Loading

Privacy Policy

Last updated: 17 July 2026

This Privacy Policy explains how WWPosts.com, operated under the trading name WWPosts ("we", "us", or "our"), collects, uses, and protects your personal data when you use the Platform.

We are committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller

The data controller for the Platform is WWPosts (trading name).
Contact: [email protected]

2. Data We Collect
2a. Information you provide directly
  • Account registration: name, username, email address, password (stored as a hash — never in plaintext).
  • Profile: optional profile photo, biography, and location details you choose to share — including a precise preferred location (used to center your "near me" searches and search radius) and, if provided, your date of birth and phone number.
  • Photo location data (EXIF GPS): if your device embeds GPS coordinates in a photo you upload, we may read and store those coordinates to place the photo on the map for that post. You can avoid this by removing location data from a photo before uploading (most phone camera apps offer this option), or by not tagging a location when prompted.
  • User-generated content: posts, events, market listings, trail entries, bug reports, and feature requests you submit.
  • Payments: Payment processing is not currently active — all features are free. If payment features are enabled in future, billing name, address, and payment tokens would be processed via Stripe. We would never store full card numbers on our servers.
  • Communications: messages you send us via email or support forms.
2b. Information collected automatically
  • IP addresses: logged when you access the Platform, submit content, or when our servers detect a potential security incident. IP addresses are considered personal data and are handled as described below.
  • Content Security Policy (CSP) violation reports: automatically sent by your browser when a security policy violation is detected. These reports include the page URL, blocked resource URL, and your IP address.
  • Log data: server access logs (timestamps, request paths, HTTP status codes, browser/device type).
  • Live location sharing ("Track"): if you choose to start a live location-tracking session, we record GPS coordinates (with timestamps and accuracy) for the duration of the session so it can be displayed to the people you share it with. A Track session is viewable by anyone who has the session's unique share link — treat that link as sensitive and only share it with people you trust to see your live location.
  • Cookies & session data: see Section 7 below.
3. How We Use Your Data
PurposeLawful Basis (UK GDPR Art. 6)
Providing and operating the Platform (account management, content display)Performance of a contract (Art. 6(1)(b))
Processing subscription paymentsPerformance of a contract (Art. 6(1)(b))
Detecting and preventing fraud, abuse, and security attacks; CSP report analysisLegitimate interests (Art. 6(1)(f))
Linking IP addresses to registered user accounts for security investigationsLegitimate interests (Art. 6(1)(f))
Sending transactional emails (account confirmation, password reset, receipts)Performance of a contract (Art. 6(1)(b))
Sending service updates or material changes to these policiesLegitimate interests (Art. 6(1)(f))
Complying with legal obligationsLegal obligation (Art. 6(1)(c))

We do not build individual advertising profiles from your browsing behaviour, track you across other websites for ad purposes, or sell your data to third parties. Advertisers may choose to target ad placement using general criteria — a specific community/region on the Platform, or a geographic radius around a location — but this is placement configuration by the advertiser, not profiling of individual users.

4. IP Addresses & Security Logging

We log IP addresses for security and fraud-prevention purposes, including to:

  • Detect brute-force login attempts and account takeover attacks.
  • Investigate CSP violation reports and identify potentially malicious domains.
  • Associate suspicious activity with registered accounts where necessary for an investigation.

Security logs are retained for a maximum of 90 days, after which they are automatically purged. IP addresses are not used to track your browsing behaviour beyond what is reasonably necessary for security purposes.

5. Data Retention
  • Account data: retained for as long as your account is active, plus up to 30 days after deletion to allow recovery, then permanently deleted.
  • Payment records: retained for 7 years as required by UK financial record-keeping obligations.
  • Security/IP logs (including IP addresses and browser details attached to bug reports and feature requests): maximum 90 days.
  • CSP violation reports: maximum 90 days.
  • Live location-tracking data (GPS pings): maximum 90 days.
  • Deleted content: removed from public view immediately. Residual copies may persist in encrypted database backups until those backups expire under our rolling retention schedule (most backups expire within weeks; longer-term archive backups are kept for up to 24 months). Backups are used only for disaster recovery and are not used to restore deleted content to public view.
6. Sharing Your Data

We share personal data only with:

  • Stripe, Inc. — payment processing infrastructure is present but not currently active (all features are free). If payments are activated in future, Stripe would process transaction data. Stripe is certified to PCI-DSS Level 1. See Stripe's Privacy Policy.
  • DigitalOcean, LLC — hosting provider; our servers and encrypted database backups run on DigitalOcean infrastructure. See DigitalOcean's Privacy Policy.
  • Mailgun Technologies, Inc. (Sinch) — sends our transactional email (account verification, password resets, notifications) and receives inbound email you send to Platform addresses; processes recipient email addresses and message content. See Mailgun's Privacy Policy.
  • Google LLC — Google Maps Platform (maps display, place search, geocoding). Location queries you type and coordinates needed to render maps or resolve addresses are sent to Google. See Google's Privacy Policy.
  • OpenAI, L.L.C. — when you use the image-based listing import tool, the product images you upload for that feature are sent to OpenAI's vision API to extract listing details. Images are not sent to OpenAI for any other feature. See OpenAI's Privacy Policy.
  • Hosting & infrastructure providers — other servers and services on which the Platform runs, bound by data processing agreements.
  • Law enforcement or regulatory authorities — when required by law or to protect the rights, property, or safety of us or others.

We do not sell, rent, or trade your personal data to any third party for marketing purposes.

7. Cookies

The Platform uses the following categories of cookies:

  • Strictly necessary: session cookies required for authentication and security (CSRF token). These cannot be disabled.
  • Functional/preference: cookies that remember your theme preference (light/dark mode) and other UI settings.

We do not use advertising or third-party tracking cookies. No consent banner is required for strictly necessary cookies under UK PECR, but we have disclosed all cookies above in line with transparency requirements.

8. International Transfers

Our servers and some third-party processors may be located outside the UK. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place (e.g. UK adequacy regulations, or the UK International Data Transfer Agreement).

9. Your Rights Under UK GDPR

You have the following rights in relation to your personal data:

  • Right of access — request a copy of the data we hold about you.
  • Right to rectification — ask us to correct inaccurate data.
  • Right to erasure ("right to be forgotten") — request deletion of your data, subject to legal retention obligations.
  • Right to restriction of processing — ask us to limit how we process your data.
  • Right to data portability — receive your data in a machine-readable format. You can self-serve this from Account Settings → Download your data, which exports your profile, posts, listings, favorites, ratings, and feedback submissions as a JSON file.
  • Right to object — object to processing based on legitimate interests.
  • Rights related to automated decision-making — we do not make solely automated decisions with legal or significant effects on you.

To exercise any right, email us at [email protected]. We will respond within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk.

10. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include encrypted connections (HTTPS/TLS), hashed password storage, and automated security monitoring. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security.

11. Children

The Platform is not directed at or intended for individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice on the Platform at least 14 days before the change takes effect. The "Last updated" date at the top of this page will always reflect the most recent revision.

13. Contact

For any privacy-related queries, requests, or complaints:
Email: [email protected]

See also our Terms & Conditions.