Privacy Policy

Controller

Gunpla Deals is the data controller for the personal data we collect. For data protection inquiries, to exercise your rights, or to contact us about this policy, please use our Contact Us page or the contact details provided there.

Data We Collect

We collect and process the following personal data:

  • Account data: Email, name, profile image, and OAuth provider information when you sign in (e.g. Google, GitHub).
  • Usage data: Wishlists, collections, price alerts, notifications, and preferences you set (e.g. currency, email notifications).
  • Cookie and consent choices: Your cookie consent selection (essential only vs. analytics) when you use our cookie banner.
  • Analytics (legitimate interest): We use privacy-respecting analytics that store only hashed fingerprints (no raw IP address or user agent). This helps us understand aggregate usage (e.g. page views, retailer clicks) without identifying individuals.
  • Audit logging (retailer and admin only): When users with retailer or admin privileges edit site data (e.g. kit information, retailer URLs), we log IP address and user agent for security and fraud prevention. General visitors and standard account holders are not subject to this logging.

Legal Basis

We process your data on the following legal bases:

  • Contract: Account and service delivery (e.g. wishlists, alerts, profile).
  • Legitimate interest: Hashed-fingerprint analytics for aggregate usage and site improvement, with no raw identifiers stored.
  • Legitimate interest: Audit logs for admin and retailer edits to site data, for security and fraud prevention only.
  • Consent: Non-essential cookies (e.g. Google Analytics). We use Google Consent Mode so analytics run only when you choose "Accept all" in our cookie banner.

Retention

We keep your account and related data until you delete your account. Audit logs (for retailer and admin edits) are retained for a defined period (e.g. 12 months) for security and fraud purposes; the exact period is configured in one place and stated in our systems. Hashed analytics data is retained as needed for aggregate statistics.

Third Parties and Processors

We use the following as data processors: OAuth providers (e.g. Google, GitHub) for sign-in; Google Analytics (only with your consent) for analytics; and email delivery services for alerts and notifications. They process data in accordance with their own privacy policies and, where required, data processing agreements (DPAs) with us.

Your Rights

You have the right to access, rectify, and erase your data, to restrict or object to processing, and to data portability. You may also lodge a complaint with a supervisory authority. To exercise these rights:

  • Access and portability: Use "Download my data" on your profile to receive a copy of your data.
  • Rectification: Update your profile and preferences in your account settings.
  • Erasure: Delete your account from your profile; we will anonymize and remove your data as described in this policy.
  • Other requests: Contact us via the Contact Us page.

Cookies

We use essential cookies (e.g. session, authentication, preferences such as currency) necessary for the service. Non-essential cookies (e.g. Google Analytics) are used only with your consent. You can choose "Essential only" or "Accept all" in our cookie banner; we do not load analytics until you accept.

Minors

This service is not directed at users under 16 (in the EU/EEA) or under 13 (in the US). If you believe we have collected data from a minor, please contact us and we will take steps to delete it.

We Do Not Sell Your Personal Information

We do not sell your personal information. This applies to all users, including those in California and other jurisdictions that require such disclosure.

Changes to This Policy

We may update this privacy policy from time to time. The current version is always available on this page. Continued use of the service after changes constitutes acceptance of the updated policy.