Who we are
The Service is operated by Looky Collectibles in the United Kingdom. For data protection enquiries, you can contact us by opening a support ticket from your dashboard after you sign in, or reach out through any contact details we publish on the site.
What data we collect
Depending on how you use the Service, we may process:
- Account & authentication — Email address and authentication data processed by our auth provider (Supabase), including password or magic-link sign-in. If you use invite-only sign-up, we store the invite code used at registration where applicable.
- Profile — Username, optional avatar image (stored in our storage), optional bio, and optional phone number if you choose to add or verify one.
- Giveaways — Entries per card, entry status (including free or paid entries where premium draws exist), and related timestamps.
- Shipping & winners — If you win a prize in a draw, we collect the name and address details you provide so we can fulfil postage (and in-person collection where offered). On competitions with several winners, we process shipping and winner records per prize slot. Winner status and fulfilment updates are stored to run shipping and support.
- Payments — For paid entry fees or postage, payments are processed by GoCardless (open banking / instant bank payment flows as implemented in the app). We receive payment status and references needed to match payments to your account and entries; we do not store your full bank login on our servers.
- Community & content — Comments and replies on card pages, optional community photos submitted for moderation, and likes where the feature exists. Public-facing text may be screened using automated profanity filters (including third-party list/API usage configured in admin tools).
- Support — Messages and metadata for support tickets you create in the app, including optional links to external tools (e.g. GitHub) where we use them for bug tracking.
- Email & marketing — If you subscribe to trainer updates / newsletter, we store your subscription status and send email via our configured provider (Mailgun, EU region where configured). You can unsubscribe using links in those emails or through your preferences where available.
- Technical & security — Server logs, security and rate-limiting data, a long-lived device cookie (__did) set in your browser to help protect against abuse, session cookies for signed-in use, and optional Cloudflare Turnstile tokens when bot protection is enabled (e.g. sign-in or comments).
- Analytics — We use Vercel Analytics to understand page views and performance in aggregate (hosted on Vercel alongside the site).
- Theme — If you toggle light/dark theme, your preference may be stored in browser local storage for convenience.
How we use your data
- To run daily giveaways, entries, winner selection, and fulfilment.
- To authenticate you, secure accounts, and enforce one-entry and fair-use rules.
- To send service emails (e.g. auth, winner, shipping) and, if you opt in, marketing emails.
- To moderate content, investigate abuse, and comply with law.
- To improve reliability, security, and product experience (including aggregate analytics).
Legal bases (UK GDPR)
Where UK GDPR applies, we rely on one or more of:
- Performance of a contract — Providing the Service, entries, winners, and postage.
- Legitimate interests — Security, fraud prevention, moderation, analytics, and improving the Service (balanced against your rights).
- Consent — Where required (e.g. non-essential marketing emails or optional cookies beyond strict necessity), we ask for consent and you may withdraw it.
- Legal obligation — Where we must retain or disclose data for compliance.
Processors & sharing
We use trusted service providers to host and operate the Service. They process data only on our instructions where they act as processors. These include, as applicable in our current deployment:
- Supabase — Database, authentication, file storage (e.g. avatars, card images, community photos).
- Vercel — Hosting and web analytics.
- GoCardless — Payment initiation and status for bank payments.
- Mailgun — Transactional and marketing email delivery (configuration is admin-controlled).
- Cloudflare — Turnstile for bot protection when enabled.
We may also embed third-party content (for example a Trustpilot reviews widget when configured), which is subject to that provider’s own privacy policy. External links (e.g. to Discord) are not embedded trackers on our pages by default.
We do not sell your personal data.
International transfers
Data may be processed on infrastructure outside the UK (for example EU or US regions offered by Supabase, Vercel, or Mailgun). Where we transfer personal data internationally, we rely on appropriate safeguards such as the UK extension to the EU–US Data Privacy Framework, standard contractual clauses, or other mechanisms as required by UK law.
Retention
We keep personal data only as long as needed for the purposes above, including legal, tax, and dispute resolution. Account data is generally retained while your account exists; some logs and backups may persist for a limited period afterward.
Your rights
Under UK data protection law you may have the right to:
- Access, correct, or delete your personal data;
- Restrict or object to certain processing;
- Data portability (where applicable);
- Lodge a complaint with the ICO (Information Commissioner’s Office) in the UK.
Signed-in users can download a copy of their account-related data in JSON format from /account/export (subject to rate limits). For other requests, contact us via support in the dashboard.
Security
We use industry-standard measures including HTTPS, access controls, and encrypted storage for sensitive secrets where applicable. No online service is completely secure; please use a strong password and protect your account.
Children
The Service is not aimed at children under 13. If you believe a child has provided personal data, contact us and we will take steps to delete it where appropriate.
Changes
We may update this policy from time to time. The “Last updated” date at the top will change when we do; continued use of the Service after changes means you acknowledge the updated policy.
Related
See also our Terms of Service.