Stepping Stones Games Limited Privacy Policy

This policy is effective as of August 2021

​

At Stepping Stones Games Limited we are committed to respecting and protecting your online privacy. This includes your right to know what we do with the personal information you share with us. It also guides our policies regarding the management of your data, including how the information is collected, how it is processed, and for what purposes.
It is important to us that we communicate our policies and procedures with you clearly and in a manner that provides clarity to you the gameplayer and your family. As such, this policy covers the following key areas:

1. Background Information

2. Why we need your data

3. Categories of Data

4. What data we collect

5. What data we share

6. How we contact you

7. How we protect your information

8. Retention Periods

9. Automated Decision Making

10. Your rights to manage your data

1. Background Information

Stepping Stones Games Limited is a UK-based private limited company (Registration Number: 13387045) that ultimately oversees the delivery of games across the world. Stepping Stones Games Limited collects, manages, and processes all associated data from its games and is therefore considered the data controller for all Stepping Stones Games group companies and all Stepping Stones Games events worldwide.
Our designated Data Protection Officer is Annie Coles (Finance Director, Stepping Stones Games Limited).
Questions about this privacy policy may be submitted to Stepping Stones Games Limited via team@steppingstonesgames.com or by post to the address below.

Stepping Stones Games Limited
FAO: Data Protection Officer
1st Floor
53 Frith Street
London
United Kingdom
W1D 4SN

2. Why We Need Your Data

In order to support our global network of games it is critical we understand who is participating. There are many reasons for this, from simple stuff like providing participants with information around how and when they have taken part, through to more complex challenges such as measuring the impact of our games on those communities most in need of increasing their physical activity levels and social engagement.
The General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA) require that all information we collect must be done so under a specific lawful basis. There are six clearly-defined lawful bases for processing information, and we categorise the majority of our data processing under three of those: Contract, Legitimate Interests and Consent.

2.1. Contract

When you register for Stepping Stones Games we need certain information about you to enable us to provide you with the level of game that the player will enter at, and to ensure those games are delivered to an appropriate standard and level of curriculum, and to allow us to provide you with accurate records of your participation.
This lawful basis also includes any administrative or service-related emails, for example, to confirm that you have registered with us or taken part in one of our games, or to alert you of an update to this Privacy Policy or other policies that are relevant to you. These therefore do not offer an option to unsubscribe as they are necessary to provide the services you requested.
If you do not provide the information required then we will not be able to provide you with records of your participation.

2.2. Legitimate Interests

Outside of your direct participation we also wish to develop the reach and impact of our games and as such have a legitimate interest to process certain information with this aim. This includes things like carrying-out research to further understand who is or isn’t participating in our games (in order to understand our ability to impact those most in need) and improvement in performance for those playing the games or capturing and sharing images of our events taking place, helping us to inspire other people to engage in physical activity and redefine what it means to be active.

2.3. Consent

Above and beyond simple participation as a player, there are a number of ways you can help us to ensure our games positively impact the health and happiness of their local communities.
One of the best ways to support us in this way is by consenting to receive emails regarding things like milestone t-shirts, game profiles, offers, competitions and emails from our partners, training tips, and more. We therefore provide the opportunity at registration, and via your profile, to opt into these communications. You can opt out at any time.
Due to GDPR requirements for providing consent, we do not process any data on children under the age of 13 if it would require consent as the lawful reason for processing. For this reason, children under the age of 13 do not have the option to opt into the above emails.

2.4. Other Bases

Although extremely rare, there can be occasions where we are required to process information under one of the other three lawful bases: Legal Obligation, Vital Interest, Public Task.

3. Categories of Data

We utilise the following definitions for the types of data we collect:

3.1. Profile & Identity

Stepping Stones ID, password, participation, date of birth, gender, full name, images, postcode (not used for purposes of contact), marketing preferences, third party linking information.

3.2. Contact

Email address, mobile phone number (SMS results service).

3.3. Technical

IP address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, records of pages visited and other information about the devices you use to access the site.

3.4. Incident

As part of our continual review of incidents at Stepping Stones game events we maintain a record of relevant details.

3.5. Survey

Any data submitted to us as part of research activities.

3.6. Event Imagery

Filming and photography captured at our events.

4. What Data We Collect

There are a number of ways where either you are able to explicitly share data with us or we are able to collect it as a result of your actions:

4.1. At registration

We collect information about you that allows us to support your participation in our games. We use this information to create a profile for you on our database, to which we can connect spelling, maths and steps to track the players progress toward curriculum achievement. We also collect information around your activity levels and other relevant personal information that may help us support your participation more appropriately.

4.2. Using your profile

You can update information such as email address, and mobile number in order to receive participation notifications via SMS (in some countries).

4.3. By linking your Stepping Stones Games account with a third-party account

Such as by connecting your parkrun profile with Strava you can connect services that you use.

4.4. Research Surveys

From time-to-time we send out research surveys that allow us to develop an understanding of Rockstepper and its participants.

4.5. Partner surveys

Sent out by us, help to support our sponsors and other stakeholders in understanding their level of connection with the Rockstepper communities they support.

4.7. Cookies

When you visit our websites, cookies will be stored on your computer. Generally, cookies and similar technologies work by assigning to your browser or device a unique number that has no meaning outside of Rock Stepper. We use these technologies to personalise your experience and to assist in delivering content specific to your interests. Additionally, after you’ve entered your Rock Stepper ID and password we save that information so you don’t have to re-enter it repeatedly. Most browsers automatically accept cookies.
Some third-party services we use, such as Google Analytics, may place cookies in your browser. This Privacy Policy covers use of cookies by Rock Stepper only, and not the use of cookies by third parties.
To manage the collection of information through cookies or other equivalent technology you can use the settings on your browser or mobile device.

4.8. Log Files

The collection of information: Every time you connect to Stepping Stones Games websites your IP (Internet Protocol) address registers on our servers. Your IP address reveals no information other than the number assigned to you. We do not use this technology to obtain any personal data against your knowledge or free will (i.e. automatically recording email addresses of visitors). Nor do we use it for any purpose other than to help us monitor traffic on our website, or (in case of criminal activity or misuse of our information) to cooperate with law enforcement.

4.9. Web Beacons

These are small pieces of code that deliver a graphic image on a web page or in an email for the purpose of transferring data back to us. The information collected via this process will include information such as IP Address, as well as information about how you respond to an email campaign (e.g. at what time the email was opened, which links you click on in the email, etc.).
We may use web beacons on our websites or include them in e-mails that we send to you. We use this information for a variety of purposes, including but not limited to, site traffic reporting, unique visitor counts, advertising, email auditing and reporting, and personalisation.
In some cases we allow our partners to include web beacons in emails served by us on their behalf. In these instances they are only able to collect anonymous data and have no access to personal information.

4.11. Social Media

When you engage with Stepping Stones Games over social media, it will usually be as a registered user of that social media platform. The use of personal data on social media is governed by your agreement with that platform’s own privacy policy or terms and conditions. Rock Stepper official social media pages are administered by Stepping Stones Games Limited as a data controller of these pages. These social media platforms may process user personal data to deliver anonymised user statistics to the local administrator of that page or event. We do not use the personal data you have made available on social media outside of that platform, unless you have given us your consent to do so.

5. What Data We Share

5.1. Publicly Available Information

We do not offer privacy settings in relation to your games participation, and as such our websites display your name, age category, gender, age grade,

5.2. Third-Party Connections

Across Rock Stepper territories we offer a number of opportunities for our members to connect their Rock Stepper accounts with other accounts in their name. This could be for the purposes of linking to activity tracking platforms, or sending activity data to incentivised wellness programmes. This can only happen at the request of the user, the specific data shared is clearly defined, and the integration can be stopped at any time by the user simply opting out.

5.3. Anonymised Participant Data

Our mission statement is to create a healthier and happier planet and, as a result, much of our internal work centres around understanding the health and wellbeing of our communities.

Under the lawful basis of Legitimate Interest, we pass anonymised & published participant data to our research department who are then able to carry out health-focused research using this data. Out of this work we are able to modify our processes to achieve greater health and wellbeing impact, and research articles may be published containing anonymised data.

All research carried out by us or approved third parties is required to have ethical approval from an independent research ethics board.

5.4. Personal Contact Details

We do not share our users’ personal contact details with any third parties. All communications sent to our database on behalf of our partners are sent directly by us and only where you have consented for us to do so.

6. How We Contact You

The large majority of our outgoing communication, to the Rock Stepper community, is via app/email. Sending a notification or email to you is a form of data processing, and as such may only be carried out under a specific lawful basis.

6.1. Under the Lawful Basis of Fulfilling a Contract

In order to fulfil our obligation to you as a Rock Stepper, to ensure our events are delivered in a safe and appropriate manner, and to ensure the Stepping Stones Games  organisation is managed appropriately, there are some communications we send to everyone. The following communications fall into this category:

1. Confirmation you have registered with us.

2. Updates to key documents, such as this privacy policy.

3. Notification that you have joined a Rock Stepper league and are eligible to claim any associated items such as t-shirts, wristbands, or certificates.

6.2. Under the Lawful Basis of Legitimate Interest

There are some occasions where we may contact you as part of our mission to make the world healthier and happier. For example, where we write to people who’ve registered but not participated, with the aim of understanding why and then being able to create a more supportive environment. The following types of communications fall into this category:

1. Questionnaires aimed at developing our understanding of who is participating in Rock Stepper.

2. Emails sign-posting participants to peer-support groups we feel may be suitable based on information you have provided.

3. Questionnaires for research aimed at understanding the effect of Rock Stepper on the performance of the participants using it.

You have a right to object to receiving these emails, please contact team@steppingstonegames.com

6.3. Under the Lawful Basis of Consent

Not only is our mission statement focussed on improving the \health and happiness of our communities, but we have also made a commitment that Rock Stepper will achieve improvements in the performance of those using it. There are ways in which we rely on Rock Steppers to achieve both of those ambitions, some of which require us to be able to send certain communications. We therefore offer all Rock Steppers the chance to opt-in (at registration or via their profile) to receive regular updates from us and our partners.
Consent can be withdrawn at any time but does not apply to processing that happened before the consent was withdrawn.
 

7. How We Protect Your Information

We work extremely hard to apply appropriate security measures in order to protect your data from being accessed or disclosed without your permission, or lost. We have a relatively small staff team, who are regularly updated on good practice in data handling, all personal data is password protected and only available to those with a specific need for access.
In the event of a data breach we will notify you and any applicable regulator, where legally required to do so.
Some event teams also use Facebook to communicate with participants, in these cases we retain admin control centrally and are able to control/remove access when required.

7.1. Third Country Data Transfers

On occasion we may use third parties for the purposes of data processing, and these may reside outside of the European Economic Area (EEA). These third parties are selected only if they exist in a territory deemed compliant with relevant legislation (read more) or with regards to third parties based in the US they must be part of the Privacy Shield (read more).

8. Retention Periods

In order to present our data retention periods as simply as possible we have chosen to do so using our definitions of categories of data defined in section 3 above.

8.1. Profile & Identity Data – In perpetuity

This is in order to create our results tables, maintain historic records of participation in  games, to allow participants to access their participation records, and to allow anyone who is registered with us to participate in any future league without the requirement to re-register.

8.2. Technical Data – Three years from point of data collection

In order to provide the best possible service to our users, to support the administration of our systems and processes, and to comply with legal obligations.

8.4. Incident Data – In perpetuity

We retain this data in order to keep a historical record of our incident profile, from which we are able to continually review our operating policies in order to enable the safe and appropriate delivery of our events.

8.5. Survey Data – In perpetuity

This data is used for the purposes of understanding our community in greater detail. Changes over time are of particular interest where comparison of current versus historical data allows us to assess the impact of our events and associated interventions.

9. Automated Decision Making and Profiling

In some situations we make automated decisions based on various types of data that we hold, this also also known as profiling. Examples of where we use this might be to send research surveys to people who have only ever participated once or to market products to specific demographics of people, such as advertising a new game to Rocksteppers in that area.
Whilst our automated decision making processes do not have a legal or similarly significant effect on the individuals concerned, you do have the right to object to us applying these processes to your data.
To understand more about automated decision making and profiling please see this section of the ICO website.

10. Your Rights

You have the right to:

10.1. Be informed if your personal data is being used

Where appropriate we endeavour to inform you of this at the point where your data is being collected, however for circumstances where that is not practical or possible please refer to this Privacy Policy.

10.2. Get copies of your data

You are also free, at any time, to request a downloadable copy of all the data we hold on you. This would include details of all your walking, running, and volunteering instances and as such is something we particularly recommend prior to any request for us to delete your data. To do this please contact us via support.

10.3. Have your data corrected

If at any time you feel the data we hold on you is incorrect, and you are unable to change it via your profile, please contact us via support.

10.4. Have your data deleted

Should you wish, at any time, for us to delete your data then please contact us via support and we can enable this process. Please note that this is not something that can be undone and as such we would recommend downloading your historical results (see next section) before doing so.
Although we approach every request for deletion on a case-by-case basis, we do not as a rule remove volunteer data simply on request. This is in order support potential future challenges, enquiries, or investigations where this information may be critical.

10.5. Limit how we use your data

If you are concerned about the accuracy of the data or how it is being used please contact us via support. Where you have previously provided us with consent to use your personal data in a specific way, you can remove your consent at any time (or opt-out) via your profile page.

10.6. Data portability

Following from point 10.2 (above) we will provide copies of your data in standard machine-readable formats. In such cases, please contact team@steppingstonesgames.com

10.7. Object to the use of your data

Where we are processing your data under the lawful basis of Legitimate Interest you have the right to raise an objection to that processing. This is not an absolute right to object and we will carry out a balancing test where we assess the reasons for your objection in the context of our legitimate interests.

10.8. Raise a concern

If, at any time, you have a concern as to how we are handling your information then please contact us – team@steppingstonegames.com.