Privacy Policy
Last updated: June 2026
This privacy policy explains what personal information Age Engage collects, why we collect it, how we keep it safe, and what rights you have over your data.
We've written this in plain English so it's easy to understand. We don't collect anything we don't need, we don't sell your data, and we don't use it for advertising.
1. Who is responsible for your data?
Age Engage is the data controller for any personal information you provide to us. This means we decide what data we collect and how it's used. We are based in the United Kingdom and operate under UK data protection law (UK GDPR and the Data Protection Act 2018).
2. What information we collect and why
We only collect information that's needed to run the service.
| What we collect | Why we collect it | Legal basis |
|---|---|---|
| Email address | To create and identify your account; to send password reset emails; to send the newsletter (if you opt in) | Contract (account); Consent (newsletter) |
| Name (optional) | To personalise your account if you choose to provide it | Contract |
| Password (hashed) | To verify your identity when you log in. We never store your actual password — only a secure one-way hash using PBKDF2 | Contract |
| Subscription and billing status | To know whether your subscription is active so we can give you access to downloads. Payment is handled by Stripe — we don't store card details | Contract |
| Download history | To show you what you've downloaded in your account area, and to help us manage the service | Contract / Legitimate interest |
| IP address (download logs) | To help detect fraud and misuse (e.g. credential sharing). We don't use this for profiling or marketing | Legitimate interest |
| Newsletter subscription (email + sign-up date) | To send you the Age Engage newsletter, only if you've opted in | Consent |
We do not collect or use:
- Advertising or tracking cookies
- Third-party analytics (e.g. Google Analytics)
- Social media tracking pixels
- Sensitive personal data (health, financial, biometric etc.)
3. Cookies
We use exactly one cookie on Age Engage. Here's everything you need to know about it:
| Cookie name | What it does | How long it lasts | Type |
|---|---|---|---|
session |
Keeps you signed in to your account. Without this cookie, you'd have to log in every time you visit. | 30 days, or until you log out | Strictly necessary |
Because this cookie is strictly necessary for the site to work, we don't need your consent to set it. However, we do inform you about it — which is what our cookie notice is for.
We do not use any tracking, analytics, or advertising cookies.
4. How we store and protect your data
Your data is stored in a Cloudflare D1 database, distributed across Cloudflare's global edge network. All data is encrypted at rest and all connections use HTTPS.
We apply the following security measures:
- Passwords are hashed using PBKDF2 with 100,000 iterations and a unique salt per password. Even if our database were compromised, your actual password would not be exposed.
- Session tokens are 32 bytes of cryptographically random data, stored server-side and verified on every request. They expire after 30 days.
- Files are stored in Cloudflare R2 under unpredictable UUID keys. Signed download URLs expire after 1 hour and are generated fresh for each download request.
- Admin access requires both a valid session and an explicit admin flag — no privilege escalation is possible through normal login.
- All database queries use prepared statements to prevent SQL injection.
No system is 100% secure, but we take reasonable and proportionate steps to protect your information.
5. Who we share your data with
We only share your data with the following third parties, and only to the extent necessary to run the service:
Cloudflare
Our site is hosted on Cloudflare Pages and the backend runs on Cloudflare Workers. Your data (database, files) is stored in Cloudflare's infrastructure. Cloudflare is based in the US and operates under a Data Processing Agreement compliant with UK GDPR.
Stripe
Payments are processed by Stripe. When you subscribe, you're directed to Stripe's secure checkout. We receive a confirmation from Stripe but we never see or store your card details. Stripe may collect and process data according to their own privacy policy.
Brevo (email sending)
We use Brevo to send transactional emails (e.g. password reset links) and the newsletter. We share only the email address needed to send each email. Brevo acts as a data processor on our behalf.
We do not sell, rent, or trade your personal data with any other company or individual.
6. How long we keep your data
| Data | Kept until | Reason |
|---|---|---|
| Email address, name, password | Deleted when your account is anonymised (see below) | No longer needed |
| Session tokens | 30 days, or when you log out — whichever comes first | Security |
| Newsletter subscription | Until you unsubscribe, or your account is deleted | Consent withdrawn |
| Stripe customer ID & subscription history | 6 years from last transaction | HMRC / Companies Act 2006 — we are legally required to keep accounting records for 6 years |
| Download logs | Kept in anonymised form after account deletion; fully deleted after 2 years | Aggregate service improvement and fraud detection |
Account deletion — what happens step by step
You can request to delete your account at any time from your Profile settings. Here is what happens:
- Day 0 — you request deletion: We schedule your account for deletion and send you a confirmation email. Your account remains fully accessible.
- Days 1–30 — grace period: You can log in and cancel the deletion at any time from your Profile settings.
- Day 30 — permanent anonymisation: If you haven't cancelled, we automatically erase your name, email address, and password. Your Stripe customer reference and subscription history are retained for 6 years to comply with UK tax law. Download records are kept in anonymised form (no longer linked to your name or email). After this point, deletion cannot be reversed.
For more details on what data is kept and why, see Section 10 of our Terms & Conditions.
7. Your rights under UK GDPR
UK data protection law gives you the following rights regarding your personal data:
- Right of access — you can ask us what data we hold about you.
- Right to rectification — you can ask us to correct inaccurate data. You can update your name and email directly in your account profile.
- Right to erasure ("right to be forgotten") — you can ask us to delete your account and personal data.
- Right to restrict processing — you can ask us to pause using your data in certain circumstances.
- Right to data portability — you can ask us for a copy of your data in a common format.
- Right to object — you can object to us processing your data for our legitimate interests.
- Right to withdraw consent — if we're relying on your consent (e.g. for the newsletter), you can withdraw it at any time. This won't affect anything that happened before you withdrew.
To exercise any of these rights, please contact us. We'll respond within 30 days. We won't charge you for making a request.
If you're not satisfied with how we handle your data, you have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.
8. Children
Age Engage is intended for adults aged 18 and over. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with their information, please contact us and we'll delete it.
9. Links to other websites
Our site may contain links to external websites (for example, Stripe's checkout). Once you leave Age Engage, this privacy policy no longer applies. We recommend reading the privacy policy of any site you visit.
10. Changes to this policy
We may update this policy from time to time. If we make significant changes, we'll let you know by email or by posting a notice on the site. The "last updated" date at the top of this page always shows when it was last changed.
11. Contact us
If you have any questions about this privacy policy or how we handle your data, please get in touch. You can find our contact details on the site.