Legal

Privacy Policy

How we collect, use, and protect your personal data.

Last updated: 3 June 2026

1. Who We Are

Pint & Protect is a fundraising campaign supporting British veterans and community projects. For the purposes of UK data protection law, Pint & Protect is the data controller responsible for your personal data.

If you have any questions about this policy or how we handle your data, please contact us at [email protected].

2. What Data We Collect

We may collect the following personal data:

  • Donation information: your name, email address, donation amount, and payment details (processed securely by Stripe — we never see or store your full card number)
  • QR code scan data: a one-way hash of your IP address, browser type, and timestamp when you scan a pub QR code
  • Session data: temporary session identifiers and CSRF tokens to keep the site secure
  • Pub attribution: if you visit via a pub's QR code, we store a cookie linking your visit to that pub
  • Newsletter subscription: your email address if you sign up for campaign updates, along with a one-way hash of your IP address and the date you subscribed
  • Cookie preferences: your choice to accept or decline cookies

3. How We Use Your Data

We use your personal data to:

  • Process your donations securely via Stripe
  • Attribute donations to participating pubs for the league table
  • Maintain campaign statistics (total raised, number of donors)
  • Send you a receipt or confirmation of your donation (via Stripe)
  • Manage subscription donations
  • Ensure the security and proper functioning of our website
  • Send you campaign updates and news if you have opted in to our newsletter (you can unsubscribe at any time)

4. Legal Basis for Processing

Under UK GDPR, we process your data on the following bases:

  • Contract: to process your donation and fulfil our obligations to you
  • Legitimate interest: to maintain campaign statistics, prevent fraud, and improve our services
  • Consent: for any optional cookies or communications you opt into

5. Payment Processing

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. When you make a donation, your payment details are transmitted directly to Stripe's secure servers. We receive only a confirmation of the payment, your name, and email address. We never have access to your full card details.

Stripe's privacy policy can be found at stripe.com/privacy.

6. Data Sharing

We do not sell, trade, or rent your personal data. We share data only with:

  • Stripe: to process payments securely
  • Google Fonts: font files are loaded from Google's servers (subject to Google's privacy policy)

7. Data Retention

  • Donation records: retained for 7 years as required by UK financial record-keeping obligations
  • QR scan data: IP hashes are retained for 12 months for analytics, then deleted
  • Session data: expires after 8 hours or when you close your browser
  • Newsletter subscriptions: retained until you unsubscribe, after which your record is marked inactive and your email is retained for 30 days to prevent accidental re-subscription, then deleted
  • Cookie preferences: retained for 1 year

8. Your Rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you
  • Rectify any inaccurate or incomplete data
  • Erase your data (where there is no legal obligation to retain it)
  • Restrict or object to processing of your data
  • Data portability — receive your data in a structured, commonly used format
  • Withdraw consent at any time where consent is the basis for processing

To exercise any of these rights, contact us at [email protected].

9. Cookies

For full details on how we use cookies, please see our Cookie Policy.

10. Security

We take the security of your data seriously. We use HTTPS encryption, CSRF protection, secure session handling, and one-way hashing of IP addresses. Payment data is handled exclusively by Stripe's PCI-compliant infrastructure.

11. Changes to This Policy

We may update this policy from time to time. Any changes will be posted on this page with an updated date. We encourage you to review this page periodically.

12. Complaints

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.