🛡️ PRIVACY POLICY

Last Updated: November 20, 2025

This Privacy Policy explains how Blooming Heroes SASU (“the Company”, “Lucky Bastards”, “We”, “Us”, “Our”) collects, uses, stores, and protects personal data when You access or use the Lucky Bastards website (https://luckybastards.co) and all related features, including user accounts, user-generated content (“UGC”), storytelling tools, e-commerce services, affiliate redirections, and podcasts or video content (collectively, the “Service”).

Lucky Bastards acts as the Data Controller for all processing activities described below, in accordance with:

EU GDPR (Regulation EU 2016/679)
UK GDPR (Data Protection Act 2018)
French law (Loi Informatique & Libertés)
Digital Services Act (DSA) for hosting & moderation obligations
CCPA/CPRA for California residents
CalOPPA for website disclosures
Applicable Canadian privacy laws (PIPEDA)

1. WHO WE ARE

Blooming Heroes SASU
9 rue des Colonnes
75002 Paris
France

For privacy inquiries or DSA notices: legal@luckybastards.co

Lucky Bastards is a platform hosting stories, photos, videos, and experiences shared by users. We also operate an e-commerce store (POD/dropshipping) and publish podcasts and editorial content.

2. DEFINITIONS

User: Any natural person or legal entity accessing, visiting, browsing, registering an Account on, interacting with, or otherwise using the Website or any of the Services, whether or not they create an Account, post User-Generated Content, or make purchases.
Personal Data: Any information identifying or reasonably capable of identifying an individual.
Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
User-Generated Content (UGC): Content submitted by Users including stories, posts, comments, audio, video, and images.
Data Controller: Lucky Bastards, who determines the purposes and means of processing.
Processors: External service providers handling data on Our behalf (hosting, payments, analytics, POD suppliers).
Applicable Regulations: GDPR, UK GDPR, CCPA/CPRA, CalOPPA, PIPEDA, DSA.

3. WHAT PERSONAL DATA WE COLLECT

We collect data in the following categories:

A. Data You Provide Voluntarily

Account registration: name, email address, password
Profile details (optional): bio, avatar, social links
UGC: stories, text, images, videos, audio
Contact form submissions
Communications with support

B. Data Collected Automatically

IP address
Device identifiers
Browser type and version
Operating system
Access times and pages viewed
User interactions (scroll, clicks, time spent, content viewed)
Referring URLs
Cookies and similar technologies

C. E-Commerce Data

Order details
Shipping address
Billing address
Payment method (tokenized – We never store card numbers)
Transaction ID
VAT/tax information
Customer service interactions related to orders

D. User-Generated Content Metadata

Upload date/time
Geolocation (if enabled)
Story engagement (views, likes, comments)
Reports and moderation flags

E. Affiliate & Tracking Data

Outbound affiliate clicks
Attribution information
Conversion metadata
UTM parameters

4. LEGAL BASES FOR PROCESSING (GDPR Article 6)

We process personal data based on:

Performance of a contract: account creation, order processing, delivery of UGC features
Legitimate interests: analytics, fraud prevention, platform improvement, security
Consent: cookies, newsletters, optional profile fields, marketing
Legal obligations: tax, accounting, consumer rights
Public interest under DSA: moderation, illegal content handling

5. HOW WE USE PERSONAL DATA

We use data to:

A. Operate and Improve the Platform

Provide account functionality
Publish and display UGC
Ensure service stability and security
Personalize your experience

B. Fulfill E-Commerce Orders

Process transactions
Provide shipping information to POD suppliers (Printful, Printify, Gelato)
Handle returns, disputes, and fraud detection

C. Moderate Content (DSA Compliance)

Detect, review, and act on illegal or harmful content
Respond to Notice & Action submissions
Maintain audit logs of moderation actions

D. Marketing & Communications

Send account notifications
Send newsletters (with consent)
Promote stories or products (with lawful basis)

E. Analytics & Performance Monitoring

Analyze trends
Optimize content and UX
Measure campaign effectiveness

6. SHARING PERSONAL DATA

We share data only when necessary:

A. With Processors

Hosting: (e.g., AWS, OVH, Cloudflare)
Payments: Stripe, PayPal
Email delivery: SendGrid/Mailgun
Analytics: Google Analytics, Meta Pixel
Dropshipping suppliers: Printful, Printify, Gelato

All processors are bound by Data Processing Agreements (DPAs).

B. With Third-Party Controllers (if applicable)

Social networks (if you share content externally)
Affiliate partners (only anonymized or aggregated data)

C. For Legal Reasons

To comply with EU, UK, or US law
To enforce our Terms
To respond to law enforcement (lawful requirement only)

We never sell personal data.

7. INTERNATIONAL TRANSFERS

Data may be transferred outside the EU.
When this occurs, We rely on:

EU Standard Contractual Clauses (SCCs)
UK IDTA Addendum
Appropriate safeguards: encryption, access controls
Data minimization

No transfer is made without such protections.

8. COOKIES & TRACKING TECHNOLOGIES

We use:

Essential cookies
Performance cookies
Analytics cookies
Advertising cookies (if consented)
Social media pixels

You may manage preferences in the cookie banner.

A complete Cookie Policy is available separately.

9. DATA RETENTION PERIODS

We retain data only as long as necessary:

Account data: as long as the account is active
UGC: until deleted by the User
Order records: 6 years (legal obligation)
Cookies: 13 months
Analytics logs: 26 months
Moderation logs (DSA): 6 months to 5 years depending on legal requirements

If you delete your account, We delete or anonymize your data except where retention is required by law.

10. USER RIGHTS

Under GDPR and UK GDPR, Users have:

Right of access
Right to rectification
Right to erasure
Right to data portability
Right to restrict processing
Right to object (including profiling)
Right to withdraw consent
Right to lodge a complaint (CNIL, ICO)

California residents have:

Right to know
Right to deletion
Right to opt out of data sharing
Right to non-discrimination

To exercise rights: legal@luckybastards.co

11. SECURITY

We implement:

Encryption in transit & at rest
Access controls
Audit logging
Network firewalls
Frequent vulnerability testing
Data minimization & pseudonymization
72-hour data breach notification (GDPR)

12. UGC, PUBLICATION & STORY DATA

Because Lucky Bastards is a storytelling platform:

UGC may be visible publicly
Metadata (date, location, engagement metrics) may also be displayed
Users are responsible for ensuring their UGC does not violate privacy or rights of third parties
Moderation actions are logged (DSA requirement)

13. DSA — NOTICE & ACTION OBLIGATIONS

As a hosting platform under the EU Digital Services Act:

We maintain a mechanism allowing Users to report illegal content.
Reports may be submitted to: legal@luckybastards.co
Moderation decisions may be contested.

See the dedicated Notice & Action page for details.

14. CHILDREN’S PRIVACY

You must be:

16+ in the EEA (15 in France)
13+ in the United States

We do not knowingly process data of minors below applicable age thresholds.

15. CHANGES TO THIS PRIVACY POLICY

We may update this Policy as needed.

Material changes will be notified to Users.

16. CONTACT

For privacy inquiries and DSA notices:
📩 legal@luckybastards.co