Privacy Policy

Last updated: 7 April 2026

This Privacy Policy explains how WWPosts.com, operated under the trading name WWPosts ("we", "us", or "our"), collects, uses, and protects your personal data when you use the Platform.

We are committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller

The data controller for the Platform is WWPosts (trading name).
Contact: [email protected]

2. Data We Collect
2a. Information you provide directly
  • Account registration: name, username, email address, password (stored as a hash — never in plaintext).
  • Profile: optional profile photo, biography, location details you choose to share.
  • User-generated content: posts, events, market listings, trail entries, bug reports, and feature requests you submit.
  • Payments: Payment processing is not currently active — all features are free. If payment features are enabled in future, billing name, address, and payment tokens would be processed via Stripe. We would never store full card numbers on our servers.
  • Communications: messages you send us via email or support forms.
2b. Information collected automatically
  • IP addresses: logged when you access the Platform, submit content, or when our servers detect a potential security incident. IP addresses are considered personal data and are handled as described below.
  • Content Security Policy (CSP) violation reports: automatically sent by your browser when a security policy violation is detected. These reports include the page URL, blocked resource URL, and your IP address.
  • Log data: server access logs (timestamps, request paths, HTTP status codes, browser/device type).
  • Cookies & session data: see Section 7 below.
3. How We Use Your Data

Purpose | Lawful Basis (UK GDPR Art. 6)
Providing and operating the Platform (account management, content display) | Performance of a contract (Art. 6(1)(b))
Processing subscription payments | Performance of a contract (Art. 6(1)(b))
Detecting and preventing fraud, abuse, and security attacks; CSP report analysis | Legitimate interests (Art. 6(1)(f))
Linking IP addresses to registered user accounts for security investigations | Legitimate interests (Art. 6(1)(f))
Sending transactional emails (account confirmation, password reset, receipts) | Performance of a contract (Art. 6(1)(b))
Sending service updates or material changes to these policies | Legitimate interests (Art. 6(1)(f))
Complying with legal obligations | Legal obligation (Art. 6(1)(c))

We do not use your data for advertising profiling or sell it to third parties.

4. IP Addresses & Security Logging

We log IP addresses for security and fraud-prevention purposes, including to:

  • Detect brute-force login attempts and account takeover attacks.
  • Investigate CSP violation reports and identify potentially malicious domains.
  • Associate suspicious activity with registered accounts where necessary for an investigation.

Security logs are retained for a maximum of 90 days, after which they are automatically purged. IP addresses are not used to track your browsing behaviour beyond what is reasonably necessary for security purposes.

5. Data Retention
  • Account data: retained for as long as your account is active, plus up to 30 days after deletion to allow recovery, then permanently deleted.
  • Payment records: retained for 7 years as required by UK financial record-keeping obligations.
  • Security/IP logs: maximum 90 days.
  • CSP violation reports: maximum 90 days.
  • Deleted content: removed from public view immediately; purged from backups within 30 days.
6. Sharing Your Data

We share personal data only with:

  • Stripe, Inc. — payment processing infrastructure is present but not currently active (all features are free). If payments are activated in future, Stripe would process transaction data. Stripe is certified to PCI-DSS Level 1. See Stripe's Privacy Policy.
  • Hosting & infrastructure providers — servers on which the Platform runs, bound by data processing agreements.
  • Law enforcement or regulatory authorities — when required by law or to protect the rights, property, or safety of us or others.

We do not sell, rent, or trade your personal data to any third party for marketing purposes.

7. Cookies

The Platform uses the following categories of cookies:

  • Strictly necessary: session cookies required for authentication and security (CSRF token). These cannot be disabled.
  • Functional/preference: cookies that remember your theme preference (light/dark mode) and other UI settings.

We do not use advertising or third-party tracking cookies. No consent banner is required for strictly necessary cookies under UK PECR, but we have disclosed all cookies above in line with transparency requirements.

8. International Transfers

Our servers and some third-party processors may be located outside the UK. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place (e.g. UK adequacy regulations, or the UK International Data Transfer Agreement).

9. Your Rights Under UK GDPR

You have the following rights in relation to your personal data:

  • Right of access — request a copy of the data we hold about you.
  • Right to rectification — ask us to correct inaccurate data.
  • Right to erasure ("right to be forgotten") — request deletion of your data, subject to legal retention obligations.
  • Right to restriction of processing — ask us to limit how we process your data.
  • Right to data portability — receive your data in a machine-readable format.
  • Right to object — object to processing based on legitimate interests.
  • Rights related to automated decision-making — we do not make solely automated decisions with legal or significant effects on you.

To exercise any right, email us at [email protected]. We will respond within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk.

10. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include encrypted connections (HTTPS/TLS), hashed password storage, and automated security monitoring. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security.

11. Children

The Platform is not directed at or intended for individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice on the Platform at least 14 days before the change takes effect. The "Last updated" date at the top of this page will always reflect the most recent revision.

13. Contact

For any privacy-related queries, requests, or complaints:
Email: [email protected]

See also our Terms & Conditions.