Privacy Policy

Effective: 15th January 2026

We strive to provide high quality digital products and online services that are safe, reliable, and fair to use. This includes our games, services, software products, and any related platforms or tools we operate. Respecting your privacy and safeguarding your personal data is a core part of that commitment.

This privacy policy explains how we collect, use, store, and protect personal data when you visit our website or use any of our products or services, including games, software applications, and related online platforms, regardless of how or where you access them. It also explains the choices available to you in relation to your personal data.

For the purposes of this policy, references to “services” include all digital products we operate, including our games, software applications, websites, and any related platforms or tools.

Privacy Policy Summary (TL;DR)

We know privacy policies can be long and technical, so this short summary is here to explain the essentials in plain language. The full policy below contains the complete legal details and always takes priority.

We collect and use personal data only where it is genuinely needed to operate our products and services, manage user accounts, process purchases or subscriptions, keep our systems secure, and improve the overall experience. This applies equally to our games and any other software or online services we provide. We do not sell personal data.

We aim to keep personal data for as little time as possible. Where data is no longer needed for service operation, user-facing features, legal, or security purposes, it is deleted in line with our data minimisation practices.

Some content created through our services, such as messages, profile information, or user-submitted text, may be reviewed using automated tools to help enforce our rules and maintain safe and compliant communities. This processing is carried out solely for moderation, security, and abuse prevention purposes.

Marketing communications are strictly opt-in. You will only receive marketing if you choose to, and consent is managed separately for each service. You can unsubscribe at any time using a single click.

You stay in control of your data. You can access your information, update it, withdraw marketing consent, or delete your account at any time through your account settings or by contacting us.

Scope

This policy applies to Galahad Creative Ltd and governs how we collect and process personal data through our website and through our products and services, including games, software applications, and any other digital services we operate now or in the future. This includes personal data you provide when creating an account, using our products or services, interacting with user-facing features, or contacting us.

Our products and services may be accessible via desktop, mobile applications, web-based platforms, or other supported environments, and this policy applies across all supported platforms.

Our products and services are not intended for children under the age of 13, and we do not knowingly collect personal data relating to children. If we become aware that an account is being used by a person under the age of 13, we will suspend or restrict access to the account and take steps to remove the associated personal data, unless we are required to retain certain information for legal, security, or compliance purposes.

This privacy policy should be read together with any additional privacy notices or data processing notices we may provide at specific points, such as during registration or when using particular features. Those notices are intended to supplement this policy and provide more detail about how your data is used in specific contexts.

Data Controller and Contact Details

Galahad Creative Ltd is the data controller for the purposes of this privacy policy and is responsible for your personal data; all references to “we”, “us” or “our” refer to Galahad Creative Ltd.

Our details are as follows:

Galahad Creative Ltd
International House, 
101 King's Cross Road, 
London, 
England, 
WC1X 9LP

This privacy policy is intended to comply with the UK General Data Protection Regulation (UK GDPR) and, where applicable, the EU General Data Protection Regulation (EU GDPR). Galahad Creative Ltd acts as the data controller under both regimes in respect of the personal data processed through our website, games, and services. Where users are located outside the United Kingdom or the European Economic Area, local data protection laws may also apply.

How to contact us about your rights and data

We have appointed a data privacy manager who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact us at privacy@galahadcreative.com. We are regulated by the Information Commissioner’s Office and you have the right to make a complaint at any time to them. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Our website and services may contain links to third-party websites, plug-ins, or applications. Interacting with those links or features may allow third parties to collect or share data about you. We do not control third-party websites or services and are not responsible for their privacy practices. When you leave our website or access third-party services from within our services, we encourage you to review the relevant privacy policies of those third parties.

Information Collected About You

We set out below the categories of personal data that we may collect, use, store, and transfer when you interact with us through our website, our services, or any related services we operate. Personal data means any information that can be used to identify you as an individual. It does not include data that has been anonymised.

Identity and contact data includes your email address, username, or other similar identifiers associated with your account.

Financial and transaction data includes payment card details and information relating to payments made to or from you, as well as details of any purchases or subscriptions you have made through our services.

Technical data includes your internet protocol (IP) address, login data, browser type and version, time zone and location settings, browser plug-in types and versions, operating system and platform, and other technology used on the devices you use to access our website or services.

Profile data includes your username and password, purchase and order history, membership or subscription information, account preferences, product or service settings, feedback, and survey responses.

Usage data includes information about how you use our website, products, and services, including interactions with features, service activity, and any content you submit through community, collaboration, or discussion features.

Marketing and communications data includes your preferences for receiving marketing communications from us or third parties and your communication preferences.

We also collect, use, and share aggregated data for analytical and statistical purposes. Aggregated data may be derived from personal data but does not, by itself, identify you. For example, we may aggregate usage data to understand how users interact with specific features. Where aggregated data is combined with personal data in a way that could identify you, it is treated as personal data and handled in accordance with this privacy policy.

We do not knowingly collect special categories of personal data. This includes information relating to race or ethnicity, religious or philosophical beliefs, sex life or sexual orientation, political opinions, trade union membership, health information, or genetic and biometric data. We also do not collect information relating to criminal convictions or offences.

Some content you create through our services may be visible to other users, such as public profile information, discussion posts, comments, or shared content. Other content, such as private messages or direct communications, is treated as private between users. All user-generated content, whether public or private, may be processed by us for moderation, security, and enforcement purposes. This includes the use of automated tools to help detect spam, harassment, abuse, or other behaviour that violates our terms or applicable law.

The technical, usage, and account-related data described above is primarily collected and processed to help us operate our products and services securely and reliably. This includes identifying and preventing fraudulent activity, abuse, automated misuse, and other behaviour that may undermine the integrity, security, or stability of our systems. This information is used to protect our users, enforce our rules, and maintain a safe and consistent service experience.

How your data is collected

We use different methods to collect personal data from and about you, including the following.

Direct interactions
You may provide us with identity, contact, and financial data when you create an account, use our games or services, or communicate with us. This includes personal data you provide when you register for an account, make purchases, request marketing communications, participate in community or discussion features, enter competitions, promotions, or surveys, provide feedback, or contact us for support or other enquiries.

Automated technologies and interactions
As you interact with our website, games, and services, we automatically collect technical data about your device, browsing actions, and usage patterns. This data is collected through technologies such as cookies, server logs, and similar tracking mechanisms.

Third parties
We may receive personal data about you from third party providers, including:
- Technical data from analytics and infrastructure providers such as Google, DigitalOcean, Laravel Nightwatch, and Fathom Analytics.
- Financial and transaction data from providers of payment and transaction services such as Stripe, Google Play Store, and Apple App Store.

How we use your information

We process personal data only where we have a valid lawful basis to do so under applicable data protection law. For most core service functionality, account management, and purchase-related activities, the primary lawful basis is the performance of a contract with you. Where processing is required to meet statutory or regulatory requirements, we rely on compliance with a legal obligation. In certain limited circumstances, such as security, fraud prevention, service improvement, analytics, and content moderation, we rely on our legitimate interests, having assessed that these interests are not overridden by your rights and freedoms. Where consent is used as the lawful basis, it is obtained explicitly and may be withdrawn at any time.

The General Data Protection Regulation ("GDPR") requires organisations that process personal data of individuals in the European Union to identify the lawful basis relied upon for that processing. Depending on the context and type of data involved, we rely on one or more of the following lawful bases.

Consent
When you create an account or use certain features of our services, we may ask for your consent to process your personal data as described in this policy. This includes, where applicable, consent to receive marketing communications. Where consent is the lawful basis for processing, you may withdraw that consent at any time through the relevant settings, by using unsubscribe mechanisms provided, or by contacting us directly. Withdrawal of consent does not affect the lawfulness of processing carried out before it was withdrawn.

Contractual obligations
We process personal data where it is necessary to perform a contract with you or to take steps at your request before entering into a contract. This includes providing access to your account, delivering product features or digital content, and managing subscriptions, memberships, or other service entitlements.

Legal or regulatory obligations
We process personal data where it is necessary to comply with a legal or regulatory obligation. This includes obligations relating to financial records, tax, accounting, fraud prevention, and compliance with applicable laws.

Legitimate interests
We may process personal data where it is necessary for our legitimate business interests, or the legitimate interests of a third party, provided those interests are not overridden by your rights and freedoms. This includes activities such as maintaining the security of our services, preventing abuse, improving product features, and understanding how our services are used. Where we rely on legitimate interests, we consider and balance the impact on your rights before proceeding.

Further details about how we use specific categories of personal data and the lawful basis applied in each case are set out in the sections below.

Lawful Reasons

We use your personal data for the purposes set out below. For each purpose, we identify the categories of personal data involved and the lawful basis relied upon under the GDPR.

To register and manage your account
Types of data: Identity, Contact
Lawful basis: Performance of a contract with you

This processing is necessary to create and administer your account and to provide access to our services.

To facilitate and process purchases and subscriptions
Types of data: Identity, Contact, Financial, Transaction, Marketing and Communications
Lawful basis: Performance of a contract with you; Legitimate interests (to manage payments and recover amounts owed)

This includes processing payments, managing fees and charges, and handling refunds or debt recovery where required.

To manage our relationship with you
Types of data: Identity, Contact, Profile, Marketing and Communications
Lawful basis: Performance of a contract with you; Legal obligation; Legitimate interests (to keep records up to date and understand how our services are used)

This includes notifying you of changes to our terms or privacy policy and inviting you to provide feedback, reviews, or survey responses.

To enable participation in competitions, prize draws, or surveys
Types of data: Identity, Contact, Profile, Usage, Marketing and Communications
Lawful basis: Performance of a contract with you; Legitimate interests (to analyse engagement, improve our services, and grow our business)

To administer and protect our business and services
Types of data: Identity, Contact, Technical
Lawful basis: Legitimate interests (to operate our business, provide IT and administrative services, ensure network security, prevent fraud, and support business continuity); Legal obligation

This includes troubleshooting, data analysis, testing, system maintenance, support, reporting, and data hosting.

To deliver relevant content and measure advertising effectiveness
Types of data: Identity, Contact, Profile, Usage, Marketing and Communications, Technical
Lawful basis: Legitimate interests (to understand how users engage with our services, improve relevance, and inform our marketing strategy)

To use analytics to improve our services and user experience
Types of data: Technical, Usage
Lawful basis: Legitimate interests (to improve our services, marketing, and customer relationships)

To make recommendations about goods or services
Types of data: Identity, Contact, Technical, Usage, Profile, Marketing and Communications
Lawful basis: Legitimate interests (to develop our services, grow our business, and tailor our offerings)

To monitor and moderate user-generated content and enforce community standards
Types of data: Identity (username only), Profile, Usage (including chat messages, comments, posts, and profile content)
Lawful basis: Legitimate interests (to keep our services and communities safe, enforce our rules, and prevent misuse or abuse)

MARKETING

We aim to give you clear choices about how your personal data is used, particularly in relation to marketing and promotional communications. The following explains how we manage marketing preferences and your rights in this area.

When you create an account for one of our services, you may be invited to consent to receiving marketing and promotional communications relating specifically to that service. Marketing consent is managed on a per-service basis. Providing consent for marketing in one service does not result in marketing communications for any other service we operate.

Withdrawing your consent for marketing will not affect our ability to send you non-promotional service communications. These include essential messages such as service updates, planned maintenance, security notices, changes to our terms, or updates to this privacy policy.

Promotional offers from us

Where you have provided consent, we may use your identity, contact, technical, usage, and profile data to understand your interests and preferences. This allows us to decide which products, services, features, or offers may be relevant to you.

You may receive marketing communications from us where you have requested information from us, made a purchase, or otherwise engaged with our services, provided you have not opted out of receiving such communications.

Third-party marketing

We will only share your personal data with third parties for marketing purposes where you have given your explicit consent. We do not permit third parties to use your personal data for their own marketing purposes without your permission.

Opting Out

You can withdraw your marketing consent at any time by using the unsubscribe link included in our marketing emails. This process is designed to be immediate and does not require you to log into your account or contact support.

If you opt out of receiving marketing communications, this will not affect personal data processed as part of a purchase, subscription, service delivery, warranty registration, or other transactional or contractual relationship with us.

Cookies and other technologies

Cookies are small data files that are placed on your device to collect and store information about your interaction with our website and services. We use cookies and similar technologies for a number of purposes, including to ensure the secure and reliable operation of our website, to remember your preferences, and to understand how our services are used so we can make ongoing improvements.

Some cookies are required for core functionality and security. Others help us recognise you when you return, retain your settings, or analyse usage patterns. Many cookies are linked to your browser session and are deleted when you close your browser. Other cookies may remain on your device for a longer period in order to support functionality or analytics.

Where required by law, we obtain your consent before placing non-essential cookies on your device. You can manage your cookie preferences through your browser settings or through any cookie management tools we provide.

For more detailed information about the specific cookies and technologies we use, including their purposes and retention periods, please refer to our Cookie Policy.

Information Sharing & Disclosure

We share the information we collect or that is provided to us as follows:

Sharing with our Partners

We may share your personal data with the parties set out below for the purposes we have identified above.

  • External Third Parties, who help us in providing Our Services. Currently, we use the following trusted Partners:
    • Stripe & Apple, Google Play: to securely process payments in respect of any purchases you make through Our Services;
    • DigitalOcean: Our cloud provider.
    • Google Firebase: To track crashes and errors that happen on the Android and iOS apps.
    • Laravel Nightwatch: Our Application Performance Monitoring (APM) provider. This helps to monitor and improve application performance.
    • OpenAI LLC (United States): We process limited user-generated text content, such as messages, profile information, and other user submissions, through automated content moderation services to detect spam, harassment, and other behaviour that violates our terms or applicable law. This processing is carried out on the basis of our legitimate interests in maintaining safe, secure, and compliant services.
    • Shattered Silicon: Provides database management and infrastructure support services in relation to SimpleMMO only. Their access is limited to what is necessary to perform these services and is subject to contractual confidentiality and data protection obligations.
  • Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.

International Transfers

Unless otherwise stated, your personal data is hosted and processed within the United Kingdom or the European Economic Area. Where we transfer personal data to third parties located outside the UK or the EEA, we ensure that appropriate safeguards are in place in accordance with applicable data protection law. This includes reliance on the European Commission’s Standard Contractual Clauses (2021/914/EU) and, where required under UK GDPR, the UK International Data Transfer Addendum or another approved UK transfer mechanism, together with appropriate technical and organisational safeguards.

Where we share data with OpenAI LLC (USA), the transfer is governed by the European Commission’s Standard Contractual Clauses (2021/914/EU, controller–processor) together with additional technical and organisational safeguards (encryption in transit, strict retention limits and data-minimisation).

How we safeguard your data

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Retention and Deletion

We operate under a strict data minimisation policy and retain personal data only for as long as it is necessary for the purposes for which it was collected. Where data is no longer required for service operation, product features, or user-facing functionality, it is deleted, unless longer retention is required for legal, security, or compliance purposes. This policy applies across all of our services.

In some circumstances, data may be retained for a shorter or longer period where necessary for legal, security, enforcement, or dispute-related reasons.

Account Deletion and Service-Specific Retention

When an account is marked for deletion, a short 21-day grace period applies during which the user may log in to cancel the deletion. Once this period expires, the account is permanently deleted and personal data associated with the account is removed from our active systems, unless retention is required for legal, security, enforcement, or compliance purposes.

Retention practices may vary slightly between our services depending on how specific features operate. For example, guest or inactive accounts may be removed after a period of inactivity, and accounts involved in violations of our Terms of Service may be deleted after a reasonable period, with relevant data retained where necessary for enforcement or legal reasons.

Certain in-service communications and user-generated content may be retained for limited periods to support moderation, security, and abuse prevention. Where such data is no longer required for these purposes, it is permanently deleted in line with our data minimisation practices.

Retention decision criteria

To determine appropriate retention periods, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised access or disclosure, the purposes for which the data is processed, whether those purposes can be achieved through other means, and applicable legal, regulatory, tax, or accounting requirements.

We may retain personal data for longer periods where required to comply with legal obligations or where there is a legitimate need, such as investigating abuse, enforcing our Terms of Service, handling complaints, or responding to potential disputes. In some cases, personal data may be anonymised so that it can no longer be associated with an individual, in which case it may be used indefinitely for research or statistical purposes.

Users may request deletion of their personal data by contacting us using the details provided below, subject to the limitations and exceptions described above.

Your Data, Your Rights

Under applicable data protection law, including the UK General Data Protection Regulation (UK GDPR) and, where relevant, the EU General Data Protection Regulation (EU GDPR), individuals whose personal data we process have a number of rights in relation to that data. These rights apply to you where you are within the scope of the relevant legislation, regardless of nationality or citizenship.

You may exercise your rights by contacting us using the details provided below. In many cases, you can also exercise certain rights directly by managing your account settings, including deleting your account or ending your use of our services.

In addition to the rights described below, you may also have the right to request restriction of processing in certain circumstances, the right to object to processing based on legitimate interests or direct marketing, and the right to data portability where processing is carried out by automated means and based on consent or contract. You also have the right to lodge a complaint with a supervisory authority, including the UK Information Commissioner’s Office or the relevant authority in your country of residence.

  1. Right to Correction: if you believe any of the information on your profile to be inaccurate you have a right to request that we correct this. This right also extends to various other information we collect about you which you can request a copy of (see Right to Copies below).
  2. Right to Copies of your data: you have a right to request a copy of the information that we hold about you along with an explanation from us as to why we process that information. We will provide this information to you free of charge for a first request, but will charge for reasonable administrative costs for further requests.
  3. Right to Erasure: You have the right to request the deletion of your personal data at any time. You may do this by deleting your account through the account settings within the service, or by contacting us directly. Where a deletion request is submitted, we will review it carefully. In some cases, we may be required to retain certain information for legal, security, or other legitimate purposes, such as enforcing our Terms of Service or complying with regulatory obligations. Where we determine that data does not need to be retained for these purposes, it will be deleted in accordance with your request. If you have any questions or concerns about how your personal data is processed, you may contact us at privacy@galahadcreative.com.

UPDATES TO OUR POLICY

When we make material changes to this privacy policy, we will take reasonable steps to inform users through in-service notices, patch notes, or prominent messages displayed when loading or accessing our services. These notifications are designed to ensure changes are clearly visible to active users. We encourage you to review this policy periodically to stay informed about how we protect your personal data.