking events from our carrier (Royal Mail) for the duration of transit.

If you contact our support team, we keep a copy of that correspondence and any attachments you send.

How we use your information

We use your information to provide the trade-in service you've requested: locating your device in our catalogue, generating a postage label addressed to you, processing the device when it arrives, paying you for it, and sending the email updates that go with each of those steps.

We use anonymous usage data to understand which devices customers are searching for, which pages they visit, and how the site is performing — that lets us improve the product and the prices we offer.

We do not use your data to build advertising profiles, sell it to third parties, or share it with anyone for purposes unrelated to the trade-in you've requested.

Lawful basis under UK GDPR

Most of what we do with your data is necessary to perform the contract you entered into when you booked a trade-in — sending you a postage label, processing your device, and paying you all qualify under Article 6(1)(b) of UK GDPR.

A small amount of processing — such as fraud-prevention checks on IMEI numbers and retention of records after a transaction completes — relies on our legitimate interest in operating a safe and auditable service. You can object to this processing; see "Your rights" below.

Who we share it with

Royal Mail — your name and address are passed to Royal Mail so they can generate the tracked postage label. We do not share device details with them.

Our payment processor — for return-fee charges, your name and email are sent to Stripe to mint a checkout session. We do not store your card details ourselves; Stripe handles them under their own privacy policy.

IMEI verification services — for fraud prevention, we check device IMEI numbers against industry blocklists (CheckMEND). Only the IMEI is shared, never your personal details.

We do not use any other data processors or share your information outside the UK / EEA.

How long we keep your information

Trade-in records are retained for seven years from the date of payment. This is in line with HMRC record-keeping requirements for our accounts and provides a basis for resolving disputes about historical transactions.

Account data (name, email, address, payment details) is retained while your account is active. If you delete your account, we keep a minimal record (just enough to identify completed trade-ins) and delete the contactable fields.

Device photographs taken during testing are retained for 90 days, then automatically purged.

Marketing-related cookies and analytics data have shorter retention periods documented in our Cookie Policy.

How we keep your information secure

All data is stored on UK-based servers with TLS encryption in transit and AES-256 encryption at rest for sensitive fields (payment details, IMEI numbers).

Access to your data within our team is role-based — most operators see only the information needed to do their specific job (e.g. our grading team can see device photos but not your payment details).

We log every access to sensitive data and audit it routinely. If we ever detect a breach affecting your data, we will notify you and the Information Commissioner's Office within 72 hours as required by UK GDPR.

Your rights

Under UK GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct anything inaccurate.
  • Erasure — ask us to delete your data (subject to the seven-year retention requirement for completed trade-ins).
  • Restriction — ask us to stop processing your data while we investigate a complaint.
  • Objection — object to processing based on legitimate interest (e.g. fraud checks).
  • Portability — receive your data in a structured, machine-readable format.

To exercise any of these rights, contact us via the email address on the Contact page. We will respond within one calendar month.

If you're unhappy with how we handle your data, you can complain to the Information Commissioner's Office at ico.org.uk.

Changes to this policy

We may update this policy occasionally — for example to reflect changes in the services we offer, the third parties we work with, or applicable law. The date at the bottom of this page shows when it was last revised. Material changes will be notified by email to existing customers before they take effect.
