We collect the minimum personal data needed to run an account for you, send you the alerts you opted into, and measure site usage in aggregate. We do not sell your data. You can export or delete everything at any time.
01 Who we are
DropSignal ("we", "us", "our") is an independent Amazon UK deal publisher operated from the United Kingdom. For the purposes of the UK GDPR we are the data controller for personal data processed through dropsignal.uk.
Our data protection contact: privacy@dropsignal.uk.
We are registered with the Information Commissioner's Office (ICO) as a UK data controller.
02 Data we collect
If you create an account
- Name — what you tell us at sign-up.
- Email address — required, used for sign-in and notifications.
- Password hash — your password is hashed with argon2id; we never see or store the plaintext.
- Account preferences — categories, keywords, discount thresholds, digest cadence.
- Personalisation data — bookmarks, watchlist ASINs, saved searches you create.
- Account timestamps — when you created the account and when you last signed in.
When you use the site
- Click events — when you click through to Amazon via one of our deal links, we record the deal, the source channel (web / email / Telegram), and a timestamp. We do this for our own analytics; we do not share it with Amazon beyond what Amazon receives from the affiliate tag.
- Page views — aggregate counts only, via privacy-respecting analytics that does not place cookies on your browser.
- Server logs — IP address, user-agent, request path. Used for security and abuse-prevention. Retained for 30 days then deleted.
If you subscribe to digests without an account
- Email address — and whether you've opted into the daily or weekly digest.
03 Why we use it
Each use of your data is tied to a UK GDPR lawful basis:
- Contract — running your account, fulfilling notifications you've enabled, processing your watchlist and bookmarks.
- Legitimate interests — basic site analytics (aggregate), security logs, fraud and abuse prevention.
- Consent — sending you the daily or weekly digest, and any future marketing email.
- Legal obligation — retention required by tax, accounting, or law-enforcement orders.
04 Sub-processors
We use a small set of trusted third parties to run the service. Each is bound by UK GDPR-compliant data processing agreements.
| Service | Purpose | Region |
|---|---|---|
| Neon | Postgres database hosting (accounts, deals, history) | EU |
| Vercel | Application hosting + CDN | EU / global edge |
| Resend | Transactional + digest email delivery | EU |
| Keepa | Amazon price history data (no personal data shared) | EU |
| Amazon Associates | Affiliate tracking via redirect URL parameter | UK / EU |
| Sentry | Error tracking — captures stack traces, browser metadata, and your user ID (no name or email) when something breaks | EU (Germany) |
05 Your rights
Under UK GDPR you have the right to:
- Access — request a copy of everything we hold about you. Available self-serve at /account.
- Rectification — correct anything that's wrong.
- Erasure ("right to be forgotten") — delete your account and all associated data. Self-serve at /account, or write to us.
- Portability — export your data in JSON.
- Object to processing — for any processing based on legitimate interest.
- Withdraw consent — for any consent-based processing (e.g. digest emails). One-click unsubscribe is in every email.
- Complain to the ICO — ico.org.uk. We'd rather you wrote to us first so we can fix it.
06 Retention
- Account data — for the life of your account, then deleted within 30 days of account closure.
- Click events — anonymised after 12 months (we keep aggregate counts indefinitely).
- Server logs — 30 days.
- Subscribed-only email — until you unsubscribe.
07 Security
- Passwords stored only as argon2id hashes — we never see plaintext.
- All traffic over HTTPS, with HSTS preload.
- Session cookies are HttpOnly, Secure, SameSite=Lax.
- Database access scoped to least privilege; no production secrets in source control.
- If we ever suffer a personal-data breach we'll notify affected users and the ICO within 72 hours of discovery, in line with UK GDPR.
08 International transfers
Some sub-processors (Vercel, Resend) operate global infrastructure. Where personal data is transferred outside the UK or EEA we rely on the UK International Data Transfer Addendum and equivalent EU Standard Contractual Clauses.
09 Children
DropSignal is not directed at people under 16 and we do not knowingly collect personal data from children. If you believe we have inadvertently done so, please email privacy@dropsignal.uk and we'll delete it.
10 Changes to this policy
Material changes will be flagged on the homepage and signalled inside the app at least 14 days before they take effect. All previous versions remain accessible via the changelog at the bottom of this page.
11 Contact
For anything privacy-related, email privacy@dropsignal.uk. For general questions, see /contact.
Changelog
- 1.0 — 7 June 2026 — Initial publication.