Login £0.00
Buy & sell online at our sister site, Glastonbury Market
Small print

Privacy policy.

What we collect when you book a pitch, visit a market, or sign up for an account, why we collect it, and what you can do about it.

Last updated June 2026
1. Who we are

The Tor Collective.

This website (https://thetorcollective.co.uk) is operated by The Tor Collective, an independent market organiser based in Glastonbury, Somerset. For the purposes of UK GDPR and the Data Protection Act 2018, The Tor Collective is the data controller for personal data collected through this site.

If you have any questions about this policy or how we handle your data, you can reach us at thetorcollective@gmail.com.

2. What we collect

Only what we need to run the markets.

  1. Account & trader details. When you register as a trader we store your name, business name, email address, phone number, a hashed password, and the description of what you sell. If you provide a public maker profile (photos, bio, social links) those are stored too and shown on the site.
  2. Booking history. For every booking we keep a record of the market, the pitch you chose, the price, the booking and cancellation dates, and any store credit balance. We need this to run the market and to settle refunds and credits later.
  3. Documents you upload. Insurance certificates, food hygiene paperwork, electrical safety records and similar documents you upload to your trader dashboard are stored on our server and shown only to you and to organisers.
  4. Payment details. Card payments are handled entirely by Stripe. We never see or store your full card number, expiry date or CVC. Stripe returns to us only the transaction reference, the amount, the last four digits of the card, and the card brand.
  5. Performer registrations. If you sign up as a performer we keep your name, contact details, performance description, and any photos or links you provide. These are shown to organisers when reviewing slot requests.
  6. Messages & emails. Any message you send through the site or by email to the inbox is stored so we can reply and refer back to it.
  7. Server & security logs. Our web server records standard request information (IP address, user agent, page requested, timestamp) for a short period to help us spot abuse and debug issues.
3. How we use it

The lawful basis for each thing we do.

  1. To run your bookings (contract). Account, booking, payment and document data is used to take and manage your pitch booking, issue refunds or store credit, and communicate practical information about the market.
  2. To meet our legal duties (legal obligation). We keep enough booking and payment data to comply with HMRC record-keeping rules and to respond to lawful requests from authorities (e.g. environmental health, trading standards).
  3. To run the website itself (legitimate interests). Server logs, session cookies and security records are used to keep the site running, prevent abuse, and protect both you and us.
  4. To send you booking-related emails (contract). Receipts, pitch-allocation emails, cancellation confirmations and set-up information are sent to the email address on your trader account.
  5. To send you marketing emails (consent). We only send newsletters or promotional emails if you have ticked an opt-in. You can withdraw consent at any time by using the unsubscribe link in any newsletter or by emailing us.
4. Who we share it with

The handful of processors that help us run things.

We don't sell your data. We share the minimum needed with the following processors, each of whom acts on our instructions under a contract:

Payments

Stripe Payments Europe Ltd

Processes all card payments. Stripe holds your card details, not us. See stripe.com/gb/privacy.

Email delivery

Google (Gmail / Google Workspace)

Sends transactional and inbox email from the thetorcollective@gmail.com address.

Hosting

Our UK-based VPS provider

Stores the database, uploaded documents and server logs on a dedicated server we control.

Authorities

HMRC, environmental health, police

Where we are legally required to disclose information, or where we need to in order to defend a legal claim.

We do not use Google Analytics, Facebook Pixel, or other third-party advertising trackers on this site.

5. Cookies

Strictly the ones we need to keep you logged in.

We use a small number of first-party cookies. We don't set advertising or tracking cookies.

  1. Session cookie. Keeps you logged in to your trader or organiser account while you move between pages. Expires when you close your browser, or after a period of inactivity.
  2. CSRF token cookie. A short random value the site checks on form submissions to stop other websites posting forms on your behalf. Standard security measure.
  3. Cart cookie. If you add a pitch to your basket without logging in, we use a cookie to remember the basket while it's held for you. The hold itself expires after 15 minutes.
  4. Stripe. When you reach the payment step, Stripe sets its own cookies to operate the secure payment form and to prevent card fraud. These are governed by Stripe's privacy policy.
6. How long we keep it

Long enough to be useful, no longer.

  1. Active trader accounts. Held for as long as your account is open. You can close your account at any time by asking us.
  2. Booking & payment records. Kept for at least 6 years after the booking, to comply with HMRC and accounting record-keeping rules.
  3. Marketing consent. Held until you unsubscribe or withdraw consent. We then keep a minimal "do not email" suppression record so we don't accidentally email you again.
  4. Server logs. Rotated and deleted within 30 days unless they form part of an active security investigation.
  5. Closed accounts. When you close your account we delete the public-facing profile and contact details, but keep the underlying booking/payment records for the retention period above.
7. Your rights

What you can ask us to do.

Under UK GDPR you have the following rights, and you can exercise any of them by emailing us:

  1. Access. Ask for a copy of the personal data we hold about you.
  2. Correction. Ask us to correct anything that's wrong. You can also edit most of this yourself from your trader dashboard.
  3. Erasure. Ask us to delete your data. We have to keep booking and payment records for tax purposes, but we'll delete or anonymise everything we're not legally required to retain.
  4. Objection & restriction. Ask us to stop or limit a particular use of your data, including marketing.
  5. Portability. Ask for a machine-readable export of the data you've provided to us.
  6. Complaint. If you're not happy with how we've handled your data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk. We'd appreciate the chance to put it right first.
8. Contact

Get in touch about your data.

For anything related to this policy — data access requests, corrections, deletions, or just questions — email thetorcollective@gmail.com and we'll come back to you within a few working days.

We may update this policy from time to time. The "last updated" date at the top of the page reflects the most recent change.

Anything unclear?

We're happy to explain.

Privacy law gets jargony fast. If there's anything in here you'd like in plain English, just ask and we'll talk you through it.

Contact us → Terms & conditions