Privacy policy
Last updated: 18 May 2026
1. Who we are — data controller
AquaticForum.co.uk is operated by the operator(s) of AquaticForum.co.uk, an independent UK team running a non-commercial hobbyist community. For the purposes of the UK GDPR and the Data Protection Act 2018, we are the data controller for personal data processed through this site and the Android app.
You can reach us about anything in this policy via the contact page or by email at privacy@aquaticforum.co.uk.
2. What personal data we collect
We limit what we collect to what we actually need to operate a safe, functional forum:
- Account data: email address, username, chosen password hash, date of account creation, and (optionally) avatar, bio and display name.
- Forum content: discussions, replies, reactions, profile fields and any media you choose to upload.
- Moderation data: reports submitted by you or about your content, warnings, appeal records, a salted SHA-256 hash of your IP address at report time (we never store raw IPs for moderation purposes), and rate-limit counters.
- Device & push tokens: Web Push (VAPID) subscriptions and Android FCM tokens if you opt in to push notifications.
- Contact form: name, email and message body you send via /contact.
- Technical / log data: standard server logs (request path, timestamp, user-agent, truncated IP) retained for security and abuse prevention.
3. Why we use it — purposes & legal bases
Under UK GDPR Article 6, each processing activity has a legal basis:
| Purpose | Data used | Legal basis |
|---|---|---|
| Creating and running your account | Email, username, password hash | Contract (Art. 6(1)(b)) |
| Displaying your posts and profile to other users | Forum content, username, avatar | Contract (Art. 6(1)(b)) |
| Keeping the site safe, moderation, abuse prevention | Moderation records, hashed IP, rate-limit counters | Legitimate interests (Art. 6(1)(f)) |
| Sending notification emails you opted in to | Email address, notification content | Consent (Art. 6(1)(a)) |
| Serving personalised / non-personalised ads | Advertising cookies (Google AdSense) | Consent (PECR + Art. 6(1)(a)) |
| Replying to your contact-form messages | Name, email, message | Legitimate interests (Art. 6(1)(f)) |
| Complying with UK law (takedowns, statutory requests) | Whatever the request requires | Legal obligation (Art. 6(1)(c)) |
4. Advertising and Google AdSense
AquaticForum.co.uk displays advertising from Google AdSense (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) as the primary ad network. This is how we cover hosting, domain, CDN and email costs without charging members or taking money from aquatics retailers.
- Ads are only loaded after you grant consent for the "Advertising" category in the cookie banner. If you decline, you can still read and use the entire site.
- Google and its certified third-party ad partners may use cookies and device identifiers to select, deliver, cap, and measure ads — including personalised ads where you have granted consent, and non-personalised ads otherwise.
- The specific advertisers and creatives are selected by the ad network; we do not pick them, have no contractual relationship with them, and do not receive personally identifying information about you from them.
- Seeing a brand advertised on this site is not an endorsement by AquaticForum.co.uk.
Useful links:
5. Cookies
We use a first-party cookie banner stored in your browser's localStorage to record your consent choices. For a concrete list of cookies set by the site and our processors — names, purpose and durations — see the dedicated cookie policy.
You can change your choice at any time via the Cookie settings link in the footer.
6. Who we share data with — processors
We do not sell personal data. We use the following processors to operate the service:
| Processor | Used for | Location |
|---|---|---|
| Supabase (Supabase Inc.) | Authentication, database, file storage | EU region |
| Vercel (Vercel Inc.) | Edge hosting, static asset delivery, logs | Global edge network |
| Google AdSense (Google Ireland Ltd.) | Third-party advertising (consent-gated) | EEA + global |
| Resend (Resend, Inc.) | Transactional email (notifications, contact form) | US (with SCCs) |
| Google Firebase Cloud Messaging | Android push notifications (opt-in only) | Global |
International transfers outside the UK/EEA rely on the UK Addendum to the EU Standard Contractual Clauses, the UK International Data Transfer Agreement, or adequacy decisions as appropriate.
7. How long we keep it — retention
- Account & forum content: until you delete your account, or until 24 months of inactivity after which we may prompt you to confirm the account.
- Moderation records & content reports: up to 24 months after the underlying action, then anonymised.
- Hashed IP fingerprints: 24 months, then deleted.
- Rate-limit counters: up to 2 hours.
- Contact form email deliveries: held by Resend for up to 30 days, then purged from their logs.
- Push notification tokens: until you unsubscribe, uninstall, or the token is marked invalid by the provider.
- Aggregate analytics (if enabled): up to 26 months.
- Server access logs: up to 90 days.
- Legal / takedown records: retained as long as needed to defend legal claims, typically 6 years.
8. Your rights
Under the UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — delete your account. You can also ask us to erase specific content.
- Restriction — limit processing in certain cases.
- Portability — get your forum data in a structured, machine-readable format.
- Object — to processing based on legitimate interests, including moderation profiling.
- Withdraw consent — for advertising cookies and email notifications, at any time, without penalty.
To exercise any of these, use the contact page and choose "Privacy / data request". We verify you are the account holder before acting and aim to respond within 30 days.
You also have the right to complain to the UK data-protection authority: the Information Commissioner's Office (ICO). We would prefer you give us the chance to fix any issue first.
9. Children
AquaticForum.co.uk is not directed at children under 13, and accounts require a minimum age of 13. If we learn that an account belongs to a child under 13 we will close it and delete associated data. If you believe a child has created an account, please let us know.
10. Security
We use HTTPS site-wide, password hashing at the identity provider level, database Row Level Security policies, signed JWTs, service-role scoping, rate limiting, and salted hashing for IP fingerprints. No online service is 100% secure — please tell us promptly if you suspect your account has been compromised.
11. Changes to this policy
We will update this page when our processors, cookies, or practices change. Material changes will be announced on the forum and — where required — re-prompted via the cookie banner. The "last updated" date above reflects the most recent change.
Questions or corrections to this policy? Contact us at privacy@aquaticforum.co.uk or via the contact page.