Privacy Policy

Last updated 1 April 2026

1. Who We Are

MintedModels.com is operated by Minted Models LTD, a company registered in England and Wales. We are the data controller for personal data collected through this platform. If you have questions about this policy or your data, contact us at privacy@mintedmodels.com.

2. Data We Collect

We collect the following categories of personal data:

  • Account data: name, email address, password (stored as a secure hash), date of birth, phone number, and account type (model or professional).
  • Profile data: photographs, physical measurements, skills, location, biography, and portfolio content that you choose to publish.
  • Transaction data: subscription purchases, booking records, and payment history processed via Stripe. We do not store card details ourselves.
  • Communications: messages sent through the platform inbox.
  • Usage data: pages visited, search queries, and device/browser information collected via analytics cookies and Sentry error monitoring.

3. How We Use Your Data

  • To operate your account and provide the marketplace service.
  • To process payments and manage subscriptions through Stripe.
  • To moderate content and ensure platform safety.
  • To send transactional notifications — in-app and email — such as booking confirmations, application updates, and password resets. Email delivery uses Resend; in-app notification routing and subscriber management use Novu.
  • To monitor platform health and debug errors via Sentry.
  • To comply with our legal obligations under UK law.

4. Third Parties We Share Data With

  • Stripe — payment processing. Your card data is handled by Stripe under their own PCI-compliant privacy policy.
  • Cloudflare — media storage (R2) and image delivery (Cloudflare Images). Uploaded files are stored on Cloudflare infrastructure.
  • Vercel — hosting and serverless execution of the application.
  • Sentry — error monitoring. Error reports may include partial request data.
  • Neon — database hosting (PostgreSQL).
  • Novu — notification delivery (in-app notifications and email coordination). We share your user identifier, email address, and first name with Novu to create and manage a notification subscriber record on your behalf. This is necessary to deliver notifications that are inherent to the service, such as booking confirmations and application updates (Art. 6(1)(b) — contract performance). Novu is operated by Novu Inc.; their privacy policy is available at novu.co/privacy.
  • Resend — transactional email delivery.

We do not sell your personal data to third parties.

5. Cookies

We use functional cookies required for authentication and security, and optional analytics cookies to understand how the platform is used. See our Cookie Policy for full details.

6. Your Rights (UK GDPR)

Under UK GDPR you have the following rights:

  • Right of access — request a copy of the data we hold about you.
  • Right to rectification — ask us to correct inaccurate data.
  • Right to erasure (Article 17) — request deletion of your account and personal data. You can do this directly from your account settings — see "Account Closure Options" below.
  • Right to portability — download your data in a machine-readable format from your account settings.
  • Right to object — object to processing based on legitimate interests.
  • Right to restrict processing — request that we limit how we use your data.

To exercise any of these rights, email privacy@mintedmodels.com. We will respond within 30 days. You may also lodge a complaint with the ICO at ico.org.uk.

7. Account Closure Options

We offer two account closure options from the Privacy & Data page in your account settings:

7.1 Deactivate (reversible, 30 days)

Deactivation hides your profile from search and the directory, anonymises your email address to a generated placeholder, and clears your password hash so the account can no longer sign in. The underlying database record is retained for up to 30 days. During that window, you may request reinstatement by emailing support@mintedmodels.com.

7.2 Permanently Delete (Article 17 right to erasure, irreversible)

Permanent deletion exercises your right to erasure under UK GDPR Article 17. The following data is destroyed and cannot be recovered:

  • Your account record — name, email, password hash, role, status
  • Your model or professional profile and all profile fields
  • Your portfolio images, avatar and cover image — deleted from Cloudflare R2 and Cloudflare Images via an asynchronous cleanup job
  • Your job applications and bookings
  • The text of messages you sent — replaced with "[deleted]". The conversation thread structure persists so the other party can still see their own messages.
  • Your active sessions, notifications, OAuth account links, and any password-reset or email-verification tokens
  • Your notification subscriber record held by Novu — deleted from Novu's systems as part of the same erasure flow. This deletion is best-effort: if the Novu API is unavailable at the time of your request, the failure is logged, and operations will retry the deletion. The in-product erasure is not conditional on Novu being available and will proceed regardless.
  • Your subscription record and payment history (subject to the exception below)

7.3 Retention exceptions

UK GDPR Article 17(3) permits retention where it is necessary for compliance with a legal obligation, the establishment of legal claims, or for archiving in the public interest. The following data may be retained even after permanent deletion:

  • Audit log entries — where you were the subject of a moderation or admin action, the audit record is preserved for forensic purposes. Your user id reference becomes orphaned (no longer joinable to a User row) and the actor reference is anonymised when the actor account is itself deleted.
  • Evidence of reported illegal content — where required by law or regulator request, we may preserve a forensic copy of content that was reported as illegal (for example, child sexual abuse material or non-consensual intimate imagery). This is a narrow exception aligned with our obligations under the UK Online Safety Act and other applicable law.
  • Payment records — if you held a paid subscription, payment transaction records may be retained for up to 6 years to comply with HMRC financial reporting requirements (Companies Act 2006, s.388).
  • Aggregated and anonymised analytics — usage statistics that no longer identify you may be retained for product analysis.

8. Data Retention

We retain your account data for as long as your account is active. If you deactivate your account, the record is anonymised and held for up to 30 days. If you exercise your right to erasure (permanent deletion), data is removed immediately, subject to the retention exceptions in section 7.3 above. Transaction records may be retained for up to 6 years to comply with UK financial reporting law.

9. Data Protection Officer

For data protection enquiries, contact our DPO at dpo@mintedmodels.com.

10. Changes to This Policy

We may update this policy periodically. We will notify you of material changes via email or a prominent notice on the platform. Continued use of MintedModels after the effective date constitutes acceptance of the updated policy.