Legal

Privacy Policy

Last updated: 21 June 2026 · opinionpick.com

This Privacy Policy explains how OpinionPick collects, uses, shares and protects your personal data, and explains the rights you have in relation to it.

01  Controller identity

The data controller for your personal data is:

  • Controller: OpinionPick
  • Based in: England & Wales
  • Address: Suite RA01, 195-197 Wood Street, London, E17 3NU
  • Privacy contact: [email protected]

We do not have a statutory obligation to appoint a Data Protection Officer, but our privacy team handles all data-related queries. You may contact them at the address above.

02  Data we collect

We collect the following categories of personal data, limited to what is necessary for the purposes described in this policy:

  • Account and identity: name, email address, username, password (hashed), and any profile information you choose to provide.
  • Case content and evidence: the text, images and other material you submit when creating or joining a challenge or case; your chosen side and any arguments or evidence you upload.
  • Points, service fees and challenge history: records of service-fee transactions, points awarded or redeemed, and the outcomes of cases you have participated in.
  • Device and usage data: IP address, device type, operating system, browser, session duration and navigation patterns, collected only where you have given consent to analytics cookies.
  • Communications: messages you send to our support team, feedback you provide, and marketing preferences you set.
  • Security and fraud-prevention logs: login timestamps, failed authentication attempts and similar technical records.

We do not request or intentionally collect special-category data (such as health, political, or religious data), and we ask that you do not submit any in case content or evidence.

03  Lawful bases (Article 6 UK GDPR)

We only process your personal data where we have a valid lawful basis. The table below maps each processing purpose to its legal basis, the data categories used, and our standard retention period.

Purpose Lawful basis Data categories Retention
Running challenges and cases — providing the core service Article 6(1)(b) — performance of a contract Account, case content, evidence, challenge history Account lifetime + 3 years
Processing service-fee payments Article 6(1)(b) — performance of a contract Transaction records (processed by Stripe; we do not store full card data) 7 years (financial/tax obligations)
Preventing abuse, fraud and ensuring platform security Article 6(1)(f) — legitimate interests (keeping users and the platform safe) Security logs, login records, usage patterns 3 years
Analytics — understanding how the site is used Article 6(1)(a) — consent Device and usage data (via Google Analytics / GTM) Until consent is withdrawn; anonymised after 26 months
Marketing emails and waitlist communications Article 6(1)(a) — consent Email address, marketing preferences Until consent is withdrawn + 1 year

Legitimate interests: Where we rely on legitimate interests, we have assessed that our interests (security, fraud prevention, service integrity) are not overridden by your rights and freedoms. You may object to processing on legitimate-interests grounds at any time — see section 08.

04  Automated decision-making (Article 22 UK GDPR)

OpinionPick uses automated processing — including AI-generated verdicts — as part of its challenge resolution feature. Where a case is routed to our AI verdict system rather than community Jurors, the outcome is determined by automated analysis of the case content and evidence submitted by both sides.

Because OpinionPick verdicts are for entertainment and have no legal or similarly significant effect, we do not consider them to fall within the scope of Article 22 UK GDPR. Nonetheless, to be transparent and to keep results fair, we provide the following safeguards:

  • Entertainment purpose only: AI verdicts are used solely for entertainment. They have no legal effect whatsoever and do not constitute arbitration, mediation or any form of binding decision.
  • Right to human review: You may request that your case be escalated to community Jurors rather than resolved by the AI. Contact us at [email protected] to make such a request before a verdict is issued.
  • No profiling with legal effects: We do not use automated processing to make decisions about you that produce legal or similarly significant effects in any domain other than the in-app entertainment outcome of a specific case.

05  Sharing & processors

We do not sell your personal data. We share it only in the following circumstances:

  • Stripe (payment processing): service-fee and card data is handled by Stripe, Inc., a PCI-DSS-compliant payment processor, under a data-processing agreement. We do not store full card numbers.
  • Hosting and infrastructure provider: our application and databases are hosted with a cloud provider (EU/UK data centres where possible) under a data-processing agreement.
  • Cloudflare (Turnstile anti-bot and CDN): Cloudflare, Inc. processes connection metadata to protect the site from automated abuse, under a data-processing agreement.
  • Google (GTM / GA4 analytics): where you consent to analytics cookies, Google LLC processes usage and device data on our behalf under a data-processing agreement and the Google Ads Data Processing Terms.
  • Law and regulatory requirements: we may disclose personal data where required by law, court order or a legitimate request from a law-enforcement or regulatory authority.
  • Business transfers: if we merge, are acquired or sell assets, personal data may be transferred to the acquiring entity subject to equivalent privacy protections and advance notice to you.

All processors act only on our documented instructions and are contractually required to implement appropriate security measures.

06  International transfers

Some of our processors (including Stripe, Cloudflare and Google) are based in the United States or operate globally. Where personal data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, which may include:

  • UK International Data Transfer Agreements or EU Standard Contractual Clauses (SCCs) approved by the European Commission and adopted for UK transfers;
  • adequacy decisions made by the UK Secretary of State or the European Commission in respect of the recipient country; or
  • participation by the recipient in the EU–US or UK–US Data Privacy Framework (DPF), where applicable.

You may request a copy of the specific safeguards applicable to any transfer by contacting [email protected].

07  Security

We implement technical and organisational measures appropriate to the risks of processing your personal data, including:

  • Technical measures: encryption of data in transit and at rest; access controls and authentication requirements; regular security patching and vulnerability monitoring; automated threat detection.
  • Organisational measures: staff training on data protection and information security; confidentiality obligations for personnel with access to personal data; internal data-protection policies and incident response procedures.

No transmission over the internet or electronic storage is completely secure. If you believe your account has been compromised, please contact us immediately at [email protected].

08  Your rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Right of access: to receive a copy of the personal data we hold about you.
  • Right to rectification: to have inaccurate personal data corrected.
  • Right to erasure: to request deletion of your personal data in certain circumstances (for example, where it is no longer needed for the purpose for which it was collected).
  • Right to restriction: to request that we limit processing of your personal data in certain circumstances.
  • Right to data portability: to receive your personal data in a structured, commonly used, machine-readable format where processing is based on consent or contract.
  • Right to object: to object to processing based on legitimate interests; we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
  • Rights in relation to automated decision-making: to request human review of an automated AI verdict — see section 04.
  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.

How to exercise your rights: Submit a request by email to [email protected]. Please include your name, registered email address and a description of your request. We may ask for proof of identity before processing your request.

Response time: We will respond within one month of receiving a valid request. For complex or numerous requests, we may extend this period by a further two months, in which case we will notify you within the first month and explain the reason for the extension.

Exercising your rights is free of charge. We may decline requests that are manifestly unfounded or excessive; if so, we will explain our reasons.

09  Data retention

We retain your personal data only for as long as is necessary for the purposes described in this policy, or as required by law. The table in section 03 sets out the standard retention periods for each category. In summary:

  • Account and profile data: retained while your account is active and for 3 years thereafter (to handle residual queries and legal claims).
  • Financial and transaction records: 7 years from the date of the transaction (UK tax and financial-record obligations).
  • Security and audit logs: 3 years.
  • Analytics data: anonymised after 26 months; raw data deleted upon consent withdrawal.
  • Marketing data: until you withdraw consent, then deleted within 30 days (plus 1 year of suppressed-consent records for compliance purposes).

Where you request deletion of your account, we will delete or anonymise your personal data within a reasonable period, subject to any legal obligations that require us to retain certain records.

10  Children

OpinionPick is intended for adults aged 18 and over. The service involves optional service fees and is not directed at children or minors. We do not knowingly collect personal data from anyone under the age of 18. If you become aware that a child has provided us with personal data, please contact us at [email protected] and we will take steps to delete that information promptly.

11  Cookies

We use cookies and similar tracking technologies on our website. Essential cookies are required for the site to function; all other cookies (analytics, functional, marketing) are used only with your consent. For full details of which cookies we use and how to manage them, please see our Cookie Policy.

12  Breach handling

We maintain incident-response procedures for personal data breaches. In the event of a breach, we will:

  • assess the nature, scope and likely impact of the breach promptly;
  • notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of a breach, where that breach is likely to result in a risk to the rights and freedoms of individuals, as required by UK GDPR Article 33;
  • notify affected individuals directly where the breach is likely to result in a high risk to their rights and freedoms, as required by UK GDPR Article 34; and
  • document all breaches and remediation steps taken.

If you believe your personal data has been involved in a security incident, please contact us immediately at [email protected].

13  Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services or legal requirements. Where changes are material, we will notify you by email or in-app notification before they take effect, and update the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of OpinionPick after any changes constitutes acceptance of the updated policy, subject to any additional consent requirements.

14  Supervisory authority

You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) if you consider that our processing of your personal data infringes UK data protection law.

  • UK Information Commissioner's Office (ICO): ico.org.uk
  • Helpline: 0303 123 1113

We would always appreciate the opportunity to address your concerns directly before you contact the ICO. Please contact our privacy team first at [email protected].

If you are located in the EEA, you also have the right to contact your local data protection supervisory authority.

15  Contact

For any questions, concerns or requests relating to this Privacy Policy or the processing of your personal data, please contact us:

  • Email: [email protected]
  • Post: Privacy Team, OpinionPick, Suite RA01, 195-197 Wood Street, London, E17 3NU

We will acknowledge your query promptly and aim to resolve it within one month.