Privacy Policy
Last updated: March 21, 2026
1. Introduction
This Privacy Policy explains how Callum Wallace ("we", "us") collects, uses, and protects your personal data when you use Ceap Council at ceapcouncil.com. We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR).
2. Data We Collect
- Account data: email address, username, password (stored as a bcrypt hash — never in plain text)
- Profile data: full name, bio, avatar (optional, provided by you)
- Usage data: strategies you create, backtest results, forum posts, comments
- Technical data: IP address (for rate limiting and security), request logs (retained for 30 days)
3. How We Use Your Data
- To provide and operate the Service
- To send account verification and password reset emails
- To notify you of activity relevant to your account (mentions, competition results)
- To protect the security and integrity of the platform
We do not sell your data to third parties. We do not use your data for advertising.
4. Legal Basis for Processing (UK GDPR)
- Contract: processing necessary to provide the Service you signed up for
- Legitimate interests: security logging, fraud prevention
- Consent: optional email notifications (you can opt out in dashboard settings)
5. Data Retention
- Account data is retained while your account is active
- You may request deletion of your account and associated data at any time
- Security logs are retained for 30 days, then deleted
6. Third Parties
We use the following third-party services:
- Resend (resend.com) — email delivery. Your email address is passed to Resend solely to send transactional emails
- Hetzner (hetzner.com) — server hosting in Germany (EU). Your data is stored on EU servers
- Cloudflare (cloudflare.com) — DNS, DDoS protection, and email forwarding
7. Your Rights (UK GDPR)
You have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Erasure ("right to be forgotten") — request deletion of your account and data
- Portability — request a copy of your data in a machine-readable format
- Object to processing based on legitimate interests
To exercise any of these rights, email us at [email protected]. We will respond within 30 days.
8. Security
We implement appropriate technical measures to protect your data including:
- Encrypted connections (HTTPS/TLS) for all data in transit
- Bcrypt password hashing
- Encrypted 2FA secrets
- Access controls limiting database access
9. Cookies
We use only essential session cookies required for authentication. We do not use tracking or advertising cookies.
10. Children
The Service is not directed at anyone under 18. We do not knowingly collect data from anyone under 18. If you believe we have collected data from a minor, contact us at [email protected].
11. Changes
We may update this Privacy Policy. We will notify users by email of any significant changes.
12. Contact and Complaints
For privacy queries: [email protected]
You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe we have mishandled your data.