Privacy Policy

1. Introduction

Let's Go Games, operated by Let's Automate™ (letsautomategroup.com) ("we", "our", or "us"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our software and website.

2. Information We Collect

2.1 Information You Provide

• Account Information: Name, email address, company/venue name
• Payment Information: Processed securely by Stripe; we don't store full card details
• Support Communications: Messages you send to our support team
• Player Email (optional, phone play only): Players joining a game session can tick a consent checkbox to share their email with the hosting venue. Never collected without that explicit opt in. Full treatment in section 2.3 below.

2.2 Information Collected Automatically

• Licence Validation: Machine identifier (hashed), app version, licence status
• Website Analytics: Pages visited, time on site, referral source
• Technical Data: Browser type, operating system, IP address

2.3 Player/Attendee Data (Phone Play)

When players join a game session via phone play, we collect the following:

• Player Name: Required for gameplay. Player names are used to identify participants during the game session and are not linked to any personal identity beyond that session.
• Player Email (optional): Only collected when the player explicitly consents via a checkbox. If provided, the email may be shared with the hosting venue for communication purposes (e.g. results, offers). Emails are only shared when the player has given explicit consent.
• Session & Game Data: Session codes, game participation data, and game-specific interactions (e.g. bingo card selections, quiz answers, betting choices) are collected for gameplay functionality.
• Device Information: Basic device and connection information is used for real-time communication management during the game session. This data is not stored permanently.

Player data is stored securely in our database for the duration of the game session and a short retention period thereafter for support purposes. Player names alone are not considered personally identifiable information.

2.4 Information We DON'T Collect

• Game content, numbers called, or quiz answers from the host's perspective
• Prize or payment information from your games
• Audio or visual recordings from the application

2.5 Error and Diagnostic Logs

When something goes wrong in the app or website we record a short diagnostic entry so we can fix the problem. Each entry contains:

• Hashed IP address: a one-way SHA-256 truncation, not the raw IP
• Browser, operating system and device information: e.g. "iPhone, iOS 17, Safari"
• Error message and stack trace: never contains email addresses, player names or payment data by design
• Session identifier (not the 6-character join code): so the same error can be correlated across a support conversation

Legal basis: legitimate interest (Article 6(1)(f) UK GDPR) in keeping the service reliable and diagnosing faults for paying customers. Retention: error logs are retained for 30 days then deleted automatically.

2.6 Browser Local Storage

On top of cookies (see section 9) the app uses your browser's local storage to keep a session running smoothly. Nothing in local storage is transmitted to us automatically; it is only read back by the same browser tab. Items stored:

• Player name and (if you consented) player email so you can rejoin a game from the same device without retyping
• Your bingo cards, marked numbers and in-game state so a phone lock or tab reload does not lose your place
• Session code and PIN you last used so the same device can rejoin if the player page is accidentally closed
• Your cookie consent preferences so the cookie banner does not re-ask on every visit
• A host token (if you host games) so your host controls stay authorised across reloads

Local storage can be cleared at any time from your browser settings. Clearing it will sign you out of active sessions and reset cookie consent choices. We do not use local storage to track you across sites.

3. How We Use Your Information

Purpose	Data Used	Legal Basis
Provide the Service	Account info, licence data	Contract performance
Process payments	Payment info via Stripe	Contract performance
Customer support	Account info, communications	Legitimate interest
Product updates	Email address	Legitimate interest
Improve the Service	Analytics, usage patterns	Legitimate interest
Marketing (opt-in)	Email address	Consent
Phone Play gameplay	Player name, session code, game data	Legitimate interest
Venue communication (opt-in)	Player email (when consented)	Consent

4. Data Sharing

We do not sell your personal information. We may share data with the following third-party service providers who process data on our behalf:

• Supabase (EU - Ireland, eu-west-1) - Database hosting and real-time communication. Stores game session data, player first names, session identifiers, and lead information. Production data is held in the EU; no personal data is transferred to the United States by Supabase.
• Stripe (US/EU) - Secure payment processing. Handles payment card details, billing information, and transaction records. PCI DSS Level 1 compliant. We do not store full card details.
• Google Analytics (US) - Website analytics. Collects anonymised website usage data, device information, and browsing patterns.
• Netlify (US) - Website hosting and serverless function execution. Processes HTTP request data and IP addresses via global CDN.
• Anthropic (US) - AI services (Claude) for quiz question generation. No player or customer personal data is sent to Anthropic - only quiz topics and categories.
• ClickSend (Australia) - SMS and WhatsApp messaging service. Used for business communications. Processes phone numbers and message content.
• Resend (US) - Transactional email delivery. Used for account confirmations and onboarding emails. Processes email addresses and email content.
• Microsoft (EU) - Dynamics 365 CRM for lead and contact management. Microsoft Graph API for business emails. Processes names, email addresses, company information, and communication history.
• Spotify (Sweden) - Music Bingo playlist provision. No personal data is shared with Spotify - playlist metadata only.
• Crisp (France) - Live chat support widget. Processes chat messages, name, email (if provided), IP address, and device information.
• Hunter.io (France) - Email verification for business lead contact validation only. No player data is processed.
• Legal Requirements: We may disclose data when required by law or to protect our rights.

A full list of our sub-processors, including the data they process and their locations, is available in our Data Processing Agreement. For B2B customers, a DPA is available upon request by contacting info@letsautomate.info.

5. Data Security

We implement appropriate security measures including:

• HTTPS encryption for all web traffic
• Encrypted storage of sensitive data
• Regular security audits
• Access controls and authentication
• Secure payment processing via PCI-compliant Stripe

6. Data Retention

• Account Data: Retained while your account is active, plus 2 years
• Payment Records: Retained for 7 years (legal requirement)
• Support Communications: Retained for 3 years
• Analytics Data: Aggregated and anonymized after 26 months
• Player Session Data: Retained for the duration of the game session plus up to 30 days for support purposes, then automatically deleted
• Error and Diagnostic Logs: Retained for 30 days, then deleted automatically (see section 2.5)
• Audit Logs of Privileged Actions: When a host retrieves player emails from a session, we log the licence key, session id, record count and a hashed IP. Retained for 12 months so we can investigate misuse if reported.

7. Your Rights (GDPR)

If you are in the EU/UK, you have the right to:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate data
• Erasure: Request deletion of your data ("right to be forgotten")
• Portability: Receive your data in a portable format
• Restriction: Limit how we process your data
• Objection: Object to processing based on legitimate interest
• Withdraw Consent: Where processing is based on consent

To exercise these rights, contact us at privacy@letsgogames.co.uk

8. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, where feasible
• Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms
• Document all breaches, including the facts, effects, and remedial actions taken

If you believe your data has been compromised, please contact us immediately at privacy@letsgogames.co.uk.

9. Cookies

We use a cookie consent system that allows you to control which cookies are placed on your device. When you first visit our website, you will be presented with a cookie consent banner where you can accept or decline non-essential cookies. You can manage your cookie preferences at any time using our cookie preference centre.

9.1 Essential Cookies

Required for the website to function (authentication, preferences). Cannot be disabled.

9.2 Analytics Cookies

Help us understand how visitors use our site (Google Analytics). You can opt out via our cookie consent banner or the preference centre above.

9.3 Marketing Cookies

Enable live chat support (Crisp) and personalised experiences. Disabled by default; requires your consent.

10. Children's Privacy

The Service is not marketed directly to children. Our public website and marketing channels are intended for adults who run or attend events.

The Service may be used by children in two specific contexts only:

• Schools and education providers: Where a school or education provider has purchased a licence and chooses to use the Service with pupils, the school is the data controller for any pupil personal data. The school is responsible for obtaining any required parental or guardian consent for pupils under 13 (UK-GDPR Article 8). In education deployments we collect player first name only and disable optional email capture and any monetary features. Game session data is deleted within 24 hours of session end. See our DPA for full education sector terms.
• Family or community events run by adults: Where an adult is hosting a session, children may participate as players. We collect first name only and the host is responsible for ensuring any consent required by their setting.

Monetary features (paid entry, prize funds, fundraising tools) are restricted to users aged 18 and over. We do not knowingly enable any payment-related feature for users under 18.

If you believe a child's personal data has been collected outside of these intended contexts, please contact privacy@letsgogames.co.uk and we will delete it without delay.

11. International Transfers

Your data may be transferred to and processed in countries outside the UK/EU, including the United States, Australia, France, and Sweden, where our sub-processors operate (see Section 4 for the full list). We ensure appropriate safeguards are in place for each transfer, including:

• UK International Data Transfer Agreements (IDTAs)
• EU Standard Contractual Clauses with the UK Addendum, as approved by the ICO
• Transfer risk assessments for each international transfer
• Supplementary technical and organisational measures where necessary

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or a prominent notice on our website. The "Last updated" date at the top indicates when changes were made.

13. Contact Us

For privacy-related questions or to exercise your rights:

• Email: info@letsautomate.info
• General Support: info@letsautomate.info
• Parent Company: Let's Automate™