Privacy Policy
Last Updated: January 2025
This Privacy Policy describes how we collect, use, and protect your personal information when you use our WhatsApp-based tour service.
Information We Collect
Information You Provide
- Phone Number: We collect your WhatsApp phone number to deliver the tour experience and communicate with you about the game.
- Email Address: We collect your email address during purchase for receipt and order confirmation purposes only.
- Access Codes: When you purchase a tour, we generate a unique access code that you provide to access the game.
Information We Automatically Collect
- Game Progress: We store your progress through the treasure hunt (current step, selected tour) to maintain your game state.
- Order Information: We store order details including purchase date, tour selection, payment amount, and order status in our secure database.
- Usage Data: We may log technical information such as message timestamps and error logs for service improvement.
How We Use Your Information
We use the information we collect to:
- Deliver the Service: Provide you with the treasure hunt experience, track your progress, and send game-related messages.
- Process Purchases: Generate access codes, send purchase confirmations, and manage your access to purchased tours.
- Order Management: Track orders, process refunds, and maintain records for accounting and tax purposes as required by UK law.
- Improve the Service: Analyze usage patterns to improve the game experience and fix technical issues.
- Security: Protect against fraud, abuse, and unauthorized access.
Data Protection and Security
Phone Number Hashing
For your privacy and GDPR compliance:
- We never store your raw phone number. All phone numbers are hashed using SHA-256 before storage.
- Your phone number is converted to a cryptographic hash that cannot be reversed to reveal your original number.
- This hash is used to identify you across sessions while protecting your privacy.
Data Storage
- Game Progress: Stored in Redis with automatic expiration (24 hours for game state, 30 days for access codes).
- Access Codes: Linked to your hashed phone number and expire after 30 days.
- Order Information: Stored in a secure PostgreSQL database with minimal personal information (email only, phone numbers are hashed).
- Email Addresses: Stored for receipt and order confirmation purposes only.
Security Measures
- All data is transmitted over encrypted connections (HTTPS/TLS).
- Access to data is restricted to authorized systems only.
- Database access is protected with row-level security policies.
- Regular security reviews and updates are performed.
Data Retention
- Game Progress: Automatically deleted after 24 hours of inactivity.
- Access Codes: Expire and are deleted after 30 days.
- Tour Selection: Stored for 30 days, then automatically deleted.
- Order Records: Retained for accounting and tax purposes as required by UK law. Personal information can be anonymized upon request (see Your Rights below).
Your Rights (GDPR & UK GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, you have certain data protection rights:
- Right to Access: You can request information about what personal data we hold about you.
- Right to Rectification: You can request correction of inaccurate data.
- Right to Erasure: You can request deletion/anonymization of your personal data.
- Right to Data Portability: You can request a copy of your data in a portable format.
- Right to Object: You can object to processing of your personal data.
How to Exercise Your Rights
You can exercise your GDPR rights through our automated endpoints:
- Export Your Data: Visit /api/gdpr/export?email=your@email.com to download a copy of your data
- Request Deletion: Visit /api/gdpr/delete?email=your@email.com or send a DELETE request to anonymize your data
- Contact Us: For other requests, contact us at hello@isca-tours.co.uk
Note: Order records are anonymized rather than deleted to comply with UK accounting and tax law requirements. Financial transaction records are retained but no longer associated with your personal information.
Third-Party Services
Stripe
We use Stripe to process payments. Stripe collects and processes your payment information according to their privacy policy. We do not store your full payment card details. Please review Stripe's Privacy Policy.
Twilio
We use Twilio to deliver WhatsApp messages. Twilio processes your phone number to deliver messages but does not store it for our purposes. Please review Twilio's Privacy Policy.
Redis/Upstash
We use Upstash Redis to store game state and access codes. Data is stored in encrypted form and automatically expires as described above.
Database Storage
All order information is stored in a secure PostgreSQL database managed by our backend service. The frontend application does not have direct database access - all data operations are handled securely through our backend API. Data is encrypted in transit and at rest, with row-level security enabled.
Children's Privacy
Our service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.
International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those in your country. We ensure appropriate safeguards are in place to protect your data, including standard contractual clauses and encryption.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. For significant changes, we may also notify you via email.
Contact Us
If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
- Email: hello@isca-tours.co.uk
- Website: isca-tours.co.uk
Data Controller Information
Data Controller: Isca Tours
Email: hello@isca-tours.co.uk
Jurisdiction: United Kingdom (UK GDPR applies)
Last Updated: 9 January 2026
This privacy policy is designed to comply with GDPR, UK GDPR, CCPA, and other applicable data protection regulations.