UK GDPR Compliance Statement
Last updated: 17 June 2026
This statement explains TalesNTokens' compliance approach for UK GDPR, EU GDPR, the Data Protection Act 2018, PECR, and related privacy laws. It should be read with the Privacy Policy, GDPR Data Rights Policy, Cookie Policy, Security Policy, and Subprocessor Disclosure Page.
Definitions
"UK GDPR" means the UK General Data Protection Regulation as incorporated into UK law.
"EU GDPR" means Regulation (EU) 2016/679.
"PECR" means the Privacy and Electronic Communications Regulations 2003.
"Restricted transfer" means a transfer of personal data outside the UK or EEA that requires a lawful transfer mechanism.
Scope
This statement covers TalesNTokens processing for accounts, gameplay, maps, uploads, marketplace transactions, creator tools, analytics, cookies, email, moderation, support, reporting, and security.
Controller And Processor Roles
TalesNTokens is generally the controller for account data, platform usage, User Content hosting, marketplace records, support, reporting, moderation, analytics, and security processing.
TalesNTokens may act as a processor only where a separate written agreement says it processes data on behalf of another controller.
Supabase, Stripe, Resend, Fly.io, Cloudflare, and Google act as processors or independent controllers depending on the processing context described in their own terms and data processing agreements.
Lawful Bases
TalesNTokens relies on:
- contract for account access, rooms, uploads, marketplace purchases, creator services, support, and payments;
- consent for non-essential cookies, analytics, marketing emails, and optional processing;
- legitimate interests for security, fraud prevention, abuse prevention, product improvement, support, and enforcement;
- legal obligation for tax, accounting, consumer, copyright, safety, payment, and regulatory compliance;
- vital interests where necessary to protect someone's life or safety.
Data Protection Principles
TalesNTokens will:
- process data lawfully, fairly, and transparently;
- collect data for specified and legitimate purposes;
- limit data to what is necessary;
- keep data accurate where relevant;
- retain data only as long as needed;
- protect data with appropriate security;
- maintain accountability records.
International Transfers
TalesNTokens uses providers that may process data outside the UK or EEA. Where required, TalesNTokens will use:
- UK adequacy regulations;
- EU adequacy decisions;
- EU Standard Contractual Clauses;
- UK International Data Transfer Agreement or Addendum;
- Data Privacy Framework participation where applicable;
- transfer impact assessments where required.
Subprocessor transfer details are listed in the Subprocessor Disclosure Page.
Cookies And Electronic Communications
TalesNTokens must obtain consent before non-essential cookies, analytics, marketing tags, or similar device storage are used, unless an exemption applies. Marketing emails require valid consent or another lawful basis under PECR and data protection law. See the Cookie Policy.
Children's Data
The platform is not intended for children under 13. Because games and user-generated rooms may be likely to be accessed by children, TalesNTokens must complete child privacy and online safety assessments before public launch. See the Child Safety Policy.
Data Protection By Design
TalesNTokens will integrate privacy and security controls into product design, including:
- access control by room and user role;
- private-by-default settings for rooms and creator drafts;
- clear marketplace licence notices;
- upload restrictions;
- cookie consent controls;
- account export and deletion controls;
- moderation and reporting workflows;
- audit logs;
- minimised analytics.
DPIAs And Risk Assessments
TalesNTokens should complete data protection impact assessments for:
- user-generated content and public sharing;
- child-accessible features;
- marketplace payments and creator verification;
- moderation and reporting systems;
- analytics and tracking;
- WebSocket/gameplay telemetry;
- file upload and malware scanning;
- international transfers.
Breach Notification
TalesNTokens will assess personal data breaches and notify the ICO or other competent authority where required without undue delay and, where feasible, within 72 hours of becoming aware. Affected users will be notified without undue delay where the breach is likely to result in high risk.
User Obligations
Users must not submit unnecessary sensitive personal data, upload other people's personal data without lawful authority, misuse reports, or attempt to access data belonging to others.
Platform Obligations
TalesNTokens will maintain privacy notices, lawful-basis records, retention schedules, processor contracts, transfer safeguards, breach records, data rights workflows, cookie consent records, and security measures.
Contact Procedures
Privacy and UK GDPR queries: privacy@talesntokens.com
Data rights requests: privacy@talesntokens.com
Legal notices: legal@talesntokens.com
Enforcement Procedures
Privacy violations may result in account restrictions, content removal, marketplace delisting, suspension, termination, processor notification, regulator notification, or authority referral.
Appeals Process
Users may appeal privacy decisions by emailing appeals@talesntokens.com within 30 days. Users may complain to the ICO or an EU supervisory authority.