Treasure Hunt Tours Ltd Privacy Policy
Updated 15 March 2024
Director names: Paul Fawkesley, Ian Drysdale
Company name: Treasure Hunt Tours Ltd
Address: ℅ Sugar and Dice, 33a Cornhill, Liverpool, L1 8DP
Email: ahoy@treasurehuntglasgow.com
Personal information is any information that can be used to identify a living person.
We currently collect and process the following information:
- Name
- Email address
- Phone number
- Postal address (if you buy a physical gift voucher)
- Subject & body of emails which may contain personal information
- Sort code & account number (if we offer to pay you for a promotional photo)
- IP address of the device or connection you use to access our website
Most of the personal information we process is provided to us directly by you for one of the following reasons:
- You made a reservation for a treasure hunt game through our website.
- You booked a treasure hunt game with us directly through our website.
- You booked a treasure hunt game through a sales partner for example Eventbrite, GetYourGuide, Tripadvisor (Viator).
- You contacted us with an enquiry by phone, email or SMS.
- You signed up to receive something for example our Top Tips city guide
We also receive personal information indirectly, from the following sources in the following scenarios:
- Stripe, our payment processor, collects the billing address of your payment card. Although this is visible to us inside Stripe’s dashboard but we do not access or process it in any way.
We use the information that you have given us in order to:
We use your name and email address to:
- Deliver your treasure hunt game.
- Support you if something goes wrong.
- Email you city guides and other information (if you’ve requested it)
- Ask follow-up questions, for example:
- Checking if everything was OK (if you did not complete the game),
- Inviting you to join our “crew member” mailing list,
- Asking you how you thought the game was,
- Asking about any disruptions to the game that you encountered,
- Asking if we can phone you for user research,
- Other questions relating to you, your booking or your experience in the city.
- Send emails to our opt-in “crew members” mailing list.
- Store payment receipts as required by HMRC.
We use your phone number to:
- call you back if we’ve missed your call,
- support you if something goes wrong,
- send you SMS messages relating to your booking.
We use your postal address to:
- send you a physical gift voucher, if applicable
We use the subject and body of emails to:
- automatically categorise the type of email
- extract structured information for example if you’ve mentioned a date
- automatically respond to certain specific types of email
We use your sort code & account number to:
- Pay you for a photo that you’ve agreed to sell us for promotional use.
We use your IP address to:
- Keep a record of visitors to our website for debugging and abuse investigation.
We use third-party organisations listed in the next section to process information and run our business.
Apart from those listed, we do not share personal information with other organisations or individuals.
We use third party organisations for the day-to-day running of our business. Some of these receive personal information.
These are the third-parties, the personal information they receive and the reason they receive it:
- We use Google Workspace to host our email, documents and spreadsheets. They store, on our behalf, all the types of personal information listed above.
- We use Mythic Beasts to host our internal company chat software. They store, on our behalf, the following types of personal information:
- phone numbers of anyone who calls us and for anyone we send or receive an SMS message to
- names & email addresses related to bookings we need to discuss, for example for customer support
- email body & subject of certain emails that match automation rules
- We use Heroku to host our in-house business automation software and its database. They store, on our behalf, the following types of personal information:
- name
- email address
- phone number
- email body & subject of all inbound emails
- postal address
- We use iomart to host our company websites. They store, on our behalf, the IP address of site visitors in our server logs.
- We use OpenAI to automatically categorise and extract information from the subject and body of some emails we receive. We automatically redact everything after the email signature and anything that appears to be an email address or UK phone number before sending it to OpenAI. The redaction process it not infallible and so some personal information contained in the email may be sent to OpenAI.
- We use Postmark to send most of our outbound emails which contain name, email address and postal address.
- We use Mailgun to receive all inbound emails. They receive, forward and temporarily store the name, email address, email subject & body of all emails we receive.
- We use DNSimple and DNSMadeEasy to provide DNS services. They can see the IP address of anyone who accesses our website.
- We use FreeAgent to store our financial information. This includes payment receipts, some of which contain your name and email address.
- We use DoubleAgent to automate book-keeping inside FreeAgent. DoubleAgent has full access to our transactions and payment receipt, some of which contain name and email address.
- We use Adding Value accountants. They have full access to our FreeAgent account and the payment receipts, some of which contain name and email address.
- We use Plausible Analytics for tracking website visitor activity. This is a privacy-friendly alternative to Google Analytics.
- We use Stripe to collect payments.
- We use Google Ads to advertise our websites based on search keywords. They do not receive any personal information from us.
- We sell through sales partners who collect personal information directly from you. They send information to us to allow us to fulfil your treasure hunt booking. We only store the personal information we need as outlined above.
Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing this information are:
- Your consent. This applies to our opt-in marketing emails. You are able to remove your consent at any time. You can do this by using the unsubscribe link or replying to any email we send you.
- We have a contractual obligation. This applies to fulfilling bookings made directly by you or through our sales partners.
- We have a legitimate interest. This lawful basis applies to our sending follow up communication after you book a treasure hunt.
- We have a legal obligation. We may be required to disclose information for example, to law enforcement. At the time of writing this has never happened.
- We minimise what we collect in the first place. We try to collect only the personal information information we need to run our business effectively.
- We store it securely, protected by strong authentication.
- We use two-factor authentication on all services that contain personal information.
- We minimise where we store personal information. We have a single business database that contains most data required to run our business. We limit where personal information is stored.
- We automatically delete personal information to prevent it from accumulating over time.
As a principle we try to delete personally identifiable information within 30 days of it no longer being required, and no longer than 90 days.
Where technically possible we configure our tools to automatically delete information.
- If you booked a treasure hunt, we automatically delete your name, email address and phone number from the booking either:
- 3 months after the date of your booking, if you completed the game.
- 15 months after the date of booking, if you didn’t complete the game.
- If you made a reservation, we delete your name and email address after the date of your reservation has passed.
- If you bought a physical gift voucher, we automatically delete your postal address 30 days after we post it.
- If you sold us a photo for promotional use, we delete your sort code & account number immediately after sending your payment.
- If you sent us an email, we automatically delete emails (name, email address, email subject & body) older than 182 days. The exception is payment receipts which we delete after 7 years.
- If we sent or received an SMS from you, we automatically delete your phone number and message history 182 days after the most recent message.
- If you sign up for our crew members mailing list, we retain your name and email address until you unsubscribe. We then automatically delete your information.
Your data protection rights
Under data protection law, you have rights including:
- Your right of access - You have the right to ask us for copies of your personal information.
- Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
- Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
- Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.
- Your right to object to processing - You have the the right to object to the processing of your personal information in certain circumstances.
- Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Please use our contact details at the top of the page if you wish to make a request.
How to complain
If you have any concerns about our use of your personal information, you can
make a complaint to us at the contact details at the top of the page.
You can also complain to the Information Commissioner’s Office (ICO) if you are
unhappy with how we have used your data.
You should quote our ICO registration reference: ZB014668.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
ICO Helpline number:
0303 123 1113
ICO Website contact page:
https://ico.org.uk/global/contact-us/