Who controls your data
The data controller is Cop Drop Ltd (registration in England and Wales pending), trading as Cop Drop, with a service address in London, United Kingdom. You can reach the data team at hello@copdrop.xyz.
ICO data-protection registration is in progress; the reference will be published here once issued.
What we collect
When you enter as a guest. We collect the email address you provide at checkout, the drop, size, and quantity you selected, and the Stripe checkout session ID generated for your payment.
When you create an account. Email address, name (if signed in via Google or Apple), and a Clerk-generated user ID. We never see or store your password.
When you pay. Card details are entered on Stripe's hosted checkout page. We never see, handle, or store them. Stripe collects basic billing info (name, postcode, country) for fraud prevention and shares it back to us as part of the transaction record.
When you win. We ask for your shipping address and a phone number for the courier. These are kept only as long as needed to fulfil the prize and meet HMRC retention requirements (see Section 5).
Free-entry submissions. Emails sent to freeentry@copdrop.xyz are stored as ordinary email until the draw is processed, then deleted within 90 days.
Automatically. IP address, rough device and browser info, the pages you visit, and basic performance metrics. We don't use marketing cookies or third-party trackers.
Why we use it
To run the prize draw. Lawful basis: performance of a contract (UK GDPR Art. 6(1)(b)). We need your email to notify you of the result and your address to ship the prize if you win.
To prevent fraud and abuse. Lawful basis: legitimate interest. IP and device data help us detect bots and multi-account entries that would unfairly disadvantage honest entrants.
To meet legal obligations. Lawful basis: legal obligation. HMRC requires retention of financial records for at least six years; the Gambling Commission may inspect free-entry records for compliance with the Gambling Act 2005.
For service emails. Lawful basis: legitimate interest. We send confirmation emails, winner notifications, and important account or refund updates only — never marketing without separate consent.
Who we share it with
We use a small number of EU/US processors to operate the service. Data shared with each is the minimum required for that service, governed by Data Processing Agreements and UK/EU Standard Contractual Clauses where relevant.
- Stripe Payments UK Ltd — payment processing. PCI DSS Level 1.
- Clerk, Inc. — account authentication and session management.
- Resend, Inc. — transactional email delivery.
- Vercel Inc. — application hosting and edge delivery.
- Neon Inc. — managed Postgres database (entries, ticket numbers, account claims).
- UK courier — appointed at the time of shipping each prize; named in the winner email.
We don't sell your data, share it with advertisers, or use it for profiling. We disclose data outside this list only when legally compelled (court order, valid HMRC or Gambling Commission request).
How long we keep it
- Account data: until you ask us to delete it, plus six years for financial records of any paid entries (HMRC requirement).
- Entry records (drop, size, ticket numbers, status): six years from the close of the relevant drop.
- Free-entry email submissions: deleted within 90 days of the corresponding draw.
- Logs and analytics: 12 months.
- Marketing consent records: until you withdraw, plus two years for our records.
Your rights
Under UK GDPR you have the right to:
- Access — get a copy of the data we hold about you.
- Rectify — correct inaccurate or incomplete data.
- Erase — delete your data, subject to legal retention above.
- Restrict processing — pause our use of your data.
- Object — object to processing that we base on legitimate interest.
- Data portability — receive your data in a structured, common format.
- Withdraw consent — withdraw it for any use of your data that relies on consent.
Email hello@copdrop.xyz to exercise any of these. We respond within 30 calendar days.
You can also complain to the UK Information Commissioner's Office at ico.org.uk/make-a-complaint if you think we've handled your data incorrectly.
Cookies and analytics
Strictly-necessary cookies do not require consent under PECR: a session cookie set by Clerk to keep you signed in, and a checkout session reference set by Stripe during payment.
With your opt-in consent (the banner shown on first visit), we also load:
- Meta Pixel — measures how our marketing performs (Facebook/Instagram ads attribution).
- Microsoft Clarity — anonymous session analytics: heatmaps, scroll depth, and rage-click detection, plus pseudonymised session replays. Form inputs are masked by default, so we do not see what you type. Used only to improve the experience.
You can decline at the banner, and you can withdraw consent at any time using the "Manage cookies" button in the site footer — that clears your choice, reloads the page, and shows the banner again. We also use Vercel Web Analytics, which is aggregated and cookieless.
Children
Cop Drop is strictly for users aged 18 and over. We do not knowingly collect data from anyone under 18. If we learn that a minor has entered, we delete their data immediately and refund any paid entry to the original card.
International transfers
Some of our processors (Clerk, Resend, Stripe, Vercel, Neon, Meta, Microsoft) host data in the United States. Transfers from the UK rely on the UK-US Data Bridge, the EU-US Data Privacy Framework, or UK/EU Standard Contractual Clauses, depending on the processor. Each processor publishes its safeguards on its public Trust or Privacy page.
Changes to this policy
We may update this policy as Cop Drop grows (for example, when we add a new processor or analytics provider). Material changes are flagged at the top with a new "Last updated" date, and where the change is significant we'll email account holders.