Privacy Policy
1. Who we are
OneOffX is a personal project operated by Mark Stanners ('I', 'me', or 'the controller'). It is not operated by a registered company. You can contact me at any time at legal@oneoffx.uk.
2. What data we collect and why
I collect only what is necessary to provide the service. The lists below summarise each category of data, why I collect it, and the lawful basis under UK GDPR.
Account and identity data
- EBU membership number and name — collected when you sign in via the EBU API. Lawful basis: contract (to provide your account).
- Email address — collected from the EBU API if your EBU record contains one. Used only for service-critical communications. Lawful basis: contract.
- EBU county/region and NGS grade — collected from the EBU API and displayed in your profile. Lawful basis: contract.
Authentication data
- Your EBU password is never stored by OneOffX. It is sent directly to the EBU API to verify your identity and then discarded. A short-lived session token is stored in your browser. Lawful basis: contract.
Usage data
- Tournaments and players you follow — stored to power the My Follows feature. Lawful basis: contract.
- Comments you post — stored to display in the hand commentary system. Lawful basis: contract.
- Standard server logs (IP address, timestamp, request path) — retained for up to 30 days for security and debugging. Lawful basis: legitimate interests.
3. What we do not collect
- We do not use advertising or analytics tracking cookies.
- We do not sell or share your data with third parties for marketing.
- We do not store payment information of any kind.
- We do not use automated profiling or decision-making that produces legal effects.
4. Third parties
The following third parties are involved in delivering the service:
- English Bridge Union (EBU) — your credentials are used to authenticate via their API. Your use of OneOffX is also subject to the EBU's own privacy policy at ebu.co.uk.
- Cloudflare, Inc. — the application and database are hosted on Cloudflare's infrastructure (Workers and D1). Cloudflare may process request data as a data processor. See cloudflare.com/privacypolicy.
I do not transfer personal data outside the UK or European Economic Area except as inherent in the use of Cloudflare's globally distributed infrastructure, which is covered by appropriate safeguards under UK GDPR Article 46.
5. How long we keep your data
- Account data — retained for as long as you have an account. If you ask me to delete your account, I will remove your personal data within 30 days.
- Comments — retained indefinitely unless you request deletion or a moderator removes them.
- Server logs — deleted after 30 days.
6. Your rights
Under UK GDPR you have the following rights. To exercise any of them, email legal@oneoffx.uk.
- Right of access — you can request a copy of the personal data I hold about you.
- Right to rectification — you can ask me to correct inaccurate data.
- Right to erasure — you can ask me to delete your account and associated personal data.
- Right to restriction — you can ask me to stop processing your data in certain circumstances.
- Right to portability — you can request your data in a machine-readable format.
- Right to object — you can object to processing based on legitimate interests.
I will respond to all requests within one calendar month. If you are unhappy with my response, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.
7. Cookies
OneOffX uses a single session token stored in your browser's local storage to keep you signed in. This is strictly necessary for the service to function and does not require your consent under PECR.
No third-party tracking or advertising cookies are used.
8. Security
I take reasonable technical measures to protect your data, including HTTPS encryption in transit and access controls on the database. However, no system is completely secure, and I cannot guarantee absolute security.
Your EBU password is never transmitted to OneOffX servers — authentication is handled directly between your browser and the EBU API.
9. Children
OneOffX is not directed at children under 13. I do not knowingly collect personal data from children. If you believe a child has provided personal data, please contact me and I will delete it promptly.
10. Changes to this policy
I may update this policy from time to time. When I do, I will update the effective date at the top and, where the changes are material, notify registered users by email. Continued use of OneOffX after a change constitutes acceptance of the updated policy.
11. Contact
For any privacy-related questions or to exercise your rights, contact:
Mark Stanners
legal@oneoffx.uk