UK GDPR Compliance
Last updated: 10 November 2025
1. Data Controller Information
Controller: HarbourPlay Ltd
Registered Address: 123 Gaming Street, London, EC1A 1BB, United Kingdom
Data Protection Officer: privacy@harbourplay.co.uk
Telephone: +44 20 1234 5678
2. Lawful Bases for Processing
We process personal data under the following lawful bases as defined by UK GDPR Article 6:
| Processing Activity | Lawful Basis |
|---|---|
| Age verification (18+) | Legal obligation |
| Platform operation and service delivery | Legitimate interests |
| Customer support and communications | Contract performance / Legitimate interests |
| Security and fraud prevention | Legitimate interests |
| Analytics and improvement (non-essential cookies) | Consent |
3. Data Subject Rights
Under UK GDPR, you have the following rights:
3.1 Right of Access (Article 15)
You can request a copy of the personal data we hold about you, including information about how we process it.
3.2 Right to Rectification (Article 16)
You can request correction of inaccurate or incomplete personal data.
3.3 Right to Erasure (Article 17)
You can request deletion of your personal data in certain circumstances, such as when it's no longer necessary or if you withdraw consent.
3.4 Right to Restriction (Article 18)
You can request that we limit processing of your data in specific situations.
3.5 Right to Data Portability (Article 20)
You can receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
3.6 Right to Object (Article 21)
You can object to processing based on legitimate interests or for direct marketing purposes.
3.7 Rights Related to Automated Decision-Making (Article 22)
You have rights regarding automated decision-making and profiling. HarbourPlay does not use automated decision-making that produces legal or similarly significant effects.
3.8 Right to Withdraw Consent
Where processing is based on consent (e.g., analytics cookies), you can withdraw consent at any time via our Cookie Settings.
How to Exercise Your Rights
To exercise any of these rights, contact our Data Protection Officer using the details in Section 1. We will respond within one month. We may request additional information to verify your identity before processing your request.
4. Categories of Personal Data
We process the following categories of personal data:
- Identity data: Age confirmation status
- Contact data: Email address, telephone number, postal address (when provided)
- Technical data: IP address, browser type, device information, cookies
- Usage data: Pages visited, features used, interaction patterns
- Communication data: Content of correspondence with our support team
We do NOT collect: financial data, identity documents, precise location data, or sensitive personal data (special category data under Article 9).
5. Data Retention Periods
| Data Category | Retention Period |
|---|---|
| Age verification records | Duration of use + 1 year |
| Contact correspondence | Up to 3 years after resolution |
| Technical logs and analytics | Up to 12 months |
| Strictly necessary cookies | Session or 12 months |
| Analytics cookies (with consent) | Up to 24 months |
6. Third-Party Processors
We engage the following categories of third-party processors:
- Hosting providers: UK/EEA-based infrastructure services
- Analytics providers: Website usage analysis (only with consent)
- Security services: DDoS protection and security monitoring
All processors are bound by data processing agreements meeting UK GDPR requirements (Article 28). We conduct due diligence to ensure appropriate security measures are in place.
7. International Transfers
Our primary data processing occurs within the UK and EEA. If we transfer personal data to countries outside the UK/EEA, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses approved by the UK government
- Transfers to countries with adequacy decisions under UK GDPR
- Other mechanisms recognised under Chapter V of UK GDPR
8. Data Protection Impact Assessments
Where appropriate, we conduct Data Protection Impact Assessments (DPIAs) for processing activities that may pose high risks to individuals' rights and freedoms. Our current processing activities are low-risk given our social gaming model with no financial transactions.
9. Data Breach Procedures
In the unlikely event of a personal data breach, we will:
- Assess the breach severity and risk to individuals
- Notify the Information Commissioner's Office (ICO) within 72 hours if required under Article 33
- Notify affected individuals without undue delay if the breach poses high risk to their rights and freedoms (Article 34)
- Document the breach and our response in our records of processing activities
10. Records of Processing Activities
As required by Article 30, we maintain internal records of our processing activities, including:
- Purposes of processing
- Categories of data subjects and personal data
- Categories of recipients
- International transfers (if applicable)
- Retention periods
- Security measures
These records are available to the ICO upon request.
11. Complaints and Supervisory Authority
If you believe we have not handled your personal data in accordance with UK GDPR, you have the right to lodge a complaint with the Information Commissioner's Office:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom
Helpline: 0303 123 1113
Website: ico.org.uk
Report a concern: ico.org.uk/make-a-complaint/
We encourage you to contact us first so we can address your concerns directly.
12. Contact Us
For GDPR-related questions or to exercise your data rights:
Data Protection Officer
Email: privacy@harbourplay.co.uk
Telephone: +44 20 1234 5678
Post: HarbourPlay Ltd, 123 Gaming Street, London, EC1A 1BB, United Kingdom