Privacy Policy

DRAFT FOR SOLICITOR REVIEW - NOT YET IN FORCE

Operator: David Ville trading as Actually AI Product: The Chamber (thechambergame.uk) Contact: david@actuallyai.co.uk Last updated: 2026-06-07 Business address: [BUSINESS ADDRESS - to be completed]


1. Who we are and the scope of this policy

1.1 This Privacy Policy explains how we collect, use and protect your personal data when you use The Chamber, a web-based AI-generated satirical local-government simulation game at https://thechambergame.uk (the "Service").

1.2 The data controller is David Ville, a sole trader trading as "Actually AI", established in England and Wales. You can contact us about privacy matters at david@actuallyai.co.uk, or by post at [BUSINESS ADDRESS - to be completed].

1.3 We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1.4 The Service is intended for people aged 16 and over and is not intended for children. We do not knowingly collect personal data from anyone under 16.

2. The personal data we collect

Depending on how you use the Service, we may collect:

2.1 Account data. Your email address and authentication identifiers (such as a user ID and login session tokens) created when you subscribe. Session 1 can be played anonymously without an account.

2.2 Gameplay data. Your in-game state and progress, including the leader name you choose and the in-game choices and decisions you make during sessions. This content is sent to our AI provider to generate the next part of the game (see clause 4).

2.3 Subscription and payment metadata. Information about your subscription status and payments, received from Stripe, such as whether your subscription is active, the plan you are on, renewal dates, the last four digits and type of your card, and billing country. We do not collect or store your full card number; that is handled by Stripe.

2.4 Usage and analytics data. Limited information about how you use the Service, collected through a privacy-focused analytics provider, such as pages or screens visited and general interaction events.

2.5 Technical data. Information collected automatically when you access the Service, such as your IP address, browser type, device and operating system information, and similar technical identifiers.

2.6 We do not ask for, and you should not provide, any special-category data (such as data about health, race, religion, or political opinions) when entering content into the game. We do not knowingly send special-category data to our AI provider.

3. Why we use your data and our lawful bases

We use your personal data for the following purposes and rely on the following lawful bases under UK GDPR:

PurposeData usedLawful basis
Providing the game, including generating AI content from your choicesGameplay data, account data, technical dataPerformance of a contract (Article 6(1)(b))
Creating and managing your account and authenticationAccount dataPerformance of a contract (Article 6(1)(b))
Taking payment and managing subscriptions and renewalsSubscription and payment metadataPerformance of a contract (Article 6(1)(b))
Keeping the Service secure, preventing abuse and fraud, and debuggingTechnical data, account data, gameplay dataLegitimate interests (Article 6(1)(f)): protecting and improving the Service
Understanding how the Service is used to improve itUsage and analytics dataConsent (Article 6(1)(a)) for non-essential analytics cookies; see the Cookie Policy
Responding to your enquiries and providing supportAccount data, contact detailsLegitimate interests (Article 6(1)(f)) and/or performance of a contract
Complying with our legal obligationsAs requiredLegal obligation (Article 6(1)(c))

3.1 Where we rely on legitimate interests, we have considered your rights and interests and do not believe our processing overrides them. You can object to processing based on legitimate interests at any time (see clause 7).

3.2 Where we rely on consent (for non-essential analytics), you can withdraw it at any time without affecting earlier processing. See the Cookie Policy.

4. Sub-processors and other recipients of your data

We use the following trusted third parties to run the Service. Each acts as our processor or as an independent controller for its own purposes, as indicated.

4.1 Supabase (authentication and database hosting). Stores your account data, authentication identifiers and gameplay data. Hosted in an EU/UK region.

4.2 Stripe (payment processing). Handles your card and payment details and provides us with subscription and payment metadata. Stripe acts as a controller for its own payment and fraud-prevention purposes.

4.3 Anthropic (AI content generation via the Claude API). We send the prompts needed to generate game content, which include your in-game choices and the leader name you have chosen. We do not send your email address or payment details to Anthropic, and we do not knowingly send special-category data. Anthropic processes this data in the United States (see clause 5 on international transfers and safeguards).

4.4 Vercel (application hosting and delivery). Hosts and serves the Service. Processing may take place in the United States (see clause 5).

4.5 A privacy-focused analytics provider (usage analytics). Provides aggregate and limited event-level usage statistics, used only where you have consented to non-essential analytics.

4.6 We may also disclose personal data where required by law, to enforce our terms, or to protect the rights, safety or property of us, our users or others.

4.7 [SOLICITOR / OWNER TO COMPLETE: confirm the named analytics provider and the precise hosting regions, and add links to each sub-processor's privacy notice. Consider maintaining a sub-processor list that is kept up to date.]

5. International transfers

5.1 Some of our sub-processors, in particular Anthropic and Vercel, process personal data in the United States, which is outside the UK.

5.2 Where personal data is transferred outside the UK, we put in place appropriate safeguards as required by UK GDPR. These safeguards include the use of the International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, or reliance on a relevant UK adequacy decision or other approved transfer mechanism, together with additional measures where appropriate.

5.3 You can ask us for more information about the safeguards we use by contacting us at david@actuallyai.co.uk. [SOLICITOR / OWNER TO CONFIRM the specific transfer mechanism relied on for each US recipient.]

6. How long we keep your data

6.1 We keep personal data only for as long as we need it for the purposes set out in this policy, and then delete or anonymise it.

6.2 In general:

6.3 [SOLICITOR / OWNER TO SET specific retention periods for each category, for example the number of months after account closure that gameplay data is deleted, and the statutory record-keeping period applied to payment records.]

7. Your rights

7.1 Under UK GDPR, you have the right to:

7.2 To exercise any of these rights, contact us at david@actuallyai.co.uk. We will respond within one month, although we may extend this where the request is complex, and we will tell you if we do. We will not normally charge a fee.

7.3 We may need to verify your identity before acting on a request, to protect your data.

8. Complaints

8.1 If you have a concern about how we handle your personal data, please contact us first at david@actuallyai.co.uk so we can try to put it right.

8.2 You also have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection. You can contact the ICO at https://ico.org.uk, by their helpline, or by post at Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

9. Security

9.1 We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss or misuse, including relying on the security measures of our reputable infrastructure providers. No online service can be guaranteed to be completely secure, but we work to protect your information.

10. Changes to this policy

10.1 We may update this Privacy Policy from time to time. If we make material changes, we will let you know by email or through the Service. The "Last updated" date at the top shows when it was last revised.

11. Contact

For any privacy question or to exercise your rights, contact us at david@actuallyai.co.uk, or by post at [BUSINESS ADDRESS - to be completed].