Privacy Policy

Last updated: 17/04/2026.

This Privacy Policy describes Our policies and procedures on the collection, use and disclosure of Your information when You use the Service and tells You about Your privacy rights and how the law protects You.

We use Your Personal Data to provide and improve the Service. By using the Service, You agree to the collection and use of information in accordance with this Privacy Policy.

Please read this Privacy Policy carefully before using Our Service.

1 - Interpretation and Definitions

1.1 - Interpretation

The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in the singular or in the plural.

1.2 - Definitions

For the purposes of this Privacy Policy:

  • Account means a unique account created for You to access our Service or parts of our Service.
  • Affiliate means an entity that controls, is controlled by, or is under common control with a party, where "control" means ownership of 50% or more of the shares, equity interest, or other securities entitled to vote for the election of directors or other managing authority.
  • Application means any software program provided by the Company that may be made available for download on any electronic device, under the name HiFiHub.
  • Buyer refers to a User of the Service who purchases or seeks to purchase Goods through the Service.
  • Company (referred to as either "the Company", "We", "Us" or "Our" in this Agreement) refers to HiFiHub S.à r.l.-S, 26a Rue Melicksheck, L-6214 Consdorf, Luxembourg, RCS number: B304990. For the purpose of the GDPR, the Company is the Data Controller.
  • Cookies are small files that are placed on Your computer, mobile device or any other device by a website, containing the details of Your browsing history on that website among its many uses.
  • Country refers to Luxembourg.
  • Data Controller, for the purposes of the GDPR (General Data Protection Regulation), refers to the Company as the legal person which alone or jointly with others determines the purposes and means of the processing of Personal Data.
  • Data Processor refers to any natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Data Controller.
  • Device means any device that can access the Service such as a computer, a cellphone, or a digital tablet.
  • Goods refers to the second-hand high-fidelity audio equipment listed for sale by Sellers on the Service.
  • GDPR refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).
  • Personal Data is any information that relates to an identified or identifiable individual. For the purposes of the GDPR, Personal Data means any information relating to You such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.
  • Seller refers to a User of the Service who lists Goods for sale through the Service.
  • Service refers to the Website, the Application, or both.
  • Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service, or to assist the Company in analyzing how the Service is used. For the purpose of the GDPR, Service Providers are considered Data Processors.
  • Transaction Data refers to Personal Data exchanged between Buyers and Sellers in the course of a transaction facilitated through the Service, including but not limited to shipping addresses, contact details, and order information.
  • Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself.
  • Website refers to the HiFiHub marketplace, accessible from https://hifihub.market/.
  • You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable. Under the GDPR, You can be referred to as the Data Subject or as the User.

2 - Contact Us

If you have any questions about this Privacy Policy, You can contact us:

  • By email: customerservice@hifihub.market
  • By visiting this page on our website: https://hifihub.market/p/contact-us

3 - Collecting and Using Your Personal Data

3.1 - Types of Data Collected

3.1.1 - Personal Data

While using Our Service, We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. Personally identifiable information may include, but is not limited to:

  • Email address
  • First name and last name
  • Phone number
  • Address, ZIP/Postal code, City, Country
  • Bank account information (for Sellers, collected and processed by Stripe Connect)
  • Payment card details (collected and processed directly by Stripe Connect; We do not store or access this information)
  • Identity verification documents (collected and processed directly by Stripe Connect on Our behalf; see Section 3.1.4)
  • Usage Data

3.1.2 - Usage Data

Usage Data is collected automatically when using the Service.

Usage Data may include information such as Your Device's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

When You access the Service by or through a mobile device, We may collect certain information automatically, including, but not limited to, the type of mobile device You use, Your mobile device unique ID, the IP address of Your mobile device, Your mobile operating system, the type of mobile Internet browser You use, unique device identifiers and other diagnostic data.

Where We use Plausible Analytics, IP addresses are processed in memory only to derive a non-identifying daily hash and are never stored. No cross-site tracking, fingerprinting, or persistent identifiers are used.

3.1.3 - Transaction Data

When a transaction is concluded between a Buyer and a Seller through the Service, certain Personal Data is exchanged between the parties to enable fulfilment of the transaction. This may include:

  • The Buyer's shipping address and contact details, which are transmitted to the Seller to enable dispatch of the Goods.
  • The Seller's display name, listing information, and contact details, which are made available to the Buyer in connection with the transaction.

This exchange is a necessary part of the performance of the contract between the Buyer and the Seller. Buyers and Sellers are each independently responsible as Data Controllers for handling any Personal Data they receive from the other party in compliance with applicable data protection law. Such data must not be used for any purpose other than fulfilling the transaction.

3.1.4 - Identity Verification

To comply with applicable financial regulations and to protect the integrity of the marketplace, Sellers may be required to complete an identity verification process before listing Goods or receiving payouts. This verification process is conducted entirely by Stripe Connect, Our third-party Payment Processor, acting as a Data Processor on Our behalf.

Stripe Connect may collect identity documents such as government-issued ID and may perform checks against applicable databases, in accordance with their own privacy policy and applicable law. We do not store or have direct access to the identity documents submitted. For more information on how Stripe processes this data, please refer to Stripe's Privacy Policy at https://stripe.com/privacy.

3.1.5 - Information Collected from Sellers under DAC7

As a Luxembourg-resident digital platform operator facilitating the sale of goods to Users in the European Union, We are subject to the reporting obligations of Council Directive (EU) 2021/514 ("DAC7"), as transposed into Luxembourg law by the Law of 16 May 2023. Under this framework, We are required to collect, verify, and report to the Luxembourg Tax Authority (Administration des Contributions Directes, "ACD") certain information about Sellers who use the Service to sell Goods.

The information We collect from Reportable Sellers, either directly or through Stripe Connect acting on Our behalf, includes:

  • For individuals: legal first and last name, primary residential address, country of tax residence, Tax Identification Number (TIN) and the Member State that issued it, date of birth, and where applicable, VAT identification number.
  • For entities: legal name, primary registered address, country of tax residence, TIN and the Member State that issued it, business registration number, and where applicable, VAT identification number and the existence of any permanent establishments in the Member States through which Relevant Activities are carried out.
  • For all Reportable Sellers: the financial account identifier (e.g. bank account or payment account) used to receive payouts, the name of the holder of that account if different, the total consideration paid or credited per quarter, the number of Relevant Activities carried out per quarter, and any fees, commissions, or taxes withheld by Us per quarter.

This information is collected at the moment You activate Your Seller account through the Stripe Connect onboarding process, which is required before You can list Goods or receive payouts. Creating a basic User account on the Service does not require You to provide this information; it is requested only when You decide to act as a Seller.

A Seller is a "Reportable Seller" unless they qualify as an "Excluded Seller" under DAC7. The principal exclusion relevant to Our Service applies to Sellers who, in a given calendar year, have completed fewer than 30 sales of Goods AND received total consideration of less than EUR 2,000 through the Service.

We report this information to the ACD by 31 January of each year for the preceding calendar year. The ACD then automatically exchanges the information with the tax authorities of the Member State in which each Reportable Seller is resident, in accordance with DAC7. We will provide each Reportable Seller with a copy of the information reported about them, in accordance with Article 25(4) of DAC7.

Where a Seller fails to provide the required DAC7 information after Our initial request and two subsequent reminders, and a period of sixty (60) days has elapsed since the last reminder without a response, We are required by the DAC7 Law to either (i) close the Seller's account and prevent re-registration until the information is provided, or (ii) withhold any payment of consideration owed to the Seller until the information is provided. We will still include the Seller in Our annual report to the ACD, noting that the required information could not be collected despite Our requests.

3.1.6 - Cookies and Similar Technologies

We take a minimal approach to cookies. We do not use advertising, marketing, social media, or cross-site tracking cookies. The only cookies set when You use the Service are strictly necessary for the Service to function or to process payments You have actively requested.

Under Article 5(3) of the EU ePrivacy Directive (2002/58/EC), strictly necessary cookies do not require Your prior consent. Because We use no other cookies, We do not display a cookie consent banner.

The cookies used on the Service are:

  • st-hosted-token — Set by Sharetribe, the platform that powers the Service. Purpose: session management and user authentication. Type: Session cookie. This cookie is essential to provide You with the Service. It does not store personal information.
  • Stripe checkout cookies — Set by Stripe during the payment process. Purpose: secure payment processing and fraud prevention. Type: a mix of session and persistent cookies, governed by Stripe's cookie policy. These cookies are set only when You actively initiate a payment, are strictly necessary for the service You requested, and fall under the ePrivacy "strictly necessary" exemption. For details, see Stripe's Cookie Policy at https://stripe.com/legal/cookies-policy.

We use Plausible Analytics to understand aggregate usage of the Service. Plausible is a privacy-focused analytics tool hosted in the European Union (Germany). It does not use cookies, does not track You across websites, and does not collect any personal information that could identify You. No consent is required for its use.

If We add any non-essential cookies in the future (for example, third-party embedded content, social login, or marketing tools), We will update this Privacy Policy and implement an appropriate consent mechanism before doing so.

You can configure Your browser to refuse all cookies or to alert You when cookies are being sent. However, if You disable strictly necessary cookies, parts of the Service may not function correctly.

3.2 - Use of Your Personal Data

The Company may use Personal Data for the following purposes:

  • To provide and maintain our Service, including to monitor the usage of our Service.
  • To manage Your Account: to manage Your registration as a User of the Service and to provide access to the functionalities available to registered users.
  • For the performance of a contract: the development, compliance, and undertaking of the purchase contract for the Goods You have purchased or of any other contract with Us through the Service.
  • To facilitate transactions between Buyers and Sellers, including the secure exchange of Personal Data necessary to complete and fulfil orders, the processing of payments through Stripe Connect, and the resolution of disputes.
  • To contact You: by email or other equivalent forms of electronic communication regarding service updates, transactional notifications (such as account, listing, message, and order notifications), or security notifications related to the Service.
  • To manage Your requests: to attend and manage Your requests to Us, including data subject rights requests under the GDPR.
  • To comply with legal obligations: including obligations under tax, accounting, anti-money laundering, and consumer protection law.
  • For business transfers: We may use Your information to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Our assets, in which Personal Data held by Us is among the assets transferred.
  • For analytics and improvement: We may use anonymous and aggregate Usage Data, processed via Plausible Analytics, to understand how the Service is used and improve it.

We may share Your Personal Data in the following situations:

  • With Service Providers: We share Your Personal Data with the Data Processors listed in Section 6.2, who process data on Our behalf under written data processing agreements.
  • Between Buyers and Sellers: as described in Section 3.1.3, certain Personal Data is shared between transacting parties to enable fulfilment of orders.
  • With other users: when You share Personal Data or otherwise interact in the public areas of the Service, such information may be viewed by other users. Your public profile, listings, and reviews are visible to other users of the Service.
  • For business transfers: We may share or transfer Your Personal Data in connection with any merger, sale of Company assets, financing, or acquisition of all or a portion of Our business.
  • With Affiliates: We may share Your information with Our affiliates, in which case We will require those affiliates to honor this Privacy Policy.
  • For legal and regulatory reasons: as set out in Section 3.6.
  • With Your consent: We may disclose Your Personal Data for any other purpose with Your prior consent.

3.3 - Retention of Your Personal Data

The Company will retain Your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy:

  • Account data: retained for the duration of Your account and for a reasonable period thereafter to allow account recovery and resolve any outstanding matters. Typically deleted within thirty (30) days of account closure, subject to the retention obligations below.
  • Transaction Data and accounting records: retained for ten (10) years from the date of the transaction in accordance with Article 16 of the Luxembourg Commercial Code and applicable accounting and tax law.
  • Identity verification records: retained by Stripe on Our behalf for the period required by anti-money laundering law (typically five (5) years from the end of the business relationship).
  • DAC7 Reportable Seller information: retained for ten (10) years from the end of the calendar year to which the report relates, in accordance with the Luxembourg DAC7 Law of 16 May 2023.
  • Usage Data: processed only in aggregate, anonymous form via Plausible Analytics. No individual usage records are stored.

When Personal Data is no longer required, We will delete or irreversibly anonymise it.

3.4 - Transfer of Your Personal Data

Your Personal Data is primarily processed within the European Union and the European Economic Area (EEA), where the Service is operated and most of Our Data Processors are located.

Some Data Processors, including Stripe and Google Workspace, may process Personal Data in countries outside the EEA, including the United States. In such cases, We rely on appropriate safeguards under Chapter V of the GDPR, including Standard Contractual Clauses approved by the European Commission and, where available, certification under the EU-U.S. Data Privacy Framework.

The Company will take all steps reasonably necessary to ensure that Your data is treated securely and in accordance with this Privacy Policy.

3.5 - Delete Your Personal Data

You have the right to delete or request that We assist in deleting the Personal Data that We have collected about You.

You may update, amend, or delete Your information at any time by signing in to Your Account and visiting the account settings section. You may also contact Us to request access to, correct, or delete any Personal Data that You have provided to Us.

Please note that We may need to retain certain information when We have a legal obligation or lawful basis to do so, in particular for the retention periods set out in Section 3.3.

3.6 - Disclosure of Your Personal Data

3.6.1 - Business Transactions

If the Company is involved in a merger, acquisition or asset sale, Your Personal Data may be transferred. We will provide notice before Your Personal Data is transferred and becomes subject to a different Privacy Policy.

3.6.2 - Tax Authorities (DAC7)

As described in Section 3.1.5, We are required by law to disclose certain Personal Data of Reportable Sellers to the Luxembourg Tax Authority (Administration des Contributions Directes), which then automatically exchanges this information with the tax authorities of the Member States in which the Reportable Sellers are tax resident, in accordance with DAC7.

3.6.3 - Law Enforcement

Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).

3.6.4 - Other Legal Requirements

The Company may disclose Your Personal Data in the good faith belief that such action is necessary to:

  • Comply with a legal obligation
  • Protect and defend the rights or property of the Company
  • Prevent or investigate possible wrongdoing in connection with the Service
  • Protect the personal safety of Users of the Service or the public
  • Protect against legal liability

3.7 - Security of Your Personal Data

The security of Your Personal Data is important to Us. We rely on the technical and organisational security measures provided by Sharetribe (platform infrastructure) and Stripe (payments and identity verification), both of which apply industry-standard practices including encryption in transit (TLS), encryption at rest, access controls, and regular security audits. Stripe is certified as a PCI Service Provider Level 1.

No method of transmission over the Internet or method of electronic storage is 100% secure. While We strive to use commercially acceptable means to protect Your Personal Data, We cannot guarantee its absolute security.

3.8 - Personal Data Breach Notification

In the event of a Personal Data breach, We will:

  • Notify the Commission Nationale pour la Protection des Données (CNPD) within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR, where the breach is likely to result in a risk to the rights and freedoms of data subjects.
  • Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with Article 34 GDPR.

4 - Detailed Information on the Processing of Your Personal Data

The Service Providers We use may have access to Your Personal Data. These third-party vendors collect, store, use, process and transfer information about Your activity on Our Service in accordance with their Privacy Policies and the data processing agreements entered into with Us.

4.1 - Platform Infrastructure

Our Service is built on the Sharetribe marketplace platform, which acts as a Data Processor on Our behalf. Sharetribe processes Personal Data necessary to operate the marketplace, including user accounts, listings, transactions, and messaging. Sharetribe Oy is established in Helsinki, Finland (European Union). For more information, please refer to Sharetribe's Privacy Policy at https://www.sharetribe.com/privacy-policy/.

4.2 - Analytics

We use Plausible Analytics to understand aggregate usage of the Service. Plausible is a privacy-focused, open-source analytics service operated by Plausible Insights OÜ (Estonia) and hosted in the European Union (Germany). Plausible does not use cookies, does not collect personal information, and does not track users across websites or devices. No consent is required for its use under the EU ePrivacy Directive. For more information, please refer to Plausible's Privacy Policy at https://plausible.io/privacy.

4.3 - Transactional Emails

The Service sends automatic notification emails relating to Your account and Your activity on the marketplace, including registration confirmations, message notifications, listing notifications, order and payment notifications, and security alerts. These emails are sent from the @hifihub.market domain and are necessary for the operation of the Service and the performance of Our contract with You. They are not marketing communications and are not subject to consent.

Outgoing emails are routed through Our Sharetribe platform and Our Google Workspace business email infrastructure (see Sections 4.1 and 4.5). We do not currently operate a newsletter or marketing email programme. Should this change in the future, We will update this Privacy Policy and obtain Your prior consent before sending any marketing communications.

4.4 - Payments and Identity Verification

We use Stripe Connect for payment processing, escrow, and identity verification. We do not store or collect Your payment card details or identity documents. That information is provided directly to Stripe Connect and is governed by Stripe's Privacy Policy. Stripe Connect adheres to the standards set by PCI-DSS as managed by the PCI Security Standards Council.

  • Stripe Connect — Privacy Policy: https://stripe.com/privacy

4.5 - Business Communications

  • Google Workspace (Google Ireland Limited, with onward transfers to Google LLC) — hosting of Our business email (@hifihub.market) and related business communications.

5 - Links to Other Websites

Our Service may contain links to other websites that are not operated by Us. If You click on a third-party link, You will be directed to that third party's site. We strongly advise You to review the Privacy Policy of every site You visit.

We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.

6 - GDPR Privacy

6.1 - Legal Basis for Processing Personal Data under GDPR

We process Personal Data on the following legal bases:

  • Performance of a contract (Article 6(1)(b) GDPR): for account creation and management, processing transactions between Buyers and Sellers, payment processing, dispute resolution, and provision of the Service.
  • Compliance with legal obligations (Article 6(1)(c) GDPR): for tax, accounting, anti-money laundering, and consumer protection requirements, including identity verification of Sellers, retention of transaction records, and the collection and reporting of Reportable Seller information to the Luxembourg Tax Authority under DAC7 (Council Directive (EU) 2021/514 and the Luxembourg Law of 16 May 2023).
  • Legitimate interests (Article 6(1)(f) GDPR): for ensuring the security and integrity of the Service, preventing fraud, conducting aggregate analytics through Plausible, and managing Our business operations. Our legitimate interests are balanced against Your rights and freedoms in each case, and You may object as set out in Section 6.3.
  • Consent (Article 6(1)(a) GDPR): where We rely on Your consent for any specific processing activity. We do not currently rely on consent for ongoing processing, but should this become applicable (for example, if We later introduce optional features or marketing communications), You will be asked to give consent expressly and may withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal.

6.2 - Data Processors

As a Data Controller, We engage the following principal Data Processors to provide the Service:

  • Sharetribe Oy (Finland) — marketplace platform infrastructure. Processes account, listing, transaction, and messaging data.
  • Stripe Payments Europe Ltd (Ireland), with onward transfer to Stripe, Inc. (United States) — payment processing, escrow, and identity verification. Processes payment data and identity documents.
  • Plausible Insights OÜ (Estonia / Germany) — privacy-focused analytics. Processes aggregate, anonymised usage data only.
  • Google Ireland Limited / Google LLC — business email and document hosting through Google Workspace.

All Data Processors are bound by data processing agreements that meet the requirements of Article 28 GDPR. Where data is transferred outside the EEA, transfers rely on Standard Contractual Clauses or other appropriate safeguards under Chapter V of the GDPR.

6.3 - Your Rights under the GDPR

The Company undertakes to respect the confidentiality of Your Personal Data and to guarantee You can exercise Your rights.

You have the right under this Privacy Policy, and by law if You are within the EU, to:

  • Request access to Your Personal Data. You have the right to access, update or delete the information We have on You. Whenever made possible, You can access, update or request deletion of Your Personal Data directly within Your account settings section. If You are unable to perform these actions yourself, please contact Us to assist You. This also enables You to receive a copy of the Personal Data We hold about You.
  • Request correction of the Personal Data that We hold about You. You have the right to have any incomplete or inaccurate information We hold about You corrected.
  • Object to processing of Your Personal Data. This right exists where We are relying on a legitimate interest as the legal basis for Our processing and there is something about Your particular situation which makes You want to object to Our processing of Your Personal Data on this ground. You also have the right to object where We are processing Your Personal Data for direct marketing purposes.
  • Request restriction of processing of Your Personal Data. You have the right to ask Us to suspend the processing of Your Personal Data in certain circumstances, for example if You want Us to establish its accuracy or the reason for processing it.
  • Request erasure of Your Personal Data. You have the right to ask Us to delete or remove Personal Data when there is no good reason for Us to continue processing it, subject to the retention periods set out in Section 3.3.
  • Request the transfer of Your Personal Data. We will provide to You, or to a third party You have chosen, Your Personal Data in a structured, commonly used, machine-readable format. Please note that this right only applies to automated information which You initially provided consent for Us to use or where We used the information to perform a contract with You.
  • Withdraw Your consent. You have the right to withdraw Your consent to the use of Your Personal Data at any time. If You withdraw Your consent, We may not be able to provide You with access to certain specific functionalities of the Service.

6.4 - Exercising of Your GDPR Data Protection Rights

You may exercise Your rights by contacting Us at customerservice@hifihub.market. Please note that We may ask You to verify Your identity before responding to such requests. We will respond to Your request within one (1) month of receipt, in accordance with Article 12(3) GDPR. This period may be extended by two further months where necessary, taking into account the complexity and number of requests.

You have the right to lodge a complaint with a Data Protection Authority about Our collection and use of Your Personal Data. If You are in the European Economic Area (EEA), please contact Your local data protection authority. In Luxembourg, the supervisory authority is the Commission Nationale pour la Protection des Données (CNPD): https://cnpd.public.lu.

7 - Children's Privacy

Our Service does not address anyone under the age of 16. We do not knowingly collect personally identifiable information from anyone under the age of 16. If You are a parent or guardian and You are aware that Your child has provided Us with Personal Data, please contact Us. If We become aware that We have collected Personal Data from anyone under the age of 16 without verification of parental consent, We take steps to remove that information from Our servers.

8 - Changes to this Privacy Policy

We may update Our Privacy Policy from time to time. We will notify You of any changes by posting the new Privacy Policy on this page.

We will let You know via email and/or a prominent notice on Our Service, prior to the change becoming effective, and update the "Last updated" date at the top of this Privacy Policy.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.