Privacy Policy
DRAFT FOR SOLICITOR REVIEW - NOT YET IN FORCE
Operator: David Ville trading as Actually AI Product: The Chamber (thechambergame.uk) Contact: david@actuallyai.co.uk Last updated: 2026-06-07 Business address: [BUSINESS ADDRESS - to be completed]
1. Who we are and the scope of this policy
1.1 This Privacy Policy explains how we collect, use and protect your personal data when you use The Chamber, a web-based AI-generated satirical local-government simulation game at https://thechambergame.uk (the "Service").
1.2 The data controller is David Ville, a sole trader trading as "Actually AI", established in England and Wales. You can contact us about privacy matters at david@actuallyai.co.uk, or by post at [BUSINESS ADDRESS - to be completed].
1.3 We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1.4 The Service is intended for people aged 16 and over and is not intended for children. We do not knowingly collect personal data from anyone under 16.
2. The personal data we collect
Depending on how you use the Service, we may collect:
2.1 Account data. Your email address and authentication identifiers (such as a user ID and login session tokens) created when you subscribe. Session 1 can be played anonymously without an account.
2.2 Gameplay data. Your in-game state and progress, including the leader name you choose and the in-game choices and decisions you make during sessions. This content is sent to our AI provider to generate the next part of the game (see clause 4).
2.3 Subscription and payment metadata. Information about your subscription status and payments, received from Stripe, such as whether your subscription is active, the plan you are on, renewal dates, the last four digits and type of your card, and billing country. We do not collect or store your full card number; that is handled by Stripe.
2.4 Usage and analytics data. Limited information about how you use the Service, collected through a privacy-focused analytics provider, such as pages or screens visited and general interaction events.
2.5 Technical data. Information collected automatically when you access the Service, such as your IP address, browser type, device and operating system information, and similar technical identifiers.
2.6 We do not ask for, and you should not provide, any special-category data (such as data about health, race, religion, or political opinions) when entering content into the game. We do not knowingly send special-category data to our AI provider.
3. Why we use your data and our lawful bases
We use your personal data for the following purposes and rely on the following lawful bases under UK GDPR:
| Purpose | Data used | Lawful basis |
|---|---|---|
| Providing the game, including generating AI content from your choices | Gameplay data, account data, technical data | Performance of a contract (Article 6(1)(b)) |
| Creating and managing your account and authentication | Account data | Performance of a contract (Article 6(1)(b)) |
| Taking payment and managing subscriptions and renewals | Subscription and payment metadata | Performance of a contract (Article 6(1)(b)) |
| Keeping the Service secure, preventing abuse and fraud, and debugging | Technical data, account data, gameplay data | Legitimate interests (Article 6(1)(f)): protecting and improving the Service |
| Understanding how the Service is used to improve it | Usage and analytics data | Consent (Article 6(1)(a)) for non-essential analytics cookies; see the Cookie Policy |
| Responding to your enquiries and providing support | Account data, contact details | Legitimate interests (Article 6(1)(f)) and/or performance of a contract |
| Complying with our legal obligations | As required | Legal obligation (Article 6(1)(c)) |
3.1 Where we rely on legitimate interests, we have considered your rights and interests and do not believe our processing overrides them. You can object to processing based on legitimate interests at any time (see clause 7).
3.2 Where we rely on consent (for non-essential analytics), you can withdraw it at any time without affecting earlier processing. See the Cookie Policy.
4. Sub-processors and other recipients of your data
We use the following trusted third parties to run the Service. Each acts as our processor or as an independent controller for its own purposes, as indicated.
4.1 Supabase (authentication and database hosting). Stores your account data, authentication identifiers and gameplay data. Hosted in an EU/UK region.
4.2 Stripe (payment processing). Handles your card and payment details and provides us with subscription and payment metadata. Stripe acts as a controller for its own payment and fraud-prevention purposes.
4.3 Anthropic (AI content generation via the Claude API). We send the prompts needed to generate game content, which include your in-game choices and the leader name you have chosen. We do not send your email address or payment details to Anthropic, and we do not knowingly send special-category data. Anthropic processes this data in the United States (see clause 5 on international transfers and safeguards).
4.4 Vercel (application hosting and delivery). Hosts and serves the Service. Processing may take place in the United States (see clause 5).
4.5 A privacy-focused analytics provider (usage analytics). Provides aggregate and limited event-level usage statistics, used only where you have consented to non-essential analytics.
4.6 We may also disclose personal data where required by law, to enforce our terms, or to protect the rights, safety or property of us, our users or others.
4.7 [SOLICITOR / OWNER TO COMPLETE: confirm the named analytics provider and the precise hosting regions, and add links to each sub-processor's privacy notice. Consider maintaining a sub-processor list that is kept up to date.]
5. International transfers
5.1 Some of our sub-processors, in particular Anthropic and Vercel, process personal data in the United States, which is outside the UK.
5.2 Where personal data is transferred outside the UK, we put in place appropriate safeguards as required by UK GDPR. These safeguards include the use of the International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, or reliance on a relevant UK adequacy decision or other approved transfer mechanism, together with additional measures where appropriate.
5.3 You can ask us for more information about the safeguards we use by contacting us at david@actuallyai.co.uk. [SOLICITOR / OWNER TO CONFIRM the specific transfer mechanism relied on for each US recipient.]
6. How long we keep your data
6.1 We keep personal data only for as long as we need it for the purposes set out in this policy, and then delete or anonymise it.
6.2 In general:
- account and gameplay data is kept while your account is active and for a reasonable period after you close it or it becomes inactive;
- subscription and payment metadata is kept for as long as needed to manage the subscription and to meet our legal, accounting and tax record-keeping obligations; and
- analytics data is kept in line with the retention settings of our analytics provider.
6.3 [SOLICITOR / OWNER TO SET specific retention periods for each category, for example the number of months after account closure that gameplay data is deleted, and the statutory record-keeping period applied to payment records.]
7. Your rights
7.1 Under UK GDPR, you have the right to:
- be informed about how we use your data (this policy);
- access a copy of the personal data we hold about you;
- have inaccurate data corrected;
- have your data erased in certain circumstances;
- restrict our processing in certain circumstances;
- object to processing based on legitimate interests, and to object to direct marketing at any time;
- data portability for data you provided to us, where processing is based on consent or contract and is carried out by automated means; and
- withdraw consent at any time where we rely on consent.
7.2 To exercise any of these rights, contact us at david@actuallyai.co.uk. We will respond within one month, although we may extend this where the request is complex, and we will tell you if we do. We will not normally charge a fee.
7.3 We may need to verify your identity before acting on a request, to protect your data.
8. Complaints
8.1 If you have a concern about how we handle your personal data, please contact us first at david@actuallyai.co.uk so we can try to put it right.
8.2 You also have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection. You can contact the ICO at https://ico.org.uk, by their helpline, or by post at Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
9. Security
9.1 We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss or misuse, including relying on the security measures of our reputable infrastructure providers. No online service can be guaranteed to be completely secure, but we work to protect your information.
10. Changes to this policy
10.1 We may update this Privacy Policy from time to time. If we make material changes, we will let you know by email or through the Service. The "Last updated" date at the top shows when it was last revised.
11. Contact
For any privacy question or to exercise your rights, contact us at david@actuallyai.co.uk, or by post at [BUSINESS ADDRESS - to be completed].