This Privacy Policy explains how Celestial AI Agents Ltd (trading as Celestial Verity) collects, uses, stores, and protects your personal data when you use the Platform at celestialverity.com. Read it carefully.
We are committed to processing your data lawfully, fairly, and transparently. This Policy is compliant with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).
The data controller for this Platform is:
Celestial AI Agents Ltd (trading as Celestial Verity)
Company No. 16511006
27 Streatfield Road, Harrow, HA3 9BP, England
ICO Registration: ZB921838
Email: support@celestialverity.com
As data controller, we determine the purposes and means of processing your personal data. We are registered with the Information Commissioner's Office (ICO) under registration number ZB921838.
We have not appointed a Data Protection Officer (DPO) as we do not meet the thresholds that make this mandatory under UK GDPR Article 37. All data protection queries are handled directly by the Platform's management team at support@celestialverity.com.
In accordance with UK GDPR Article 13, this Privacy Policy is provided to Users at the point of account creation and is linked on the Platform's checkout page, so that Users are informed of the Platform's data processing activities at the point their personal data is first collected.
We collect personal data in the following categories depending on how you use the Platform:
Name, email address, password (hashed), account creation date, and account type (Buyer, Specialist, or both).
For Specialists: display name, profile description, portfolio items, service listings, and verification status. For all Users: any profile information voluntarily added.
Order details including order reference, service purchased, agreed price, Platform Service Fee charged, delivery date, and order status. We do not store card details; these are handled entirely by Stripe.
All messages exchanged through the Platform's messaging system, including pre-order briefs, Pre-Offer Disclosure Messages, Custom Offers, order communications, revision requests, and dispute submissions. These are retained as the Inbox Record and form part of every Order Record.
For Buyers: billing address and payment confirmation data from Stripe. For Specialists: Stripe Connect account identifiers, payout confirmation data, and bank country. We never hold or see full card numbers or bank account details.
IP address, browser type and version, device type, operating system, time zone, pages visited, session duration, and referral source. This data is collected automatically when you use the Platform.
For Specialists: portfolio submissions, skills evidence, and any additional material submitted during the verification process.
Communications submitted to support@celestialverity.com, dispute and complaint submissions, and any documentation submitted as part of the Platform's formal dispute or complaint process.
When a Specialist sends a Custom Offer and a Buyer accepts it at checkout, the Platform records the timestamp and account identifiers of both actions. These constitute electronic signatures under the Electronic Communications Act 2000 and are retained as part of the Order Record.
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Creating and managing your account | Registration data, profile data | Contract |
| Processing orders and payments | Transaction data, payment data | Contract |
| Generating Order Records | Transaction data, communication data, electronic signature data | Contract / Legal obligation |
| Facilitating Specialist verification | Verification data, profile data | Contract |
| Processing Specialist payouts via Stripe Connect | Payout data, transaction data | Contract |
| Responding to support requests | Support data, account data | Contract / Legitimate interest |
| Resolving disputes and complaints | Communication data, transaction data, support data | Contract / Legal obligation |
| AI-assisted dispute review | Communication data (inbox thread), transaction data | Contract performance |
| Contact information detection | Communication data (automated pattern scan only) | Legitimate interest |
| Anti-money laundering monitoring | Transaction data, account data | Legal obligation (POCA 2002) |
| Admin inbox access for dispute or safeguarding review | Communication data (logged, purpose-limited) | Contract / Legal obligation |
| Legal and regulatory compliance | All categories as required | Legal obligation |
| Fraud detection and platform security | Technical data, transaction data, account data | Legitimate interest |
| Improving Platform performance | Technical data (aggregated and anonymised only) | Legitimate interest |
| Platform communications (service notices) | Email address, account data | Contract / Legitimate interest |
We do not sell your personal data to any third party. We do not use your personal data for advertising, profiling for commercial purposes, or for any purpose beyond those listed above.
We will never use the content of inbox threads, briefs, Order materials, or dispute submissions to train, fine-tune, or improve any AI model — whether operated by Celestial Verity or any third party. This commitment applies without exception and survives any change in Platform ownership.
We process your personal data on the following legal bases under Article 6 UK GDPR:
The majority of our processing is necessary to perform our contract with you — operating your account, processing orders, generating Order Records, facilitating payouts, resolving disputes, and operating the AI-assisted dispute review process. Without this processing we cannot provide the Platform services.
We retain certain transaction and communication data for a minimum of 7 years to comply with financial record-keeping requirements under UK law. We also process data as required by the Proceeds of Crime Act 2002, the Money Laundering Regulations 2017, and in response to lawful requests from regulatory authorities including the National Crime Agency, the ICO, and the CMA.
We process technical data for fraud detection and platform security, and use automated pattern scanning of messages to detect contact information sharing in breach of our Terms. Our legitimate interest in maintaining a secure, compliant, and functional marketplace for all Users is balanced against your rights. We do not rely on legitimate interest for any processing that has a material adverse impact on your rights or freedoms.
We rely on consent only for non-essential cookies. Consent is obtained through our cookie consent banner, which allows granular control over each cookie category. You may withdraw consent at any time — this does not affect the lawfulness of processing carried out before withdrawal and does not affect your use of the Platform.
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. Our retention periods are as follows:
| Data Category | Retention Period | Reason |
|---|---|---|
| Active account data | Duration of account + 30 days | Contract performance |
| Completed order data | 7 years from completion | Legal / financial record-keeping |
| Order Records (including Custom Offers) | 7 years minimum | Legal / contractual obligation |
| Communication data (inbox messages) | 7 years from order completion | Dispute evidence / legal obligation |
| Dispute and complaint records | 7 years from determination | Legal obligation |
| Electronic signature data | 7 years from order completion | Contractual / legal obligation |
| Pending / failed orders | 30 days from creation | Operational only |
| Cancelled orders | 6 months from cancellation | Dispute window |
| Verification data | Duration of account + 2 years | Verification integrity |
| Technical / log data | 90 days | Security and operational monitoring |
| Support correspondence | 3 years from last contact | Dispute and service continuity |
| Admin inbox access log | 7 years | Accountability / legal obligation |
| AML monitoring records | 5 years minimum (MLR 2017) | Legal obligation |
Where data is retained beyond the active account period for legal purposes, it is stored securely and access is restricted to authorised personnel only.
We share personal data only where necessary for Platform operation. We do not sell data. We do not share data for advertising purposes.
Payment and payout processing. Stripe processes payment data as an independent data controller for its own services and as our data processor for payout-related functions. Payment events processed include payment authorisation, payment confirmation (payment_intent.succeeded), payment failure (payment_intent.payment_failed), and refund processing (charge.refunded). Transactions appear on statements as "CELESTIAL VERITY". Stripe's privacy policy applies to data it processes as controller: stripe.com/privacy.
The Platform's messaging inbox is operated by a third-party messaging provider. All inbox messages, Custom Offers, Pre-Offer Disclosure Messages, and order communications are stored on that provider's servers. The Platform only uses messaging providers who have entered into a Data Processing Agreement (DPA) under UK GDPR Article 28, confirming that message content will not be used for the provider's own purposes beyond delivering the messaging service and will not be used to train AI models. Details of the current messaging provider and their DPA are available on request at support@celestialverity.com.
When a dispute or complaint is raised, the Platform copies the relevant inbox thread into a third-party AI system for analysis as part of the dispute review process described in Section 10. The Platform only uses AI providers for this purpose who have entered into a Data Processing Agreement under UK GDPR Article 28, confirming that data submitted for dispute review will not be used to train, fine-tune, or improve the provider's AI models and will not be retained beyond the immediate analysis. The Platform does not commit to using any specific AI provider — it commits to ensuring any provider used meets these DPA requirements.
WooCommerce provides the e-commerce platform infrastructure used to operate the Platform's ordering system. Personal data is processed in accordance with WooCommerce's data processing agreement.
The Platform's WordPress installation and database are hosted by a third-party hosting provider under a data processing agreement. Server-level personal data (including account data and order data stored in the WordPress database) is processed within the terms of that agreement. Details of the current hosting provider are available on request.
We will disclose personal data to law enforcement, regulatory bodies, or other authorities where required by law or where we have a reasonable belief that disclosure is necessary to protect legal rights, prevent fraud, or respond to a lawful court order or regulatory request.
The Platform is subject to the Proceeds of Crime Act 2002 (POCA) and the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017). Where we are required to submit a Suspicious Activity Report (SAR) to the National Crime Agency (NCA), we are legally prohibited from informing the person concerned that a report has been made (the "tipping-off" restriction under POCA 2002 s333A). In these circumstances the Platform may restrict, suspend, or close an account without being able to provide reasons at the time. This processing is carried out under our legal obligation lawful basis. Where an account is suspended for AML compliance reasons, the Platform will review the suspension as soon as it is legally permitted to do so following the lifting of any applicable legal restriction, and will notify the User of the outcome within a reasonable time. We cannot provide further information about specific AML reports or the legal restrictions in force.
Platform display names are visible to other Users. For Order fulfilment, the Specialist sees the Buyer's display name and order details. The Buyer sees the Specialist's profile and listing details. Email addresses and personal contact information are never shared between Buyers and Specialists through the Platform. Sharing contact information through the Platform's messaging system is prohibited under the Terms of Use.
Business Buyers who act as data controllers in respect of personal data contained in their briefs or Order materials — for example, where a brief contains personal data relating to the Buyer's own customers, employees, or service users — should request a formal Data Processing Agreement (DPA) under UK GDPR Article 28 before submitting any such brief through the Platform's messaging inbox. Under UK GDPR Article 28, the DPA must be in place before processing of that personal data begins. The Platform will provide a DPA within 10 Business Days of a written request to support@celestialverity.com. Business Buyers who are uncertain whether their brief contains personal data within the meaning of the UK GDPR are advised to seek independent legal advice before submitting the brief.
In the event of a merger, acquisition, or sale of all or part of Celestial AI Agents Ltd's business, personal data may be transferred to the acquiring entity as part of that transaction. Users will be notified of any such transfer and their rights will be preserved. The commitment in Section 3 not to use inbox content for AI training survives any change in ownership.
The Platform serves Users globally. Some of our third-party service providers process data outside the United Kingdom. Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place in accordance with UK GDPR Chapter V, including adequacy decisions by the UK Government, Standard Contractual Clauses (SCCs) approved for UK use, or binding corporate rules.
Stripe, Inc. is headquartered in the United States. Stripe's international transfer arrangements are governed by Stripe's own privacy framework, which includes Standard Contractual Clauses and participation in applicable data transfer frameworks. Details are available at stripe.com/privacy.
Automattic (WooCommerce) processes data in the United States under Standard Contractual Clauses incorporated into their data processing agreement.
Messaging provider. Our messaging provider processes inbox data in accordance with its DPA with the Platform. Where data leaves the UK, the DPA includes appropriate transfer safeguards including Standard Contractual Clauses or equivalent mechanisms.
AI dispute review provider. The AI provider used for dispute review processes data under a DPA that includes appropriate international transfer safeguards where applicable.
You can request details of the specific safeguards in place for any data transfer by contacting support@celestialverity.com.
Under the UK GDPR, you have the following rights with respect to your personal data. You may exercise any of these rights by contacting support@celestialverity.com. We will respond within one calendar month of receiving your request.
Request a copy of the personal data we hold about you (Subject Access Request).
Request correction of inaccurate or incomplete personal data.
Request deletion of your personal data where we no longer have a lawful basis to retain it.
Request that we restrict processing of your data in certain circumstances.
Request your personal data in a structured, commonly used, machine-readable format.
Object to processing based on legitimate interest, including the contact information detection system and fraud monitoring.
Withdraw consent for consent-based processing (non-essential cookies) at any time without detriment to your use of the Platform.
Rights under Article 22 where decisions are made solely by automated means with significant effects. See Section 10 for how this applies on this Platform.
Please note that some rights are subject to conditions. The right to erasure does not apply where we are required by law to retain the data — for example, 7-year financial record-keeping requirements or AML obligations under POCA 2002. We will explain any limitation that applies when responding to your request.
No fees. We do not charge a fee for exercising your data rights unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or decline to act.
If you wish to report suspected unlawful conduct by Celestial Verity to a regulatory authority — including the ICO (data protection), the CMA (consumer protection and competition), the FCA (financial services), or the NCA (financial crime) — you may do so without any adverse consequence to your account. The Platform will not restrict, suspend, or penalise your account because you have made, or indicated an intention to make, a complaint or report about the Platform to any regulatory authority. This protection applies regardless of whether the authority upholds your complaint.
The Platform uses cookies and similar technologies. Full details are set out in our Cookie Policy at celestialverity.com/cookies.
In summary: we use strictly necessary cookies to operate the Platform (session management, login state, cart); functional cookies to remember your preferences; and analytics cookies to understand how the Platform is used in aggregate. We do not use advertising or tracking cookies.
You may manage your cookie preferences through our cookie consent banner, which appears on your first visit and allows granular control over non-essential cookie categories. You may also manage preferences through your browser settings. Your cookie consent choice is recorded with a timestamp. Disabling strictly necessary cookies will affect Platform functionality.
The Platform does not make automated decisions about Users that produce legal or similarly significant effects without human review. Specialist verification, Specialist level assessments, and dispute determinations all involve human review by Celestial Verity staff.
Where automated processing is used as a tool to support human review — for example, in fraud detection, spam filtering, or contact information detection — a human reviewer makes the final determination in any case where automated processing flags an account, message, or transaction for review.
In accordance with Article 22 UK GDPR, you have the right to request human review of any decision that has been made about you using automated means, to express your view, and to contest the decision. Contact support@celestialverity.com to exercise this right.
AI is a tool on this Platform, not a judge. Every decision that affects your account, your listing, or your Order is made or confirmed by a human being at Celestial Verity.
When a dispute or complaint is raised, a member of the Celestial Verity team manually locates and reads the relevant inbox thread in full. The team member then copies the thread into the best available AI system for analysis. The AI produces a finding. The team member reviews that finding and issues the Platform's final determination by email to all parties. The AI's finding informs but does not substitute for the human determination.
The lawful basis for this processing is contract performance — resolving disputes is a core part of the Platform's service obligations to all Users. The Platform only uses AI providers for dispute review who have entered into a Data Processing Agreement under UK GDPR Article 28, confirming the data will not be used for model training or retained beyond the immediate analysis.
The Platform operates an automated system that scans outgoing messages in the inbox for patterns consistent with contact information — including email addresses, telephone numbers, social media handles, and similar. Messages flagged by this system are reviewed by a human administrator before any action is taken. No message is blocked automatically without human review. The lawful basis is legitimate interest — maintaining the integrity, safety, and commercial structure of the Platform's closed messaging environment.
The Platform will never use the content of User inbox threads, Pre-Offer Disclosure Messages, Custom Offers, briefs, Order materials, Deliverables, or dispute submissions to train, fine-tune, or improve any AI model — whether operated by Celestial Verity or by any third party. This commitment is stated in the Platform's Terms of Use (Section 34.5) and applies without exception. It survives any change in Platform ownership or management.
Platform administrators may access User inbox threads only for the following four purposes: dispute resolution, safeguarding investigations, investigation of suspected Terms of Use breaches, and legal compliance. Every access is logged with the timestamp, administrator account identifier, and the stated purpose. This log is retained for 7 years. Access is not granted for any commercial, marketing, product development, or AI training purpose.
The Platform is not directed at or intended for use by persons under the age of 18. We do not knowingly collect personal data from anyone under 18. Users must confirm at registration that they are 18 or older. If you believe that a person under 18 has provided us with personal data or created an account, please contact us at support@celestialverity.com and we will take steps to delete that data and close the account promptly.
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These measures include encrypted data transmission (TLS/HTTPS), password hashing, access controls limiting data access to authorised personnel, admin access logging, and regular security reviews.
Inbox access logging. Platform administrator access to User inbox threads is logged with timestamp, administrator identity, and stated purpose. Access is restricted to four purposes only: dispute resolution, safeguarding investigations, Terms breach investigations, and legal compliance. This log is retained for 7 years and is itself subject to access controls.
Payment data is handled exclusively by Stripe, which is PCI DSS compliant. We do not store card numbers, CVV codes, or full bank account details.
No transmission over the internet is completely secure. While we take all reasonable steps to protect your data, we cannot guarantee absolute security.
Data breach notification. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay in accordance with Article 34, describing the nature of the breach and the steps we are taking.
We may update this Privacy Policy where required by law, where our processing activities change, where we add new service providers, or where we need to correct an error or improve clarity.
Where a change reduces your rights or materially affects how we process your data, you will be given at least 30 days' notice by email and the right to close your account before the change takes effect. For other changes, we will provide at least 14 days' notice by email before the effective date. The effective date at the top of this document will be updated with each revision.
Continued use of the Platform after the effective date of a change constitutes acknowledgement of the updated Policy. It does not waive any of your statutory rights under the UK GDPR.
For any question, request, or concern about this Privacy Policy or how we handle your personal data, contact us at:
Celestial AI Agents Ltd (data controller)
Email: support@celestialverity.com
Post: 27 Streatfield Road, Harrow, HA3 9BP, England
We aim to respond to all data rights requests within one calendar month. Complex requests may take up to three calendar months — we will notify you within one month if an extension is required and explain why.
If you are not satisfied with our response, or if you believe we are processing your data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Website: ico.org.uk/make-a-complaint
Telephone: 0303 123 1113
Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would, however, appreciate the opportunity to resolve any concern directly before you approach the ICO.