Privacy Policy
Last updated: April 2026
Paddock Pass Kids ("we", "our", or "us") is committed to protecting your privacy. This policy explains what data we collect, why we collect it, how we use and share it, and what rights you have — wherever in the world you are.
1. Who We Are
Paddock Pass Kids is operated by 1436 Enterprises, LLC, a small family business based in New York. 1436 Enterprises, LLC is the data controller for personal data processed through this site. You can contact us at hello@paddockpasskids.com for any privacy matter. As a small family business, we do not have a formal Data Protection Officer; privacy requests are handled by the founders.
2. What Data We Collect
Email address — when you make a purchase or sign up for our newsletter, we collect your email address. Purchase emails are used to deliver your packet download link and send order confirmations. Newsletter emails are used to send occasional race-week updates you can unsubscribe from at any time.
Name — optionally collected during checkout and feedback submissions.
Payment data — processed entirely by Stripe. We never see or store your card number, expiry, or CVV. Stripe may store billing information as described in their privacy policy.
Usage data — our hosting provider (Vercel) automatically logs request metadata (IP address, user agent, referring URL) for security and performance purposes. This data is not used for advertising or cross-site tracking.
Cookies — essential (always on). These are required for the site to function. They are not used for tracking and you cannot opt out of them, because turning them off would break the features they support.
- ppk_consent — records your cookie-banner choice (Accept all / Reject all). Set the moment you click a banner button. Expires after 365 days. Without this we would show you the banner on every visit.
- ppk_email — set when you sign up for the newsletter. Lets us recognise you on a return visit so we don't prompt you to sign up again. Expires after 365 days. Cleared if you unsubscribe.
Cookies — analytics (opt-in only, off by default). None of the cookies below load until you click Accept all on the cookie banner. Click Reject all and they never load — no scripts are fetched, no data leaves your browser. You can change your choice at any time at paddockpasskids.com/cookie-settings.
- Vercel Analytics — first-party page-view and visit counters from our hosting provider. No third-party tracking, no cross-site identifier. IP addresses are anonymised server-side by Vercel before the metric is stored. Retention: aggregate data only; Vercel does not retain individual visit records beyond what is needed for the dashboard view. See Vercel Privacy Policy.
- Google Analytics 4 (_ga, _ga_*) — page views, traffic sources, conversion events. Configured in measurement-only mode: allow_ad_personalization_signals: false and allow_google_signals: false. We do NOT use GA4 for advertising or audience targeting. _ga cookie expires after 2 years; _ga_* after 2 years. Default GA4 user-data retention period: 14 months, after which user-level data is automatically deleted by Google.
- Microsoft Clarity (_clck, _clsk) — heatmaps and session replay. Helps us spot UI bugs (e.g. dead clicks, rage clicks). Clarity automatically masks form fields, password inputs, and patterns matching credit-card numbers. _clck expires after 1 year; _clsk after 1 day. Session recordings are retained for 30 days by Microsoft and then deleted automatically.
When you click the Buy button, you are redirected to Stripe's hosted checkout at checkout.stripe.com. Stripe sets its own cookies on its own domain for fraud prevention and session handling; those are governed by Stripe's privacy policy, not this one.
3. Sensitive Data We Do Not Collect
We never collect or process:
- Social Security numbers or government ID numbers
- Bank account numbers or full payment card numbers (Stripe handles all of this)
- Health or medical information
- Information about your religious, political, or sexual identity
- Information about children under 13 — see Section 19
If you send any of this information to us voluntarily (for example, in a free-text feedback message), please don't — we don't need it and will delete it.
4. Legal Basis for Processing (EU / UK)
If the General Data Protection Regulation (GDPR, EU) or UK GDPR applies to you, we process your personal data under these legal bases:
- Performance of a contract — to deliver your purchase, send your download link, process refunds, and provide customer support.
- Consent — to send marketing emails and to set non-essential analytics cookies. You can withdraw consent at any time (see Section 9).
- Legitimate interests — to prevent fraud, secure our site, measure aggregate performance, and respond to contact form submissions. We have balanced these interests against your rights and consider the processing proportionate.
- Legal obligation — to keep transaction records for tax and accounting purposes.
5. How We Use Your Data
- To deliver your PDF download
- To send order confirmations and download links
- To send newsletter emails if you've subscribed (unsubscribe any time)
- To respond to feedback and support requests
- To process refunds
- To improve the site and products
- To prevent fraud and abuse
- To comply with legal and tax obligations
6. Email Marketing
If you sign up for our newsletter or make a purchase, we may send you occasional race-week updates about new packets and behind-the-scenes notes from our family. Every email includes an unsubscribe link. We do not sell your email address, and we will never share it with other companies for their marketing.
Emails are sent via Resend. Your email address is stored in Resend's contact list for this purpose.
7. How We Share Your Data
We share personal data only with the processors we need to run the business. We do not sell personal data, and we do not share it for cross-context behavioural advertising.
- Stripe (United States) — payment processing. We share your email, name, and purchase amount. Stripe processes your card details directly and returns only a transaction token to us. Stripe Privacy Policy
- Resend (United States) — transactional and newsletter email delivery. We share your email address and, if provided, your first name. Resend Privacy Policy
- Vercel (United States) — site hosting, database (Vercel Postgres / Neon), file storage (Vercel Blob), and first-party analytics (Vercel Web Analytics). Vercel logs request metadata (IP address, user agent) for security and performance. Vercel Web Analytics is consent-gated and only loads after you click Accept all on the cookie banner. Vercel Privacy Policy
- Google (United States) — Google Analytics 4 for aggregate site analytics (page views, traffic sources, conversion events). Configured in measurement-only mode with ad-personalization signals OFF. Consent-gated: GA4 scripts do not load and no cookies are set unless you click Accept all. Google Privacy Policy
- Microsoft (United States) — Microsoft Clarity for heatmaps and session replay. Helps us spot UI bugs. Clarity automatically masks form fields, password inputs, and patterns matching credit-card numbers. Consent-gated: the Clarity script does not load unless you click Accept all. Microsoft Privacy Statement
We may also disclose personal data if required to do so by law, court order, or valid legal process; to enforce our Terms of Service; to prevent fraud or protect rights, property, and safety; or in connection with a merger, acquisition, or sale of business assets (in which case we will notify affected users in advance).
8. International Data Transfers
Our business is based in the United States, and most of our processors (Stripe, Resend, Vercel, Neon, Google, Microsoft) are also US-based. If you are located in the European Economic Area, United Kingdom, or another jurisdiction with data protection laws that restrict international transfers, your data will be transferred to and processed in the United States.
For transfers from the EEA and UK to the United States we rely on one or more of the following legal mechanisms:
- The EU-U.S. Data Privacy Framework and the UK Extension (Stripe, Vercel, Google, and Microsoft are certified participants);
- Standard Contractual Clauses (SCCs) approved by the European Commission, where a processor is not DPF-certified;
- Your explicit consent, where appropriate.
You can request a copy of the transfer safeguards we rely on by emailing hello@paddockpasskids.com.
9. Your Choices — How to Exercise Control
You can exercise the following controls at any time:
- Unsubscribe from newsletter emails — click the unsubscribe link at the bottom of any marketing email. We will remove you within a few minutes.
- Analytics opt-out — analytics scripts (GA4, Microsoft Clarity, Vercel Web Analytics) are gated behind your cookie-banner choice. They never load until you click Accept all, and they stop firing new events if you change your mind at paddockpasskids.com/cookie-settings and pick Reject all. To completely remove previously-set analytics cookies, clear your browser's cookies for paddockpasskids.com.
- Access, correct, or delete your data — email us and we will respond within 30 days.
- Object to processing based on legitimate interests — email us explaining the grounds for your objection.
- Request data portability — we will provide your data in a machine-readable format within 30 days.
10. California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) gives you the following rights regarding your personal information:
- Right to know what personal information we collect, use, disclose, and share.
- Right to delete personal information we have collected from you.
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of personal information. We do not sell personal information and we do not share it for cross-context behavioural advertising — so there is nothing to opt out of, but you are formally notified of the right.
- Right to limit use of sensitive personal information. We do not collect sensitive personal information as defined by the CPRA.
- Right to non-discrimination — we will not deny you products, charge you more, or provide a lower level of service because you exercised any of these rights.
To exercise any of these rights, email hello@paddockpasskids.com. We may verify your identity before responding (for example, by asking you to confirm the email address associated with your purchase). You may also authorise an agent to make a request on your behalf.
11. EU and UK Rights (GDPR / UK GDPR)
If the EU General Data Protection Regulation or the UK GDPR applies to you, you also have the following rights:
- Access — request a copy of the data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — ask us to delete your data
- Restriction — ask us to limit how we use your data
- Portability — receive your data in a machine-readable format
- Objection — object to how we use your data
- Withdraw consent — where processing is based on your consent
To exercise any of these rights, email hello@paddockpasskids.com. We will respond within 30 days.
12. Other US State Privacy Laws
Residents of Virginia, Colorado, Connecticut, Utah, Texas, and other states with comprehensive privacy laws may have rights similar to the California rights in Section 10 — typically including the right to know, access, delete, and opt out of targeted advertising. We treat all US residents equivalently and will honour these requests. Email hello@paddockpasskids.com to exercise your rights.
13. Data Retention
Newsletter subscribers. We keep your email address for as long as you are subscribed. If you unsubscribe, we mark your record as unsubscribed and stop all marketing immediately. We retain the unsubscribed row indefinitely so we can permanently honor your opt-out if the same email is ever re-submitted. To request full deletion of the record (right to erasure under GDPR Article 17 / right to delete under CCPA § 1798.105), email hello@paddockpasskids.com.
Purchase records. Order history and invoices are kept for a minimum of 7 years to comply with US and international tax requirements (IRS retention guidance + EU VAT recordkeeping rules). Erasure requests for these records are honored only after the legal retention window has passed.
Download link records. Each token expires 7 days after issue and is capped at 3 downloads. The underlying database row is retained after expiry for support reference (so we can verify a purchase if a buyer contacts us months later). Deleted on request.
Analytics. Three tools, all consent-gated and off by default:
- Vercel Web Analytics — aggregate page-view and visit counts only; Vercel does not retain individual visit records beyond what the dashboard view requires.
- Google Analytics 4 — user-level event data auto-deleted after 14 months (GA4 default); aggregate reports persist longer in the GA4 dashboard.
- Microsoft Clarity — session recordings retained for 30 days, then automatically deleted by Microsoft. Heatmap aggregate data persists in the Clarity dashboard.
14. Data Breach Notification
If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours where required by law. If the breach is likely to result in a high risk to you personally, we will also notify you directly without undue delay.
15. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects on you. Our analytics is aggregate and anonymous and does not make decisions about individuals.
16. Do Not Track and Global Privacy Control
We honour the Global Privacy Control (navigator.globalPrivacyControl) and the legacy Do Not Track (DNT) browser signal as an automatic opt-out. On your first visit, if either signal is present, we set your cookie preference to Essential only without showing the cookie banner — no analytics scripts load, no analytics cookies are set. You can still upgrade to Accept all manually at paddockpasskids.com/cookie-settings if you change your mind. Essential first-party cookies required for the cookie-preference itself, checkout, and the newsletter signup are unaffected — these don't track you, they remember things you asked us to remember.
17. Security
We take reasonable steps to protect your data. All data is transmitted over HTTPS. Payment data is handled entirely by Stripe and never passes through our servers. Access to our admin tools is restricted to founders and protected by strong authentication.
18. Your Rights Do Not Stand Alone
Depending on where you live, you may have additional rights under local consumer protection and privacy laws — including under Canada's PIPEDA, Brazil's LGPD, Australia's Privacy Act, and other regional frameworks. We aim to honour reasonable requests from residents of any jurisdiction. Email us and tell us which framework you are exercising rights under.
19. Children's Privacy (COPPA)
Our products are designed for children to enjoy, but this website is addressed to parents and guardians. We do not knowingly collect personal data from children under 13. If you believe a child has provided us personal data, please contact us and we will delete it promptly.
20. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated by email to subscribers or by a notice on this page, and the "Last updated" date at the top will reflect the change.
21. How to Complain to a Regulator
You always have the right to complain to a data protection authority if you feel we have mishandled your personal information. Suggested contacts:
- United Kingdom — Information Commissioner's Office (ICO)
- European Union — your national data protection authority, or the European Data Protection Board for cross-border matters.
- California — California Privacy Protection Agency (CPPA) or the Office of the California Attorney General.
- United States (federal) — the Federal Trade Commission (FTC) for unfair or deceptive privacy practices.
- Canada — Office of the Privacy Commissioner of Canada.
- Brazil — Autoridade Nacional de Proteção de Dados (ANPD).
- Australia — Office of the Australian Information Commissioner (OAIC).
We hope you will contact us first — we read every email and will do our best to resolve any concern directly: hello@paddockpasskids.com.
22. Contact
Privacy questions or data requests: hello@paddockpasskids.com
Postal address for legal correspondence:
1436 Enterprises, LLC
418 Broadway STE N
Albany, NY 12207
United States