Privacy Policy
Last updated: 14 April 2026
RateMySetup ("we", "us", "our") operates the website ratemysetup.co.uk. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data We Collect
1.1 Information you provide
- Account registration — email address, username, display name, and password.
- Profile — optional biography and profile picture.
- Setups — titles, descriptions, photos (up to 4 per setup), tags, and gear lists you upload.
- Comments & ratings — text content and star ratings you leave on other users' setups.
- Support requests — name, email address, request type, and message content submitted via our contact form.
- Two-factor authentication — if you enable 2FA, we store a TOTP secret and hashed backup codes linked to your account.
1.2 Information collected automatically
- Cookies — we set strictly essential cookies only: Supabase authentication session cookies and, if you enable 2FA, a verification cookie. We do not use analytics, advertising, or tracking cookies.
- Error & performance data — we use Sentry to capture errors and performance metrics. This may include your IP address, browser type, operating system, and the page where the error occurred. Sentry may also record anonymised session replays when an error occurs.
- Server logs — our hosting provider (Vercel) may log IP addresses, request timestamps, and URLs as part of normal server operation.
2. How We Use Your Data
- To create and manage your account.
- To display your profile, setups, comments, and ratings to other users.
- To send transactional emails (account confirmation, password resets, strike/ban notifications, support correspondence).
- To run competitions and display results.
- To enforce our Terms of Service, including content moderation, strike issuance, and account bans.
- To diagnose errors and improve site performance.
3. Legal Basis for Processing
Under UK GDPR, we process your data on the following grounds:
- Contract — processing necessary to provide you with the service you signed up for (account, uploads, ratings).
- Legitimate interests — error monitoring, security, and fraud prevention.
- Legal obligation — where required by law.
4. Third-Party Services
We share data with the following processors, all of which have their own privacy policies:
- Supabase (database, authentication, file storage) — your account data, uploads, and content are stored on Supabase infrastructure.
- Vercel (hosting) — serves the website and may process server logs.
- Resend (email delivery) — sends transactional emails on our behalf.
- Sentry (error tracking) — receives error reports and performance data.
- Amazon Associates — gear links on setups may contain Amazon affiliate tags. If you click an affiliate link, Amazon's own privacy policy applies to that interaction.
- api.qrserver.com — generates QR code images during 2FA setup. Your TOTP URI is sent to this service to render the QR code.
We do not sell your personal data to any third party.
5. Data Retention
- Account data — retained for as long as your account exists.
- Content (setups, comments, ratings) — retained until you delete them or your account is deleted.
- Support tickets — retained for moderation and audit purposes.
- Moderation records (strikes, bans, audit logs) — retained indefinitely for safety and compliance.
- Email verification codes — automatically expire after 24 hours.
6. Your Rights
Under UK GDPR you have the right to:
- Access your personal data.
- Rectify inaccurate data (you can update your email, username, display name, bio, and avatar in Settings).
- Erase your data — you can permanently delete your account and all associated content from the Settings page. This is irreversible.
- Object to or restrict processing in certain circumstances.
- Request data portability — a copy of your data in a structured format.
- Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
To exercise any of these rights, contact us at support@ratemysetup.co.uk.
7. Data Security
We protect your data with HTTPS encryption in transit, hashed passwords, Content Security Policy headers, rate limiting on sensitive endpoints, and row-level security on our database. Two-factor authentication is available for additional account security.
8. Children
RateMySetup is not directed at children under 13. We do not knowingly collect personal data from anyone under 13. If you believe a child under 13 has created an account, please contact us and we will delete it promptly.
9. International Transfers
Some of our third-party processors (Supabase, Vercel, Sentry, Resend) may store or process data outside the UK. Where this occurs, we rely on appropriate safeguards such as Standard Contractual Clauses or adequacy decisions.
10. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the site after changes constitutes acceptance of the updated policy.
11. Contact
If you have any questions about this Privacy Policy or how we handle your data, contact us at support@ratemysetup.co.uk or use the contact form.