Privacy Notice

Last updated: 2026-04-30. Version 1.0.

This notice tells you what personal data MAX•330 collects, why, who we share it with, and what rights you have. We're a small hobby project so we've kept this short and human-readable, but it covers everything UK GDPR requires.

1. Who's collecting your data

The data controller is Rob Llewellyn. MAX•330. Domain: max330.games. Email: rob@llewellyn.io.

2. Contact details for data questions

Same email: rob@llewellyn.io. We don't have a Data Protection Officer because we're not legally required to have one (small-scale, non-systematic processing). Email Rob directly.

3. What data we collect and why

Data | Why we collect it | Lawful basis
Email address | To create your account and contact you about listings. | Contract (UK GDPR 6(1)(b))
Display name + handle | To attribute your listings publicly. | Contract
Listing photos | To show buyers what you're selling. | Contract
Reputation ratings (Good / Fine / Bad) | To help buyers assess sellers and vice versa. | Legitimate interest (UK GDPR 6(1)(f))
UKVAC handle (optional) | To verify forum identity for image-to-listing imports. | Consent (UK GDPR 6(1)(a))
IP address (logged briefly for rate limits) | To prevent abuse. | Legitimate interest
Browser errors (via Sentry) | To fix bugs. | Legitimate interest

4. Recipients (subprocessors)

We use the following third-party services to run the site. Each one sees a limited slice of your data — what they see and why is listed below, with a link to their own privacy policy.

  • Hosting, web analytics, Speed Insights, Blob storage for listing photos.

  • Postgres database — stores accounts, listings, ratings.

  • Browser-side error tracking. Captures stack traces and the URL where the error happened.

  • Transactional email (sign-in links, listing notifications). Sees your email address.

  • Claude AI runs the image classifier on listing photos only. We don't send your account data, name, email, or any other PII — just the photo bytes and the cart_type the seller picked.

  • Redis cache for rate limits and Claude budget counters. No PII; we store IP-derived hashes for rate-limit windows.

5. International transfers

Several subprocessors are based in the US (Vercel, Sentry, Resend, Anthropic, Upstash). They self-certify under the EU-US Data Privacy Framework (or its UK extension), which the UK Information Commissioner's Office recognises as providing adequate protection. Neon's UK data is stored in EU regions.

6. How long we keep your data

  • Account: until you delete it.
  • Listings: until you delete them. Sold listings retain their pricing data point row forever (this is the dataset's purpose), but we anonymise the seller link 12 months after the sale.
  • Browser errors in Sentry: 90 days.
  • Server logs: 30 days.

7. Your rights

Under UK GDPR you have the right to:

  • access your data;
  • correct it;
  • erase it;
  • restrict processing;
  • object to processing;
  • data portability; and
  • withdraw consent (where consent is the lawful basis).

Email rob@llewellyn.io with the request and we'll respond within 30 days.

8. Right to complain

You can complain to the UK Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint or 0303 123 1113.

9. Whether providing data is mandatory

Email and display name are required to create an account and list a cart. UKVAC handle is optional. Without an account, you can browse the catalogue and read listings, but you can't list, contact sellers, or rate.

10. Automated decisions

We don't make solely-automated decisions that significantly affect you. The AI classifier suggests authenticity verdicts, but final publish or hide decisions are made by humans (the seller, you, or the admin) — never by the model alone.

11. Cookies

We use a session cookie (httpOnly, SameSite=Lax) to keep you signed in. We don't use third-party tracking cookies. Vercel Analytics uses a first-party cookie-less hashing approach. We don't display a cookie banner because we don't need consent for the strictly-necessary session cookie.

12. Changes to this notice

We can update this notice at any time. Material changes will be notified via email to registered users at least 14 days before they take effect.