
Privacy Policy

Last updated: 31 March 2026

1. Who we are

CardDeckr Ltd (Company No. 17076419), 124-128 City Road, London, EC1V 2NX ("we", "us", "our"). We are the data controller for personal data collected through carddeckr.com. For any privacy-related queries, contact our Data Protection Lead at [email protected].


2. What data we collect

We collect the following categories of personal data:

  • Account data — name, email address, and password (stored in hashed form) when you create an account.
  • Order & payment data — shipping and billing address, order history, and payment references. We never store full card numbers; all payment processing is handled by our payment processor (see section 6).
  • Technical data — IP address, browser type, device type, and pages visited (collected via server logs and, with your consent, analytics cookies).
  • User-generated content — product reviews, wishlist selections, and customer support correspondence.

3. Lawful basis for processing

We process your data under the following legal bases (Article 6, UK GDPR):

  • Contract — processing your orders, managing your account, and providing customer support.
  • Legitimate interest — fraud prevention, site security, service improvement, and anonymous analytics.
  • Consent — analytics cookies, marketing emails, and restock notifications. You can withdraw consent at any time.
  • Legal obligation — retaining order and tax records as required by HMRC.

4. How we use your data

We use your personal data to:

  • Process and fulfil your orders
  • Manage your account and provide customer support
  • Send order confirmations and shipping updates
  • Prevent fraud and maintain site security
  • Understand how visitors use our site (with consent) to improve our products and services
  • Send marketing communications and restock notifications (with consent)

5. Cookies & analytics

We use the following types of cookies:

Cookie | Type | Purpose | Duration
Session cookie | Essential | Authentication and cart tracking | 30 days
Cookie consent | Essential | Remembers your cookie preference | Persistent
Google Analytics | Analytics | Anonymous usage statistics | Up to 2 years
PostHog (EU) | Analytics | Product analytics, session replay (form inputs masked), error tracking. IP not collected. | Up to 1 year

Essential cookies cannot be disabled as they are necessary for the site to function.

Analytics cookies (via Google Analytics and PostHog) are only loaded if you accept non-essential cookies via the consent banner shown on your first visit. These cookies collect anonymous data about page visits and do not identify you personally. PostHog is hosted in the European Union, runs with IP collection disabled, and all form inputs are masked in session recordings. You can change your preference at any time by clearing your browser's local storage.


6. Third-party service providers

We share personal data with the following categories of service providers, solely to deliver our services. Each provider processes data under their own privacy policy:

  • Payment processing — to securely handle card payments and refunds. Card details are sent directly to the payment processor and never pass through or are stored on our servers.
  • Email delivery — to send order confirmations, shipping updates, and (with your consent) marketing emails.
  • Analytics — to collect anonymous usage statistics (with your consent, see section 5).
  • Hosting & delivery — to serve and protect our website.

We do not sell, rent, or trade your personal data to third parties for marketing purposes.


7. Data retention

We retain your personal data as follows:

  • Account data — for as long as your account is active. You can request deletion at any time.
  • Order & payment records — up to 6 years after your last order, in line with UK tax record-keeping requirements (HMRC).
  • Guest cart data — automatically deleted after 30 days of inactivity.
  • Analytics data — retained in anonymous, aggregated form.

8. Your rights under UK GDPR

You have the following rights regarding your personal data:

  • Right of access — request a copy of your personal data. You can use the data export feature in your account settings.
  • Right to rectification — correct inaccurate data via your account settings or by contacting us.
  • Right to erasure — request deletion of your data ("right to be forgotten"). We will comply unless we have a legal obligation to retain it.
  • Right to data portability — receive your data in a machine-readable format (JSON) via the data export feature.
  • Right to object — opt out of processing based on legitimate interest, including direct marketing.
  • Right to restrict processing — limit how we use your data in certain circumstances.
  • Right to withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email [email protected]. We will respond within 30 days.


9. Automated decision-making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you. Fraud prevention checks may flag unusual transactions for manual review, but no automated decisions are made without human oversight.


10. Data security

We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit (TLS/HTTPS), hashed passwords, access controls, and regular security assessments. In the event of a personal data breach, we will notify the ICO and affected individuals as required by UK GDPR within 72 hours.


11. International transfers

Your data may be processed outside the UK where our service providers operate (including the EU and the United States). We ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs), UK International Data Transfer Agreements (IDTAs), or adequacy decisions recognised by the UK Government.


12. Children's privacy

Our services are not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe we have collected data from a child under 13, please contact us immediately and we will delete it.


13. Complaints

If you are unhappy with how we handle your data, we encourage you to contact us first at [email protected]. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.


14. Changes to this policy

We may update this policy from time to time. The latest version will always be available on this page with an updated date. Where changes are significant, we will notify you by email or via a notice on our website.