Privacy Policy

Who We Are

Foil Society is a trading name of Codú Limited, registered in Ireland. We sell Pokémon Trading Card Game products online at www.foilsociety.com.

For data protection queries, contact us at hi@foilsociety.com.

Data We Collect

We collect the following personal data:

• Account data: name, email address, and hashed password when you register
• Order data: shipping address, order history, and payment details (processed by Stripe — we never store card numbers)
• Analytics data: anonymised usage data via Google Analytics (only with your consent)
• Communication data: email address for order confirmations and shipping notifications

Legal Basis for Processing

• Contract: processing your orders and managing your account
• Consent: analytics cookies (Google Analytics)
• Legitimate interest: fraud prevention and site security

Third-Party Services

We share data with the following third parties as necessary:

• Stripe — payment processing (PCI-DSS compliant)
• Google Analytics — anonymised website analytics (only with consent)
• Amazon Web Services (SES) — transactional email delivery
• Amazon Web Services (S3/CloudFront) — image hosting and CDN

Cookies

We use the following cookies:

• Essential cookies: session authentication and cart data (localStorage) — required for the site to function
• Analytics cookies: Google Analytics — only set when you accept cookies via our consent banner

You can change your cookie preferences at any time by clearing your browser's local storage for this site.

Your Rights (GDPR)

Under GDPR, you have the right to:

• Access the personal data we hold about you
• Rectify inaccurate data
• Erase your data ("right to be forgotten")
• Restrict or object to processing
• Data portability
• Withdraw consent at any time

To exercise any of these rights, email hi@foilsociety.com. We will respond within 30 days.

Data Retention

We retain account data for as long as your account is active. Order data is retained for 7 years for tax and legal compliance. Analytics data is retained for 26 months (Google Analytics default).

Data Security

We use industry-standard security measures including HTTPS encryption, hashed passwords, and secure third-party payment processing. We never store payment card details on our servers.

Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or a notice on our website.