This privacy policy explains how ECM Collectables Ltd (company number 17170378) collects, uses, and protects your personal data when you use ecmafia.co.uk. We comply fully with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who We Are
ECMafia and Eccles Cake Mafia are trading names of ECM Collectables Ltd, a private limited company registered in England and Wales.
For the purposes of UK GDPR, ECM Collectables Ltd is the data controller of your personal information.
2. What Data We Collect
When you use our website and enter our competitions, we may collect the following categories of personal data:
Information you provide directly
Name — used on competition entries and winner records
Email address — for account login, entry confirmations, winner notifications, and support
Postal address — used to deliver prizes to winners
Phone number (optional) — used to contact winners where delivery issues arise
Date of birth or age confirmation — to verify you are 18 or over (required by our Terms)
Password — stored in hashed form; we cannot see or retrieve your password
Skill question answers — submitted as part of competition entries
Support messages — when you contact us via email or our contact form
Information collected automatically
Purchase records — competition entries, ticket numbers, order numbers, payment references
Session tokens — small identifiers stored in your browser to keep you logged in
Technical data — IP address, browser type, device, and referrer (from standard web server logs)
Purchase IP address — the IP address used for each completed competition entry, stored alongside the purchase record. Used as evidence in payment disputes (e.g. chargebacks) and for fraud investigation
Failed entry attempts — when you submit an entry that is rejected (for example, a wrong answer to the skill question, an account restriction, a sold-out competition, or a payment issue), we keep a short record of the attempt for up to 30 days. This record includes your email, name (if provided), the answer given, your IP address, and the reason for rejection. Used for customer support, skill-gate audit evidence, and fraud detection. See section 5 for retention details.
Information from third parties
Payment confirmation — Stripe (our payment processor) confirms successful payments and provides the last four digits of your card for receipts. We never see, store, or have access to your full card number
3. Why We Use Your Data
We process your personal data only for the following purposes, each of which has a lawful basis under UK GDPR:
To operate your account and process entries — legal basis: performance of a contract
To process payments securely via Stripe — legal basis: performance of a contract
To deliver prizes to winners — legal basis: performance of a contract
To send you competition confirmations and winner notifications — legal basis: performance of a contract
To respond to support enquiries — legal basis: legitimate interests
To prevent fraud, abuse, and chargebacks — including reviewing IP addresses, failed entry attempts, and unusual patterns of activity — legal basis: legitimate interests
To demonstrate compliance with the Gambling Act 2005 §14 skill exemption — including retaining evidence of skill-question rejections, which may be shared with HMRC, the Gambling Commission, or our bank if requested as part of a regulatory review — legal basis: legal obligation
To comply with our legal obligations such as HMRC tax records, Companies House filings, and anti-fraud checks — legal basis: legal obligation
To send promotional or marketing emails (only if you opt in) — legal basis: consent, which you can withdraw at any time
4. Who We Share Data With
We do not sell your personal data. We share it only with trusted third-party service providers where necessary to operate our service:
Stripe Payments Europe Ltd — payment processing (they act as an independent data controller for payment data)
Hetzner Online GmbH — website hosting (data stored on servers in the EU/UK)
Royal Mail and courier partners — where needed to deliver physical prizes
Email delivery service — to send transactional emails (confirmations, winner notifications)
Our accountant and HMRC — for tax compliance
Law enforcement or regulators — only when legally required to disclose information
We require all third parties to keep your data secure and use it only for the specific purpose we've engaged them for.
5. How Long We Keep Your Data
Account data — for as long as your account is active. If you request account deletion, we remove personal identifiers within 30 days, subject to the legal retention periods below
Competition records, winner records, and financial transactions — retained for 6 years as required by HMRC and UK company law. This includes the IP address used to make each purchase, kept as evidence for payment disputes
Failed entry attempts — automatically deleted after 30 days (sliding window). After this period, only summary statistics are retained for skill-gate audit logs
Support correspondence — typically 2 years after the matter is resolved
Server logs — typically 30-90 days
6. How We Protect Your Data
All data transmitted between your browser and our servers is encrypted using HTTPS (SSL/TLS)
Passwords are stored using industry-standard one-way hashing — not even we can see them
Payment card details are handled exclusively by Stripe, a PCI DSS Level 1 certified processor. We never handle full card numbers
Access to personal data is restricted to authorised staff on a need-to-know basis
Our servers are hosted in secure data centres with physical and network security controls
7. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
Right of access
Request a copy of the personal data we hold about you.
Right to rectification
Ask us to correct data that is inaccurate or incomplete.
Right to erasure
Request deletion of your data, subject to legal retention obligations.
Right to restrict processing
Ask us to limit how we use your data in certain circumstances.
Right to data portability
Receive your data in a structured, machine-readable format.
Right to object
Object to processing based on our legitimate interests.
Right to withdraw consent
Withdraw marketing consent at any time via an unsubscribe link.
Right to complain
Lodge a complaint with the UK Information Commissioner's Office (ICO).
To exercise any of these rights, please email ecmafiasupport@gmail.com. We will respond within one month.
8. Cookies and Local Storage
We use a small number of essential technologies to operate the site:
Session tokens — stored in your browser's local storage to keep you logged in. Strictly necessary and not used for tracking
Payment processing cookies — set by Stripe when you make a payment. These are required to complete the transaction securely
We do not use advertising cookies, tracking pixels, or third-party analytics that share data with marketing networks.
9. Age Restrictions
Our services are for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. If we discover that we have collected data from a child, we will delete it immediately.
10. International Transfers
Your data is primarily stored and processed within the UK and EU. Where data is transferred outside these regions (for example, if Stripe routes data via other jurisdictions), we ensure appropriate safeguards are in place, including standard contractual clauses and adequacy decisions.
11. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. The latest version will always be available at ecmafia.co.uk/privacy.html with the updated date at the top. Registered users will be notified of significant changes by email.
12. Contact Us
Data protection queries
For any question about this policy or your data, or to exercise your rights: