COP·DROP
Legal

Privacy Policy

Last updated: Pending counsel review
Plain English version below.
Reviewed by counsel before launch.

01

Who's the data controller

The data controller is [Company name TBC], registered in England and Wales. We're registered with the Information Commissioner's Office (ICO) under reference [ICO ref TBC].

Placeholder · ICO registration costs ~£40-60/year and is required before processing personal data commercially. Register at ico.org.uk.

02

What we collect

When you sign up:

  • Email address (via Google sign-in or directly)
  • Name (from your Google profile, if used)
  • Account ID and session data (managed by Clerk)

When you buy a ticket:

  • Card details — these go directly to Stripe, we never see or store them
  • Billing address (collected by Stripe)
  • Drop, size, and quantity selected

When you win:

  • Shipping address
  • Phone number (for delivery)

Automatically:

  • IP address, browser type, device
  • Pages visited, timing, referrer (basic analytics)

03

Why we collect it

To run the raffle. Lawful basis: contract performance (UK GDPR Art. 6(1)(b)). We need your email address to tell you if you won, and your address to ship to you.

To prevent fraud. Lawful basis: legitimate interest. IP/device data lets us detect multi-account abuse.

To comply with the law. Lawful basis: legal obligation. Tax records (HMRC requires 6 years).

To send marketing. Lawful basis: consent. Only if you opt in. You can unsubscribe any time.

04

Who we share with

  • Clerk — handles authentication. Data stays in EU/US under SCCs.
  • Stripe — handles payment. PCI DSS Level 1.
  • Vercel — hosts the website.
  • Resend / [email provider TBC] — sends transactional and marketing emails.
  • [Shipping carrier TBC] — ships sneakers to winners.

We don't sell your data. We don't share with advertisers. Beyond this list, we'd only share if legally compelled (court order, HMRC).

05

How long we keep it

  • Account data: until you delete your account, plus 6 years for tax records of any purchases.
  • Marketing consent: until you withdraw it.
  • Logs and analytics: 12 months.

06

Your rights

Under UK GDPR you have the right to:

  • Access — get a copy of your data
  • Rectify — fix wrong data
  • Erase — delete your data (subject to legal retention)
  • Restrict — pause processing
  • Object — to legitimate-interest processing
  • Data portability — get your data in a portable format
  • Withdraw consent — for anything we process by consent

Email hello@copdrop.example to exercise any right. We'll respond within 30 days.

You can also complain to the ICO at ico.org.uk/make-a-complaint.

07

Cookies

We use strictly-necessary cookies for the site to work (authentication session). We don't use marketing or third-party tracking cookies without your consent. We may add basic analytics (Vercel Analytics or similar) — you'll be asked.

Placeholder · Add cookie banner before adding any non-essential cookies. PECR requires consent for non-strictly-necessary cookies.

08

Changes

We may update this policy. We'll publish changes here with the "Last updated" date at the top.