Privacy Policy
Last updated: 1 June 2026
This is a clear-language draft written by the Diecastry team. It reflects how the service actually works today and what the GDPR requires us to disclose, but it has not yet been reviewed by an external lawyer. If you depend on something specific in here for compliance reasons, please email us first at hello@bigposting.com.
1. Who we are
Diecastry is operated by Bigposting, the data controller for the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"). You can reach us about anything in this policy at hello@bigposting.com.
We don't have a Data Protection Officer because we're below the size that requires one, but the same email address reaches the person responsible for privacy matters.
2. What data we collect
We only collect what we need to run the service. Concretely:
Information you give us
- Account data — email address, username, password (stored hashed via Supabase Auth, never plaintext), display name, optional avatar, optional country and preferred currency.
- Collection data — the diecast models you catalogue, photos you upload, prices you paid, prices you sold at, notes, reviews, and any other content you choose to add.
- Profile preferences — visibility settings, currency, notification preferences.
- Communications — if you message another collector or contact support, we store the message text so the conversation works.
Information we collect automatically
- Technical data — IP address, browser type, timestamps, the page you requested. Used to deliver the service, prevent abuse, and diagnose errors. Stored in our hosting provider's standard request logs and in our application logs.
- Cookies and similar technologies — see Section 6.
Information we do NOT collect
We don't run third-party advertising trackers. We don't sell your data. We don't use your photos or collection data to train AI models. We don't collect special-category data (health, political, religious, etc.) — please don't put any in your profile.
3. Why we use it (legal basis)
Under the GDPR we need a legal basis for every use of your data. Ours are:
- Performance of a contract (Art. 6(1)(b)) — running your account, displaying your collection, processing messages and listings. Without this we can't actually be Diecastry.
- Legitimate interest (Art. 6(1)(f)) — preventing fraud and abuse, keeping the platform secure, basic analytics on aggregate usage, error monitoring. We've weighed these interests against your rights and consider them reasonable for a community catalogue.
- Consent (Art. 6(1)(a)) — only used where the law requires it (e.g. non-essential cookies, marketing emails if we ever send them). You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)) — responding to lawful requests from authorities, complying with tax / record-keeping rules.
4. Who we share it with
We share data with a small list of processors strictly needed to run the service:
- Supabase (Supabase Inc.) — our database, authentication, and file storage provider. Hosted in the EU. Bound by a Data Processing Agreement.
- Vercel (Vercel Inc.) — our hosting / serverless function provider. Standard Contractual Clauses are in place for any necessary US transfers (see Section 9).
- Email delivery — when we send transactional emails (password reset, digest), we use Supabase's built-in email or a transactional-email provider.
Other than these, we share data only when (a) you publicly publish content yourself (your public profile, public models, marketplace listings) so the rest of the community can see it, or (b) the law requires us to.
We do not sell personal data. We never have.
5. Public vs private content
Diecastry is a community. By default, your profile and your collection have privacy settings you control. Anything you mark public (your profile, public models, reviews, marketplace listings) is visible to the whole internet and indexable by search engines. Anything marked private is visible only to you.
If you change a public item to private, search engines will eventually remove it from their index, but cached copies may persist for some time — this is outside our control.
6. Cookies and similar technologies
We use cookies and the browser's localStorage only for things essential to making the site work:
- Authentication — keeping you logged in across page loads.
- Preferences — your saved filter state, currency, feed mode (so the page remembers your last choice).
These are technically necessary and fall under the strict-necessity exemption in ePrivacy / GDPR — we don't need a banner for them. If we add analytics or any non-essential cookies in the future, we'll add a consent banner and won't drop them before you opt in.
7. How long we keep your data
- Account + collection — as long as your account is open. If you delete your account (see Section 8), we remove your personal data within 30 days, except where we're legally required to keep some records longer (e.g. transaction records for accounting).
- Application logs — up to 90 days, then deleted.
- Backups — rolling 30-day backups. Deleted content may persist in backups during that window before being overwritten.
8. Your rights under the GDPR
You have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data ("right to be forgotten") — including by deleting your account from Settings, which removes your profile and personal content.
- Restrict processing while a dispute is being resolved.
- Object to processing based on legitimate interest.
- Portability — receive your data in a machine-readable format. Email us and we'll export your collection.
- Withdraw consent at any time, where the legal basis is consent.
- Lodge a complaint with your national data protection authority if you believe we've broken the law.
To exercise any of these rights, email hello@bigposting.com. We'll respond within 30 days; usually much faster. There's no fee for normal requests.
9. International data transfers
Our database and storage are hosted in the European Union. Some of our processors (notably Vercel for hosting) may transfer data to the United States in the course of serving your requests. These transfers are covered by the Standard Contractual Clauses (SCCs) adopted by the European Commission, which provide an appropriate level of protection.
10. Children
Diecastry is not directed at children under 16. We don't knowingly collect personal data from under-16s. If you believe a child has registered, email us and we'll delete the account.
11. Changes to this policy
We may update this policy when the service changes or the law does. Material changes will be announced via the in-app notifications and / or email; minor ones (typos, clarifications) will just update the "last updated" date at the top.
12. Contact
Anything about this policy, your data, or your rights: hello@bigposting.com.
See also: Terms of Service.