This policy is effective as of August 2021
At Stepping Stones Games Limited we are committed to respecting and protecting your online privacy. This includes your right to know what we do with the personal information you share with us. It also guides our policies regarding the management of your data, including how the information is collected, how it is processed, and for what purposes.
It is important to us that we communicate our policies and procedures clearly to you, the gameplayer, and your family. As such, this policy covers the following key areas:
1. Background Information
Stepping Stones Games Limited is a UK-based private limited company (Registration Number: 13387045) that ultimately oversees the delivery of games across the world. Stepping Stones Games Limited collects, manages, and processes all associated data from its games and is therefore considered the data controller for all Stepping Stones Games group companies and all Stepping Stones Games events worldwide.
Our designated Data Protection Officer is Annie Coles (Finance Director, Stepping Stones Games Limited).
Stepping Stones Games Limited
FAO: Data Protection Officer
53 Frith Street
2. Why We Need Your Data
In order to support our global network of games it is critical we understand who is participating. There are many reasons for this, from simple stuff like providing participants with information around how and when they have taken part, through to more complex challenges such as measuring the impact of our games on those communities most in need of increasing their physical activity levels and social engagement.
The General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA) require that all information we collect is collected under a specific lawful basis. There are six clearly-defined lawful bases for processing information, and we categorise the majority of our data processing under three of those: Contract, Legitimate Interests and Consent.
When you register for Stepping Stones Games we need certain information about you to enable us to provide you with the level of game that the player will enter at, to ensure those games are delivered to an appropriate standard and level of curriculum, and to allow us to provide you with accurate records of your participation.
If you do not provide the information required then we will not be able to provide you with records of your participation.
2.2. Legitimate Interests
Outside of your direct participation we also wish to develop the reach and impact of our games, and as such have a legitimate interest in processing certain information with this aim. This includes things like carrying out research to further understand who is or isn’t participating in our games (in order to understand our ability to impact those most in need) and improvement in performance for those playing the games, or capturing and sharing images of our events taking place, helping us to inspire other people to engage in physical activity and redefine what it means to be active.
Above and beyond simple participation as a player, there are a number of ways you can help us to ensure our games positively impact the health and happiness of their local communities.
One of the best ways to support us in this way is by consenting to receive emails regarding things like milestone t-shirts, game profiles, offers, competitions and emails from our partners, training tips, and more. We therefore provide the opportunity at registration, and via your profile, to opt into these communications. You can opt out at any time.
Due to GDPR requirements for providing consent, we do not process any data on children under the age of 13 if it would require consent as the lawful reason for processing. For this reason, children under the age of 13 do not have the option to opt into the above emails.
2.4. Other Bases
Although extremely rare, there can be occasions where we are required to process information under one of the other three lawful bases: Legal Obligation, Vital Interest, Public Task.
3. Categories of Data
We utilise the following definitions for the types of data we collect:
3.1. Profile & Identity
Stepping Stones ID, password, participation, date of birth, gender, full name, images, postcode (not used for purposes of contact), marketing preferences, third party linking information.
Email address, mobile phone number (SMS results service).
IP address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, records of pages visited and other information about the devices you use to access the site.
As part of our continual review of incidents at Stepping Stones game events we maintain a record of relevant details.
Any data submitted to us as part of research activities.
3.6. Event Imagery
Filming and photography captured at our events.
4. What Data We Collect
There are a number of ways where either you are able to explicitly share data with us or we are able to collect it as a result of your actions:
4.1. At registration
We collect information about you that allows us to support your participation in our games. We use this information to create a profile for you on our database, to which we can connect spelling, maths and steps to track the player's progress toward curriculum achievement. We also collect information around your activity levels and other relevant personal information that may help us support your participation more appropriately.
4.2. Using your profile
You can update information such as email address, and mobile number in order to receive participation notifications via SMS (in some countries).
4.3. By linking your Stepping Stones Games account with a third-party account
You can connect services that you use, such as by connecting your parkrun profile with Strava.
4.4. Research Surveys
From time to time we send out research surveys that allow us to develop an understanding of Rockstepper and its participants.
4.5. Partner surveys
These surveys, sent out by us, help to support our sponsors and other stakeholders in understanding their level of connection with the Rockstepper communities they support.
When you visit our websites, cookies will be stored on your computer. Generally, cookies and similar technologies work by assigning to your browser or device a unique number that has no meaning outside of Rock Stepper. We use these technologies to personalise your experience and to assist in delivering content specific to your interests. Additionally, after you’ve entered your Rock Stepper ID and password we save that information so you don’t have to re-enter it repeatedly. Most browsers automatically accept cookies.
To manage the collection of information through cookies or other equivalent technology you can use the settings on your browser or mobile device.
4.8. Log Files
The collection of information: Every time you connect to Stepping Stones Games websites your IP (Internet Protocol) address registers on our servers. Your IP address reveals no information other than the number assigned to you. We do not use this technology to obtain any personal data against your knowledge or free will (i.e. automatically recording email addresses of visitors). Nor do we use it for any purpose other than to help us monitor traffic on our website, or (in case of criminal activity or misuse of our information) to cooperate with law enforcement.
4.9. Web Beacons
These are small pieces of code that deliver a graphic image on a web page or in an email for the purpose of transferring data back to us. The information collected via this process will include information such as IP Address, as well as information about how you respond to an email campaign (e.g. at what time the email was opened, which links you click on in the email, etc.).
We may use web beacons on our websites or include them in e-mails that we send to you. We use this information for a variety of purposes, including but not limited to, site traffic reporting, unique visitor counts, advertising, email auditing and reporting, and personalisation.
In some cases we allow our partners to include web beacons in emails served by us on their behalf. In these instances they are only able to collect anonymous data and have no access to personal information.
4.11. Social Media
5. What Data We Share
5.1. Publicly Available Information
We do not offer privacy settings in relation to your games participation, and as such our websites display your name, age category, gender, age grade,
5.2. Third-Party Connections
Across Rock Stepper territories we offer a number of opportunities for our members to connect their Rock Stepper accounts with other accounts in their name. This could be for the purposes of linking to activity tracking platforms, or sending activity data to incentivised wellness programmes. This can only happen at the request of the user, the specific data shared is clearly defined, and the integration can be stopped at any time by the user simply opting out.
5.3. Anonymised Participant Data
Our mission statement is to create a healthier and happier planet and, as a result, much of our internal work centres around understanding the health and wellbeing of our communities.
Under the lawful basis of Legitimate Interest, we pass anonymised & published participant data to our research department who are then able to carry out health-focused research using this data. Out of this work we are able to modify our processes to achieve greater health and wellbeing impact, and research articles may be published containing anonymised data.
All research carried out by us or approved third parties is required to have ethical approval from an independent research ethics board.
5.4. Personal Contact Details
We do not share our users’ personal contact details with any third parties. All communications sent to our database on behalf of our partners are sent directly by us and only where you have consented for us to do so.
6. How We Contact You
The large majority of our outgoing communication to the Rock Stepper community is via app/email. Sending a notification or email to you is a form of data processing, and as such may only be carried out under a specific lawful basis.
6.1. Under the Lawful Basis of Fulfilling a Contract
In order to fulfil our obligation to you as a Rock Stepper, to ensure our events are delivered in a safe and appropriate manner, and to ensure the Stepping Stones Games organisation is managed appropriately, there are some communications we send to everyone. The following communications fall into this category:
Confirmation you have registered with us.
Notification that you have joined a Rock Stepper league and are eligible to claim any associated items such as t-shirts, wristbands, or certificates.
6.2. Under the Lawful Basis of Legitimate Interest
There are some occasions where we may contact you as part of our mission to make the world healthier and happier. For example, where we write to people who’ve registered but not participated, with the aim of understanding why and then being able to create a more supportive environment. The following types of communications fall into this category:
Questionnaires aimed at developing our understanding of who is participating in Rock Stepper.
Emails sign-posting participants to peer-support groups we feel may be suitable based on information you have provided.
Questionnaires for research aimed at understanding the effect of Rock Stepper on the performance of the participants using it.
You have a right to object to receiving these emails; to do so, please contact email@example.com
6.3. Under the Lawful Basis of Consent
Not only is our mission statement focussed on improving the health and happiness of our communities, but we have also made a commitment that Rock Stepper will achieve improvements in the performance of those using it. There are ways in which we rely on Rock Steppers to achieve both of those ambitions, some of which require us to be able to send certain communications. We therefore offer all Rock Steppers the chance to opt-in (at registration or via their profile) to receive regular updates from us and our partners.
Consent can be withdrawn at any time but does not apply to processing that happened before the consent was withdrawn.
7. How We Protect Your Information
We work extremely hard to apply appropriate security measures in order to protect your data from being accessed or disclosed without your permission, or lost. We have a relatively small staff team, who are regularly updated on good practice in data handling. All personal data is password protected and only available to those with a specific need for access.
In the event of a data breach we will notify you and any applicable regulator, where legally required to do so.
Some event teams also use Facebook to communicate with participants; in these cases we retain admin control centrally and are able to control/remove access when required.
7.1. Third Country Data Transfers
On occasion we may use third parties for the purposes of data processing, and these may reside outside of the European Economic Area (EEA). These third parties are selected only if they exist in a territory deemed compliant with relevant legislation or, with regard to third parties based in the US, they must be part of the Privacy Shield.
8. Retention Periods
In order to present our data retention periods as simply as possible we have chosen to do so using our definitions of categories of data defined in section 3 above.
8.1. Profile & Identity Data – In perpetuity
This is in order to create our results tables, maintain historic records of participation in games, to allow participants to access their participation records, and to allow anyone who is registered with us to participate in any future league without the requirement to re-register.
8.2. Technical Data – Three years from point of data collection
In order to provide the best possible service to our users, to support the administration of our systems and processes, and to comply with legal obligations.
8.4. Incident Data – In perpetuity
We retain this data in order to keep a historical record of our incident profile, from which we are able to continually review our operating policies in order to enable the safe and appropriate delivery of our events.
8.5. Survey Data – In perpetuity
This data is used for the purposes of understanding our community in greater detail. Changes over time are of particular interest where comparison of current versus historical data allows us to assess the impact of our events and associated interventions.
9. Automated Decision Making and Profiling
In some situations we make automated decisions based on various types of data that we hold; this is also known as profiling. Examples of where we use this might be to send research surveys to people who have only ever participated once or to market products to specific demographics of people, such as advertising a new game to Rocksteppers in that area.
Whilst our automated decision making processes do not have a legal or similarly significant effect on the individuals concerned, you do have the right to object to us applying these processes to your data.
To understand more about automated decision making and profiling please see this section of the ICO website.
10. Your Rights
You have the right to:
10.1. Be informed if your personal data is being used
10.2. Get copies of your data
You are also free, at any time, to request a downloadable copy of all the data we hold on you. This would include details of all your walking, running, and volunteering instances and as such is something we particularly recommend prior to any request for us to delete your data. To do this please contact us via support.
10.3. Have your data corrected
If at any time you feel the data we hold on you is incorrect, and you are unable to change it via your profile, please contact us via support.
10.4. Have your data deleted
Should you wish, at any time, for us to delete your data then please contact us via support and we can enable this process. Please note that this is not something that can be undone and as such we would recommend downloading your historical results (see next section) before doing so.
Although we approach every request for deletion on a case-by-case basis, we do not as a rule remove volunteer data simply on request. This is in order to support potential future challenges, enquiries, or investigations where this information may be critical.
10.5. Limit how we use your data
If you are concerned about the accuracy of the data or how it is being used please contact us via support. Where you have previously provided us with consent to use your personal data in a specific way, you can remove your consent at any time (or opt-out) via your profile page.
10.6. Data portability
Following from point 10.2 (above) we will provide copies of your data in standard machine-readable formats. In such cases, please contact firstname.lastname@example.org
10.7. Object to the use of your data
Where we are processing your data under the lawful basis of Legitimate Interest you have the right to raise an objection to that processing. This is not an absolute right to object and we will carry out a balancing test where we assess the reasons for your objection in the context of our legitimate interests.
10.8. Raise a concern
If, at any time, you have a concern as to how we are handling your information then please contact us – email@example.com.