GDPR Compliance

Last updated: 4 April 2026

We are fully committed to GDPR compliance. Grand Prix Boys complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page explains in detail how we comply with each principle of GDPR, what rights you have, and how to exercise them.

1. Our Commitment to Data Protection

Grand Prix Boys recognises that the protection of personal data is a fundamental right. We have implemented comprehensive technical and organisational measures to ensure that all personal data we process is handled lawfully, fairly, and transparently. We are committed to the seven key principles of UK GDPR and have embedded data protection into every aspect of our services from the ground up — a practice known as "Privacy by Design and by Default".

2. The Seven GDPR Principles — How We Comply

Principle 1: Lawfulness, Fairness, and Transparency

We process personal data only when we have a valid legal basis to do so. We are open and honest about what data we collect, why we collect it, and what we do with it. We provide this information through our Privacy Policy, these GDPR pages, and clear notices at the point of data collection. We never collect data secretly or use it for purposes you would not reasonably expect.

Principle 2: Purpose Limitation

We collect personal data only for specified, explicit, and legitimate purposes. We do not use your data for any purpose beyond what is necessary to provide our services. Specifically:

Email addresses are collected for account verification and essential communications — not for marketing
Chat messages are stored to provide conversation history — not for profiling or advertising
Payment references are stored to match transactions — not for financial analysis

Principle 3: Data Minimisation

We collect only the minimum amount of personal data necessary. For example:

We require only a username, email, and password for registration — we do not ask for your date of birth, gender, address, or phone number
Phone numbers for photo submissions are entirely optional
We do not use third-party analytics or tracking that would collect additional data

Principle 4: Accuracy

We take reasonable steps to ensure personal data is accurate and up to date. You can update your account information at any time. If you believe any data we hold about you is inaccurate, please contact us and we will correct it promptly.

Principle 5: Storage Limitation

We do not keep personal data for longer than is necessary. Our data retention schedule is as follows:

Data Type	Retention Period	Reason
Account data	Until account deletion requested	Required to provide the service
Chat messages	Lifetime of account	Conversation history feature
Model conversations	Lifetime of account	Conversation continuity
Payment records	7 years	UK tax/accounting requirements
Server access logs	90 days	Security and abuse prevention
Email verification tokens	Deleted after verification	No longer needed
Photo submissions	Until removal requested	Gallery display

Principle 6: Integrity and Confidentiality (Security)

We implement robust technical and organisational security measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. Our security measures include:

Technical measures:

TLS/SSL encryption — all data in transit between your browser and our servers is encrypted using modern TLS protocols
Password hashing — all passwords are irreversibly encrypted using bcrypt with 12 rounds of computational salting
Firewall protection — enterprise-grade firewalls with strict inbound and outbound rules
Non-standard SSH ports — administrative access uses non-standard ports to reduce automated attacks
Key-based authentication only — no password-based SSH access is permitted to our servers
Two-factor authentication (2FA) — all administrative panels are protected by TOTP-based two-factor authentication
fail2ban intrusion prevention — automated detection and blocking of brute-force and suspicious access attempts
Daily malware scanning — automated ClamAV antivirus scans run daily on all servers
Rootkit detection — rkhunter scans detect and alert on any system-level compromises
Security auditing — Lynis security audits assess server hardening levels
Country-level blocking — traffic from high-risk countries is blocked at the firewall level
Regular backups — encrypted backups are taken regularly and stored securely
Root access disabled — direct root login is disabled on all servers

Organisational measures:

Access to personal data is restricted to authorised personnel only
All administrators use unique credentials with two-factor authentication
We maintain records of all processing activities as required by Article 30 of UK GDPR
We conduct regular reviews of our security measures and update them as necessary

Principle 7: Accountability

We take responsibility for complying with UK GDPR and can demonstrate our compliance. We maintain:

This comprehensive GDPR compliance page
A detailed Privacy Policy
Clear Terms of Service
Records of processing activities
Technical documentation of our security measures
Procedures for handling data subject requests

3. Lawful Bases for Processing

We rely on the following lawful bases under Article 6 of UK GDPR:

Processing Activity	Lawful Basis	Details
Account creation	Contract (Art. 6(1)(b))	Necessary to provide the service you signed up for
Email verification	Contract (Art. 6(1)(b))	Necessary to verify your identity and activate your account
Chat services	Contract (Art. 6(1)(b))	Necessary to provide the chat service you are using
Payment processing	Contract (Art. 6(1)(b))	Necessary to process your purchase and deliver credits
Photo submissions	Consent (Art. 6(1)(a))	You actively choose to submit your photo and data
Server security logs	Legitimate Interest (Art. 6(1)(f))	Protecting our systems and users from attacks and abuse
Content moderation	Legitimate Interest (Art. 6(1)(f))	Ensuring community safety and enforcing rules
Tax records	Legal Obligation (Art. 6(1)(c))	Required by HMRC for 7 years

4. Your Rights Under UK GDPR

UK GDPR grants you powerful rights over your personal data. We fully respect and facilitate all of these rights:

Right of Access (Article 15)

You have the right to request a complete copy of all personal data we hold about you. This is known as a "Subject Access Request" (SAR). We will provide your data in a commonly used, machine-readable format within 30 days of receiving your request. There is no fee for this request unless it is manifestly unfounded or excessive.

Right to Rectification (Article 16)

If any personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected. Simply contact us with details of what needs to be changed and we will update it promptly.

Right to Erasure / Right to be Forgotten (Article 17)

You have the right to request that we delete all personal data we hold about you. Upon receiving such a request, we will:

Delete your account and all associated data
Delete your chat messages and conversation history
Delete your photo submissions (if requested)
Remove your data from all active databases
Remove your data from backups within 90 days

Please note that we may need to retain certain data where required by law (e.g., payment records for tax purposes) or where we have a compelling legitimate interest that overrides your rights.

Right to Restrict Processing (Article 18)

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to our processing.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format (such as JSON or CSV). You also have the right to request that we transmit this data directly to another service provider where technically feasible.

Right to Object (Article 21)

You have the right to object to processing based on legitimate interests. If you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Right to Withdraw Consent (Article 7)

Where we process your data based on consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

Right Not to be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you. Our AI chat models provide entertainment responses only and do not make any decisions that affect your rights or legal standing.

5. How to Exercise Your Rights

To exercise any of your rights under UK GDPR, please contact us using one of the following methods:

Email: privacy@grandprixboys.com — please include "GDPR Request" in the subject line

When submitting a request, please provide:

Your full name and the email address associated with your account
A clear description of what right you wish to exercise
Any information that will help us identify the specific data concerned

We may need to verify your identity before processing your request to ensure we do not disclose personal data to unauthorised persons. We will respond to all valid requests within 30 days. If your request is complex, we may extend this by a further 60 days, but we will inform you of any extension within the initial 30-day period.

6. International Data Transfers

Our primary servers and databases are located within Europe. However, certain third-party service providers we use may process data outside the UK and European Economic Area (EEA):

Service Provider	Data Processed	Location	Safeguards
PayPal	Payment transactions	US/EU	EU-US Data Privacy Framework, SCCs
Anthropic (Claude AI)	Chat message text only	US	Standard Contractual Clauses
ElevenLabs	Model response text for TTS	US/EU	Standard Contractual Clauses

In all cases where personal data is transferred outside the UK/EEA, we ensure that appropriate safeguards are in place to protect your data to the standard required by UK GDPR, including Standard Contractual Clauses (SCCs) approved by the Information Commissioner's Office.

7. Data Breach Procedures

In the event of a personal data breach, we will:

Assess the nature, scope, and severity of the breach immediately upon discovery
Notify the Information Commissioner's Office (ICO) within 72 hours if the breach is likely to result in a risk to individuals' rights and freedoms, as required by Article 33 of UK GDPR
Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34 of UK GDPR
Document the breach, its effects, and the remedial actions taken in our breach register
Take immediate technical measures to contain and mitigate the breach
Conduct a post-incident review to prevent recurrence

8. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for any processing activities that are likely to result in high risk to individuals' rights and freedoms. This includes the processing of chat conversations through AI systems and the handling of user photographs.

9. Children's Data

Our services are strictly for users aged 18 and over. We do not knowingly collect or process personal data from children under the age of 18. If we become aware that we have collected personal data from a child under 18, we will take immediate steps to delete that data. If you believe a child under 18 has provided personal data to us, please contact us immediately at privacy@grandprixboys.com.

10. Cookies and Tracking

In compliance with the Privacy and Electronic Communications Regulations (PECR) and UK GDPR:

We display a clear cookie consent notice on first visit
We use only strictly necessary cookies (authentication tokens and consent preference)
We do not use advertising or tracking cookies
We do not use Google Analytics or similar third-party analytics platforms
Third-party cookies from PayPal are loaded only when you initiate a payment

11. Supervisory Authority

If you are not satisfied with how we handle your personal data or your data protection request, you have the right to lodge a complaint with the UK's supervisory authority:

Information Commissioner's Office (ICO)
Website: ico.org.uk
Telephone: 0303 123 1113
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would, however, appreciate the opportunity to address your concerns before you contact the ICO, so please contact us first at privacy@grandprixboys.com.

12. Updates to This Policy

We review and update this GDPR compliance page regularly to ensure it remains accurate and comprehensive. The "Last updated" date at the top of this page indicates when this document was last revised. Material changes will be clearly communicated.

13. Contact Our Data Protection Team

For any questions about GDPR, data protection, or to exercise your rights:

Email: privacy@grandprixboys.com
Subject line: "GDPR Request" or "Data Protection Enquiry"
Website: grandprixboys.com