Privacy Policy
Site: uksocials.club
Operator: CMP Technologies Ltd
Last updated: 30 April 2026
Version: 1.0
1. Who we are and how to contact us
Trader name: CMP Technologies Ltd
Trading as: UK Socials (the website at uksocials.club)
Companies House registration: Company registration number to be added on completion of Companies House lookup
Registered office: Registered office address: this is being procured. In the meantime, please contact us at info@uksocials.club for any postal correspondence.
Data Protection Lead: the operator of UK Socials, contactable via info@uksocials.club — contactable via the email below
Contact for all privacy queries: info@uksocials.club
We are the data controller for the personal data we collect about you when you use UK Socials. “We”, “us”, and “our” in this policy mean CMP Technologies Ltd. “You” means anyone using the UK Socials website or service.
If you would prefer to write to us by post, use the registered office address above.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection. We would, however, appreciate the chance to deal with your concerns first.
– ICO website: https://ico.org.uk/concerns/
– ICO helpline: 0303 123 1113
– ICO post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
2. What information we collect
2.1 Information you give us when you register and use your profile
- Account basics: username, display name, email address, password (we store a one-way hash, never the plain text).
- Date of birth — used to verify you are 13 or older and to apply our age-pairing rules (see §10). Not displayed publicly.
- Postcode — used to show events, venues, and matches near you. Stored as the postcode you provide. We do not derive your exact home address from it.
- Profile content: photos, videos, profile bio, hobbies, interests, sigil placements, photo panels, customised page colours, and any music or media widget you add to your profile.
- Profile visibility settings — for each piece of optional profile data, whether you have made it public, visible only to matches, or private.
2.2 Optional information you may add
- Political affiliation — entirely optional. Only stored if you actively drag the political-affiliation widget onto your profile. When you do so, you choose one of three visibility settings: visible to all logged-in members, visible only to matched members, or visible only to administrators for aggregate polling. We treat this as special-category data — see §4.
- Other profile widgets — favourite venues, favourite organisers, wishlisted events, character/connector/level badges. All optional.
- Onboarding questionnaire responses if you choose to complete the matching questionnaire.
2.3 Information you generate by using the service
- Messages you send to other members through our internal messaging system.
- Activity — events you attend or RSVP to, members you have matched with, members you have invited, members who have invited you, members you have wishlisted, reviews you leave, photos you upload to galleries.
- Reports of other members that you submit, and the content you reported.
- Peer reviews you leave about other members after a group event (see §2.6).
- Peer reviews other members leave about you after a group event — these stay private to admins, but they affect your reputation score (which is public).
2.4 Information we collect automatically
- Device and connection data — IP address, browser type, device type, operating system, time zone, referring URL.
- Usage data — pages you visit, features you use, session length. We use this in aggregate to improve the service.
- Cookies and similar technologies — see our Cookie Policy for the full list.
2.5 Information we receive from third parties
- Payment information — when you take a paid subscription or buy an event ticket, our payment processor (Stripe) handles your card details. We do not see your full card number — Stripe gives us a masked version (last four digits, card brand, expiry month/year) and a customer ID we use to manage your subscription. Stripe also passes us the result of fraud checks.
- Image-safety scanning results — if a photo you upload is flagged by our safety scanner (see §10), we store the flag and the action taken.
We do not buy your data from data brokers, and we do not collect data about you from social networks or other public sources.
2.6 Peer reviews and reputation
After group events (where two or more members who have mutually invited each other and attended together — see Community Guidelines §11), each attendee may be asked to leave a private review of the others in the group.
- The review text itself is private — visible only to UK Socials administrators, never to other members, including the member being reviewed.
- The reviewed member sees their aggregate reputation score change — not the individual reviews or the names of the reviewers.
- Other members viewing your profile see your reputation score (e.g. as a star rating, badge, or descriptor) but never the underlying review messages.
- Reviewers are not anonymised in our internal records — admins can see who said what when investigating issues like review-bombing or retaliation.
- You cannot see reviews left about you. You can ask info@uksocials.club whether reviews exist about you, and in some circumstances the substance of them, under your right of access (§8) — but we may redact reviewer identity to protect honest feedback.
This is a piece of personal data about you (a peer’s opinion of you), and you have all the same rights over it as your other data. See §8 for how to exercise those rights.
We process peer-review data on the basis of legitimate interest (Art 6(1)(f)) — the legitimate interest is operating a trustworthy social platform where members can rely on each other’s reputation when deciding who to invite to future events. We have balanced this against your privacy interest and concluded that the system as designed (private reviews, public aggregate, redacted reviewer identity by default) is proportionate. You can object to processing on this basis under Art 21 — see §8.
3. How we use your information and the lawful basis for each use
UK GDPR requires us to identify a lawful basis under Article 6 for each purpose we use your data for. The table below sets that out.
| What we do with your data | Why we do it | Lawful basis (UK GDPR Art 6) |
|---|---|---|
| Set up and operate your account; keep you logged in | To deliver the service you have asked for | Contract (Art 6(1)(b)) |
| Show you events, venues, and matches near you using your postcode | To deliver the core matching/discovery service | Contract (Art 6(1)(b)) |
| Process your subscription payment and your event-ticket purchases | To collect payments you have agreed to make | Contract (Art 6(1)(b)) |
| Send you internal platform messages (welcome, match notifications, event reminders) | Part of the service you signed up for | Contract (Art 6(1)(b)) |
| Send you transactional emails (password reset, payment receipts, data-export download links, breach notices) | To meet legal obligations or operate your account | Legal obligation (Art 6(1)(c)) and Contract (Art 6(1)(b)) |
| Operate moderation, safety scanning, and abuse-prevention systems | To keep the platform safe | Legitimate interest (Art 6(1)(f)) — the safety of all users |
| Operate the peer-review and reputation system (private reviews after group events; public aggregate reputation score) | To help members make informed decisions about who to invite to future events | Legitimate interest (Art 6(1)(f)) — see §2.6 for full balancing |
| Monitor behavioural patterns to detect misconduct (e.g. accept-attend-ghost, repeated 21+→16- contact attempts, gold-digging patterns) | To detect harm to other members and respond to it | Legitimate interest (Art 6(1)(f)) — the safety and integrity of the platform |
| Verify your age (13+) and apply our cross-age messaging rules | To protect children using the platform | Legal obligation (Art 6(1)(c)) under the Online Safety Act 2023 |
| Operate our LLM-based matching system (planned, post-MVP, adults only — see §10) | To deliver the matching feature | Contract (Art 6(1)(b)). Off by default for under-18s. |
| Improve the service through aggregated analytics | To understand usage patterns and improve | Legitimate interest (Art 6(1)(f)) |
| Defend legal claims, handle complaints, respond to enforcement requests | Legal compliance and our right to defend ourselves | Legal obligation (Art 6(1)(c)) and legitimate interest (Art 6(1)(f)) |
| Show you advertising | We don’t | n/a |
We will tell you if we ever start using your data for a new purpose that is not described above, and we will identify the lawful basis at that point.
4. Special-category data (UK GDPR Article 9)
Some data has extra legal protection under Article 9 of the UK GDPR. The only piece of data we collect that is unambiguously in this category is political affiliation.
4.1 How political-affiliation data is handled
- Entering your political affiliation is completely optional. The field is not part of registration. To enter it, you have to actively find the political-affiliation widget and drag it onto your profile.
- When you drop the widget onto your profile, we ask you to choose one of three visibility levels:
- Public — visible to any logged-in member who views your profile
- Matches only — visible only to members you are matched with
- Admin only — visible only to UK Socials administrators, used for aggregate polling and never shown to other members
- Your choice is recorded against your profile and you can change it at any time, including by removing the widget completely.
- The act of dragging the widget onto your profile, plus your visibility choice, is your explicit consent under Article 9(2)(a). You can withdraw that consent at any time by removing the widget — no reason needed.
- If you choose “Public” we additionally rely on Article 9(2)(e) — data manifestly made public by you.
4.2 What we use it for
- If “Admin only”: we use it solely for aggregate polling. Individual answers are never shown to anyone but the named admin team. We do not match you with people based on your politics — politics never feeds the matching system.
- If “Matches only”: only your matches can see it. Used for nothing else.
- If “Public”: shown on your profile, like a hobby or interest.
4.3 What we never do
- We never publish, sell, or share political-affiliation data with any third party.
- We never feed it into the matching algorithm.
- We never use it to make decisions about your account (e.g. moderation calls).
4.4 Data we deliberately don’t collect
We do not ask about your sexual orientation, race, religion, health, trade-union membership, or genetic/biometric data. If something you choose to write in your profile bio (e.g. an interest tag) implies one of these categories, we treat that as data you have manifestly made public under Article 9(2)(e), and we still do not use it for any purpose you haven’t expected.
5. Who we share your information with
We share your data only with the following recipients, and only where required to operate the service:
| Recipient | What they get | Why |
|---|---|---|
| Stripe Payments UK Ltd / Stripe Inc (our payment processor) | Your name, email, billing address (if any), the amount being charged, and a Stripe customer ID | To take subscription payments and process event-ticket payments. Stripe is the merchant of record for cards. |
| Stripe Connect (for paid event tickets) | Same as above, plus the organiser’s account ID | Stripe Connect splits the payment between the organiser and our 5% platform fee |
| Our hosting provider (currently GoDaddy) | All data on the site, since they host the servers | They store the server contents on our behalf. They do not access your data except where instructed by us or required by law. |
| WordPress and BuddyPress plugins running on the site (rtMedia, PMPro, BuddyPress core, etc.) | Whatever each plugin needs to operate the feature it provides | They are software acting on our infrastructure; not “third parties” in the traditional sense |
| Internet Watch Foundation (IWF) (future — we hope to subscribe once revenue allows; see Children’s Safety Statement) | When the integration is live: a non-reversible hash of any image you upload | To detect known child sexual abuse material before it can be shared |
| The National Crime Agency (NCA) | Manual reports of any suspected child sexual abuse material detected via member reports + admin review (and once automated scanning is live, automated reports too), plus the user account that uploaded it | Mandatory under the Online Safety Act 2023 s.66 |
| Police / regulators / courts | Whatever they lawfully require | Legal obligation, only on receipt of a valid order |
We do not share your data with advertisers, data brokers, marketing networks, social-media-platform tracking pixels, or analytics aggregators.
A live list of our sub-processors will be published at uksocials.club/sub-processors and updated when changes occur.
5.1 Internal access by UK Socials staff — when admins can see your data
UK Socials administrators have technical access to most data on the platform. Whether and when they actually look at it is governed by a strict trigger-based policy:
Routine activity (no individual data access)
– Maintaining the site, fixing bugs, releasing updates
– Reviewing aggregate statistics (e.g. “how many users used the matching feature this week?”)
– Administering settings and configuration
Triggered access (limited, logged, justified)
– A user submits a Report against another user’s content or behaviour
– A user submits a complaint to us about another user
– We have a reasonable suspicion that a user has breached our Community Guidelines, our Terms of Service, or UK law (we record the suspicion, who raised it, and when, before access happens)
– We are responding to a request from the user themselves (e.g. a Subject Access Request, an Export Data request, a “please help me find this old message” request)
– We are responding to a lawful request from the police, a regulator, or a court
– We are investigating a security incident affecting platform integrity (e.g. account takeover)
What this means in practice for your messages and peer-review records
– Admins do not read your messages routinely.
– Admins do not read your messages when you close your account, unless a trigger above is open at the time.
– For peer reviews you have written about other members: your reviewer identity is stored alongside the review so that we can investigate if a pattern of review-bombing or retaliation is reported. It is not surfaced to other admins or to the reviewed member during normal operation. Admin access to reviewer identity is itself a triggered-access event — it happens only when a complaint or pattern detection raises the question.
– Admins can read messages relevant to a Report when one is filed — to check whether the reported behaviour actually happened — but they should look only at what’s needed to make the call.
– Admins can widen an investigation if the initial review reveals a pattern of misconduct, but the widening is itself recorded with a reason.
Audit trail. Every time an administrator accesses private content (messages, restricted profile fields, peer-review reviewer identity), the access is recorded automatically with the admin’s identity, the time, the user being accessed, and the reason given. We keep these audit records for 6 years for accountability.
Your right to ask. You can email info@uksocials.club to ask whether your messages or other private data have been accessed by an admin and, if so, when and why. We will tell you, unless doing so would prejudice an active investigation or a law-enforcement matter.
6. International transfers
Most of your data stays in the UK or the EEA. The exceptions:
- Stripe is a US-based processor. We rely on the UK Extension to the EU-US Data Privacy Framework for transfers to Stripe — Stripe Inc is a DPF-certified organisation, which the UK government recognises as providing an adequate level of protection.
- Hosting backups may be replicated to data centres outside the UK. If so, we use the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum, and we run a Transfer Risk Assessment for each such transfer.
Where we make any transfer outside the UK, we make sure your data is protected to a level essentially equivalent to UK GDPR.
7. How long we keep your data
We keep your data only as long as we need it. Our default position is: when you close your account, we delete your data within 30 days. We only retain data beyond that point if there’s a specific, narrow reason to do so.
7.1 What happens when you close your account (the default)
When you delete your account from your settings, the following happens automatically:
- Within 24 hours: your public profile is taken offline. Your account login is disabled. Other users can no longer find your profile or invite you to events.
- Within 30 days: your profile data, photos, videos, custom widgets, sigil placements, customised page colours, and the platform’s copy of your messages are all deleted from our active systems.
- Within 90 days: your data is purged from our backup systems on the next normal backup cycle.
- Reviews you have left about events or venues are anonymised (your name removed) but the review text is kept, because other users have relied on it. You can request specific reviews be deleted instead — email info@uksocials.club.
- Messages you have sent to other people stay in the recipients’ inboxes. Once a message has been received, the recipient becomes a separate data controller for their copy of that message — we cannot reach into someone else’s inbox to delete it. We can however delete the platform’s central copy.
This is the normal, default behaviour. If you have done nothing wrong on the platform, this is what happens to your data when you leave.
7.2 When we retain data beyond 30 days (the exceptions)
We will keep some or all of your data for longer only if one of the following triggers applies. Even then, we keep only what is needed for the specific purpose, and only as long as the purpose lasts.
| Trigger | What we keep | For how long |
|---|---|---|
| There is an open report or moderation case against you when you close your account | The reported content, related messages, profile snapshot, and admin notes | Until the case is resolved, plus 12 months. Then deleted. |
| We have a reasonable suspicion of misconduct that has been formally raised internally before you close (whether against our policy or against the law) | As above | As above |
| You have an active legal claim or dispute with us, or have notified us of an intended claim | Data relevant to the claim | Until the claim is fully resolved or limitation expires |
| Police or another regulator have required us to preserve data | The data they have specified | As long as legally required |
| Payment records (subscriptions and ticket purchases) | Transaction details only — not your profile or messages | 6 years from the end of the tax year of the transaction (HMRC accounting requirement) |
| Records of CSAM scanner hits | The hash and the report we made to the National Crime Agency | Indefinitely — required for crime-reporting integrity |
We will never go through your messages or activity just because you’ve closed your account. No fishing expeditions. The only way data is retained beyond the default 30-day deletion is if a specific, documented trigger above applies.
7.3 Other retention periods (for active accounts)
These apply while your account is open:
| Data category | How long we keep it | Why |
|---|---|---|
| IP addresses and login records | 12 months | Security and abuse-prevention |
| Moderation records (reports filed, admin actions taken, suspensions) | 6 years from the action | Defence of legal claims; pattern-of-behaviour monitoring across users |
| Cookie consent records | 2 years from consent given | Demonstrate compliance with PECR / UK GDPR |
| Aggregated and anonymised analytics | Indefinitely | No longer personal data once aggregated |
7.4 Your right to ask for earlier deletion
If you have closed your account and you want us to delete your data sooner than the 30 days set out above, email info@uksocials.club. We will do so as soon as practicable, unless one of the trigger conditions in §7.2 applies, in which case we will tell you that and explain why.
If you have an active account and you want us to delete specific items (an old photo, an embarrassing review, a particular message), you can usually do so yourself. If not, email us and we will help.
8. Your rights
Under UK GDPR you have the following rights. We will honour these requests free of charge in most cases, and respond within one calendar month (extendable by two further months for complex requests, in which case we will tell you within the first month).
| Right | What it means | How to exercise |
|---|---|---|
| Access (Art 15) | Get a copy of the personal data we hold about you | Use the Export Data tool in your account settings, or email info@uksocials.club |
| Rectification (Art 16) | Correct inaccurate or incomplete data | Edit your profile, or email us |
| Erasure (Art 17) | Have your personal data deleted | Delete your account, or email us. Note: we may keep some data under Art 17(3)(e) where needed to defend legal claims (see §7). |
| Restriction (Art 18) | Pause our use of your data while a dispute is resolved | Email info@uksocials.club |
| Data portability (Art 20) | Get your data in a machine-readable format you can take elsewhere | Use the Export Data tool — produces a structured archive |
| Object (Art 21) | Stop us using your data for purposes based on legitimate interest | Email info@uksocials.club |
| Rights about automated decisions (Art 22) | Not be subject to a decision based solely on automated processing that has legal or similarly significant effects on you | See §10 on our matching system |
| Withdraw consent (Art 7(3)) | Stop us using data we got under your consent | For political affiliation: remove the widget. For cookies: use the Cookie Settings link. For other consent: email us. |
| Complain to the ICO (Art 77) | Tell the regulator if you think we’re getting it wrong | https://ico.org.uk/concerns/ — see §1 above for ICO contact details |
To exercise any of these rights, email info@uksocials.club. Tell us what you’d like and we will respond within one month.
9. Security
We protect your data with the following measures:
- HTTPS everywhere — all traffic between you and our servers is encrypted.
- Passwords are stored as one-way hashes (we never see your plaintext password).
- Access to the production database is limited to a small named list of admins.
- Stripe handles all card numbers — we never receive or store them.
- Backups are encrypted at rest.
- Software dependencies are kept up to date, and security patches are applied promptly.
- We log access to administrative tools.
If a personal-data breach occurs that is likely to result in a risk to your rights or freedoms, we will notify the ICO within 72 hours. If the risk is high, we will notify affected users without undue delay (we will use email for this notification, even if you would normally only receive internal messages).
No system is perfectly secure — but if you suspect your account has been compromised, contact us immediately at info@uksocials.club.
10. Children and the protection of minors
UK Socials is for people aged 13 and over. We comply with the ICO Age Appropriate Design Code and the Online Safety Act 2023.
10.1 The 13 minimum and how the platform protects children
- You confirm you are 13 or older when you sign up. We collect your date of birth and verify the calculation.
- We do not knowingly accept users under 13. If you believe an account belongs to a child under 13, contact info@uksocials.club and we will investigate and delete the account.
- The 13+ minimum exists because the platform is designed to support families attending events together. To make this safe, every event listed on UK Socials carries an age-group tag chosen by its organiser (Family friendly, 13-15 only, 16-17 only, 18+, 21+, 25+, or Mixed). RSVP and ticket purchase are gated to users within the chosen age range; family-friendly events are open to all.
10.1a How we comply with the ICO Children’s Code (Age Appropriate Design Code)
The Children’s Code under DPA 2018 s.123 sets 15 standards for online services likely to be accessed by children. UK Socials is such a service because the minimum age is 13. Below is how we address each standard. This summary is for the public; we maintain a more detailed Children’s Risk Assessment internally.
| Standard | How we address it |
|---|---|
| 1. Best interests of the child | Decisions about features, defaults, and content rules consider the impact on under-18 users explicitly. The 21+ ↔ 16- messaging block + age-tagged events come from this principle. |
| 2. Data Protection Impact Assessment (DPIA) | We hold a DPIA covering profiling, special-category data (political affiliation), and matching. Reviewed at least annually. |
| 3. Age-appropriate application | Self-declared date of birth verifies the 13 minimum. We treat ages 13–17 as a distinct cohort with different defaults (see below). |
| 4. Transparency | This Privacy Policy is supplemented by a child-readable summary planned for launch. |
| 5. Detrimental use of data | We do not use children’s data in ways that could be detrimental to them. No advertising. No data brokering. No profiling for marketing. |
| 6. Policies and community standards | Our Community Guidelines and Children’s Safety Statement are public and applied consistently. |
| 7. Default settings | Under-18 accounts default to the highest privacy setting for every optional profile element. They have to actively choose to make any element public. |
| 8. Data minimisation | We collect only what we need to deliver the service. Postcode (not full address). Date of birth (not National Insurance number, not passport number). |
| 9. Data sharing | We do not share children’s data with third parties except where listed in §5. We never share for advertising. |
| 10. Geolocation | Location is derived from postcode only. Precise GPS location is never collected. |
| 11. Parental controls | Family Link allows parents/guardians to be linked to their under-16 child’s account with mutual opt-in (see §10.2). Parents can also request the child’s account be deleted by emailing info@uksocials.club. |
| 12. Profiling | LLM-based matching (planned post-MVP) is off by default for under-18 accounts and cannot be turned on. Under-18s see the basic search/discovery only. |
| 13. Nudge techniques | We do not nudge under-18 users toward lower-privacy choices, longer time on site, paid upgrades, or sharing more data. |
| 14. Connected toys and devices | N/A — UK Socials does not connect to physical IoT devices. |
| 15. Online tools to support these standards | The Cookie Settings link in the footer, the Account → Export Data flow, and the in-account profile-visibility controls work the same for under-18 users as for adults. |
We re-review this section whenever the platform adds a new feature that could affect under-18 users. Last review date matches the “Last updated” at the top of this policy.
10.1b Highly Effective Age Assurance — current position
Ofcom’s Protection of Children Codes require “highly effective age assurance” only for services that host certain types of content (pornography, content promoting suicide or self-harm, content promoting eating disorders). UK Socials does not host any of those — content of that kind is prohibited under our Community Guidelines and removed on detection. For a general-purpose 13+ service of our kind, Ofcom and the ICO accept self-declared date of birth plus behavioural signals as proportionate, and that is what we use. We will reconsider this position if the regulatory baseline changes or if the platform’s risk profile changes.
10.2 Cross-age messaging block
- A user aged 21 or older cannot send messages to a user aged 16 or younger through our internal messaging system. This block is enforced automatically.
- The Family Link feature lets a 21+ user and a 16- user mutually opt in to messaging if they are family members (siblings, cousins, parent/child). Both sides must explicitly confirm. Family Link does not override our other safety rules.
10.3 High-privacy defaults for under-18 accounts
For users aged 13–17:
– Profile visibility defaults are set to the highest privacy level
– LLM-based matching (when launched post-MVP) is off by default and cannot be turned on
– Profiling-based recommendations are off by default
– The political-affiliation widget shows additional warnings before being made public
– Parental-style oversight features may be added — we will update this policy if we add them
10.4 Concerns about a child’s safety
If you are concerned that a child is at risk of harm on UK Socials, contact info@uksocials.club immediately. For imminent danger, contact the police on 999.
11. Cookies
Cookies are explained in our separate Cookie Policy. The short version: we use strictly-necessary cookies to make the site work, and we ask for opt-in consent before setting any analytics cookie. We do not use marketing or advertising cookies.
12. Automated decision-making and profiling
UK GDPR Article 22 gives you the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
- We do not make any decision about you that affects your legal rights, your account access, or your eligibility purely automatically. All moderation actions are taken by a human admin.
- Our matching feature (planned post-MVP) uses an LLM to suggest other members you might like to meet. It is suggestion-only — it never blocks you from contacting someone. It is off by default for under-18s and cannot be turned on for those accounts.
- Our cross-age messaging block (§10.2) is automated. It does not produce legal effects — you simply cannot send a particular message — and you can appeal it via Family Link or by contacting us.
If you have concerns about how the matching system handles your data, email info@uksocials.club. You can ask for human review of any matching outcome.
13. Changes to this policy
When we change this policy:
– The “Last updated” date at the top changes
– Substantial changes (new categories of data, new sharing recipients, new lawful basis, change of controller) will be notified to you by an in-platform message and by email at least 30 days before they take effect, where possible
– Minor changes (clarifications, typo fixes, contact-detail updates) take effect immediately and are not actively notified
We keep an archive of previous versions of this policy. Email info@uksocials.club if you want a copy.
14. Contact
For any privacy or data-protection question:
Email: info@uksocials.club
Post: CMP Technologies Ltd, Registered office address: being procured (contact info@uksocials.club for postal correspondence)
For complaints to the regulator:
ICO: https://ico.org.uk/concerns/