Privacy notice

Ducky is a shared platform used by multiple organisations, including charities and community groups, to sell tickets for their own races.

The platform operator (see footer for details) controls account authentication data, platform-wide audit log entries, and SumUp webhook events. The organisation running your race controls the buyer contact details collected during checkout and the order records linked to its races.

• Race purchases: your name, email, the numbers you bought, order timestamps, and payment reference. Card details are handled by SumUp and never touch ducky.
• Accounts:email, name, last sign-in time, and profile image (if provided) for organisers and admins. Buyers don't need an account.
• Audit log: every administrator and organiser action — race creation, organiser invitation, winner-email send — with actor, timestamp and entity.
• Email operations: SHA-256 hash of outbound notification recipients so delivery can be audited without keeping the plaintext address.
• Notify-me: if you ask to hear when the next race opens, your email and the race ID until that one email is sent (or 12 months, whichever is sooner).

• Send your purchase confirmation and winner notification.
• Process your payment via SumUp.
• Maintain a security audit trail for organiser and admin actions.
• Verify email delivery without retaining plaintext recipients longer than needed.
• Email you once when a future race opens, if you opted in from a sold-out race.

• Buyer contact details: removed 12 months after the race.
• Order records: anonymised records may be kept longer for financial auditing.
• Audit log entries: retained for 24 months.
• Notify-me rows:deleted as soon as the one-off email is sent, or after 12 months if the next race doesn't open.

You can ask for a copy of your personal data, or ask for it to be corrected or deleted where the law allows, by contacting the organisation running your race or the platform operator. Either contact point can route the request depending on whether it concerns race-order data, platform-account data, audit records, or payment records.