Privacy Policy

Version v1.0· effective 2026-06-03

Who we are

Unconventional Cosplay Ltd ("we", "us", "UC") is the data controller for the personal data described in this policy.

  • Company: Unconventional Cosplay Ltd, registered in England & Wales, company number 16649423.
  • Registered office: 124 City Road, London, EC1V 2NX.
  • ICO registration: ZB958298 (Information Commissioner's Office register of fee payers).
  • Contact: [email protected] — our data protection lead. (A company of our size is not legally required to appoint a named Data Protection Officer; this address reaches the person responsible for data protection.)

 

Who controls and who processes your data

Unconventional Cosplay Ltd is the data controller — it decides why and how your personal data is processed.

The website and the systems behind it are built and operated by Kraeken Studios (operating as a sole trader), which acts as our data processor: it processes personal data only on UC Ltd's instructions, under a data processing agreement. Kraeken Studios runs the self-hosted infrastructure behind this site — the application database, our single sign-on, our content management system, and our error monitoring (described under "Who we share your data with"). Those self-hosted systems are operated by our processor on our behalf; they are not separate third-party companies.

 

This policy is written to align with the UK GDPR and the Data Protection Act 2018.

 

What we collect and why (our lawful basis)

We only collect personal data you give us through the things we actually run. We do not buy in marketing lists or profile you for advertising.

Event-form submissions

When you fill in one of our event forms we collect your name, your email address, and the other fields configured for that specific event (for example dietary needs, accessibility requirements, or other event-specific questions). These submissions are stored in our own application database.

Lawful basis: consent (UK GDPR Art. 6(1)(a)) for the submission, and, where the form is how you enter or sign up to an event you have asked to take part in, performance of steps you have requested (Art. 6(1)(b)).

Special category data. Some event forms may include information about health, disabilities, accessibility requirements, allergies or dietary needs. Where this information constitutes special category personal data, we process it only where you have explicitly provided it for the purpose of participating in the event, and only to the extent necessary to meet those requirements. Our condition for processing it is your explicit consent (UK GDPR Art. 9(2)(a)).

 

Masquerade entries

When you enter a masquerade competition we collect the details you provide for the entry — your stage / character name, the character you are portraying, your pronouns, your age band (Under 12 / Under 16 / 16–18 / 18+), and any media you upload (for example reference photos, audio, or video of your costume or performance). Group entries also record the same per-member details for each participant.

Age bands. Age bands are used only to determine eligibility for age-restricted competition categories and to ensure the age-appropriateness of the media being portrayed by the entrant. We collect an age band, not a precise date of birth.

Children's data. Some entrants are children. Where an entrant is under 16 we process their data only with guardian consent, captured through the guardianship mechanism already built into the entry flow (a person with parental responsibility confirms consent as part of the entry). For entrants aged 16–18 we collect the same entry details but do not require separate guardian consent. We apply age-appropriate safeguards across the masquerade flow.

Lawful basis: consent (Art. 6(1)(a)). For entrants under 16, that consent must be authorised by a person with parental responsibility in accordance with Article 8 UK GDPR.

 

Accounts (sign-in)

If you sign in as a member, authentication is handled by Zitadel, an open-source single sign-on system that we self-host on Kraeken Studios' own infrastructure (id.kraeken-studios.co.uk). It is not a third-party cloud service and not a separate data processor — it is part of the self-hosted infrastructure our processor operates on our behalf. We hold the account identifier (account_id) that links your sign-in to your activity on our site. Your password is held only by our self-hosted Zitadel; the rest of the site never sees it.

Lawful basis: performance of a contract / steps you have requested where you have an account with us (Art. 6(1)(b)), and our legitimate interests in securing accounts (Art. 6(1)(f)).

 

Consent records

When you submit a form or entry we record that you accepted this Privacy Policy and our Terms & Conditions, together with the date of acceptance and the version of each policy you accepted. We keep the exact text of the policy version you accepted so the record is meaningful and recoverable.

Lawful basis: our legitimate interests (Art. 6(1)(f)) in maintaining records demonstrating the permissions, agreements and consents provided to us, and in resolving disputes relating to those permissions.

Who we share your data with

We do not sell your personal data, and we do not share it for anyone else's marketing.

 

Most of the systems that run this site are self-hosted by Kraeken Studios (our data processor) on its own infrastructure, rather than provided by outside companies: the application database that stores your form submissions and masquerade entries, our Zitadel single sign-on, our Directus content management system (which holds editorial content and the structure of our forms), and our GlitchTip error monitoring (see Error monitoring below). These are operated by our processor on UC Ltd's behalf — they are not third parties we share your data with.

 

We also use a small number of third-party sub-processors, under contract, for things we do not host ourselves:

  • OVHcloud — object storage for media you upload (for example masquerade reference media). Your media is stored in OVH's London (UK) and Warsaw (EU) data centres.
  • Cloudflare — the content delivery network and proxy in front of our site, and the delivery of our transactional email (the uc-mail-send service that sends, for example, the one-time codes used to confirm a masquerade entry). Cloudflare processes connection information such as IP addresses and request metadata in order to provide content delivery, performance and security services.

 

Error monitoring. We configure our error monitoring systems to avoid collecting personal data wherever reasonably possible. If personal data is incidentally included in an error report, access is restricted and the data is retained only as long as necessary for troubleshooting.

International transfers. Where personal data is transferred outside the UK, we rely on appropriate safeguards recognised under UK data protection law, including adequacy regulations or approved contractual protections where required.

 

How long we keep your data (retention)

We aim to remove personal data once we no longer need it. In practice:

  • Event registrations — 6 months after the event.
  • Masquerade entries — 6 months after the event.
  • Uploaded media — 6 months after the event, unless Unconventional Cosplay Ltd and you have separately agreed that we may retain or use it for promotional, archival or competition-related purposes.
  • Account records — kept until you delete your account, or until 24 months of account inactivity, whichever is sooner.
  • Consent records — kept longer where necessary to demonstrate the consent given.

 

We may hold data for longer where we are required to do so by law.

How we keep your data secure

We use technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse or disclosure.

 

Your rights

Under the UK GDPR you have the right to:

  • access the personal data we hold about you;
  • ask us to rectify data that is inaccurate or incomplete;
  • ask us to erase your data ("right to be forgotten") where it applies;
  • restrict our processing in certain circumstances;
  • portability — receive the data you gave us in a portable format;
  • object to processing based on our legitimate interests; and
  • withdraw consent at any time where we rely on consent (this does not affect processing already carried out).

 

To exercise any of these rights, email [email protected]. We will respond within the statutory time limit (normally one month). Before responding to certain requests, we may need to verify your identity, to ensure that personal data is not disclosed to the wrong person.

If you are not happy with how we have handled your data you can complain to the Information Commissioner's Office (ICO) at ico.org.uk. We encourage you to contact us first so that we have an opportunity to address your concerns.

 

Cookies

We use only strictly necessary cookies for the site to work — we do not use advertising or third-party tracking cookies. In particular:

  • a session cookie (uc_session) is set when you sign in, to keep you signed in; and
  • an anonymous draft token cookie may be set while you are part-way through a masquerade entry, so your draft can be resumed.

These are strictly necessary and are not used to track you across other sites.

 

Automated decisions, profiling and AI

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.

We do not use your personal data — including the content of your form submissions, masquerade entries or uploaded media — to train artificial intelligence or machine-learning models, and we do not permit any third party processing data on our behalf to do so.

 

Changes to this policy

We version this policy. The current version and effective date always appear at the top of the published page. When we make a material change we bump the version, and any consent you give is recorded against the version in force at the time.