Arcane Mysteries
How Arcane Mysteries processes personal data for browsing, ordering, payment, activation, team play, route functions, support, security, and optional marketing.
AM-PP-2026-07
Prague Adventures s.r.o., operating under the Arcane Mysteries brand, is the controller for the personal data described in this policy. Registered office: náměstí 14. října 1307/2, Smíchov, 150 00 Praha 5, Czech Republic. IČO 26703190. DIČ CZ26703190.
Use the protected Arcane Mysteries contact form and select the privacy-request option to exercise data-protection rights or ask a privacy question. We may ask for information reasonably necessary to verify identity and locate the relevant order or gameplay record.
This policy applies to the public website, checkout, payment confirmation, sealed-order and lobby functions, gameplay, support, marketing preferences, and related technical systems.
Depending on how you use the service, we may process:
We receive data directly from purchasers, players, organisers, and people who contact us. We also receive payment status and transaction references from payment providers, technical data from browsers and infrastructure, and progress or event data generated when the service is used.
A purchaser or organiser may provide contact or allocation information for other team members. They should share only information they are authorised to provide and should direct participants to this policy where appropriate.
| Purpose | Typical data | Legal basis |
|---|---|---|
| Create and fulfil an order | Contact, order, payment status, selected product | Contract performance and pre-contract steps |
| Activate and operate the mystery | Seal record, codes, device and gameplay progress | Contract performance |
| Provide support, recovery, and remedies | Order, gameplay, communications, and diagnostics | Contract performance, legal obligation, and legitimate interests |
| Accounting, tax, disputes, and compliance | Order, payment, invoice, acceptance, and complaint records | Legal obligation and establishment, exercise, or defence of legal claims |
| Security and fraud prevention | Device, IP/security, access, payment, and event logs | Legitimate interests in protecting customers and the service |
| Location-based gameplay | Browser location or proximity result | Contract performance after the user enables the browser permission; consent where legally required |
| Optional marketing | Email, consent timestamp, source, and preferences | Consent, with withdrawal available at any time |
| Optional analytics or attribution | Usage, device, and campaign data | Consent where required; limited legitimate interests only where law permits |
Where we rely on legitimate interests, we consider the purpose, necessity, and effect on individuals. You may object where GDPR provides that right.
Checkout records that the purchaser accepted the applicable Terms version and acknowledged the Privacy Policy version. Marketing consent, where offered, is recorded separately and is optional.
Public payments use Comgate. Comgate processes payment credentials under its own responsibilities and returns transaction status and reference information required to complete the order.
For bespoke corporate or organised events, a payment link may use GP webpay or another provider identified on the payment page or in the proposal. The payment provider's own privacy information applies to data entered directly into its hosted payment environment.
When the purchaser deliberately activates a paid order, we record information reasonably necessary to evidence and administer the action. This may include:
The activation confirmation may be delivered by email or another durable customer-accessible record. These records are used for contract administration, support, legal compliance, and dispute handling.
Gameplay systems store the state needed to keep the shared mystery working: team membership, captain/teammate roles, progress, completed challenges, hints, score events, recovery state, and the final result.
A browser or app-like session may create a random device identifier in local storage so the service can reconnect a device to the correct team role and progress. The identifier is not intended to reveal the player's civil identity by itself.
Where a route uses browser location, the browser asks for permission. Current coordinates may be used on the device or transmitted to the service to calculate distance, confirm arrival, or support navigation. We do not intend to build a continuous precise movement history unless a feature clearly says that it does so. The service may retain checkpoint or arrival status as part of game progress.
Players can deny or revoke browser location permission, but some route functions may then require a manual alternative or may not operate as designed.
Strictly necessary technologies support checkout, security, order recovery, legal-version records, device reconnection, team access, language, and game progress. Blocking them may prevent important features from working.
Non-essential analytics, attribution, and marketing technologies are used only in accordance with the choices presented by the site and applicable law.
Where an access link is rendered as a QR image using an external technical provider, that provider may receive the URL encoded in the QR request. We minimise access-link disclosure and are moving sensitive QR generation to local or first-party processing where practical.
We disclose personal data only where reasonably necessary. Current categories include:
We do not sell personal data, provide customer conversations to advertisers, or share customer data with these providers for their own marketing.
Some service providers or their support operations may process data outside the European Economic Area. Where required, we use an adequacy decision, European Commission Standard Contractual Clauses, or another lawful transfer mechanism, together with appropriate supplementary safeguards.
Provider locations and subprocessor arrangements can change. The current provider register and cookie information should be maintained as the operational source of detail.
We retain data only for as long as necessary for the purpose and any applicable legal period. The criteria include:
| Record type | Retention approach |
|---|---|
| Orders, payments, invoices, and tax records | For the statutory Czech accounting and tax period and any related audit period. |
| Terms, Privacy, and seal-activation evidence | For the period needed to administer the contract, address claims, and evidence compliance. |
| Team codes and gameplay progress | For the access and recovery period, followed by a reasonable operational, dispute, and fraud-prevention period. |
| Support and complaint records | Until the matter is resolved, then for a reasonable claims and quality-review period. |
| Security and technical logs | For a shorter operational period unless required for an incident, fraud investigation, or legal claim. |
| Marketing records | Until consent is withdrawn or the record is otherwise no longer valid, while retaining a minimal suppression record where needed to honour an opt-out. |
Data may be anonymised or aggregated where individual identification is no longer needed.
We use technical and organisational safeguards appropriate to the service, including encrypted transport, access controls, secret management, provider security controls, monitoring, backups or recovery measures, and restrictions on staff or contractor access.
No internet service can guarantee absolute security. If a personal-data breach creates a legal notification duty, we will notify the competent authority and affected individuals as required.
Keep order links and team codes private. Contact us promptly if access information has been exposed or used without authorisation.
Subject to the applicable conditions and exceptions, you may request:
Submit the request through the protected contact form. We normally respond within the GDPR timeframe and may request reasonable identity verification.
You may complain to the Czech Office for Personal Data Protection or another competent supervisory authority.
The public checkout is intended for adults capable of making the purchase. We do not intentionally ask young children to create independent accounts.
A responsible adult should purchase for and supervise younger participants where appropriate. Organisers should avoid entering unnecessary personal data about participants into team names, support messages, or gameplay fields.
We may update this policy when products, providers, legal duties, or technical systems change. The current effective date and version appear at the top of the page.
Material changes are communicated where required. Historical versions connected to completed orders are retained in the legal archive.
Use the protected contact form and select the privacy-request option. We may ask for reasonable information to verify identity and locate the relevant record.