Legal · Privacy policy

Privacy policy.

We respect your privacy. This policy explains, in plain language, what we collect when you use webdesignawards.io, why we collect it, who we share it with, and the rights you have over your data.

Terms of service Contact us
Last updated · 27 April 2026 · Reviewed annually
01

Who we are

Web Design Awards (“we”, “us”, “our”) operates webdesignawards.io and recognises outstanding work across web, product, and brand. This Privacy Policy describes the personal data we collect, how we use it, who we share it with, and the rights you have. For privacy questions, contact mike@webdesignawards.io.

02

Information we collect

Account information
  • IdentifiersEmail address, username, and a bcrypt-hashed password. If you sign in with Google or GitHub, we receive a provider ID, your name, and your email from that provider.
  • ProfileOptional first name, last name, timezone, bio, title, affiliation, and profile image URL.
  • Billing profileIf you make a purchase, we retain a Stripe customer ID and any billing details you enter (company name, legal name, tax ID, billing address). Card data is handled by Stripe — we never see or store card numbers.
  • Roles and accessYour account role (individual, company, agency, judge, editor, admin) and the timestamp of your last global logout.
Nominee submissions
  • Entry detailsProject name, website URL, description, categories, tech stack, and the agency or studio behind the work.
  • Contact dataSubmitter email, applicant email, and (when relevant) client email.
  • MediaThumbnail and full-size images you upload, stored on Cloudflare R2.
  • Social linksOptional Instagram, X/Twitter, TikTok, Facebook, and YouTube URLs you provide for the entry.
  • Judging recordsScores assigned by judges across design, UX, performance, accessibility, and other criteria, plus winner and Site of the Month status.
Newsletter and marketing
  • Subscription recordEmail address, signup timestamp, referer, source, status (active/bounced), and a unique unsubscribe token.
  • AttributionUTM parameters (source, medium, campaign, term, content) captured at the moment you subscribe.
Voting
  • Anonymous voter IDAn “anon_id” cookie is set so we can prevent duplicate votes. We do not link this to your identity unless you are signed in.
Contact form
  • Message dataName, email, message body, optional website URL, and topic.
  • Request metadataSubmission timestamp, referer, IP address, and user agent. Used for spam filtering and abuse prevention.
Usage and device data
  • Analytics eventsPageviews, navigation, and product events (e.g. signups, submissions, completed purchases).
  • IdentifiersA persistent visitor ID and a 30-minute session ID stored in your browser, plus saved attribution data and consent state.
  • Technical signalsIP address, browser, device, operating system, and referrer.
03

How we use your information

  • Run the serviceCreate and authenticate accounts, accept and judge nominee submissions, host the awards archive, and tally votes.
  • Process paymentsTake payment for premium nominations, rushed judging, certifications, and job postings via Stripe, and email receipts.
  • CommunicateSend transactional emails (confirmations, password resets, judging updates) and — if you subscribed — our newsletter. You can unsubscribe at any time.
  • Improve the productAnalyse aggregated usage so we can make pages faster, content better, and the submission flow clearer.
  • Protect the serviceDetect spam, rate-limit abusive traffic, prevent duplicate voting, and investigate security issues.
  • Comply with lawMeet tax, accounting, and other legal obligations, and respond to lawful requests.
04

Legal bases (UK / EU users)

If you are in the UK or EEA, we rely on the following lawful bases under the UK GDPR / GDPR:

  • ContractCreating your account, processing submissions, fulfilling purchases, and providing support.
  • Legitimate interestsSecuring the service, preventing fraud and abuse, measuring traffic, and improving the product — balanced against your rights.
  • ConsentNon-essential analytics cookies, marketing emails, and any optional tracking. You can withdraw consent at any time.
  • Legal obligationRetaining payment and tax records for the periods required by law.
05

Service providers and sub-processors

We use the following processors to operate the site. Each is bound by their own terms and privacy policy, and we share only what each one needs to do its job.

  • MongoDB AtlasDatabase hosting for accounts, submissions, newsletter records, and judging data.
  • StripePayment processing, checkout, and billing. Card details go directly to Stripe.
  • ResendSends transactional emails (account, judging, receipts) and the newsletter.
  • Cloudflare R2Object storage for images you upload with a nominee entry.
  • VercelApplication hosting, plus Vercel Analytics and Speed Insights for aggregated, privacy-friendly performance metrics.
  • Google Analytics 4 & Tag ManagerPage and event analytics. Loaded only after you grant consent; defaults to denied.
  • Upstash RedisCaching and rate limiting (e.g. throttling abusive newsletter signups).
  • Google & GitHub OAuthOptional sign-in providers. We receive your provider ID, name, and email when you choose to sign in with them.
06

Cookies and local storage

We use a small number of cookies and browser storage keys. Analytics tags load only after you accept the consent banner; until then, Google Analytics is set to “denied” for analytics, ad, and personalisation storage.

Strictly necessary
  • NextAuth sessionKeeps you signed in. Set when you log in; cleared when you log out.
  • anon_idAnonymous voter cookie used to prevent duplicate votes.
  • wda_analytics_consentRemembers your analytics consent choice so we don’t ask again.
Analytics (consent-gated)
  • Google Analytics 4Aggregate page and event analytics. Loaded only after you opt in.
  • Google Tag ManagerLoads analytics tags. Subject to your consent choice.
  • Vercel Analytics & Speed InsightsPrivacy-friendly aggregate traffic and performance metrics.
  • wda_visitor_id / wda_session_id / wda_attribution / wda_ga4_purchasesLocalStorage keys used to identify a returning visitor, group events into a session, remember the campaign you arrived from, and de-duplicate purchase events.

You can change your mind at any time by clearing site data in your browser, which will reset the consent banner.

07

Sharing your information

We do not sell your personal information and we do not share it with advertisers. We disclose data only:

  • To processorsThe service providers listed above, strictly to operate the service.
  • For published nomineesProject name, website, description, agency, social links, images, and judging outcomes are public on webdesignawards.io — that is the point of an awards platform.
  • For legal reasonsWhen required by law, court order, or to investigate fraud, abuse, or threats to safety.
  • In a business transferIf we are involved in a merger, acquisition, or asset sale, your data may transfer to the successor entity, subject to this policy.
08

International transfers

Our processors operate in the United States and the European Union, so personal data may be transferred to and processed in those regions. Where required, we rely on Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent safeguards offered by each provider.

09

Data retention

  • Account dataHeld for as long as your account is active. Deleted on request — see “Your rights”.
  • Nominee submissionsRetained as part of the public awards archive even after account deletion, since the archive is a historical record. Personal contact fields (applicant/client emails) are removed on request.
  • Newsletter recordsHeld until you unsubscribe. Unsubscribed records are kept briefly to honour the opt-out.
  • Payment and tax recordsRetained for the period required by law (typically up to seven years).
  • Server logs and analyticsAggregated or rotated on a rolling basis (typically 30–90 days for raw logs).
10

Data security

We protect your data with HTTPS in transit, bcrypt-hashed passwords, scoped credentials for each service, rate limiting, and access controls on administrative endpoints. No system is perfectly secure, so we cannot guarantee absolute security, but if we become aware of a breach affecting your data we will notify you and the appropriate regulators as required by law.

11

Your rights

Depending on where you live, you have some or all of the following rights over your personal data:

  • AccessRequest a copy of the personal data we hold about you.
  • CorrectionAsk us to fix anything that is inaccurate or incomplete.
  • DeletionAsk us to delete your account and personal data. Some records (e.g. tax) must be kept by law.
  • PortabilityReceive your data in a structured, machine-readable format.
  • Object or restrictObject to or restrict processing based on our legitimate interests, including direct marketing.
  • Withdraw consentWithdraw analytics or marketing consent at any time — it does not affect the lawfulness of prior processing.
  • ComplainLodge a complaint with your local data protection authority (e.g. the UK ICO or your EU member-state regulator).

California residents have additional rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of the “sale” or “sharing” of personal information. We do not sell or share personal information as those terms are defined under California law. To exercise any of these rights, email mike@webdesignawards.io — we will respond within the timeframes required by applicable law.

12

Account deletion

You can delete your account at any time from your account settings or by emailing mike@webdesignawards.io. Deletion removes your profile, login credentials, and contact details from our database. Submissions that have already been published in the awards archive remain visible as a historical record; on request we will remove personal contact fields (applicant and client emails) from those entries.

13

Automated decision-making

Award decisions are made by human judges. We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.

14

Children’s privacy

Our services are not directed to anyone under 16. We do not knowingly collect personal information from children. If you believe a child has given us their information, contact mike@webdesignawards.io and we will delete it.

15

Changes to this policy

We may update this Privacy Policy as the product evolves or the law changes. The “Last updated” date at the top of this page reflects the latest version. For material changes we will post a notice on the site and, where appropriate, email registered users.

16

Contact us

Questions, requests, or complaints about this policy or your data: mike@webdesignawards.io. We aim to respond within 30 days.