Privacy Policy
Last updated: May 6, 2026 · Effective: May 6, 2026
This Privacy Policy explains how CoinsOnCards (“CoinsOnCards”, “we”, “us”, “our”) collects, uses, shares, and protects personal data when you visit www.coinsoncards.com (the “Site”). It applies to all visitors regardless of location and is written to satisfy the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA).
Reading the Site and changing your cookie choices do not require an account. Where we say “you”, we mean any natural person whose data we may process.
1. Who controls your data
The data controller is FRSR — Fraser Brown, registered at 1D Bar Hall Road, Portaferry, Down, BT22 1RQ, United Kingdom. You can contact us about anything in this policy at coinsoncards@frsr.com.
We are not currently required to appoint a Data Protection Officer under Article 37 GDPR. The privacy email above reaches the person responsible.
2. What we collect
We collect the minimum data needed to operate the Site. Specifically:
- Technical data — IP address (truncated for analytics), user agent, referrer, requested URL, timestamp. Collected automatically when your browser requests a page.
- Cookie consent state — the choices you make in the consent banner are stored locally in your browser so we can honour them on subsequent visits.
- Theme preference — light or dark mode, stored locally.
- Analytics events — aggregate page views and navigation events. Where Google Analytics 4 is enabled, this is gated on your analytics consent. Ahrefs Web Analytics is cookie-less and runs without consent.
- Advertising data — when you grant advertising consent, our advertising partners (see Section 5) may set cookies and access device identifiers to serve and measure ads.
- Email address — only if you voluntarily submit it (newsletter, corrections). Stored to send the requested communication.
We do not knowingly collect special-category data (health, race, sexual orientation, religious beliefs, etc.) and ask that you do not send it to us.
3. How we use it (purposes & lawful bases)
| Purpose | Data | GDPR / UK GDPR basis |
|---|---|---|
| Operate the Site, prevent abuse | Technical data, request logs | Legitimate interest (Art. 6(1)(f)) — running a working, secure site |
| Aggregate audience analytics | Truncated IP, page views | Consent (Art. 6(1)(a)) for GA4 / cookie-based analytics; legitimate interest for cookie-less Ahrefs |
| Personalised & non-personalised advertising | Cookies, ad identifiers | Consent (Art. 6(1)(a)) |
| Newsletter / corrections email | Email address, message body | Consent (Art. 6(1)(a)) or contract / pre-contract (Art. 6(1)(b)) |
| Comply with legal obligations | Whatever is required | Legal obligation (Art. 6(1)(c)) |
4. Cookies & similar technologies
A cookie is a small text file your browser stores when you visit a site. We also use comparable technologies such as localStorage and the browser’s Storage Access API. The table below lists every category we set, including those set by third parties when you grant consent.
| Category | Examples | Party | Purpose | Retention |
|---|---|---|---|---|
| Strictly necessary | cookie_consent_v2, coc.theme | First-party | Remember your consent and theme choices | Up to 12 months |
| Analytics | _ga, _ga_* (when GA4 enabled) | Third-party (Google Ireland Ltd. / Google LLC) | Aggregate visitor counts, traffic sources | Up to 24 months |
| Advertising | __gads, __gpi, IDE, NID | Third-party (Google AdSense / Google Marketing Platform) | Serve ads, frequency capping, measurement, fraud prevention | Up to 24 months |
| Consent management | Google Funding Choices (CMP) state | Third-party (Google) | Persist your TCF v2.2 consent signal across visits | Up to 13 months |
You can review, change, or withdraw consent at any time via the consent management link in the page footer. If your browser blocks cookies entirely, the Site still works but advertising and analytics features will be unavailable.
5. Advertising — Google AdSense and partners
We use Google AdSense (provided by Google Ireland Limited for users in the EEA, the UK, and Switzerland; Google LLC elsewhere) to display advertisements on the Site. Google AdSense and its partners may set cookies and access device identifiers to:
- Show personalised or non-personalised ads;
- Measure ad performance and limit how many times you see the same ad;
- Detect invalid traffic and fraud;
- Develop and improve ad products.
Personalised ads only run when you grant advertising consent through our consent banner. If you do not consent, or if you withdraw consent, you will still see ads but they will not be personalised.
For full detail on how Google processes data when you use partners’ sites, see How Google uses information from sites or apps that use our services and Google’s Privacy Policy. You can manage personalised advertising at any time at Google Ads Settings and via industry opt-outs at Your Online Choices (EU) and DAA WebChoices (US).
Where we work with additional advertising vendors in future, we will list them in this section before activating them.
6. Other third-party services
- Cloudflare, Inc. — content delivery, DNS, DDoS protection. Processes request metadata as a sub-processor.
- Supabase, Inc. — backend database and auth storage. Card data and admin sessions only; no visitor PII is stored here.
- Ahrefs Singapore Pte. Ltd. — cookie-less Web Analytics (no consent required, no cross-site profiling).
- Google Ireland Ltd. / Google LLC — AdSense, Funding Choices CMP, optionally Google Analytics 4, optionally Google Fonts.
Each provider acts as a processor or independent controller under its own published terms. Links to their privacy policies are available on request.
7. International data transfers
Our advertising and analytics partners are located in the United States and other jurisdictions outside the EEA and the UK. When data is transferred internationally we rely on the safeguards in Article 46 GDPR — primarily the European Commission’s Standard Contractual Clauses (2021/914), and where applicable Google’s certification under the EU–US Data Privacy Framework. Copies of the relevant SCCs are available on request.
8. Retention
- Server access logs: 30 days.
- Aggregated analytics: 14 months by default in GA4.
- Consent and theme preferences: until you clear them.
- Newsletter address: until you unsubscribe (one-click link in every email).
9. Your rights — EEA & UK
If you are in the EEA, the UK, or Switzerland you have the right to:
- Access — confirm what data we hold about you;
- Rectification — correct inaccurate data;
- Erasure — delete data we no longer need to retain;
- Restriction — pause processing while a complaint is investigated;
- Portability — receive your data in a machine-readable format;
- Object — to processing we base on legitimate interest, including direct marketing;
- Withdraw consent — for any processing we base on consent, with no effect on lawful processing before withdrawal;
- Lodge a complaint with your supervisory authority (in the UK, the ICO at ico.org.uk).
We respond to verifiable rights requests within one month. Email coinsoncards@frsr.com with the request and enough information for us to identify the data.
10. Your rights — California (CCPA / CPRA)
California residents have the right to know what personal information we collect, request deletion, request correction, opt out of the sale or sharing of personal information, and limit the use of sensitive personal information. We do not sell personal information for monetary consideration. Sharing for cross-context behavioural advertising via Google AdSense may constitute “sharing” under the CPRA when you have granted ad consent.
To exercise your right to opt out of sharing, use the Do Not Sell or Share My Personal Information link in the footer (consent banner re-prompt) or send a Global Privacy Control signal — we honour it. You may also email coinsoncards@frsr.com.
We will not discriminate against you for exercising any of these rights.
11. Children
The Site is intended for adults (18+) considering crypto-linked financial products. We do not knowingly collect data from anyone under 18 (or under 16 in the EEA / under 13 in the US). If you believe a child has provided data, contact us and we will delete it.
12. Security
All traffic uses TLS 1.2+. Backend data is encrypted at rest by our hosting providers. Access to admin dashboards is restricted to named accounts with multi-factor authentication. No system is ever perfectly secure; we will notify affected users and the relevant authority within 72 hours of confirming a personal-data breach as required by Article 33 GDPR.
13. Changes to this policy
We may update this policy from time to time. Material changes will be highlighted at the top of the page with a new effective date. Continued use of the Site after a change constitutes acceptance of the updated policy.
14. Contact
Questions, requests, or complaints: coinsoncards@frsr.com. Postal mail: FRSR — Fraser Brown, 1D Bar Hall Road, Portaferry, Down, BT22 1RQ, United Kingdom.