Legal

Privacy Policy

This page explains what data PandaPicks collects, how we use it, and your privacy choices. Last updated: 4 May 2026.

Data Controller

PandaPicks is the data controller for personal data processed through this service. You can reach us at support@pandapicks.co.uk for any privacy-related questions, requests, or complaints.

Information We Collect

We collect account details you provide (such as email address and username), content you submit (deals, comments, votes), and usage data needed to operate and improve the platform. With your consent, we also collect analytics data including pages visited, clicks, session recordings, and device/browser information. Inputs in session recordings are automatically masked, so values you type into form fields (including passwords) are not captured.

Legal Bases for Processing

Under UK GDPR we rely on the following legal bases:

  • Performance of a contract - to create and maintain your account, deliver core features, and send transactional emails (such as sign-in confirmations, password resets, and deal alerts you have requested).
  • Legitimate interests - to keep the platform secure, prevent abuse and fraud, log errors, and improve the service. You can object to processing based on legitimate interests at any time.
  • Consent - for analytics, session recordings, and any non-essential cookies. You can withdraw consent at any time without affecting the lawfulness of prior processing.
  • Legal obligation - where we must process data to comply with applicable law.

Age Requirement

PandaPicks is not intended for children under 13. By creating an account you confirm that you are at least 13 years old. If we become aware that we have collected personal data from a child under 13 without parental consent, we will delete it.

How We Use Information

We use your information to provide core product features, personalise your experience, keep the platform secure, and communicate important service updates. Analytics data is used solely to understand how the platform is used and to improve it.

Service Providers

We use trusted third-party processors to operate the platform. They process personal data on our behalf under contractual safeguards.

  • Supabase - hosts our database, authentication, and stored content. See Supabase's Privacy Policy.
  • Resend - sends transactional emails such as confirmations, password resets, and deal alerts. Emails may include tracked links so that we can understand which content is useful; tracking is limited to recording that a link was clicked and is served via a subdomain we control. See Resend's Privacy Policy.
  • Sentry - collects diagnostic information when errors occur (such as the page URL, browser version, and a stack trace) so we can fix bugs. See Sentry's Privacy Policy.

Cookies and Analytics

With your consent, we use two analytics services:

  • PostHog - a product analytics platform that collects pageviews, clicks, form interactions, and session recordings. PostHog may set cookies to identify returning visitors. Data is processed on PostHog's EU cloud infrastructure. See PostHog's Privacy Policy.
  • Google Analytics 4 - a web analytics service operated by Google LLC. It collects pageviews, session data, and device/browser information and may set cookies. Data may be processed by Google on servers in the US and other countries. See Google's Privacy Policy.

Neither service is loaded until you accept cookies via our consent banner. You can withdraw consent at any time using the "Manage cookies" link in the footer, which re-opens the banner. Withdrawal is as easy as the original consent and does not affect the lawfulness of any processing carried out before withdrawal.

Data Sharing and International Transfers

We do not sell personal information. Some of our service providers (notably Google Analytics, Sentry, and Resend) may process data outside the UK and EEA. Where this happens, transfers are protected by the UK International Data Transfer Addendum, the EU Standard Contractual Clauses, or another lawful transfer mechanism.

Data Retention

We retain personal data only as long as we have a lawful basis to do so:

  • Account and content data - kept while your account is active and for up to 30 days after deletion to allow recovery and to meet operational requirements.
  • Analytics and session recordings - retained for up to 12 months by PostHog and according to Google Analytics' default 14-month retention.
  • Error and security logs - kept for up to 90 days.
  • Email delivery logs - retained by Resend for up to 30 days for diagnostic purposes.

We may retain limited data for longer where required by law (for example, to respond to legal claims or comply with regulatory obligations).

Security

We apply reasonable technical and organisational safeguards to protect your data, including encryption in transit, role-based access controls, and database row-level security. No method of transmission or storage is 100% secure, so we cannot guarantee absolute security.

Your Rights and Choices

Under UK GDPR you have the right to access, rectify, erase, restrict, or object to the processing of your personal data, and the right to data portability. You can update account details, manage alerts, and request account removal through available settings or by emailing support@pandapicks.co.uk. You may decline or withdraw analytics consent at any time via the cookie banner or the "Manage cookies" link in the footer - this will not affect your ability to use PandaPicks.

If you believe we have not handled your data lawfully, you have the right to lodge a complaint with the UK Information Commissioner's Office at ico.org.uk.

Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via the platform or email. The "Last updated" date at the top of this page shows when it was last revised.