Privacy Policy
Data controller
The controller of the personal data we collect through playchallenges.com is:
- Name / Legal entity: [LEGAL_ENTITY_NAME]
- Tax ID: [TAX_ID]
- Registered address: [REGISTERED_ADDRESS]
- Contact email: info@playchallenges.com
- Website: https://playchallenges.com
📌 PlayChallenges is currently in a pre-incorporation phase. Full identification details of the controller will be published once the legal registration process is complete. In the meantime, you can contact the data controller via info@playchallenges.com.
Personal data we collect
We collect only the personal data strictly necessary to provide our services and fulfill the purposes described in this policy. Specifically:
2.1. VIP Access Request form data
When you fill out the public "VIP Access Request" form on our home page, we collect:
- Full name and job title — to personalize our communication.
- Corporate email — to send you the verification code and to communicate with you about your request.
- Company website — to verify the legitimacy of the request.
- Annual events and participants per event — to assess the fit with our service.
- Challenge or problem to solve — to understand your need and offer an appropriate response.
- Submission date/time and IP address — for security and abuse prevention.
- Browser User-Agent and country code — for technical analysis and security.
2.2. Data collected during the use of the events platform
If you participate in an event created on PlayChallenges as an organizer or as a participant, we may process:
- Username and password (hashed) — to authenticate you in the event.
- Group and role data — to personalize your experience.
- Challenge results (scores, times, answers) — linked to the user and the group.
- Messages with the AI assistant — to manage the interaction and improve the service.
- Approximate geolocation — only in geolocation challenges (GPS), and always with your explicit consent when activating the browser sensor.
- Camera image — only in Augmented Reality (WEB-AR) challenges, processed locally on your device, never stored on our servers.
2.3. Automatic technical data
Like any website, our servers log basic technical information for each request: IP address, date/time, browser type, operating system, and origin URL. These logs are kept for a maximum of 30 days and used exclusively for problem diagnosis, security, and abuse prevention.
Purposes and legal bases
We process your personal data for the following purposes, each with its corresponding legal basis under GDPR Art. 6:
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Process your VIP Access Request, verify your email via OTP code, and manage your onboarding as a customer. | Consent (Art. 6(1)(a)) — given by checking the form's consent box. |
| Create your account, authenticate you, and allow you to participate in events. | Performance of a contract (Art. 6(1)(b)) — necessary to provide the requested service. |
| Send you operational communications (password resets, security alerts, event reminders). | Performance of a contract (Art. 6(1)(b)). |
| Prevent fraud, abuse, spam, or automated attacks (rate limiting, captcha, geo-blocking). | Legitimate interest (Art. 6(1)(f)) — protect platform integrity. |
| Comply with legal obligations (tax, accounting, judicial requests). | Legal obligation (Art. 6(1)(c)). |
| Internal aggregated analysis of platform usage (without identifying individual users). | Legitimate interest (Art. 6(1)(f)) — improve the service. |
We do not perform automated profiling with legal effects on you, nor do we engage in behavioral advertising based on your activity on the website.
Data retention
We only retain your data for as long as necessary for the described purposes:
- Unverified VIP requests: 90 days from submission. If you do not complete email verification, the data is automatically deleted.
- Verified VIP requests not converted to customer: 12 months from verification.
- Active user accounts: while the account is active plus 6 months after last activity. Subsequently anonymized or deleted.
- Finished event data: up to 24 months after the end of the event, unless the organizer requests early deletion.
- Technical logs: 30 days.
- Data subject to tax/accounting obligations: 6 years (Art. 30 of the Spanish Commercial Code).
Recipients and international transfers
We do not sell or share your personal data with third parties for commercial purposes. However, in order to provide the service, we share some data with the following technology providers (data processors):
| Provider | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Application hosting (Workers), database (D1), storage (R2), CDN, anti-DDoS protection, and captcha (Turnstile). | US and European Union (global edge network with servers in Spain) |
| Resend, Inc. | Transactional email delivery (verification codes, operational notifications). | US |
| Google LLC | Gemini AI API, used to generate hints and evaluate answers in AI challenges. | US and EU |
International transfers
Some of our providers are established in the United States. These transfers are protected by:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914).
- The EU-U.S. Data Privacy Framework, for participating providers (Cloudflare and Google are certified).
We only transfer the data strictly necessary to provide the service.
Your GDPR rights
As a data subject, you have the following rights regarding your personal data, which you can exercise free of charge at any time:
- Right of access (Art. 15): obtain a copy of the personal data we hold about you.
- Right to rectification (Art. 16): correct inaccurate or incomplete data.
- Right to erasure / "right to be forgotten" (Art. 17): request deletion of your data when it is no longer necessary.
- Right to restrict processing (Art. 18): ask us to temporarily suspend processing.
- Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): object to processing based on legitimate interest.
- Right to withdraw consent at any time, without affecting the lawfulness of prior processing.
- Right not to be subject to automated decisions with significant legal effects.
How to exercise your rights
To exercise any of these rights, send an email to info@playchallenges.com indicating:
- The right you wish to exercise.
- Your full name and a piece of information that identifies your account or request (email, approximate registration date).
- A copy of an ID document if necessary to verify your identity.
We will respond within a maximum of 1 month from receipt of the request, extendable by 2 additional months in complex cases (we will notify you if this happens).
📋 If you believe that the processing of your data does not comply with the regulations, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD), the Spanish supervisory authority, at www.aepd.es. We would appreciate it if you could contact us first to try to resolve the issue directly.
Security measures
We apply appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or accidental destruction, in accordance with Art. 32 of the GDPR:
- Encryption in transit: all communications are made over HTTPS (TLS 1.2/1.3).
- Encryption at rest: data in Cloudflare D1 and R2 is encrypted by default.
- Passwords: stored with bcrypt + salt, never in plain text.
- Authentication tokens: signed JWT, with limited expiration.
- Email verification via OTP for VIP requests.
- Captcha (Cloudflare Turnstile) to prevent bots.
- Rate limiting by email and IP.
- Security headers (CSP, X-Frame-Options, Referrer-Policy, etc.).
- Least-privilege policy: only authorized administrators can access raw personal data.
- Regular backups with limited retention and encryption.
In the event of a security breach that may pose a risk to your rights and freedoms, we will notify the AEPD within a maximum of 72 hours and inform you directly if the risk is high, in accordance with Arts. 33 and 34 of the GDPR.
Cookies and similar technologies
Currently playchallenges.com does not use tracking, advertising, or third-party analytics cookies on its public page. The home page works without cookies.
Only when you log in to the events panel do we use:
- Browser localStorage to store your JWT authentication token and minimal preferences (language, accessibility settings). This is not strictly a cookie and is not automatically transmitted to the server.
If we incorporate analytics tools or additional cookies in the future, we will update this policy and display a consent banner in accordance with the ePrivacy directive.
Children's data
The public service of PlayChallenges (VIP form, web page) is intended exclusively for professionals aged 18 and over. We do not knowingly collect personal data from minors through the VIP form.
In the context of educational events where minors participate, the data is managed by the educational center or event organizer, who acts as the data controller. PlayChallenges acts in these cases as a data processor on behalf of the center, under the corresponding processing agreement (Art. 28 GDPR).
If we discover that we have collected data from a minor without proper authorization, we will delete it without delay.
Changes to this policy
We reserve the right to modify this Privacy Policy to reflect legal, technical, or service changes. Revised versions will be published at this same URL with the date of the last update indicated at the beginning of the document.
In the event of substantial changes affecting the processing of your data, we will notify you with reasonable advance notice via the email associated with your account or request.
Contact and complaints
If you have any questions about this policy or the processing of your data, please do not hesitate to contact us:
📧 Email: info@playchallenges.com
🌐 Web: https://playchallenges.com
🏛️ Supervisory authority: Spanish Data Protection Agency (AEPD)