Caledonia TX Ltd, trading as ROCK.SCOT, is committed to protecting your privacy. This policy explains what personal data we collect, why we collect it, how we use it, and your rights under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
This policy applies to all users of our website at rockdotscot.com (and rock.scot), our DAB+ radio service, our merch store, our mailing list, and our advertising services.
| Data | Purpose | Lawful Basis |
|---|---|---|
| Name, email address | Order confirmation, delivery updates | Contract |
| Shipping address | Fulfilment via Gelato | Contract |
| Order details (items, size, colour) | Fulfilment, returns | Contract |
| Payment data | Payment processing (via Stripe — we never see card numbers) | Contract |
| Order history | HMRC accounting requirements | Legal obligation |
Right to cancel: Our merch products are custom print-on-demand items manufactured to your specific order. Under the Consumer Contracts Regulations 2013, the 14-day right to cancel does not apply to goods made to a consumer's specification. We will replace or refund faulty or damaged items — see our returns process at studio@rock.scot.
| Data | Purpose | Lawful Basis |
|---|---|---|
| Email address | Sending newsletters, station news, merch updates | Consent (double opt-in) |
| Subscription date and confirmation token | Proof of consent | Legal obligation (PECR) |
You can unsubscribe at any time using the link in every email or by emailing studio@rock.scot. We will process unsubscribe requests within 5 working days.
| Data | Purpose | Lawful Basis |
|---|---|---|
| Name, email, phone, company | Campaign management, invoicing | Contract |
| Campaign and billing records | Accounting, HMRC | Legal obligation |
| Data | Purpose | Lawful Basis |
|---|---|---|
| Name (optional, self-provided) | Personalising on-air response | Consent |
| Message text | Delivering to on-air presenter | Consent |
| Hashed IP address | Rate limiting, abuse prevention | Legitimate interests |
| Plain IP address (flagged messages only) | Safety — evidence of threats or abuse | Legitimate interests / Legal obligation |
| Timestamp | Message routing to correct DJ | Legitimate interests |
Messages are automatically moderated for threatening or abusive content. Flagged messages may be retained and disclosed to police if they contain credible threats. Non-flagged messages are anonymised after 90 days.
| Data | Purpose | Lawful Basis |
|---|---|---|
| Essential cookies (session, consent record) | Site operation, remembering your cookie choice | Legitimate interests |
| Analytics cookies (if consented) | Understanding how the site is used | Consent |
| General location (country/region from IP) | Aggregate audience analytics | Legitimate interests |
You can manage your cookie preferences at any time via our Cookie Policy page.
| Data Type | Retention Period | Reason |
|---|---|---|
| Order records (name, address, items, payment ref) | 7 years from order date | HMRC statutory requirement |
| Mailing list subscriptions | Until unsubscribed, or 2 years of inactivity | PECR / consent basis |
| Advertising client records | 7 years from last invoice | HMRC statutory requirement |
| Listener messages (non-flagged) | 90 days then anonymised | Operational necessity |
| Listener messages (flagged / threatening) | Up to 7 years | Legal obligation / safety |
| Website analytics | 13 months then deleted | ICO guidance on PECR |
| Session tracking (sessionStorage) | Current session only, cleared on browser close | Legitimate interests |
| Visitor fingerprinting (localStorage) | 12 months | Legitimate interests — to track returning visitors and improve analytics |
| Device type detection | 13 months with other analytics | Legitimate interests |
| Stream connection logs | 90 days | Ofcom technical records requirement |
| General correspondence | 3 years from last contact | Legitimate interests |
We do not sell your data. We share it only with the following data processors who act under our instructions and are bound by data processing agreements (DPAs) compliant with UK GDPR:
| Processor | Purpose | Location | DPA |
|---|---|---|---|
| Supabase Inc. | Database hosting — stores orders, subscribers, messages, DJs, anonymous website analytics | EU (Frankfurt) | Yes — supabase.com/privacy |
| Stripe Inc. | Payment processing — handles all card transactions | EU / US (SCCs) | Yes — PCI DSS compliant. We never see card numbers. |
| Gelato AS | Print-on-demand fulfilment — receives name and shipping address for merch orders | EU (Norway) | Yes — gelato.com/privacy |
| SMTP2GO | Transactional email — order confirmations | EU / AU (SCCs) | Yes — smtp2go.com/privacy |
| Resend Inc. | Mailing list confirmation emails | US (SCCs) | Yes — resend.com/privacy |
| Supabase Inc. (Analytics) | Anonymous website visit data (page, device type, visitor ID) — no personal data stored | US (SCCs) | Yes — supabase.com/privacy |
| Amazon EU S.à.r.l. | Affiliate programme (Amazon Associates) — we earn commission on qualifying purchases via links on our site | Luxembourg/US (SCCs) | Yes — Amazon Privacy Notice |
| Pusher Ltd. | Real-time message delivery to DJ lounge | EU (Ireland) | Yes — pusher.com/legal |
| Broadcast.Radio | Audio stream delivery | UK | Yes |
| IONOS SE | Domain registration | EU (Germany) | Yes — ionos.co.uk/privacy |
We may also disclose your data where required by law to: Ofcom, Police Scotland or other law enforcement, HMRC, courts or tribunals. We will only do so in response to valid legal requests.
Some processors operate outside the UK/EEA, including Stripe (US), Resend (US), Supabase (US), and Amazon (Luxembourg/US). All such transfers are protected by Standard Contractual Clauses (SCCs) approved by the UK ICO, ensuring your data receives equivalent protection to that provided under UK GDPR.
ROCK.SCOT participates in the Amazon EU Associates Programme, an affiliate advertising programme that allows sites to earn advertising fees by linking to Amazon.co.uk. When you click an Amazon link on our site and make a purchase, we may receive a small commission at no extra cost to you.
Affiliate links are clearly identified on our site. We only link to products we believe are relevant to our audience. The commission we earn helps support the running of ROCK.SCOT as an independent Scottish rock radio station.
Amazon may set cookies when you click our affiliate links. See Amazon's Privacy Notice for details.
You have the following rights regarding your personal data:
To exercise any right, email studio@rock.scot. We will respond within 30 days. No fee is charged for reasonable requests.
We protect your data through: HTTPS encryption on all web traffic • encrypted database storage with row-level security • access controls and authentication • API key management (keys stored in secured server files, not in code) • rate limiting on all public-facing forms • content moderation on user-submitted messages.
In the event of a data breach affecting your rights, we will notify the ICO within 72 hours and affected individuals without undue delay, as required by UK GDPR Article 33-34.
Our services are not directed at children under 16. We do not knowingly collect data from children. If you believe we have collected data from a child under 16, contact us immediately at studio@rock.scot and we will delete it.
As an Ofcom-licensed DAB+ broadcaster, ROCK.SCOT complies with: the Communications Act 2003 • the Ofcom Broadcasting Code • PRS for Music (performance rights licence) • PPL (Phonographic Performance Limited — recording rights licence) • Ofcom logging and record-keeping requirements.
We may update this policy as our services evolve or when required by law. The "Last updated" date at the top will always reflect the current version. For significant changes we will notify mailing list subscribers by email.
If you are unhappy with how we handle your data, please contact us first at studio@rock.scot. If you remain unsatisfied, you have the right to complain to the Information Commissioner's Office (ICO):
Website: ico.org.uk • Phone: 0303 123 1113 • Post: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF