PRIVACY POLICY

LAST UPDATED: MARCH 2026

1. INTRODUCTION

Welcome to Lost in Town Brewery Ltd ("we," "our," or "us"). We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your information in compliance with UK GDPR and applicable data protection laws.

Company Details:
Lost in Town Brewery Ltd
Company Number: 15162932
Address: 92 York Street, London, W1H 1QX
Email: info@lostintown.co.uk

2. INFORMATION WE COLLECT

We collect and process the following types of personal data:

2.1 Information You Provide

• Order Information: Name, email address, delivery address, phone number
• Game Profile: Email address, chosen username, detective name, game tier, experience points, quest progress, and achievements (stored in our database and locally in your browser)
• Payment Information: Processed securely by Stripe (we do not store full card details)
• Communication: Any correspondence you send us via email or contact forms
• Marketing Preferences: Your consent to receive marketing emails

2.2 Automatically Collected Information

• Browsing Data: IP address, browser type, device information, pages visited
• Cookies & Local Storage: See our Cookie Policy below
• Age Verification: Your confirmation that you are 18+ (stored locally in your browser)
• Local Browser Storage: We store your email address, game profile, shopping cart contents, and cookie preferences in your browser's local storage to provide a seamless experience across visits. This data remains on your device and is not transmitted to our servers unless you take an action (such as signing up or placing an order)
• Analytics Data: With your consent, we collect page views and interaction data via Google Analytics and Meta Pixel (see Section 6)

3. HOW WE USE YOUR INFORMATION

We use your personal data for the following purposes:

• Order Fulfillment: Processing and delivering your orders
• Customer Service: Responding to inquiries, handling returns and refunds
• Game Services: Providing your game profile, saving progress, displaying leaderboards, and managing tier subscriptions
• Marketing: Sending promotional emails (only with your consent)
• Site Improvement: Analyzing website usage to improve user experience
• Legal Compliance: Meeting tax, accounting, and legal obligations
• Fraud Prevention: Protecting against fraudulent transactions

3.1 Legal Basis for Processing

Under UK GDPR, we process your data on the following legal bases:

• Contract Performance (Article 6(1)(b)): Processing your orders, managing your game account and profile, providing tier subscriptions, and delivering the services you signed up for
• Consent (Article 6(1)(a)): Sending marketing emails via Klaviyo, setting analytics cookies (Google Analytics), and advertising cookies (Meta Pixel). You may withdraw consent at any time
• Legitimate Interest (Article 6(1)(f)): Improving our website and services based on aggregated usage patterns, fraud prevention, and ensuring network security
• Legal Obligation (Article 6(1)(c)): Retaining order and financial records to comply with UK tax and accounting requirements

4. DATA STORAGE & SECURITY

Your data is stored securely using Google Firebase/Firestore cloud services (hosted in the EU/EEA). We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.

All payment information is processed securely through Stripe, which is PCI DSS compliant. We do not store full credit card details on our servers.

5. COOKIES & LOCAL STORAGE

We use cookies, local storage, and similar technologies as follows:

5.1 Strictly Necessary (No Consent Required)

• Age Verification: Remembers that you confirmed you are 18+ so you are not asked again
• Shopping Cart: Stores your cart contents locally so they persist between pages
• Cookie Preference: Remembers whether you accepted or declined analytics cookies

5.2 Functional (Service Delivery)

• Game Profile: Your email, username, and game progress are stored locally so you can resume your session without signing in again
• Order History: A local backup of your completed orders for your reference

5.3 Analytics & Advertising (Consent Required)

• Google Analytics (GA4): Tracks page views, session duration, and device information to help us understand how our site is used. Only loaded if you click "Accept" on our cookie banner
• Meta Pixel (Facebook): Tracks page views to measure the effectiveness of our advertising on Meta platforms (Facebook, Instagram). Only loaded if you click "Accept" on our cookie banner

5.4 Your Choices

When you first visit our site, a cookie banner asks for your consent to analytics and advertising cookies. If you decline, Google Analytics and Meta Pixel are never loaded, and no tracking data is sent to those services. You can change your preference at any time by clearing your browser's local storage for our site, which will prompt the banner again on your next visit.

You can also control cookies through your browser settings. Note that disabling strictly necessary storage may affect site functionality.

6. THIRD-PARTY SERVICES

We share your data with the following third-party service providers, each acting as a data processor under a Data Processing Agreement:

• Stripe (USA): Payment processing. Receives your billing details when you make a purchase or subscribe to a tier. Stripe is PCI DSS Level 1 certified. Data transfers to the US are covered by Stripe's Standard Contractual Clauses. Stripe Privacy Policy
• Klaviyo (USA): Email marketing and behavioural identification. When you sign up, your email, name, and username are sent to Klaviyo for welcome emails and marketing (if you opt in). Klaviyo also identifies returning visitors to personalise email content. Data transfers to the US are covered by Klaviyo's Data Processing Addendum. Klaviyo Privacy Policy
• Google Analytics / GA4 (USA): Website analytics. With your consent, collects anonymised browsing data (pages visited, session duration, device type, approximate location). We have IP anonymisation enabled. Google Privacy Policy
• Meta Pixel / Facebook (USA): Advertising measurement. With your consent, tracks page views to measure the performance of our ads on Facebook and Instagram. Meta may use this data for its own purposes as a joint controller. Meta Privacy Policy
• Google Firebase / Firestore (EU): Cloud database for game profiles, orders, and contact form submissions. Firebase Privacy
• Delivery Partners: UK courier services receive your name and delivery address for order fulfillment only

Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and adequacy decisions where applicable.

7. DATA RETENTION

• Order Data: Retained for 6 years to comply with UK tax and accounting requirements (legal obligation)
• Game Profiles: Retained for as long as your account is active, or until you request deletion
• Marketing Data: Retained until you unsubscribe or withdraw consent
• Analytics Data: Google Analytics data retained for 14 months, then automatically deleted. Meta Pixel data is governed by Meta's retention policies
• Local Browser Data: Remains on your device until you clear your browser storage
• Inactive Accounts: Game profiles and associated data deleted after 3 years of inactivity

8. YOUR RIGHTS

Under UK GDPR, you have the following rights:

• Right to Access: Request a copy of the personal data we hold about you
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your data (subject to legal obligations)
• Right to Portability: Receive your data in a machine-readable format
• Right to Withdraw Consent: Unsubscribe from marketing at any time
• Right to Object: Object to processing based on legitimate interests
• Right to Restrict Processing: Request limitation on how we use your data

To exercise any of these rights, contact us at info@lostintown.co.uk. We will respond within 30 days.

9. AGE RESTRICTION

Our products are only available to individuals aged 18 and over. We do not knowingly collect personal data from anyone under 18. If we become aware that we have inadvertently collected data from a minor, we will delete it immediately.

10. INTERNATIONAL TRANSFERS

Your data may be transferred to and stored on servers outside the UK (e.g., Firebase servers). We ensure that any such transfers comply with UK GDPR requirements and that adequate safeguards are in place.

11. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated "Last Updated" date. We encourage you to review this policy periodically.

12. CONTACT US

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Email: info@lostintown.co.uk
Address: Lost in Town Brewery Ltd, 92 York Street, London, W1H 1QX
Website: www.lostintown.co.uk

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been violated: www.ico.org.uk