Skip to main content
SoundOps

Privacy policy

SkriptKid is the data controller for the personal data described below. We handle your information under UK GDPR and the Data Protection Act 2018.

What we collect

  • Contact information — name, email, phone — when you sign up, place an order, or message us.
  • Marketing consent provenance — when, where and how you consented.
  • Engagement data — emails opened, links clicked, purchases made.
  • Order data — billing/shipping addresses, line items, payment status.
  • Device + location — IP address, browser type, approximate city (from IP). Optional, cookie-consent-gated.

    • Why we use it

  • To send you marketing communications you've opted in to (consent).
  • To fulfil orders, send receipts and respond to support enquiries (contract).
  • To prevent fraud and abuse (legitimate interest).
  • To comply with HMRC tax record obligations (legal obligation).
  • To measure how visitors use the site (consent — cookies).

    • How long we keep it

  • Marketing consent — while consent is valid. Dormant contacts (24 months no engagement) get a re-permission email; if no response within 30 days, marketing is suspended.
  • Orders and tax records — 6 years post-fulfilment (HMRC requirement).
  • Email/SMS engagement events — 180 days.
  • WhatsApp / Instagram messages — 30 days.

    • Who we share it with

    We use the following data processors:

  • Amazon Web Services — Object storage (S3), email sending (SES), SMS (Pinpoint), queues (SQS), event bus (EventBridge), DNS (Route53) (Ireland (eu-west-1); Within UK / EEA adequacy)
  • MongoDB Atlas — Database (one cluster, per-tenant databases) (Per-cluster (verify in Atlas console); EU Standard Contractual Clauses + UK Addendum)
  • Vercel — Hosting, edge compute, SSL termination (Global edge (default US, configurable EU regions); EU Standard Contractual Clauses + UK Addendum)
  • Stripe — Payment processing, subscription billing, Connect accounts (US + UK + Ireland; EU Standard Contractual Clauses + UK Addendum)
  • Meta Platforms (WhatsApp / Instagram / Facebook) — WhatsApp Cloud API messaging, Instagram Graph API, Conversions API (Ireland + US; EU Standard Contractual Clauses + UK Addendum)
  • Anthropic — Claude AI for AI Writer + support chatbot (US; EU Standard Contractual Clauses + UK Addendum)
  • Upstash — Redis cache (rate limiting, tenant resolution L2 cache) (Per-database (configurable); EU Standard Contractual Clauses + UK Addendum)
  • Cloudflare — Turnstile CAPTCHA (anti-abuse) (Global edge (US-headquartered); EU Standard Contractual Clauses + UK Addendum)
  • Sentry — Error tracking + performance monitoring (PII redacted via Pino) (US; EU Standard Contractual Clauses + UK Addendum)

    • For full details including data residency and transfer mechanisms see our sub-processor list.

    Your rights

    Under UK GDPR you have the right to:

  • Access your data (Article 15) — request a SAR via the preference centre link in any marketing email.
  • Rectification (Article 16) — correct anything that's wrong.
  • Erasure (Article 17) — ask us to delete your data.
  • Restriction (Article 18) — ask us to pause processing while a dispute is open.
  • Portability (Article 20) — receive a machine-readable copy of your data.
  • Objection (Article 21) — opt out of marketing or legitimate-interest processing.

    • To exercise any of these contact josh@skriptkid.com. You can also complain to the UK Information Commissioner's Office at https://ico.org.uk/.

    Contact

    For any privacy questions, contact josh@skriptkid.com.

    Privacy Policy | SkriptKid