Privacy Policy
Last updated June 11, 2026
This policy explains how GameLedger handles personal data for guests making bookings and for the venues that use our platform. It is written to meet the UK GDPR and the EU GDPR, and applies to our customers worldwide, including in the UK and Asia.
1. Who we are and our roles
GameLedger provides reservation and venue-management software for board game cafés and similar venues. Our role under data-protection law depends on the data:
- Guest booking data — we act as a processor. When you make a booking, the venue you book with is the data controller and decides why and how your data is used. GameLedger processes that data on the venue's behalf to run the platform. Requests about your booking data are best directed to the venue; we will help the venue respond.
- Venue-account data — we act as a controller. For the operators and team members who hold a GameLedger account, we are the controller of account data (such as login email, name, role, and our records of platform usage and billing).
Note for Eric: confirm the GameLedger legal entity name, registered address, and (if one is appointed/required) the UK/EU representative and any Data Protection Officer contact, then add them here.
2. Data we collect
- Guest booking data: name, email address, phone number, party size, reservation date/time, and any notes you provide; SMS opt-in status and the consent snapshot; and, where a venue takes payments, payment status (card details are handled by Stripe, not stored by us).
- Venue-account data: account email, name, job title, phone, and avatar; venue and team configuration; and operational logs.
- Technical data: data needed to keep you signed in and to keep a table session active (see Cookies below), plus basic logs for security and debugging.
3. Lawful bases
- Contract: to create and manage a booking you request, and to provide the platform to a venue under our terms.
- Consent: for the optional SMS program (you opt in on the booking form and can withdraw at any time). Withdrawing consent does not affect prior processing.
- Legitimate interests: to operate, secure, and improve the platform and prevent abuse, balanced against your rights.
- Legal obligation: to comply with law, including retaining limited records to evidence consent and to honor opt-out requests.
4. How we use data
We use personal data to process and confirm reservations, communicate about a booking, operate guest payments where a venue enables them, provide venue accounts and support, keep the platform secure, and meet legal and carrier obligations. The venue you book with can access the booking details you provide in order to host your reservation. We do not sell personal data, and we do not use guest data for our own marketing.
5. Sharing and sub-processors
We share data with the venue you book with, and with the service providers (sub-processors) we use to run the platform. We do not sell data or share it for third-party marketing.
| Provider | Purpose | Data |
|---|---|---|
| Supabase | Database, authentication, and file storage | Booking and account data |
| Vercel | Application hosting and delivery | Request data and logs |
| Stripe | Payment processing for venue deposits/payments | Payment and limited contact data |
| Twilio | SMS confirmations and reminders | Phone number and message content |
| Resend | Transactional email | Email address and message content |
We may also disclose data where required by law or to protect rights and safety.
6. International transfers
Our service providers may process data in the United States and other countries outside the UK/EEA. Where data is transferred internationally, we rely on appropriate safeguards — such as the UK's International Data Transfer Agreement / Addendum and the EU's Standard Contractual Clauses, together with the providers' own data-protection commitments — to protect it.
7. Data retention
We keep personal data only as long as needed for the purposes above, then delete or anonymize it. Where a venue is the controller, the venue's own retention decisions also apply.
| Data class | Retention |
|---|---|
| Booking records | Kept while the venue uses the platform and for a reasonable period to resolve disputes; deleted or redacted on a valid erasure request. |
| SMS consent records and opt-out (suppression) list | Retained to evidence consent and to honor STOP requests, even after other data is erased, so we do not text someone who opted out. |
| Venue-account data | Kept for the life of the account and a short period after closure, then deleted subject to legal retention. |
| Security and operational logs | Kept for a limited period for security and debugging. |
8. Your rights
Subject to applicable law, you have rights to access, correct, delete, restrict, or object to the processing of your personal data, to data portability, and to withdraw consent. Where GameLedger is the processor for guest data, we will forward your request to the relevant venue and assist them in responding; where we are the controller, we respond directly.
To make a request — including to erase your data — email support@gameledger.io. We may need to verify your identity. Note that, for the reasons above, we retain the SMS consent record and opt-out entry even after an erasure so we can continue to honor a prior STOP request. You also have the right to complain to your local data-protection authority (in the UK, the Information Commissioner's Office).
9. SMS / text messaging data
If you opt in to text messages on the booking form, we use your mobile number solely to send booking confirmations and reminders for that venue. This program sends transactional messages only — no marketing.
- Mobile information, including phone numbers and SMS opt-in and consent data, will not be shared with third parties or affiliates for marketing or promotional purposes.
- We share your number only with the messaging providers (such as Twilio) needed to deliver these texts on our behalf.
- You can opt out at any time by replying STOP to any message. Message and data rates may apply; message frequency varies.
- We retain consent records (including the time and wording of the opt-in) to document compliance with carrier requirements.
The terms of the messaging program are described in our Terms of Service.
10. Cookies
GameLedger uses only strictly necessary cookies — the cookies required to run the service. We do not use advertising, analytics, or cross-site tracking cookies, so no cookie-consent banner is needed.
- Authentication cookies (venue accounts): set by our authentication provider to keep operators securely signed in across requests.
- Table session cookie (guests): a short-lived, HTTP-only cookie used when a guest joins a table at a venue, so they can rejoin the same session. It expires after about 24 hours.
11. Children
The platform is intended for use by venues and adult guests. We do not knowingly collect personal data from children. If you believe a child has provided data, contact us and we will address it.
12. Changes to this policy
We may update this policy from time to time. We will revise the “Last updated” date above and, for material changes, provide additional notice where appropriate.
13. Contact
Questions about your privacy, or to exercise your rights, email support@gameledger.io.