Privacy Policy (Merchants)
Last updated: March 2026
This Privacy Policy is addressed to merchants who install and use the Tern Trade-in App ("the App"). It describes how Tern Circular Ltd collects, uses, and shares personal information about merchants in the operation of the App, and explains Tern's role as a data processor in relation to your customers' personal data.
If you are a customer using a trade-in service on a retailer's website, please refer to the Storefront Privacy Notice and the retailer's own privacy policy instead.
The App comprises two interfaces:
The Admin: A cloud-hosted merchant dashboard, operated by Tern Circular Ltd, used by merchants to manage trade-in programmes and view trade-in data.
The Storefront: A JavaScript module that can be embedded in any website — including a Shopify Online Store — to provide your customers with a trade-in interface.
Personal Information the App Collects
For All Merchants
Personal information is collected in two distinct contexts:
Your data (as merchant — Tern Circular Ltd is the data controller):
Your name, email address, and business details, collected when you register for and access the Admin.
Technical information from your use of the Admin, including IP addresses and browser details, retained in server logs for security and troubleshooting purposes.
Your customers' data (Tern Circular Ltd is data processor on your behalf):
Via the Storefront, we process personal information about your customers in order to operate the trade-in service. This includes names, email addresses, phone numbers, postal addresses, order details, product information, and condition assessments submitted during a trade-in. This processing is carried out under your instructions as data controller and is governed by our Data Processing Agreement.
We collect personal information directly from the relevant individual, through your Shopify account (where applicable), or using the following technologies:
"Cookies and local storage" — For customer sessions, we store details about your current trade-in session in your browser's local storage rather than in cookies. This data is used only to maintain session state during a trade-in and is not used for advertising or tracking purposes. Other session-related cookies may be set by third-party services embedded within the merchant's storefront. For more information about cookies, and how to disable them, visit http://www.allaboutcookies.org.
"Log files" — We collect server log data including IP addresses, browser type, Internet service provider, referring/exit pages, and date/time stamps, for security and troubleshooting purposes.
"Analytics events" — We send limited service usage events (such as the fact that a trade-in has been completed) to Google Analytics from our backend infrastructure. These are server-side events sent from our systems (they do not place Google Analytics cookies as part of the Tern Storefront widget). We do not send direct customer identifiers (such as names, email addresses, or postal addresses) in these events; however, events may include pseudonymous identifiers and internal transaction references (such as trade-in or order identifiers) for measurement and debugging.
Additionally, where a merchant has independently installed Google Analytics on their storefront — whether on Shopify or any other platform — GA may also fire in the context of that merchant's existing configuration when a customer interacts with the Storefront (including the setting of cookies by the merchant's own analytics implementation). This is governed by the merchant's own privacy policy and their relationship with Google, not by Tern Circular Ltd.
For Shopify Merchants (only)
Tern Circular Ltd is a registered Shopify Partner and the App is distributed via the Shopify App Store. When you install the App, you will be presented with Shopify's standard OAuth authorisation flow, which clearly lists the categories of store data the App is requesting access to. By installing the App and completing the OAuth authorisation flow, you authorise that access so we can provide and operate the App for you in accordance with this Privacy Policy, our agreement with you, and (where applicable) our Data Processing Agreement. This process is also governed by Shopify's Partner API Terms.
The categories of Shopify store data the App may access include: merchant account details; product and inventory data; order history and fulfilment information; customer records; online store configuration; and discounts. The specific API permissions requested are displayed in full during the installation flow.
How we use Shopify data — two distinct stages:
At installation
When you install the App, we retrieve your store's order and transaction history in order to support trade-in valuation under your configured rules and to match returning customers to their previous purchases. At this stage, we do not retrieve or store personally identifiable customer information (such as names, email addresses, or addresses). Only non-identifying transactional data is imported.
When a customer uses the Storefront
When one of your customers visits the trade-in Storefront and initiates a trade-in, we access the relevant customer record and order details from Shopify in order to facilitate that transaction. Personally identifiable information (such as name, email address, phone number, and postal address) is only retrieved and stored if the customer actively begins a trade-in. It is not collected on a bulk or speculative basis.
How Do We Use Your Personal Information?
The following table describes how we use the personal information we hold about you as a merchant. Processing of your customers' personal data is addressed separately in our Data Processing Agreement.
To operate the App and maintain your merchant account (onboarding, account management, transactional emails to you)
Performance of contract with the merchant
To communicate with you about your account, support requests, or operational matters
Performance of contract; legitimate interests
To improve and develop the App (using aggregated service analytics, bug fixing, product development)
Legitimate interests
To comply with legal obligations
Legal obligation
Where we rely on legitimate interests, we have assessed that those interests are not overridden by your rights and freedoms. You have the right to object to processing based on legitimate interests — see your rights below.
To the extent that Tern Circular Ltd processes personal information of your customers as a "data processor" or "service provider" under applicable data protection laws, including the EU or UK General Data Protection Regulation and applicable US state privacy laws (including the California Consumer Privacy Act), this is subject to our Data Processing Agreement. In that context, the merchant is the data controller and is responsible for:
ensuring a valid lawful basis exists for processing their customers' personal data;
providing customers with an appropriate privacy notice at the point of data collection (typically via the merchant's own privacy policy and disclosures on their website); and
responding to any data subject requests made by their customers.
Where we process end-customer personal data on your behalf, we do so as a data processor or service provider under the Data Processing Agreement. The merchant remains responsible for providing customer-facing privacy information and for responding to end-customer rights requests as data controller. Tern Circular Ltd will assist the merchant as required by the Data Processing Agreement and applicable law.
Sharing Your Personal Information
We share personal information with a number of third-party subprocessors in order to provide the Service and operate the App. This includes both your merchant account data and, where applicable in our role as your data processor, your customers' personal data processed under the Data Processing Agreement. A full list of our subprocessors is available on our Third Party Subprocessors page. These include:
Amazon Web Services (AWS)
Who host our app and provide the resources for storing data collected through the App.
Google LLC
Who provide additional cloud hosting infrastructure.
Amazon SES
Who provide email transmission services for transactional emails sent by the App.
Cloudflare
Who provide load balancing and DDoS protection services.
Popout, Inc. DBA Shippo and Auctane, Inc. DBA ShipEngine
Who provide trade-in fulfilment and logistics services.
Stripe Payments UK, Ltd.
Who provide payment processing services.
Finally, we may also share your personal information to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to otherwise protect our rights.
Your Rights as a Merchant
This section describes your rights in relation to the personal information that Tern Circular Ltd holds about you as a merchant (for example, your name, email address, and account details). It does not cover the rights of your customers in relation to the trade-in data you control — those rights are exercised through your own privacy policy and are your responsibility as data controller, as set out in the Data Processing Agreement.
UK and European Economic Area Residents
If you are a resident of the United Kingdom or European Economic Area, you have the following rights under the UK GDPR, EU GDPR, or equivalent applicable law:
Right of access — You may request a copy of the personal information we hold about you.
Right to rectification — You may ask us to correct inaccurate or incomplete personal information.
Right to erasure — You may ask us to delete your personal information in certain circumstances.
Right to restrict processing — You may ask us to pause processing of your personal information in certain circumstances, for example while accuracy is disputed.
Right to data portability — Where processing is based on your consent or a contract, you may request your data in a structured, machine-readable format.
Right to object — Where we rely on legitimate interests as our lawful basis, you have the right to object to that processing. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Right to withdraw consent — Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
Right to complain — You have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk. If you are an EU resident, you may contact your local data protection authority.
To exercise any of these rights, please contact us using the details in the Contact Us section below. We will respond within one month of receiving a valid request.
International transfers: Where your personal information is transferred outside of the UK or EEA — including to the United States — we ensure appropriate safeguards are in place in accordance with UK GDPR, including the use of International Data Transfer Agreements (IDTAs) or the UK Addendum to the EU Standard Contractual Clauses, as approved by the ICO. Further details are set out in our Data Processing Agreement.
US State Residents (Including California)
This section applies to you if you are an individual or sole-trader merchant residing in California or another US state with applicable consumer privacy legislation. Corporate entities generally fall outside the scope of CCPA/CPRA as data subjects; however, if you are an individual merchant, you may have the following rights under the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), or equivalent state law:
Right to know — You may request details of the personal information we have collected about you, the sources from which it was collected, the purposes for which it is used, and the third parties with whom it is shared.
Right to deletion — You may request that we delete personal information we have collected from you, subject to certain exceptions.
Right to correct — You may request that we correct inaccurate personal information.
Right to opt out of sale or sharing — We do not sell personal information, nor do we share it for cross-context behavioural advertising purposes.
Right to non-discrimination — We will not discriminate against you for exercising any of these rights. You will not receive a different level of service or be charged different prices as a result of making a rights request.
To submit a request, please contact us by email at [email protected] or via our contact form at tern.eco/contact. We will acknowledge your request within 10 business days and respond in full within 45 days. If we require additional time, we will notify you of the extension and the reason for it.
Age Restrictions
The App and its Services are directed solely at businesses (merchants) and are not intended for use by individuals under the age of 16 (children). We do not knowingly collect personal information from children. If you believe that a child has provided personal information through the App without appropriate consent, please contact us at [email protected] and we will take steps to delete that information promptly. Merchants are responsible for ensuring their use of the Storefront complies with applicable laws relating to children's data in their own jurisdiction.
Automated Decision-Making
Tern Circular Ltd does not set trade-in pricing, make valuation decisions, or determine the criteria used to generate trade-in offers. Any offer presented to an end customer is defined and directed by the merchant, and the App only applies the merchant's configured rules and eligibility criteria.
Data Retention
We retain different categories of data for different periods, in accordance with the principle of storage limitation:
Server and access logs
14 days, after which they are automatically deleted
Database backups
Retained on a rolling basis (daily backups for 7 days, weekly backups for 1 month, and monthly backups for 3 months), after which they are automatically purged
Customer personal data held in the database (names, email addresses, addresses)
Retained while the merchant's account is active and the relevant trade-in is being processed. If we receive a valid erasure request, we will remove direct identifiers from the trade-in record unless retention is required by law or needed to establish, exercise, or defend legal claims.
Trade-in submission records
Retained for up to 7 years from the date of submission to support merchant reporting, dispute resolution, and regulatory compliance. If the merchant's account is closed or the App is uninstalled, we remove direct identifiers and retain the remaining trade-in record in a de-identified form. After 7 years, records are deleted or anonymised.
Merchant account data (name, email address)
Retained for the duration of the merchant's active account and deleted upon account closure, subject to any legal obligation to retain business records
You may request deletion of your personal information at any time by contacting us using the details in the Contact Us section. Where we are required or permitted to retain a record (for example, for dispute resolution or legal compliance), we will remove direct identifiers where appropriate and retain only a de-identified record. We will respond to valid requests within one month.
Changes
We may update this privacy policy from time to time to reflect changes to our practices or for operational, legal, or regulatory reasons. Where changes are material, we will notify merchants by email to the address associated with their account prior to the changes taking effect. The "Last Updated" date at the top of this page will always reflect when the policy was most recently revised. We encourage you to review this policy periodically.
Contact Us
For more information about our privacy practices, if you have questions, or if you would like to make a complaint or exercise your data rights, please contact us by email at [email protected] or by mail using the details provided below:
Tern Circular Ltd 159 High Street, Barnet, United Kingdom, EN5 5SU
Last updated