Welcome to Epic Escape UK. We take the protection of your personal data very seriously. This Privacy Policy provides detailed information on how Ludewig und Würffel GbR ('we', 'us', or 'our') collects, processes, and protects your personal data in strict compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (EU GDPR). 1. DATA CONTROLLER AND CONTACT The data controller responsible for the processing of your data on this website is: Ludewig und Würffel GbR Andreas-Schubert-Straße 23 01069 Dresden Germany Email: hello@epicescape.co.uk Phone: +49 351 64829290 2. WEB HOSTING AND LOG FILES Our website is hosted on infrastructure provided by Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany). - Scope of processing: When you access our website, your browser automatically transmits connection data to our server. This includes your IP address, date and time of the request, time zone, specific page accessed, HTTP status code, data volume transferred, referencing website, and browser type/version. - Legal basis: The processing is necessary for our legitimate interests in ensuring system security, stability, and the technical administration of the website (Art. 6(1)(f) GDPR / UK GDPR). - Data retention: Server log files are automatically deleted or anonymized after 7 days, unless required for further investigation of security incidents. 3. INQUIRIES, CRM, AND INTERNATION DATA TRANSFERS When you submit an enquiry through our contact form or via email, we process the provided data (e.g., name, company name, email address, phone number, group size, and preferred date) to handle your request. To automate and streamline our internal workflows, we utilize a combination of cloud services: - Microsoft 365 (Microsoft Ireland Operations Ltd.): For email routing and professional communication. Based on Art. 6(1)(b) GDPR (pre-contractual measures). - Airtable (Formagrid Inc., USA): Used as our central Customer Relationship Management (CRM) database to log inquiries and event planning details. - Make (Celonis s.r.o., Czech Republic): An automation platform used to securely synchronize data between our web forms, email systems, and Airtable. - Legal basis: Processing is based on Art. 6(1)(b) GDPR for contract performance or pre-contractual measures. Where we optimize our workflows, processing is based on our legitimate commercial interests (Art. 6(1)(f) GDPR). - International Transfers: Some data is transferred to entities in the USA (e.g., Airtable). These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission and the UK Information Commissioner's Office (ICO), and where applicable, the EU-US and UK-US Data Privacy Frameworks. - Retention: Inquiry data is retained as long as necessary to process your request or for the duration of statutory retention periods (up to 6 or 10 years for commercial and tax records). 4. ARTIFICIAL INTELLIGENCE AND VOICE PROCESSING We utilize advanced Artificial Intelligence (AI) systems to optimize customer service, enable automated bookings, and process requests rapidly: - Phone AI Voice Assistant (ElevenLabs Inc., USA): If you contact us by phone, your call may be processed by an automated AI assistant. ElevenLabs records and processes your voice data, transcribing your spoken words into text in real-time to understand and fulfill your request. The legal basis for processing voice data is your explicit consent (Art. 6(1)(a) GDPR) given at the start of the call, or Art. 6(1)(b) GDPR if the call serves to prepare or execute a contract. Audio files are deleted immediately after transcription unless required to resolve a specific booking issue. - Automated Text & Support AI: We use processing models from OpenAI LLC (USA), Google Cloud / Google Gemini (Google Ireland Ltd. / Google LLC, USA), and Anthropic PBC (USA) to analyze written inquiries, generate summaries, and support customer communication. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in rapid and scalable customer service) or Art. 6(1)(b) GDPR. - Safeguards: For all US-based AI providers, strict Data Processing Agreements (DPAs) incorporating Standard Contractual Clauses (SCCs) have been established to ensure a level of data protection equivalent to UK and EU standards. 5. COOKIES, TRACKING, AND MARKETING TOOLS Our website uses cookies and similar technologies to evaluate visitor behavior and optimize our advertising. These tools are strictly consent-based and will only activate if you explicitly agree via our Cookie Consent Banner (Art. 6(1)(a) GDPR / UK GDPR): - Google Analytics 4 & Google Tag Manager (Google Ireland Ltd.): Used to analyze website traffic, user journeys, and interactions. User-level data is automatically anonymized (IP masking) and deleted after 14 months. - Google Ads Conversion Tracking (Google Ireland Ltd.): Measures the effectiveness of our search engine marketing campaigns. - Meta Pixel (Meta Platforms Ireland Ltd.): Tracks interactions on our website to optimize targeted advertising campaigns on Facebook and Instagram. You have the right to withdraw your consent at any time with future effect by adjusting your preferences in the Cookie Settings link found in the footer of our website. 6. BOOKING AND PAYMENT PROCESSING If you proceed to book an outdoor escape event, your personal and payment details are processed to execute the contract (Art. 6(1)(b) GDPR): - Payment Gateways: Depending on your selection, financial transactions are handled securely by PayPal (Europe) S.à r.l. et Cie, S.C.A., Stripe Payments Europe Ltd., or Klarna Bank AB. We do not store credit card or full banking details on our own servers. Your data is transmitted directly and encrypted via SSL to the respective payment provider. - Retention: Transaction-related data is subject to strict commercial and tax retention laws, requiring us to preserve invoice records for up to 10 years. 7. YOUR LEGAL DATA RIGHTS Under the UK GDPR and EU GDPR, you possess the following unalienable rights regarding your personal data: - Right of access (Art. 15 GDPR) - Right to rectification (Art. 16 GDPR) - Right to erasure / 'right to be forgotten' (Art. 17 GDPR) - Right to restriction of processing (Art. 18 GDPR) - Right to data portability (Art. 20 GDPR) - Right to object to processing based on legitimate interests (Art. 21 GDPR) - Right to withdraw consent at any time (Art. 7(3) GDPR) without affecting the lawfulness of processing based on consent before its withdrawal. To exercise any of these rights, please email us at hello@epicescape.co.uk. You also have the right to lodge a official complaint with a data protection supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) (www.ico.org.uk). In Germany, you may contact the Saxon Data Protection Commissioner (Sächsischer Datenschutzbeauftragter).