Privacy Policy
Last Updated: 29 October 2025
Your privacy is very important to us. This Privacy Policy explains how we (the operator of the Enigma Papers Platform) collect, use, disclose, and protect your personal data when you access or use our Platform worldwide.
By using the Platform, you agree to the collection and use of your data in accordance with this policy. If you do not agree, please do not use the Platform.
1. Definitions
- Platform: The Enigma Papers website, applications, services, and related features.
- User: Any individual who accesses or uses the Platform (including Players and Builders).
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on personal data (collection, storage, use, disclosure, etc.).
- Third-Party Services: External providers, APIs, hosts, analytics, payment processors, or other services used in connection with the Platform.
2. Data Controller & Contact
The data controller for your personal data is Purple Mallet, located at 61 Bridge St, Kington, HR5 3DJ, UK, email: [email protected]. If you are in the EEA/UK or other jurisdictions with data-protection rights, you may also contact our Data Protection Officer (DPO) at [email protected], if applicable.
3. What Data We Collect
We collect different types of personal and non-personal data, including:
- Registration & account data: name, email address, username, (no password), organisation/tier metadata (if applicable).
- Usage & technical data: IP address, device identifiers, browser type/version, operating system, session IDs, timestamps, pages visited, clickstream data.
- Puzzle participation data: stage progress, scores, attempts, unlocks, objective data tied to your user account or anonymous token.
- Transaction/payment data: if you access paid features, payment processor tokens, billing address, taxation details (not full card data).
- Cookies & tracking data: cookies, local storage, identifiers, analytics and performance data, location data (where you enable location-based features).
- Communications: messages, support requests, feedback, dispute data.
4. How and Why We Use Your Data
We use your data for the following purposes with the associated lawful bases:
- Performance of contract: To provide the Platform services, manage accounts, enable puzzle access, process payments, deliver features.
- Legitimate interests: For enhancing Platform security, analytics and monitoring, fraud prevention, improving the Platform and features (so long as these do not override your rights).
- Consent: Where required (e.g., cookies, marketing communications, optional features). You may withdraw consent at any time.
- Legal compliance: To comply with laws, enforce our Terms & Conditions, protect rights or safety of users, third parties or the Platform.
5. Cookies & Tracking
We use cookies and similar technologies for authentication, session management, feature preferences, analytics, and personalised content. Our cookie banner or consent mechanism (where required by law) allows you to accept, decline or manage tracking cookies.
6. Data Sharing & Third-Party Services
We may disclose your personal data to:
- Service providers and contractors who perform services on our behalf (hosting, cloud infrastructure, analytics, payment processors).
- Affiliated entities of our organisation.
- Law enforcement, regulators or other third parties when required by law or to protect rights, property or safety.
- In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the business transaction, subject to confidentiality and security obligations.
We are not responsible for privacy practices, disclosures or security of third-party services accessed via the Platform. Please review their applicable policies.
7. International Data Transfers
Because we operate globally, your data may be processed or stored in countries outside your jurisdiction. We implement appropriate safeguards (such as Standard Contractual Clauses (SCCs), binding corporate rules, or adequacy decisions) when transferring data from the EEA, the UK or other jurisdictions requiring protection.
By using the Platform, you consent to such transfers, unless local law provides otherwise.
8. Data Retention
We retain your personal data as long as necessary to fulfil the purposes outlined in this policy, provide the Platform, comply with legal obligations, resolve disputes, enforce our agreements, and prevent abuse. When no longer needed, we delete, anonymise or de-identify data, unless retention is required by law.
9. Your Rights
If you are located in the EEA, the UK or other jurisdictions with local data-protection regulation, you may have the following rights under certain conditions:
- Right to access the personal data we hold about you.
- Right to request correction or update of inaccurate or incomplete data.
- Right to request deletion of your data (“right to be forgotten”).
- Right to restrict or suspend processing of your data.
- Right to data portability (receive your data in structured format when applicable).
- Right to object to certain processing (e.g., direct marketing or automated decision-making) where applicable.
- Right to withdraw consent at any time (without affecting the legality of prior processing).
- Right to lodge a complaint with your local supervisory authority if you believe your rights under data-protection law have been violated.
To exercise any of these rights, please contact us at [email protected]. We will respond within applicable legal timeframes.
10. Security
We implement technical and organisational measures to protect your personal data from unauthorised or unlawful processing, accidental loss, destruction or damage. However, no transmission over the internet or method of storage is 100% secure, and absolute security cannot be guaranteed.
11. Children’s Privacy
The Platform is not intended for children under the age of 13 (or the applicable minimum legal age in your jurisdiction). We do not knowingly collect personal data from children under that age without verified parental or guardian consent. If you become aware that we have collected personal data from a child under that age, please contact us and we will take steps to delete the data.
12. Automated Decision-Making & Profiling
Some Platform features may use algorithms or AI-assisted evaluation to assess answers, track progress, or personalise content. These processes are provided on an “as is” basis. You have the right to request human review of any automated decision where required by law.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last Updated” date at the top. We encourage you to review the policy periodically. Your continued use of the Platform after changes indicates your acceptance of the updated policy.
14. Contact Us
If you have any questions about this Privacy Policy or our data-processing practices, please contact us using the details in section 2 of this policy.
For users in certain jurisdictions, additional rights or local rules may apply (e.g., CCPA, CPRA in California, PIPEDA in Canada, LGPD in Brazil, and others). We intend to comply with applicable laws, but if you believe your rights are not adequately addressed, please contact us.