Privacy policy

Last updated: 10 September 2025

#Contents

  1. Introduction

  2. Who are we?

  3. Scope

  4. Data we collect

  5. Purposes & legal bases

  6. Cookies & consent

  7. Who do we share your data with?

  8. Transfers outside the EEA

  9. Retention periods

  10. Security

  11. Your rights

  12. Children & consent

  13. B2B information (companies/schools)

  14. Account deletion

  15. Changes to this policy

  16. Contact

#1) Introduction

This policy explains how Coddy processes your personal data when you use our platforms: the coddygames.com website (and its subdomains) and the Coddy mobile application (iOS/Android) (together, the “Services”). Coddy designs on-foot urban exploration games for consumers, schools and businesses.

We respect your privacy and comply with the GDPR and applicable local laws. This policy sets out the data we collect, why we collect it, how long we keep it, who we share it with, your rights, and how to contact us.

By using the Services, you agree to this policy. Where required by law (e.g., geolocation, marketing, non-essential cookies), we will ask for your explicit consent.

#2) Who are we?

Controller:
Coddy SRL
Av. des Volontaires 19, 1160 Brussels, Belgium
Company number: BE 0698.613.596
E-mail: hello@coddygames.com

#3) Scope

  • Browsing on coddygames.com (purchases, content, blog, FAQ, “Family & Friends”, “Team building”, “Schools”, etc.).

  • Use of the mobile application (account creation, gameplay, support, notifications, geolocation).

  • B2B journeys (quote requests, corporate/school event management, participant invitations).

  • Interactions with our team (form, email, in-app/site chat, social networks, phone).

#4) Data we collect

4.1 Identity and contact data

First name, last name, email, phone number, language, password (hashed), photo/avatar (if provided).

4.2 Account and profile data

Purchase and activation history, game codes, teams created, preferences (language, city, type of adventure), ratings/reviews, exchanges with support.

4.3 Technical and usage data

IP address, device identifiers, OS and version, browser type, time zone, pages/screens viewed, usage events (e.g., starting a game), performance/error logs.

4.4 Location data

In the app: collection of GPS position (precise or approximate depending on your settings) to display, guide and trigger nearby steps.
On the website: you can share your browser location so we can suggest nearby activities. You can refuse at any time via your device/browser settings.

4.5 Transaction data

Products purchased, date/time, amounts, currency, payment status, payment method. We do not store your card numbers; payments are processed by our certified providers. Payments are processed by Stripe. No in-app purchases.

4.6 “B2B” data (companies/schools)

Organisation, role, event details (city, date, number of participants), participant lists that may be provided by the organiser (name/first name/email if required to deliver access).

4.7 Communications & marketing

Consents, contact preferences, subscriptions, interactions with our emails (opens/clicks), participation in contests/surveys.

4.8 Content you provide

Photos/videos/texts posted as part of the game, puzzle answers, messages to support.

We do not collect sensitive data within the meaning of the GDPR (e.g., health, political opinions) and we do not carry out automated decision-making producing legal effects.

We process your data when necessary: (i) for the performance of a contract, (ii) for our legitimate interests (security, improvement, statistics) subject to your rights, (iii) to comply with the law, or (iv) on your consent (e.g., geolocation, marketing, non-essential cookies).

PurposeExamplesLegal basis
Create and manage your accountAuthentication, profile settingsContract
Sell and deliver the gamesOrders, service emails, invoicingContract / Legal obligation (accounting)
GeolocationShow nearby activities on app and site, guide the routeConsent (withdrawable at any time)
Support & securitySupport, debugging, abuse preventionLegitimate interest / Legal obligation
Measurement & product improvementUsage analytics (aggregated/pseudonymised)Legitimate interest or Consent (depending on the tool)
MarketingNewsletters, offers, eventsConsent (opt-in). B2B: legitimate interest with right to object
Contests/surveysParticipation and prize awardingContract / Consent

We use cookies and similar technologies to operate the site, measure the audience, personalise content and—if you agree—improve our marketing. Choices are managed via our CMP Axeptio. For more details (list of trackers, durations, purposes) and to change your preferences, see our Cookie Policy and the Axeptio panel available on every page.

#7) Who do we share your data with?

We do not sell your data. We only share it with:

Category / ProviderRoleNotes
Hosting & infrastructure: AWS, Google Cloud, DigitalOceanHosting, CDN, backupsAccess limited to what is strictly necessary, contractual security measures
Analytics: Google Analytics, MatomoAudience and journey measurementConfigured according to your cookie choices / consent mode
Monitoring: SentryError diagnostics and stabilityTechnical data (logs, events)
Emailing: BrevoSending transactional and marketing emailsPreference management, unsubscribes
Support: CrispChat and assistanceHistory of exchanges
Payments: StripeOnline payment processingWe do not store your card numbers
CMP: AxeptioCollection and recording of cookie consentsGranular vendor management (Consent Mode)
Advisers / authoritiesLegal obligations, defence of rightsDisclosure limited to what is necessary

Each provider only accesses the data necessary for its services and is bound by a GDPR-compliant agreement (including processing clauses and, where applicable, transfer mechanisms).

#8) Transfers outside the EEA

Some providers may be located outside the European Economic Area. In such cases, we use recognised mechanisms (European Commission Standard Contractual Clauses, adequacy decisions, binding corporate rules) and additional technical/organisational measures if needed (encryption, minimisation).

#9) Retention periods

  • Account/customer: as long as the account is active; deletion after 24 months of inactivity (or on request), except where the law requires retention.

  • Transactions/invoices: 10 years (accounting/tax obligations).

  • Game data (progress, teams): up to 24 months after last activity, then anonymisation.

  • Technical logs: 6 to 13 months depending on purpose (security/statistics).

  • Marketing: until consent is withdrawn or you object.

Beyond these periods, data is securely deleted or anonymised.

#10) Security

We implement appropriate technical and organisational measures: encryption in transit (TLS), access controls, logging and monitoring, backups, updates and regular testing. As no system is infallible, we reduce risks through data minimisation and segmentation.

#11) Your rights

You can: access your data, rectify it, request its erasure, restrict processing, object to certain processing (including marketing), exercise portability, and withdraw your consent at any time (for the future). We respond within one month (extendable for complex cases).

To exercise your rights: hello@coddygames.com.

You may also lodge a complaint with the Data Protection Authority (Belgium), Rue de la Presse 35, 1000 Brussels — contact@apd-gba.be – +32 (0)2 274 48 00.

Our Services are not intended to be used directly by children without supervision. Where processing is based on consent and the service is offered directly to a child, the age of consent depends on the country:

  • Belgium: 13 years (below this, consent of the parent/guardian is required).

  • France: 15 years (below this, joint consent of parent/child).

  • If unspecified: 16 years (default GDPR threshold).

For family activities, the purchaser/account holder must be an adult and is responsible for minor participants.

#13) B2B information (companies/schools)

Roles: for events organised by your employer/school, they generally act as the controller for participant lists they provide to us, and Coddy acts as the processor to perform the service. A data processing agreement (DPA) can be put in place upon request.

Participants: information shared with the organiser may include access activation status and non-nominal aggregated statistics.

#14) Account deletion

  • From the app: Settings → Account → Delete my account.

  • By email: write to hello@coddygames.com from the address linked to your account.

Deletion is irreversible and does not affect data we must keep for legal reasons (e.g., invoicing).

#15) Changes to this policy

We may update this policy to reflect legal, technical or service changes. The new version will display a last updated date and, for material changes, we will notify you through an appropriate channel (banner, email, in-app notice).

#16) Contact

For any privacy questions or requests about your personal data: hello@coddygames.com.