Data Protection
GDPR &
DATA PROTECTION.
Last updated: June 2025
The short version
Epicly collects almost nothing on players. No accounts, no emails, no personal data. Players join with a name of their choice and leave. That's it. Venue data is handled securely and transparently.
Who We Are
Epicly.live is a live entertainment platform for hospitality venues. We are the data controller for venue account data, and a data processor for any player data generated during game sessions.
For GDPR purposes, contact us at: privacy@epicly.live
Player Data — What We Collect
Players do not create accounts. They join games using a 4-letter room code and a display name they choose themselves.
- Display name (chosen by player — does not need to be real name)
- In-game answers and scores (held in memory during the session only)
- Session statistics (anonymised — no personal identifiers)
We do not collect: email addresses, phone numbers, device identifiers, location data, payment information or any other personal data from players.
Player anonymity by design
Player names are never linked to any personal identifier. "Steve" in one game session has no connection to "Steve" in another. Sessions are anonymous by architecture, not just policy.
Venue Data — What We Collect
Venue accounts require the following to provide the service:
- Venue name and type
- Contact name and business email address
- Contact phone number (optional)
- City and postcode
- Hashed password (never stored in plain text)
- Session history and usage statistics
Legal basis: Contract performance — this data is necessary to provide the Epicly service.
How Long We Keep Data
- Player session data: deleted from memory when the game room closes
- Anonymised session statistics: retained for service improvement
- Venue account data: retained while the account is active
- After account deletion: 30 days, then permanently deleted
Your Rights
Venue account holders have the following rights under UK GDPR:
- Right to access your personal data
- Right to correct inaccurate data
- Right to erasure (right to be forgotten)
- Right to restrict processing
- Right to data portability
- Right to object to processing
To exercise any of these rights, contact us at privacy@epicly.live. We will respond within 30 days.
Data Storage & Security
- All data stored in the UK/EU (Railway infrastructure, EU region)
- All connections encrypted via HTTPS/WSS (TLS 1.3)
- Passwords hashed using bcrypt (cost factor 12)
- Authentication via signed JWT tokens with expiry
- No third-party advertising or analytics SDKs
Third Parties
We use a small number of trusted third-party processors:
- Railway — infrastructure and database hosting (EU region)
- Netlify — frontend hosting (EU region available)
- Anthropic — AI question generation (data not retained by Anthropic)
- Resend — transactional email delivery
We do not sell data to third parties. We do not use data for advertising.
Cookies
Epicly uses no third-party tracking cookies. We use a single session token stored in localStorage to keep venue accounts logged in. No analytics cookies, no advertising pixels.