1. Who we are
TwinkleTrail (“we”, “us”, “our”) operates the website at twinkletrail.co.uk — a community platform for discovering and sharing Christmas light displays across the United Kingdom.
We are the data controller for the personal data described in this policy. If you have any questions or requests regarding your data, please contact us.
2. Data we collect
We collect the following categories of personal data:
Account data — if you register an account, we collect your email address and a hashed password. You may optionally provide a display name.
Submissions — when you submit a Christmas light display, we store the address and location you provide, along with any description, photos, and your account identifier.
Photos — images you upload are stored on our file storage service. Photos may contain embedded metadata (such as EXIF data); we recommend removing sensitive metadata before uploading.
Ratings and reviews — star ratings and any written comments you submit, linked to your account.
Contact messages — if you use the contact form, we receive your name, email address, and message content.
Usage data — we use Google Analytics 4 to collect anonymised information about how visitors use the site, including pages visited, time on site, and broad geographic region. This data is collected via cookies. See section 7 for more detail.
Technical data — our web server may log IP addresses and browser user-agent strings for security and operational purposes. These logs are retained for a short period and are not used for profiling.
3. How and why we use your data
We use your data only for the purposes for which it was collected:
| Purpose | Legal basis (UK GDPR) |
|---|---|
| Providing and running the service | Contract (Art. 6(1)(b)) |
| Moderating submissions and user content | Legitimate interests (Art. 6(1)(f)) |
| Responding to contact form enquiries | Legitimate interests (Art. 6(1)(f)) |
| Analysing site usage to improve the platform | Legitimate interests (Art. 6(1)(f)) |
| Security, fraud prevention, and legal compliance | Legal obligation / legitimate interests |
We do not sell your personal data to third parties, and we do not use it for automated decision-making or profiling that produces legal or similarly significant effects.
4. How we handle address data
We take a deliberately conservative approach to displaying address information. Public pages show only a street name and partial postcode. The precise location is shown on a map, but is not published as indexable text. Full addresses are stored securely in our database and are never made publicly available in full.
If you are a property owner and would like your address removed from TwinkleTrail, please contact us and we will act promptly. You do not need to give a reason.
5. Who we share data with
We do not sell or rent your personal data. We share data only with the following trusted service providers, strictly for the purposes of operating the platform:
- Cloudflare R2 — cloud object storage used to host uploaded photos. Data may be stored in the EEA or UK.
- Google Analytics — anonymised, aggregated usage data is sent to Google. Google acts as a data processor. See Google’s Privacy Policy for details. IP addresses are anonymised before transmission.
- Hosting infrastructure — our web server and database are hosted on UK/EEA infrastructure.
We may also disclose data where required to do so by law, or to protect the rights, property, or safety of TwinkleTrail, our users, or the public.
6. How long we keep your data
We retain your data for as long as necessary to provide the service and fulfil the purposes described in this policy:
- Account data — kept for as long as your account is active. You may request deletion at any time.
- Display submissions and photos — kept until you or we remove them. Removed content may be retained in backups for up to 30 days.
- Contact form messages — kept for up to 12 months.
- Server logs — typically retained for up to 30 days.
- Google Analytics data — retained in accordance with Google’s default retention settings (26 months for user-level data).
7. Cookies
We use the following cookies on TwinkleTrail:
- Session cookie — a strictly necessary cookie used to keep you logged in to your account. It expires when you close your browser or log out.
- Google Analytics cookies (
_ga,_ga_*) — used to distinguish users and sessions for analytics purposes. These are analytics cookies set by Google.
Most browsers allow you to control or block cookies through their settings. Disabling analytics cookies will not affect your ability to use the site.
8. Your rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access — you can request a copy of the personal data we hold about you.
- Right to rectification — you can ask us to correct inaccurate data.
- Right to erasure — you can ask us to delete your data in certain circumstances (“right to be forgotten”).
- Right to restriction — you can ask us to restrict how we use your data while a dispute is being resolved.
- Right to data portability — you can ask for your data in a structured, machine-readable format.
- Right to object — you can object to processing based on legitimate interests.
To exercise any of these rights, please contact us. We will respond within one month.
9. Complaints
If you are unhappy with how we have handled your data, please contact us first and we will do our best to resolve your concern.
You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113.
10. Changes to this policy
We may update this Privacy Policy from time to time. When we do, the “Last updated” date at the top of this page will change. We encourage you to review this page periodically.
Continued use of TwinkleTrail after changes are posted constitutes your acceptance of the revised policy.
11. Contact us
If you have any questions about this Privacy Policy or how we handle your data, please get in touch: