Privacy Policy

Last updated: 24 April 2026

1. Who we are

Scoffers App is a trading name of Design Superheroes Ltd, a company registered in England and Wales. We operate the website and platform at scoffers.app.

For the purposes of UK data protection law, Design Superheroes Ltd is the data controller for personal information collected through this platform.

If you have any questions about this policy or how we handle your data, contact us at:

2. What data we collect and why

Account registration

When you create a Scoffers account we collect:

  • Your first and last name
  • Your email address (used as your login username)
  • A hashed version of your password — we never store your password in plain text

Legal basis: performance of a contract — this information is necessary to create and manage your account.

Venue and offer information

When you create a venue or offer listing we collect:

  • Business name, description, and contact details
  • Address and geolocation data (latitude and longitude) sourced via Google Places
  • Images you upload (stored on Cloudinary)
  • Offer details: title, description, pricing, schedules or event dates

Legal basis: performance of a contract — this information is required to publish and manage your listings on the platform.

Payment information

Payments are processed by Stripe. We do not store your card number, CVV, or full payment details. We retain:

  • The Stripe payment or subscription ID
  • Payment status and amount
  • Invoice URLs (links to Stripe-hosted receipts)
  • Your Stripe customer ID (to link future payments to your account)

Legal basis: performance of a contract and compliance with legal obligations (financial record-keeping).

Location data

If you allow location access when browsing offers, your device's approximate latitude and longitude are stored locally in your browser (localStorage) to show distances to venues. This data is never transmitted to our servers and is cleared when you remove it via the "Clear location" button or clear your browser data.

Legal basis: consent — you explicitly trigger geolocation sharing via the location banner.

Usage and analytics data

We use Vercel Analytics and Vercel Speed Insights to understand how the platform is used and how it performs. These tools collect anonymised data such as page views, referrer URLs, browser type, and device type. They are designed to be privacy-respecting and do not use persistent tracking cookies or cross-site identifiers.

Legal basis: legitimate interests — understanding site usage helps us improve the platform.

Email communications

We send transactional emails via Resend, including:

  • Account registration confirmation
  • Account approval notification
  • Offer and venue creation confirmations
  • Payment and subscription updates
  • Password reset links

Legal basis: performance of a contract — these emails are directly related to your use of the platform.

3. How long we keep your data

Data type | Retention period
Account data | Until you delete your account, then soft-deleted immediately; permanently purged within 90 days
Venue and offer data | Until you delete the venue/offer or your account
Payment records | 7 years (required for UK financial record-keeping obligations)
Session tokens | 1 day (standard login) or 30 days ("Remember me"), then deleted automatically
Location data | Stored only in your browser; removed when you clear it or clear browser data
Analytics data | Retained by Vercel per their data retention policy (anonymised)

4. Who we share your data with

We share personal data with the following third-party processors only to the extent necessary to operate the platform. All processors are contractually bound to handle data securely and in accordance with applicable law.

Provider | Purpose | Location
Neon | PostgreSQL database hosting | EU / US (Standard Contractual Clauses)
Stripe | Payment processing and subscription management | US (adequacy decision / SCCs)
Cloudinary | Image storage and delivery | US (SCCs)
Google | Maps, Places address search and venue geolocation | US (SCCs)
Resend | Transactional email delivery | US (SCCs)
Vercel | Website hosting, analytics and performance monitoring | US (SCCs)

We do not sell your personal data to any third party, and we do not use it for advertising purposes.

5. International transfers

Some of our third-party processors are based outside the UK. Where data is transferred to countries not covered by a UK adequacy decision, we rely on UK International Data Transfer Agreements (IDTAs) or equivalent Standard Contractual Clauses to ensure an appropriate level of protection.

6. Your rights under UK GDPR

You have the following rights in relation to your personal data:

  • Right of access — you can request a copy of the personal data we hold about you.
  • Right to rectification — you can ask us to correct inaccurate or incomplete data.
  • Right to erasure — you can request deletion of your personal data. You can delete your account directly from Dashboard → Account → Delete account.
  • Right to restrict processing — you can ask us to limit how we use your data in certain circumstances.
  • Right to data portability — you can request your data in a structured, machine-readable format.
  • Right to object — you can object to processing based on legitimate interests.
  • Rights related to automated decision-making — we do not make solely automated decisions that have a legal or significant effect on you.

To exercise any of these rights, email us at . We will respond within one calendar month.

7. Security

We take reasonable technical and organisational measures to protect your data, including:

  • Passwords are hashed using bcrypt — they are never stored in plain text
  • Session cookies are set as httpOnly, Secure, and SameSite=Lax
  • All data in transit is encrypted via TLS/HTTPS
  • Database access is restricted and credentials are never exposed client-side

8. Complaints

If you believe we have not handled your data appropriately, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

We would, however, appreciate the opportunity to address your concerns directly before you contact the ICO.

9. Changes to this policy

We may update this policy from time to time. The "last updated" date at the top of this page reflects when changes were last made. Significant changes will be communicated by email or a notice on the platform.