Privacy Policy

Last updated: 23 February 2026

1. Introduction & Data Controller

RKT Grading Services (“RKT Grading”, “we”, “us”, “our”) is the data controller responsible for your personal data. We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This policy explains what personal data we collect when you use our website at rktgrading.com and our grading services, how we use it, who we share it with, and what rights you have.

Data Controller

RKT Grading Services

Chesterfield, Derbyshire, United Kingdom

Email: support@rktgrading.com

2. Data We Collect

We collect and process the following categories of personal data:

Account Data

When you create an account or contact us, we collect:

Full name, email address, and phone number
Postal address (for shipping graded cards)
Username and encrypted password
Profile information you choose to provide
Social login identifiers if you sign in via Google or Discord

Submission & Grading Data

When you submit cards for grading, we collect:

Card details (game, set, card name, condition notes)
High-resolution photographs of submitted cards
Grading results, sub-grades, and certificate numbers
Declared card values for insurance purposes
Shipping tracking information

Payment Data

When you pay for our services:

We do not store your full card number or CVV. All payment processing is handled securely by Stripe, our PCI DSS Level 1 certified payment processor.
We retain a record of the transaction amount, date, and Stripe payment reference.

Device & Usage Data

When you visit our website, we automatically collect:

IP address, browser type, operating system, and device type
Pages visited, time spent, and referral source
Cookie and session data (see our Cookie Policy)

Communication Data

When you contact us, we retain:

Email correspondence and support enquiries
Any feedback, reviews, or comments you submit

3. Legal Bases for Processing

Under Article 6 of the UK GDPR, we process your personal data on the following legal bases:

Contract performance: Processing necessary to fulfil our grading services, manage your account, process payments, and deliver graded cards.
Legitimate interests: Fraud prevention, security monitoring, service improvement, analytics, and maintaining our population report registry.
Legal obligation: Tax record keeping, responding to lawful requests from authorities, and maintaining business records.
Consent: Marketing communications (where you have opted in), non-essential cookies, and optional profile features.

4. How We Use Your Data

We use your personal data for the following purposes:

Grading services: Processing submissions, grading cards, generating certificates, and returning graded cards.
Account management: Creating and managing your account, authenticating logins, and providing customer support.
Payments: Processing payments through Stripe, issuing invoices, and managing refunds.
Population report: Publishing anonymised grading data in our public population registry (card name, set, grade, certificate number). Your personal details are never published.
NFC verification: Enabling tap-to-verify authentication for graded cards via our certificate lookup system.
Communications: Sending submission status updates, order confirmations, and responding to your enquiries.
Marketing: With your consent, sending newsletters and promotional content. You can unsubscribe at any time.
Security & fraud prevention: Detecting and preventing fraudulent submissions, abuse, and unauthorised access.
Analytics & improvement: Understanding how our website is used and improving our services.

5. Data Sharing & Third Parties

We do not sell, rent, or trade your personal data to third parties. We share data only with the following categories of service providers, who process data on our behalf under contractual obligations:

Provider	Purpose	Data Shared
Stripe	Payment processing	Name, email, payment details
Royal Mail	Shipping & delivery	Name, address, tracking reference
Amazon Web Services (AWS)	Website hosting & image storage	Card images, account data (encrypted)
Resend	Transactional email delivery	Email address, name
Neon (PostgreSQL)	Database hosting	All account and submission data (encrypted)

We may also disclose your data where required by law, regulation, legal process, or enforceable governmental request.

6. International Data Transfers

Some of our service providers (such as Stripe and AWS) process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, including:

UK International Data Transfer Agreements (IDTAs)
Standard Contractual Clauses approved by the ICO
Adequacy decisions where the destination country provides equivalent data protection

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes outlined in this policy, unless a longer retention period is required by law.

Data Type	Retention Period
Account data	Duration of your account plus 2 years after deletion
Grading records & certificates	Indefinitely (population report integrity)
Card images	Duration of your account plus 1 year
Payment records	7 years (HMRC tax requirements)
Communication records	3 years from last interaction
Website analytics data	26 months
Marketing consent records	Duration of consent plus 1 year

8. Your Rights Under UK GDPR

You have the following rights in relation to your personal data:

Right of access: Request a copy of the personal data we hold about you.
Right to rectification: Request correction of inaccurate or incomplete data.
Right to erasure: Request deletion of your data where there is no compelling reason for continued processing. Note: grading records in the population report may be retained for data integrity.
Right to restrict processing: Request that we limit the processing of your data in certain circumstances.
Right to data portability: Receive your data in a structured, commonly used, machine-readable format.
Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
Right to withdraw consent: Withdraw consent at any time where processing is based on consent (e.g., marketing).

To exercise any of these rights, email us at support@rktgrading.com with the subject line “Data Rights Request”. We will respond within one calendar month.

9. Cookies

Our website uses cookies and similar technologies. For full details on the cookies we use, their purpose, and how to manage your preferences, please see our Cookie Policy.

10. Children's Data

Our services are not directed at individuals under 18 years of age. If you are under 18, you must have a parent or guardian's consent to use our services and they must agree to this policy on your behalf. We do not knowingly collect personal data from children under 13. If we discover we have collected data from a child under 13 without appropriate consent, we will delete it promptly.

11. Security Measures

We implement appropriate technical and organisational measures to protect your personal data, including:

Encryption of data in transit (TLS/HTTPS) and at rest
Secure password hashing (bcrypt)
Two-factor authentication (2FA) available for all accounts
Regular security reviews and vulnerability assessments
Access controls limiting data access to authorised personnel only
PCI DSS compliance via Stripe for payment processing

While we take all reasonable steps to protect your data, no method of electronic transmission or storage is 100% secure. If you believe your account has been compromised, contact us immediately.

12. Changes to This Policy

We may update this privacy policy from time to time. Any material changes will be communicated via email or a prominent notice on our website. The “Last updated” date at the top of this page indicates when the policy was last revised. We encourage you to review this policy periodically.

13. Complaints

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent body for data protection:

Information Commissioner's Office

Website: ico.org.uk

Telephone: 0303 123 1113

We would appreciate the opportunity to address your concerns before you approach the ICO, so please contact us first. You can also review our Complaints Policy for more information on how we handle complaints.

14. Contact Us

If you have any questions about this privacy policy, wish to exercise your data rights, or have a concern about how we handle your data, contact us:

RKT Grading Services

Chesterfield, Derbyshire, United Kingdom

Email: support@rktgrading.com

Privacy Policy

Last updated: 23 February 2026

1. Introduction & Data Controller

This policy explains what personal data we collect when you use our website at rktgrading.com and our grading services, how we use it, who we share it with, and what rights you have.

Data Controller

RKT Grading Services

Chesterfield, Derbyshire, United Kingdom

Email: support@rktgrading.com

2. Data We Collect

We collect and process the following categories of personal data:

Account Data

When you create an account or contact us, we collect:

Full name, email address, and phone number
Postal address (for shipping graded cards)
Username and encrypted password
Profile information you choose to provide
Social login identifiers if you sign in via Google or Discord

Submission & Grading Data

When you submit cards for grading, we collect:

Card details (game, set, card name, condition notes)
High-resolution photographs of submitted cards
Grading results, sub-grades, and certificate numbers
Declared card values for insurance purposes
Shipping tracking information

Payment Data

When you pay for our services:

We do not store your full card number or CVV. All payment processing is handled securely by Stripe, our PCI DSS Level 1 certified payment processor.
We retain a record of the transaction amount, date, and Stripe payment reference.

Device & Usage Data

When you visit our website, we automatically collect:

IP address, browser type, operating system, and device type
Pages visited, time spent, and referral source
Cookie and session data (see our Cookie Policy)

Communication Data

When you contact us, we retain:

Email correspondence and support enquiries
Any feedback, reviews, or comments you submit

3. Legal Bases for Processing

Under Article 6 of the UK GDPR, we process your personal data on the following legal bases:

Contract performance: Processing necessary to fulfil our grading services, manage your account, process payments, and deliver graded cards.
Legitimate interests: Fraud prevention, security monitoring, service improvement, analytics, and maintaining our population report registry.
Legal obligation: Tax record keeping, responding to lawful requests from authorities, and maintaining business records.
Consent: Marketing communications (where you have opted in), non-essential cookies, and optional profile features.

4. How We Use Your Data

We use your personal data for the following purposes:

Grading services: Processing submissions, grading cards, generating certificates, and returning graded cards.
Account management: Creating and managing your account, authenticating logins, and providing customer support.
Payments: Processing payments through Stripe, issuing invoices, and managing refunds.
Population report: Publishing anonymised grading data in our public population registry (card name, set, grade, certificate number). Your personal details are never published.
NFC verification: Enabling tap-to-verify authentication for graded cards via our certificate lookup system.
Communications: Sending submission status updates, order confirmations, and responding to your enquiries.
Marketing: With your consent, sending newsletters and promotional content. You can unsubscribe at any time.
Security & fraud prevention: Detecting and preventing fraudulent submissions, abuse, and unauthorised access.
Analytics & improvement: Understanding how our website is used and improving our services.

5. Data Sharing & Third Parties

Provider	Purpose	Data Shared
Stripe	Payment processing	Name, email, payment details
Royal Mail	Shipping & delivery	Name, address, tracking reference
Amazon Web Services (AWS)	Website hosting & image storage	Card images, account data (encrypted)
Resend	Transactional email delivery	Email address, name
Neon (PostgreSQL)	Database hosting	All account and submission data (encrypted)

We may also disclose your data where required by law, regulation, legal process, or enforceable governmental request.

6. International Data Transfers

Some of our service providers (such as Stripe and AWS) process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, including:

UK International Data Transfer Agreements (IDTAs)
Standard Contractual Clauses approved by the ICO
Adequacy decisions where the destination country provides equivalent data protection

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes outlined in this policy, unless a longer retention period is required by law.

Data Type	Retention Period
Account data	Duration of your account plus 2 years after deletion
Grading records & certificates	Indefinitely (population report integrity)
Card images	Duration of your account plus 1 year
Payment records	7 years (HMRC tax requirements)
Communication records	3 years from last interaction
Website analytics data	26 months
Marketing consent records	Duration of consent plus 1 year

8. Your Rights Under UK GDPR

You have the following rights in relation to your personal data:

Right of access: Request a copy of the personal data we hold about you.
Right to rectification: Request correction of inaccurate or incomplete data.
Right to erasure: Request deletion of your data where there is no compelling reason for continued processing. Note: grading records in the population report may be retained for data integrity.
Right to restrict processing: Request that we limit the processing of your data in certain circumstances.
Right to data portability: Receive your data in a structured, commonly used, machine-readable format.
Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
Right to withdraw consent: Withdraw consent at any time where processing is based on consent (e.g., marketing).

To exercise any of these rights, email us at support@rktgrading.com with the subject line “Data Rights Request”. We will respond within one calendar month.

9. Cookies

Our website uses cookies and similar technologies. For full details on the cookies we use, their purpose, and how to manage your preferences, please see our Cookie Policy.

10. Children's Data

11. Security Measures

We implement appropriate technical and organisational measures to protect your personal data, including:

Encryption of data in transit (TLS/HTTPS) and at rest
Secure password hashing (bcrypt)
Two-factor authentication (2FA) available for all accounts
Regular security reviews and vulnerability assessments
Access controls limiting data access to authorised personnel only
PCI DSS compliance via Stripe for payment processing

While we take all reasonable steps to protect your data, no method of electronic transmission or storage is 100% secure. If you believe your account has been compromised, contact us immediately.

12. Changes to This Policy

13. Complaints

Information Commissioner's Office

Website: ico.org.uk

Telephone: 0303 123 1113

14. Contact Us

If you have any questions about this privacy policy, wish to exercise your data rights, or have a concern about how we handle your data, contact us:

RKT Grading Services

Chesterfield, Derbyshire, United Kingdom

Email: support@rktgrading.com