Privacy Policy

Last updated: April 2026

Paddock Pass Kids ("we", "our", or "us") is committed to protecting your privacy. This policy explains what data we collect, why we collect it, how we use and share it, and what rights you have — wherever in the world you are.

1. Who We Are

Paddock Pass Kids is operated by 1436 Enterprises, LLC, a small family business based in New York. 1436 Enterprises, LLC is the data controller for personal data processed through this site. You can contact us at hello@paddockpasskids.com for any privacy matter. As a small family business, we do not have a formal Data Protection Officer; privacy requests are handled by the founders.

2. What Data We Collect

Email address — when you make a purchase or sign up for our newsletter, we collect your email address. Purchase emails are used to deliver your packet download link and send order confirmations. Newsletter emails are used to send occasional race-week updates you can unsubscribe from at any time.

Name — optionally collected during checkout and feedback submissions.

Payment data — processed entirely by Stripe. We never see or store your card number, expiry, or CVV. Stripe may store billing information as described in their privacy policy.

Usage data — our hosting provider (Vercel) automatically logs request metadata (IP address, user agent, referring URL) for security and performance purposes. This data is not used for advertising or cross-site tracking.

Cookies — we use a small number of first-party cookies:

  • ppk_email — a first-party cookie we set when you sign up for our newsletter. It records that you subscribed. It expires after 365 days.

When you click the Buy button, you are redirected to Stripe's hosted checkout at checkout.stripe.com. Stripe sets its own cookies on its own domain for fraud prevention and session handling; those are governed by Stripe's privacy policy, not this one.

We are preparing to add Google Analytics 4 and Microsoft Clarity for aggregate, privacy-friendly site analytics. When those go live, this page will be updated to describe the specific cookies they set, their retention, and how visitors in the EEA and UK can consent or decline via a cookie banner. Neither tool is currently installed.

3. Sensitive Data We Do Not Collect

We never collect or process:

  • Social Security numbers or government ID numbers
  • Bank account numbers or full payment card numbers (Stripe handles all of this)
  • Health or medical information
  • Information about your religious, political, or sexual identity
  • Information about children under 13 — see Section 19

If you send any of this information to us voluntarily (for example, in a free-text feedback message), please don't — we don't need it and will delete it.

4. Legal Basis for Processing (EU / UK)

If the General Data Protection Regulation (GDPR, EU) or UK GDPR applies to you, we process your personal data under these legal bases:

  • Performance of a contract — to deliver your purchase, send your download link, process refunds, and provide customer support.
  • Consent — to send marketing emails and to set non-essential analytics cookies. You can withdraw consent at any time (see Section 9).
  • Legitimate interests — to prevent fraud, secure our site, measure aggregate performance, and respond to contact form submissions. We have balanced these interests against your rights and consider the processing proportionate.
  • Legal obligation — to keep transaction records for tax and accounting purposes.

5. How We Use Your Data

  • To deliver your PDF download
  • To send order confirmations and download links
  • To send newsletter emails if you've subscribed (unsubscribe any time)
  • To respond to feedback and support requests
  • To process refunds
  • To improve the site and products
  • To prevent fraud and abuse
  • To comply with legal and tax obligations

6. Email Marketing

If you sign up for our newsletter or make a purchase, we may send you occasional race-week updates about new packets and behind-the-scenes notes from our family. Every email includes an unsubscribe link. We do not sell your email address, and we will never share it with other companies for their marketing.

Emails are sent via Resend. Your email address is stored in Resend's contact list for this purpose.

7. How We Share Your Data

We share personal data only with the processors we need to run the business. We do not sell personal data, and we do not share it for cross-context behavioural advertising.

  • Stripe (United States) — payment processing. We share your email, name, and purchase amount. Stripe processes your card details directly and returns only a transaction token to us. Stripe Privacy Policy
  • Resend (United States) — transactional and newsletter email delivery. We share your email address and, if provided, your first name. Resend Privacy Policy
  • Vercel (United States) — site hosting and performance analytics. Vercel logs request metadata (IP address, user agent) for security and performance. Vercel Privacy Policy

Planned processors (not yet live): we intend to add Google Analytics 4 (United States) and Microsoft Clarity (United States) for aggregate, privacy-friendly site analytics. Neither is installed today. When they are enabled, this policy will be updated to describe the specific data shared, cookies set, retention periods, and the EEA/UK consent flow — and the processors will be listed in the table above with links to their privacy policies.

We may also disclose personal data if required to do so by law, court order, or valid legal process; to enforce our Terms of Service; to prevent fraud or protect rights, property, and safety; or in connection with a merger, acquisition, or sale of business assets (in which case we will notify affected users in advance).

8. International Data Transfers

Our business is based in the United States, and most of our processors (Stripe, Resend, Vercel, Google, Microsoft) are also US-based. If you are located in the European Economic Area, United Kingdom, or another jurisdiction with data protection laws that restrict international transfers, your data will be transferred to and processed in the United States.

For transfers from the EEA and UK to the United States we rely on one or more of the following legal mechanisms:

  • The EU-U.S. Data Privacy Framework and the UK Extension (Stripe, Vercel, Google, and Microsoft are certified participants);
  • Standard Contractual Clauses (SCCs) approved by the European Commission, where a processor is not DPF- certified;
  • Your explicit consent, where appropriate.

You can request a copy of the transfer safeguards we rely on by emailing hello@paddockpasskids.com.

9. Your Choices — How to Exercise Control

You can exercise the following controls at any time:

  • Unsubscribe from newsletter emails — click the unsubscribe link at the bottom of any marketing email. We will remove you within a few minutes.
  • Analytics opt-out — analytics tools are not currently installed. When they are, visitors in the EEA and UK will be able to consent or decline via a cookie banner before any non-essential cookie is set, and we will honour Global Privacy Control (GPC) signals as an opt-out. This policy will be updated before any analytics goes live.
  • Access, correct, or delete your data — email us and we will respond within 30 days.
  • Object to processing based on legitimate interests — email us explaining the grounds for your objection.
  • Request data portability — we will provide your data in a machine-readable format within 30 days.

10. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) gives you the following rights regarding your personal information:

  • Right to know what personal information we collect, use, disclose, and share.
  • Right to delete personal information we have collected from you.
  • Right to correct inaccurate personal information.
  • Right to opt out of the sale or sharing of personal information. We do not sell personal information and we do not share it for cross-context behavioural advertising — so there is nothing to opt out of, but you are formally notified of the right.
  • Right to limit use of sensitive personal information. We do not collect sensitive personal information as defined by the CPRA.
  • Right to non-discrimination — we will not deny you products, charge you more, or provide a lower level of service because you exercised any of these rights.

To exercise any of these rights, email hello@paddockpasskids.com. We may verify your identity before responding (for example, by asking you to confirm the email address associated with your purchase). You may also authorise an agent to make a request on your behalf.

11. EU and UK Rights (GDPR / UK GDPR)

If the EU General Data Protection Regulation or the UK GDPR applies to you, you also have the following rights:

  • Access — request a copy of the data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure — ask us to delete your data
  • Restriction — ask us to limit how we use your data
  • Portability — receive your data in a machine-readable format
  • Objection — object to how we use your data
  • Withdraw consent — where processing is based on your consent

To exercise any of these rights, email hello@paddockpasskids.com. We will respond within 30 days.

12. Other US State Privacy Laws

Residents of Virginia, Colorado, Connecticut, Utah, Texas, and other states with comprehensive privacy laws may have rights similar to the California rights in Section 10 — typically including the right to know, access, delete, and opt out of targeted advertising. We treat all US residents equivalently and will honour these requests. Email hello@paddockpasskids.com to exercise your rights.

13. Data Retention

We keep your email address for as long as you are subscribed to our list. If you unsubscribe, we will delete your newsletter contact record within 30 days (the short delay is to prevent accidental re-adds). Purchase records — including order history and invoices — are kept for a minimum of 7 years to comply with US and international tax requirements.

Analytics tools are not currently installed. When we add them, retention periods will be documented here (for example, GA4 aggregate data is typically retained for 14 months before automatic deletion).

14. Data Breach Notification

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours where required by law. If the breach is likely to result in a high risk to you personally, we will also notify you directly without undue delay.

15. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you. Our analytics is aggregate and anonymous and does not make decisions about individuals.

16. Do Not Track and Global Privacy Control

Analytics tools that would respect these signals are not currently installed. When they are added, we will treat a Global Privacy Control (GPC) signal or a Do Not Track header as a request to opt out of non-essential analytics and any form of data sharing for advertising (which we do not do in any case). Essential first-party cookies required for newsletter signups, checkout, and site security are unaffected by these signals.

17. Security

We take reasonable steps to protect your data. All data is transmitted over HTTPS. Payment data is handled entirely by Stripe and never passes through our servers. Access to our admin tools is restricted to founders and protected by strong authentication.

18. Your Rights Do Not Stand Alone

Depending on where you live, you may have additional rights under local consumer protection and privacy laws — including under Canada's PIPEDA, Brazil's LGPD, Australia's Privacy Act, and other regional frameworks. We aim to honour reasonable requests from residents of any jurisdiction. Email us and tell us which framework you are exercising rights under.

19. Children's Privacy (COPPA)

Our products are designed for children to enjoy, but this website is addressed to parents and guardians. We do not knowingly collect personal data from children under 13. If you believe a child has provided us personal data, please contact us and we will delete it promptly.

20. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated by email to subscribers or by a notice on this page, and the "Last updated" date at the top will reflect the change.

21. How to Complain to a Regulator

You always have the right to complain to a data protection authority if you feel we have mishandled your personal information. Suggested contacts:

  • United Kingdom Information Commissioner's Office (ICO)
  • European Union — your national data protection authority, or the European Data Protection Board for cross-border matters.
  • California California Privacy Protection Agency (CPPA) or the Office of the California Attorney General.
  • United States (federal) — the Federal Trade Commission (FTC) for unfair or deceptive privacy practices.
  • Canada — Office of the Privacy Commissioner of Canada.
  • Brazil — Autoridade Nacional de Proteção de Dados (ANPD).
  • Australia — Office of the Australian Information Commissioner (OAIC).

We hope you will contact us first — we read every email and will do our best to resolve any concern directly: hello@paddockpasskids.com.

22. Contact

Privacy questions or data requests: hello@paddockpasskids.com