PRIVACY NOTICE

Sealand Builders Program

How we collect, use, and protect your personal data

Controller: Sealand Services Ltd - Company No. 11234225

Registered Office: 95a Prince Avenue, Southend-on-Sea, Essex, SS2 6RL, England

Contact: ops@sealandgov.org (all privacy and Program enquiries)

Version: 1.2

Last Updated: 10 March 2026

Legal Framework: UK GDPR, Data Protection Act 2018, PECR 2003

Summary: We collect only what is necessary to run the Program. We do not sell your data. You have clear rights over your personal data. Send any privacy enquiry or rights request to ops@sealandgov.org, which routes internally to our privacy function.

1. Who We Are

Sealand Services Ltd (“we” / “us”) is the data controller for personal data processed in connection with the Sealand Builders Program (the “Program”). We are registered in England & Wales (Company No. 11234225) and operate in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).

This notice applies to all Builders and describes how we collect, use, share, retain, and protect your personal data in connection with the Program. It supplements, and where it conflicts on Program matters supersedes, any general Sealand website privacy notice. All privacy enquiries, data subject rights requests, stop-active-marketing requests, and winner-publication objections should be sent to ops@sealandgov.org, which routes internally to the privacy function. You may also contact us by post at the registered address above.

You have the right to complain to the Information Commissioner’s Office (ICO) at any time: ico.org.uk | 0303 123 1113 | Wycliffe House, Water Lane, Wilmslow, SK9 5AF. We ask that you contact us first so we have the opportunity to resolve your concern.

This notice is made available at the point where personal data is collected, including through the Program site, hosted forum, and related submission flows. Where the Sealand Builders forum is hosted by Civilized Discourse Construction Kit, Inc. (CDCK), CDCK acts as a hosted forum service provider / processor for forum infrastructure and related functionality, subject to its platform hosting terms and the safeguards described in this notice.

2. Data We Collect

We collect only what is necessary for the purposes described in Section 3. The categories below describe the personal data we may hold.

Identity Data

Name, username, date of birth (for age verification), country of residence, and E-Citizenship ID where applicable.

Contact Data

Email address. Postal address and phone number where you choose to provide them.

Account Data

Login credentials (email address and hashed password), account status, and account creation date.

Program Activity Data

Mission entries and completions, Points and Badge history, tier status, Reward records, Prize Mission entries, and Community Vote records. Community Vote records are limited to vote records sufficient to administer voting, detect manipulation, and resolve disputes. We do not retain full per-user vote history beyond what is required for those purposes.

User Content

Text, images, video, and other creative material you submit to the Program. See Section 7.

Forum Visibility Data

Where you post or reply on the Program forum, your username, profile information, and submitted content may be visible to other users or to the public depending on the category settings and forum configuration. Public forum content may also be indexed by search engines or otherwise accessible outside the Program platform.

Verification Data

Age and identity verification records where required for a Mission. Where 16–17 year olds participate under an eligible Mission, verified parental or guardian consent records are retained for the duration of participation and 24 months thereafter.

Third-Party Platform Data

Where Missions involve Third-Party Platforms, we may review publicly available data, including social media handles, engagement metrics (likes, shares, views, comments), timestamps, and screenshots, solely for Mission verification and Program integrity purposes. This data is reviewed, not routinely downloaded. See Section 3 and Builders Terms Section 11.4.

Communications Data

Correspondence with us relating to support, appeals, and compliance matters.

Forum Messages

If you use forum private messaging features, message content and related metadata may be processed through the hosted forum service and may be accessible to forum administrators, as well as to message senders and recipients, in accordance with the platform’s hosted-service functionality and moderation controls.

Technical Data

IP address, device and browser type, session data, and access logs.

Payment and Tax Data

Name, address, and tax reference information where a Reward requires payment processing or tax reporting. Full card details are not stored by us; they are processed directly by our payment processor.

Special Category Data

We do not request or intentionally collect special category data (including health, ethnicity, religion, or biometric data) for Program participation. If you voluntarily include it in User Content or communications, we will handle it in accordance with applicable law and only where both a valid Article 6 lawful basis and, where required by Article 9 UK GDPR, an applicable Article 9 condition are established. If you are unsure, please avoid including such data in your submissions.

The Program is open to participants aged 16 and over. We do not knowingly collect personal data from persons under 16. If we become aware that data from an under-16 has been collected without appropriate parental consent, we will delete it promptly.

3. Why We Use Your Data and the Lawful Basis

We process personal data only where we have a lawful basis under UK GDPR Article 6. The purposes, bases, and retention periods are set out below. Legal basis codes used: C = Contract (Article 6(1)(b)); LI = Legitimate Interests (Article 6(1)(f)); LO = Legal Obligation (Article 6(1)(c)); Co = Consent (Article 6(1)(a), withdrawable at any time without affecting prior lawful processing).

3.1 Account creation and management. We process Identity, Contact, and Account Data to create and administer your Program account. Basis: Contract (C). Retention: account lifetime plus 12 months after closure.

3.2 Mission administration, eligibility, and verification. We process Identity, Account, Program Activity, and Verification Data to administer Missions, verify eligibility, and manage entries. Basis: Contract and Legitimate Interests (C/LI). Retention: Mission close plus 24 months.

3.3 Community Vote and Prize Mission administration. We process Program Activity Data (vote records and judging outcomes, retained to the minimum extent necessary for administration, anti-fraud, and dispute resolution) to run voting phases and Prize Missions. Basis: Contract and Legitimate Interests (C/LI). Retention: Mission close plus 36 months.

3.4 Third-Party Platform verification. We review publicly available Third-Party Platform Data to verify Mission completion and detect manipulation. Basis: Contract and Legitimate Interests (C/LI). Retention: Mission close plus 24 months. Our legitimate interest is running a fair and fraud-free Program; this interest is not overridden by your rights because only publicly available data is reviewed proportionately and solely for Program integrity.

3.5 Points, Badges, and tier tracking. We process Program Activity Data to record and display your community recognition status. Basis: Contract (C). Retention: account lifetime plus 12 months after closure.

3.6 Reward fulfilment. We process Identity, Contact, and Payment and Tax Data to deliver Rewards and comply with applicable tax and financial record-keeping requirements. Basis: Contract and Legal Obligation (C/LO). Legal Obligation applies specifically to tax reporting and financial record-keeping under the Taxes Management Act 1970 and related legislation. Retention: 6 years from the relevant tax year.

3.7 Age and identity verification. We process Verification Data to confirm that participants meet age eligibility requirements and to prevent fraud. Basis: Legitimate Interests (LI). Our legitimate interest is protecting minors from ineligible participation and maintaining Program integrity. Retention: 12 months post-verification.

3.8 Parental and guardian consent records (16 to 17 year olds). Where a Mission permits participation by 16–17 year olds and the Program requires parental or guardian consent as a participation safeguard, we retain consent records to evidence that safeguard and manage any future challenge. Basis: Legitimate Interests (LI). Our legitimate interest is protecting younger participants and maintaining clear Program records. Retention: duration of participation plus 24 months.

3.9 Program Communications (non-marketing). We process Identity and Contact Data to send service messages about the Program, account status, eligibility, Reward notifications, and appeals outcomes. Basis: Contract and Legitimate Interests (C/LI). Retention: Program relationship plus 12 months.

3.10 Fraud prevention and Program integrity. We process Technical, Program Activity, and Third-Party Platform Data to prevent manipulation, enforce fair play, and protect Builders and the Program. Basis: Legitimate Interests (LI). Our legitimate interest is maintaining a fair, secure, and trustworthy Program; this does not override your fundamental rights because processing is proportionate, targeted at identified risks, and subject to human review before enforcement. Retention: up to 36 months.

3.11 User Content hosting, moderation, and audit. We process User Content and Identity Data to host submissions, moderate content for compliance with Content Standards, and maintain an audit record. Basis: Contract and Legitimate Interests (C/LI). Retention: active use plus archival as described in Section 7.

3.12 Legal compliance, disputes, and claims. We process relevant categories of personal data where necessary to comply with applicable legal obligations, respond to regulators or lawful requests, and establish, exercise, or defend legal claims. Basis: Legitimate Interests and, where a specific law requires processing or retention, Legal Obligation (LI/LO). Our legitimate interest is maintaining appropriate records to resolve disputes and protect the Program and its participants. Retention: minimum 6 years from the relevant event, or longer where a specific law requires it.

3.13 Program Analytics. Where analytics involve personal data before anonymisation, we process that data on the lawful basis identified elsewhere in this notice and in accordance with the cookie choices you make under Section 6. We use anonymised, aggregated outputs to understand how the Program is used and to improve it. Once data has been irreversibly anonymised, it is no longer personal data. Retention: anonymised outputs may be retained indefinitely.

3.14 Marketing communications. Where you opt in, we process Identity and Contact Data to send promotional communications about the Program, new Missions, and Sealand community activities. Basis: Consent (Co). Retention: until consent is withdrawn plus 12 months for suppression management.

Legitimate interests summary: Our primary legitimate interests are running a fair and fraud-free Program; protecting Builders and brand integrity; verifying Mission completion using publicly available platform data; resolving disputes; improving the Program through anonymised analytics; and maintaining audit and compliance records. You may object to legitimate-interest processing at any time under Section 8.

4. Who We Share Your Data With

We do not sell your personal data. We share it only in the limited circumstances described below.

4.1 Service Processors

We use the following service providers acting as processors on our instructions and under applicable data processing terms:

Shopify Inc. - E-commerce and Reward delivery. Country: USA. Transfer safeguard: UK-US Data Bridge where current self-certification is confirmed; IDTA used as fallback where certification cannot be verified. Further details: Shopify Privacy Policy - Shopify .

Mailchimp (Intuit Inc.) - Email and marketing communications. Country: USA. Transfer safeguard: UK-US Data Bridge where current self-certification is confirmed; UK Addendum to EU SCCs used as fallback. Further details: Mailchimp Data Processing Addendum Preview | Mailchimp .

Google LLC - Analytics, reCAPTCHA, and platform tools. Country: USA. Transfer safeguard: UK-US Data Bridge under Google’s current self-certification and Google’s applicable data processing terms. Further details: policies.google.com/privacy.

Discord Inc. - Community platform. Country: USA. Transfer safeguard: UK Addendum to EU SCCs. Further details: Privacy Policy | Discord .

Civilized Discourse Construction Kit, Inc. (CDCK) / Discourse - Hosted community forum services, including forum account data, posts, replies, private messages, moderation-related data, session and security cookies, and related infrastructure where the Sealand Builders forum is hosted by CDCK. Country: United States, with possible processing in other jurisdictions used by CDCK and its sub-processors. Transfer safeguard: SCC-based hosted-forum data processing terms / UK Addendum where applicable under CDCK’s standard data processing terms. Further details: Privacy policy | Discourse - Civilized Discussion .

4.2 Other Disclosures

(a) Legal and regulatory: We may share data with courts, law enforcement, regulators, or the ICO where required or permitted by applicable law.

(b) Business transfer: If we sell, merge, or restructure the business, personal data may transfer to the new entity under equivalent protections. We will notify you in advance where practicable.

(c) Prize Mission winners: Winner names and general location (country or region) may be published in accordance with the applicable Prize Mission Rules. You will be notified before publication and may object within 7 days by contacting ops@sealandgov.org. We will publish only the minimum information reasonably necessary for the relevant announcement or promotional purpose.

5. International Transfers

Several processors are based in the United States and other countries outside the UK. Where personal data is transferred to a country not deemed adequate by the UK Government, we rely on one or more of the following safeguards:

– The UK-US Data Bridge, for US processors that have self-certified under the Data Bridge framework and whose certification is current at the time of transfer. We verify certification status before relying on this mechanism.

– UK International Data Transfer Agreements (IDTAs), entered into directly with processors or their sub-processors.

– UK Addenda to EU Standard Contractual Clauses (SCCs), where an IDTA is not available or is not the most appropriate mechanism.

Where required by applicable data protection terms, our contracts require processors to apply appropriate safeguards for any onward transfer of personal data to sub-processors, and to use sub-processors only in accordance with their obligations under those terms. The specific safeguard applicable to any transfer is available on request by contacting ops@sealandgov.org.

6. Cookies and Tracking Technologies

6.1 Non-essential cookies and tracking technologies are not set until you have given explicit opt-in consent through our consent management platform (CMP). We log and retain a record of your consent, including what you consented to and when, for as long as reasonably necessary to demonstrate compliance with PECR.

6.2 Under PECR, consent is required for cookies and similar technologies unless they are strictly necessary for the service you have requested. We assess each technology against that standard and categorise them as follows:

Strictly Necessary: Technologies used only where required to deliver the service you have requested or to ensure essential security, for example login session management and security controls. These do not require consent under PECR.

Preferences and Functional: Technologies used for convenience or personalisation features where not strictly necessary for the core service. These require consent and are blocked until consent is given.

Analytics: Analytics cookies and similar technologies require consent where they are not strictly necessary. Where we use analytics technologies such as Google Analytics, they are blocked until consent is given and our consent management implementation is configured to enforce that block.

Third-Party and Social: Platform integrations, social sharing, and embedded content. These require consent and are blocked until consent is given.

Where the Program forum is hosted on Discourse by CDCK, the forum uses default session, authentication, and security cookies required for forum operation. Additional cookies or similar technologies may also be used depending on the live forum configuration, enabled plugins, analytics setup, and embedded content. We classify those technologies under the categories above based on whether they are strictly necessary for the requested service. See Cookie Settings and this Privacy Notice for the current categories and controls in use.

6.3 You may withdraw or change your cookie consent at any time via the cookie settings on the Program platform. Withdrawing consent for non-essential cookies will not prevent Program participation.

6.4 Cookie details, including the categories in use and your available controls, are made available through Cookie Settings and this Privacy Notice. We review those details whenever we change the forum configuration, plugin stack, analytics setup, or broader technology stack.

7. User Content

7.1 Content you submit (text, images, video, audio) is personal data to the extent it identifies or could reasonably identify you. It is processed under the intellectual property licence in Builders Terms Section 9. This notice governs the personal data within that content.

7.2 If your Content includes personal data of third parties, you are responsible for ensuring you have a lawful basis or other right to share that data with us. We will handle third-party personal data within Content in accordance with this notice.

7.3 You may request that we cease using your Content in active marketing campaigns by emailing ops@sealandgov.org (Builders Terms Section 9.5). Cessation of active marketing use is not the same as erasure of personal data: it does not delete data from audit records, legal holds, or contractual archives. To exercise your right to erasure of personal data, see Section 8 below.

7.4 User Content submitted to Prize Missions is retained for 36 months after the Mission closes for audit and dispute resolution purposes, regardless of account closure, unless an earlier deletion is required by law or an upheld erasure request.

8. Your Rights

Under the UK GDPR you have the rights below. Exercise any of them by contacting us at ops@sealandgov.org. We respond without undue delay and normally within one month of receiving your request. If your request is complex or you have submitted multiple requests, we may extend the response period by up to two further months; we will notify you of any extension and the reasons for it within the first month. We do not charge a fee unless a request is manifestly unfounded or excessive, in which case we will notify you before applying a fee.

Access: Receive a copy of the personal data we hold about you and information about how we process it (a Subject Access Request).

Rectification: Have inaccurate or incomplete personal data corrected or completed.

Erasure: Have personal data deleted where there is no compelling reason to continue processing it. Legal, tax, audit, and contractual retention obligations may prevent full or immediate deletion; where this applies we will explain the specific reason and the expected retention period.

Restriction: Ask us to pause processing of your data in limited circumstances, for example while accuracy is disputed or a legitimate-interest objection is pending.

Portability: Receive your Account Data and Program Activity Data in a structured, commonly used, machine-readable format where our processing is based on consent or contract and is carried out by automated means.

Object: Object to processing based on Legitimate Interests. We will stop unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. We will always stop direct marketing processing on request, with no compelling-grounds test applied.

Withdraw Consent: Withdraw consent at any time (for example, for marketing communications or non-essential cookies) without affecting the lawfulness of processing carried out before withdrawal.

Complain: Lodge a complaint with the ICO at ico.org.uk if you are dissatisfied with how we handle your personal data or your rights request. You may do this at any time.

9. Marketing

We send marketing communications only where you have given express consent. You may withdraw consent at any time by clicking the unsubscribe link in any marketing email or by contacting ops@sealandgov.org. Withdrawal of consent will be actioned promptly and does not affect the lawfulness of communications sent before withdrawal.

Transactional and administrative messages — including Reward notifications, account alerts, Mission updates, and appeals outcomes — are not marketing. They are sent on the basis of our contractual relationship or legitimate interests and will continue regardless of any marketing opt-out.

We do not share your personal data with third parties for their own marketing purposes without your explicit, separate opt-in consent.

10. Security

We apply appropriate technical and organisational measures proportionate to the risks presented by our processing. These include: access controls and authentication requirements; encrypted data transmission using TLS/HTTPS; separation of Program data by function; and contractual data protection obligations on all processors. Access to personal data is limited to individuals with a genuine Program need who are bound by confidentiality obligations.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware and will notify affected individuals without undue delay. If you believe your account has been compromised, contact ops@sealandgov.org immediately.

We review and update our security measures on an ongoing basis, including in response to changes in our technology, processing activities, or threat environment. While we apply appropriate safeguards, no online system can be guaranteed to be completely secure.

11. Automated Decision-Making

We do not make solely automated decisions about you that produce legal or similarly significant effects. Automated tools are used to flag potential Program integrity issues (for example, unusual voting patterns or suspicious account behaviour) but any decision to take enforcement action under Builders Terms Section 15 is subject to human review before it is implemented. You may request information about any significant automated processing that has affected you by contacting ops@sealandgov.org.

12. Changes to This Notice

We may update this notice to reflect changes to the Program, our processing activities, or applicable law. For material changes — those that reduce your rights, add new processing purposes, or substantially alter how we use your data — we will notify you by email and Program channel at least 30 days before the change takes effect. For minor updates such as typographical corrections or contact detail changes, we will update the notice and note the date of change without advance notice. The current version of this notice is always available at builders.sealandgov.org/privacy.

13. Contact

All privacy enquiries, data subject rights requests, stop-active-marketing requests, and winner-publication objections should be directed to:

Email: ops@sealandgov.org (all Program and privacy matters, routed internally to the privacy function)

Postal: Sealand Services Ltd, 95a Prince Avenue, Southend-on-Sea, Essex, SS2 6RL, England

ICO: ico.org.uk | 0303 123 1113 | Wycliffe House, Water Lane, Wilmslow, SK9 5AF

You may send any type of privacy enquiry or rights request to ops@sealandgov.org. There is no separate privacy email address; this single address routes internally to the privacy function and will be actioned by the appropriate team.