Booster Box UK

Privacy Policy

Last updated: 11/9/2025

This Privacy Policy explains how Booster Box UK ("we", "us", "our") collects, uses, shares, and protects your information when you use our website, databases, community features, and shop (the "Services"). By using the Services, you agree to this Privacy Policy. If you do not agree, please do not use the Services.

Who we are

Booster Box UK is a UK-based TCG hub providing card databases and an e-commerce shop. For privacy queries, contact privacy@boosterbox.uk.

Data we collect

  • Account information: email address, password hash or login verification codes, session identifiers.
  • Profile and contact details: phone number, name (if provided), shipping/billing address fields (address lines, city, region, postal code, country).
  • Order and checkout data: items purchased, amounts, shipping method and cost, voucher and credit usage, Stripe Checkout session identifiers.
  • Technical data: IP address and user-agent (captured at session creation and for rate limiting), cookies (e.g., session_token), request metadata.
  • Media: images hosted via Cloudinary where applicable (product and brand assets).
  • Communications: emails we send (verification, order confirmations, shipment notifications) and your replies if you contact us.

How we use your data

  • Provide, operate, and improve the Services and our TCG databases.
  • Process orders and payments, manage credits and vouchers, and handle shipping.
  • Authenticate users, maintain sessions, detect and prevent fraud and abuse.
  • Send service emails (verification, receipts, shipping updates) and respond to support requests.
  • Comply with legal obligations and enforce our Terms of Service.

Legal bases (UK/EU GDPR)

  • Contract: to create your account, process orders, deliver purchases.
  • Legitimate interests: to secure our Services, prevent abuse, improve features, and market responsibly.
  • Consent: where required for optional features (e.g., marketing cookies/ads where implemented).
  • Legal obligation: tax, accounting, anti-fraud, and regulatory requirements.

Third-party processors and partners

We share limited data with trusted partners to operate core features. Each partner processes data subject to their own privacy policy:

  • Stripe (payments and Checkout sessions): payment method handling, fraud checks, Checkout session URLs and identifiers. Data may be transferred outside the UK/EU under appropriate safeguards. See Stripe’s policy at stripe.com/privacy.
  • SMTP Email (Nodemailer with your configured provider): sends verification, order confirmation, and shipment emails. We share recipient address and relevant order metadata needed to compose messages.
  • Cloudinary (media hosting/CDN): hosts product and brand images. When images are viewed, Cloudinary may receive standard request metadata (e.g., IP, user-agent). See cloudinary.com/privacy.
  • Advertising/Analytics: We plan to support Google Ads/AdSense and related advertising in certain areas. Where enabled, Google may set cookies or use similar technologies for ad personalisation/measurement subject to your consent where required. See Google’s policy at policies.google.com/technologies/ads.

Cookies and similar technologies

We use strictly necessary cookies to operate the site, including a session cookie ("session_token") for authentication. If and when advertising or analytics cookies are introduced, we will request consent where required and provide controls to manage your preferences.

Data retention

We retain account, order, and shipping data for as long as your account is active and for a reasonable period thereafter to comply with legal and accounting obligations. Session records and IP/user-agent logs used for security are retained for shorter periods consistent with their purpose. We periodically anonymise or delete data that is no longer required.

International transfers

Some partners (e.g., Stripe, Cloudinary, email providers, Google) may process data in jurisdictions outside the UK/EU. Where applicable, transfers rely on adequacy decisions, standard contractual clauses, or comparable safeguards.

Your rights

  • Access the personal data we hold about you.
  • Request correction or deletion of your data.
  • Object to or restrict certain processing.
  • Data portability, where applicable.
  • Withdraw consent at any time (where processing is based on consent).

To exercise these rights, contact privacy@boosterbox.uk. We may request verification of your identity to protect your data.

Security

We implement technical and organisational measures appropriate to the risks, including hashed session tokens, secure cookies (HttpOnly, SameSite=Strict, Secure), and partner integrations through TLS. No method of transmission or storage is 100% secure.

Children

Our Services are intended for users aged 13+ and are not directed to children under 13. We do not knowingly collect personal data from children under 13.

Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated date.
