Privacy Policy
How we collect, use, and protect your personal data. Last updated: 14 May 2026.
Glitchdeals is operated from the United Kingdom. We are committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We do not sell your personal data. For data requests, email privacy@glitchdeals.co.uk.
1. Who We Are
Glitchdeals ("we", "us", "our") operates the website www.glitchdeals.co.uk — a UK-based price-intelligence and deal-aggregation platform. We are the data controller for personal data collected through this website. For all data protection queries, contact us at: privacy@glitchdeals.co.uk. You also have the right to contact the Information Commissioner's Office (ICO) at ico.org.uk if you have concerns about how we handle your personal data.
2. What Personal Data We Collect
We collect the following categories of personal data:
• Account data (via Clerk): your name, email address, profile photo, and a unique user ID when you create an account.
• Activity data: votes you cast on deals (deal identifier and vote value), comments you post (content and timestamp), and deal reports you submit — all linked to your Clerk user ID.
• Analytics data: pages visited, session duration, button clicks, referrer URLs, and device/browser information, collected by PostHog and Google Analytics.
• Performance data: Core Web Vitals and page load metrics collected by Vercel Speed Insights. This data is anonymised and not linked to your identity.
• Technical data: your IP address, browser type, operating system, and cookie identifiers.
3. Legal Bases for Processing (UK GDPR Article 6)
We process your personal data on the following legal bases:
• Contract (Art. 6(1)(b)): to provide account-gated features you have requested, including voting, commenting, saved deals (Vault), and deal submissions.
• Legitimate interests (Art. 6(1)(f)): to operate, secure, and improve the platform; to detect and prevent fraud, abuse, and vote manipulation; to conduct product analytics that help us improve the service. Our legitimate interests do not override your fundamental rights — you may object to processing on this basis (see Section 8).
• Consent (Art. 6(1)(a)): for non-essential analytics cookies (Google Analytics, PostHog) where consent is required.
5. Our Data Processors (Third Parties)
We share your data only with the following processors, bound by Data Processing Agreements (DPAs), solely to provide the service:
• Clerk, Inc. (USA) — authentication and account management. Transfers governed by UK IDTA / SCCs.
• Supabase, Inc. (USA) — database storage (comments, votes, deal reports, consent records). Transfers governed by UK IDTA / SCCs.
• PostHog, Inc. (USA/EU) — product and behavioural analytics. Loaded only with consent. Transfers governed by UK IDTA / SCCs.
• Microsoft Corporation (USA) — Microsoft Clarity (anonymised heatmaps and session replay). Loaded only with consent. Passwords and email fields are automatically masked. Transfers governed by Microsoft's standard DPA.
• Google LLC (USA) — Google Analytics GA4 web analytics. Loaded only with consent. IP anonymisation enabled, Google Signals disabled. Transfers governed by Google's standard DPA.
• Functional Software, Inc. d/b/a Sentry (USA/Germany) — error monitoring and session replay (sentry.io). Loaded only with consent. sendDefaultPii is disabled and replay is fully masked (text and media). Transfers governed by Sentry's standard DPA.
• Vercel, Inc. (USA) — website hosting and Vercel Speed Insights. Transfers governed by UK IDTA / SCCs.
We do not sell your personal data. We do not share personal data with advertisers or any third party for their own marketing purposes.
6. International Data Transfers
Some of our data processors are based outside the United Kingdom. Where personal data is transferred to countries that do not have an adequacy decision from the UK Secretary of State, we ensure appropriate safeguards are in place — specifically the UK International Data Transfer Agreement (IDTA) and/or Standard Contractual Clauses (SCCs) — to ensure your data receives equivalent protection to that afforded under UK GDPR.
7. Data Retention
We retain your personal data for the following periods:
• Account data: retained for the duration of your account and deleted within 30 days of a verified account deletion request.
• Comments and votes: retained while your account is active; deleted within 30 days of a verified account deletion request.
• Deal reports: retained for platform integrity purposes for up to 12 months, then deleted.
• Analytics data: Google Analytics GA4 data is retained for 14 months (Google's default). PostHog data is retained for 12 months. Sentry event and session-replay data is retained for 90 days (Sentry default).
• Technical/server logs: retained for up to 30 days for security and debugging purposes.
8. Your Rights Under UK GDPR
You have the following rights in relation to your personal data:
• Right of access: request a copy of the personal data we hold about you (Subject Access Request).
• Right to rectification: request correction of inaccurate or incomplete data.
• Right to erasure ("right to be forgotten"): request deletion of your personal data where we have no overriding legitimate reason to retain it.
• Right to restriction of processing: request that we restrict processing of your data in certain circumstances.
• Right to data portability: receive your personal data in a structured, machine-readable format.
• Right to object: object to processing based on legitimate interests or for direct marketing.
• Right to withdraw consent: withdraw consent for analytics cookies at any time, without affecting the lawfulness of prior processing.
• Right to lodge a complaint: with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
To exercise any of these rights, contact us at privacy@glitchdeals.co.uk. We will respond within one calendar month, extendable by up to two further months for complex or numerous requests as permitted by UK GDPR Article 12(3). We may ask you to verify your identity before processing your request.
See also: /legal/consumer-rights for your statutory rights when buying through a Glitchdeals link, /legal/illegal-content for the illegal-content takedown route, and /accessibility for our WCAG 2.2 AA conformance statement.
9. Children
Glitchdeals is not directed at children under the age of 18. We do not knowingly collect or process personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, please contact us at privacy@glitchdeals.co.uk and we will delete it promptly.
10. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or disclosure. These include encrypted connections (HTTPS/TLS), access controls, row-level security on our database (Supabase RLS) — with the service-role key held server-side only and all browser writes mediated by RLS policies bound to your Clerk JWT — a strict Content Security Policy on every response, and regular security reviews. No system is entirely secure; in the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay, as required by UK GDPR.
11. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects when the policy was last revised. For material changes — such as new processing purposes or new data processors — we will provide prominent notice via a site banner or email where practicable. Your continued use of Glitchdeals after such changes indicates your acceptance of the updated policy.
Exercise Your Rights
Subject Access Requests, erasure requests, and all other data enquiries. See also: Terms, Consumer Rights, Illegal-content takedown, and Accessibility.