EGPK.info
Prestwick Spotting

Privacy Policy

Last updated: April 2026

1. Data Controller

EGPK.info is the data controller for the personal data processed through this website. For any data protection enquiries, contact us at hello@egpk.info.

We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. What Data We Collect

We collect the following categories of personal data:

Account Information

  • Email address and password (hashed) when you create an account
  • Display name and profile preferences you choose to provide

Payment Data

  • Subscription and transaction records
  • Stripe customer and subscription identifiers
  • We do not store your full card number, CVV, or bank details. All payment processing is handled by Stripe, Inc. who act as an independent data controller for payment card data. See Stripe's Privacy Policy.

Photo Uploads (Creators)

  • Photographs you upload, including any embedded EXIF metadata (camera model, GPS coordinates, timestamps)
  • We strip GPS EXIF data from photos before public display but may retain original files for moderation purposes

ADS-B & Aircraft Data

  • ADS-B data is sourced from community volunteer receivers and contains aircraft transponder broadcasts (callsign, position, altitude, speed). This data does not contain personal data of passengers or crew.
  • If you contribute ADS-B receiver data, we may process the approximate location of your receiver for attribution and coverage mapping.

Usage & Technical Data

  • IP address, browser type, operating system, and device information
  • Pages visited, time spent, clicks, and referral source
  • API usage logs for subscribers (endpoints called, request counts, timestamps)

3. Lawful Basis for Processing

We process your data under the following lawful bases defined in UK GDPR Article 6(1):

  • Contract: To provide your account, subscription, and creator pool participation.
  • Legitimate interest: To operate, improve, and secure the platform; to provide analytics; to prevent abuse.
  • Consent: For non-essential cookies and marketing communications, where applicable.
  • Legal obligation: To comply with tax, fraud prevention, and other legal requirements.

4. How We Use Your Data

  • To create and manage your account and authenticate sessions
  • To process subscription payments and creator revenue payouts
  • To display your uploaded photos in the gallery with proper attribution
  • To monitor API usage and enforce rate limits for subscribers
  • To analyse site usage and improve the platform
  • To detect and prevent fraud, abuse, and security threats
  • To send service-related communications (e.g. subscription confirmations, payout notifications)

5. Cookies

We use cookies and similar technologies for authentication, preferences, and analytics. For full details, see our Cookie Policy.

6. Data Sharing & Third Parties

We share personal data only with the following categories of recipient, and only to the extent necessary:

  • Stripe, Inc. — Payment processing and creator payouts (Stripe Connect). Stripe is an independent data controller.
  • Hosting & infrastructure providers — Servers located in the United States. Data is protected under appropriate safeguards including the UK-US Data Bridge.
  • Analytics providers — Aggregated and, where necessary, pseudonymised usage data.

We do not sell your personal data to any third party.

7. International Transfers

Some of our service providers operate outside the United Kingdom. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including adequacy decisions, standard contractual clauses, or the UK-US Data Bridge as applicable under UK GDPR Chapter V.

8. Data Retention

  • Account data: Retained for the duration of your account plus 30 days after deletion request.
  • Payment records: Retained for 7 years to comply with HMRC tax obligations.
  • Photo uploads: Retained until you remove them or delete your account, unless required for legal proceedings.
  • Analytics data: Aggregated data retained indefinitely; identifiable analytics logs deleted after 26 months.
  • API logs: Retained for 90 days for abuse detection, then deleted or anonymised.

9. Your Rights

Under UK GDPR, you have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your data where there is no compelling reason for continued processing.
  • Restriction: Request that we limit how we use your data in certain circumstances.
  • Portability: Request a machine-readable copy of data you have provided to us.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, email us at hello@egpk.info. We will respond within one month as required by law.

10. Security

We implement appropriate technical and organisational measures to protect your personal data, including encrypted connections (TLS), hashed passwords, access controls, and regular security reviews. No system is entirely secure, and we cannot guarantee absolute security of your data.

11. Children

EGPK.info is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the site. The “Last updated” date at the top of this page indicates when the policy was last revised.