The personal data that we keep a record of is name, email, phone number, and games played.
The reasons why we hold and process personal data are:
We may keep a record of personal data so that we can contact you and people in your teams about your experience, for example if there is a problem, or for feedback. We may also keep a record of personal data from purchases on our site that weren’t completed, often known as ‘dropped checkouts’, to enable us to follow up with customers who indicated an intent to purchase, but did not complete the purchase. The basis for processing this data, as defined by the General Data Protection Regulation (GDPR) under Article 6 is ‘legitimate interests’.
If you have signed up multiple teams this data will also be shared by email with captains and players on your booked game. If you would like to avoid this, you can do so by selecting the “secret” option when booking. This will mean that no communications are sent to anyone other than the Team 1 captain until that person begins the game, at which point only text messages will be sent, not emails.
After you have played a game we will keep your data, unless you tell us you would like us to remove it. If you contact us we can look up your details so we can tell you which games you have done in the past, so we can recommend other games to you, and importantly make sure you don’t do the same game again. This is because the games do not usually change enough to make them suitably different to be a challenge to do again.
Our technology partners and our customer support staff have access to personal data so that they can make sure our systems run properly, and can serve you as a customer. They have access to name, email and mobile number. Data for our internal systems is held on a server by Digital Ocean LLC, based in the United States. Zendesk, based in the UK, stores data for customer support, and Stripe, based in the United States, stores payment data. Unbounce, sometimes used to create customer forms on our website, stores form submission data in the EU only.
We have agreements in place with the organisations above to ensure they safeguard data.
We do broad analysis of data so that we can understand how our business performs and how to market our products to help us work out which experiences we should create next. For example, to work out whether people who sign up to The Hunt for the Cheshire Cat then choose to play Moriarty’s Game: The Professor's Invitation.
Our retention policy is to retain data indefinitely, unless you ask us to remove it. This enables us to do reasonable analysis, to our legitimate interest, of which products people continue to buy, and recognise our most loyal customers.
For this analysis, we utilise Zoho Analytics services. Through Zoho, data is fully stored and processed within the EU boundaries. However, in some rare occasions data may be accessed by the employees of their Indian entity (Zoho Corporation Private Limited), in order to provide us technical support. There is no physical transfer of data out of the EU.
If you tell us you would like to be kept updated about HiddenCity experiences we will provide your name and email to The Rocket Science Group, based in the United States, to send emails using the Mailchimp email sending tool. You can unsubscribe at any time – click the unsubscribe link in the email, or unsubscribe here. This basis for holding your data for electronic marketing is ‘consent’ under GDPR.
We may provide data to Facebook, based in the United States, so that customers can find out about new HiddenCity experiences in adverts on the Facebook or Instagram sites. The information we send is for HiddenCity advertising purposes only; Facebook does not have access to the data for their purposes. The data sent is name, email and phone number. If you see an advert from HiddenCity on Facebook and do not want to see further adverts from HiddenCity click the ‘…’ menu on the top-right hand corner of the ad and navigate to ‘Hide all ads from this advertiser’. Read more about hiding adverts. The basis for processing this data under the General Data Protection Regulation (GDPR) is ‘legitimate interests’. Customer data sent to Facebook is hashed (encrypted in a way that it cannot be easily reversed) locally on the browser before it goes to Facebook for matching. Facebook typically deletes all matched and unmatched hashes within 48 hours after the matching process ends.
We have agreements in place with the organisations above to ensure they safeguard data.
If you submit a review we may publish it alongside your name. Your contact details will not be made public.
Google Signals
Google Signals is a feature within Google Analytics that enables us to analyse cross-device data, which helps us understand how users interact with our website across different devices. This information is aggregated and anonymised, allowing us to better tailor our offerings and improve user experiences. Google Signals utilises anonymised data from users who have enabled personalised advertising across their Google accounts.
Google Analytics
We use Google Analytics to analyse website traffic, monitor user engagement, and improve our marketing efforts. Google Analytics collects data such as IP addresses, device information, browser types, and interactions with our website. This information is aggregated and anonymised, and is used to generate reports and provide insights into user preferences, enabling us to enhance our services and optimise user experiences.
By using our services or continuing to browse our website, you acknowledge that you have read and understood this Privacy Policy statement, including the use of Google Signals and Google Analytics, and consent to the collection, use, and disclosure of your personal information as described herein.
We keep a record of your data so we can look for applicants who may be suitable for current and future roles, unless you tell us to remove your data. When you apply for jobs your data is sent to a company called Recruitee, based in The Netherlands. They provide an online form for you to apply, and store your data for our team to access.
You have the right to request a copy of the information that we hold about you. If you would like a copy of some or all of your personal information, then contact us. We may make a small charge for this service. We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate.
If you would like us to correct or remove your data after you have played an experience with us, or you would like us to stop processing it for any reason, then let us know. You have the right to ask us to do this under GDPR. We won’t be offended.
If we remove your data we may retain a small amount of information about your request, including your name and email address and your communication to us related to GDPR so that we can (1) monitor the effectiveness of handling GDPR-related enquiries and (2) monitor systems to protect ourselves from repetitive spurious enquiries, cyber-attack or fraud.
Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of the website and to compile statistical reports on website activity. For further information visit www.aboutcookies.org or www.allaboutcookies.org. You can set your browser not to accept cookies and the above websites tell you how to remove cookies from your browser. However, in a few cases some of our website features may not function as a result.
This privacy policy was last updated on 18 May 2023.
Contact us if you have a problem.
If you cannot get your issue resolved with us, or if you have a concern, then contact the Information Commissioner’s Office (ICO).
