About Brickheist
The world's most complete LEGO price comparison.
Privacy policy
Last updated: May 21, 2026
What data we collect
Brickheist collects only what's needed to run the site and provide you with a usable account.
- Account — email address, hashed password, verification status, optional marketing consent, and an optional display name used in mail salutations.
- Sessions — IP address and user-agent at login, session token cookie.
- Affiliate clicks — server-side log entry per click (timestamp + product), no personal data, no third-party cookies. Only logged after you accept Functional cookies.
- Analytics — anonymised, aggregated page views via Google Analytics 4 (Consent Mode v2, IP anonymisation). Only sent after you accept Analytics cookies.
Where your data lives
- Postgres database — Hetzner Cloud, Falkenstein, Germany (EU).
- Email delivery — Brevo (sendinblue.com), France (EU). Used to send verification mails, password resets, and (if you opt in) deal alerts. Brevo signs an EU-standard DPA and processes only what's needed to deliver the email.
- Analytics — Google Analytics 4. Aggregated data only; no personal identifiers.
How long we keep it
- Account — until you delete it.
- Active sessions — until you sign out, or after 30 days of inactivity.
- Server logs — 90 days, then auto-rotated.
- Affiliate clicks — 24 months for commission reconciliation.
Your rights
Under GDPR you can exercise the following rights from your account page (or by emailing us):
- Access — download a JSON export of everything we hold about you under Account → Download your data.
- Rectification — change name, email, password, or marketing consent under Account.
- Deletion — wipe your account and all associated data under Account → Delete account. A confirmation email is sent.
- Objection / Withdrawal — turn off marketing emails any time under Account → Email preferences.
- Portability — the data export is in machine-readable JSON.
- Complaint — you can lodge a complaint with the Danish Data Protection Authority (Datatilsynet).
Cookies
We use four cookie categories:
- Necessary — session, CSRF, consent itself.
- Functional — affiliate-click logging (server-side, first-party, no client cookie).
- Analytics — Google Analytics 4 with Consent Mode v2 and anonymised IP. Sends no data until you accept this category. Opt-in.
- Marketing — ad personalisation. Off by default.
You can change your preferences anytime via the in the footer.
Affiliate links
Brickheist earns a commission when you click through to a retailer and complete a purchase. This does not affect the price you pay. Click logging happens server-side after consent.
Contact
Questions about your data? Email hello@brickheist.com — we reply within 5 working days.