Arcane Mysteries

Privacy Policy

How Arcane Mysteries processes personal data for browsing, ordering, payment, activation, team play, route functions, support, security, and optional marketing.

Controller: Prague Adventures s.r.o., operating as Arcane Mysteries. Version AM-PP-2026-07.

AM-PP-2026-07

1. Controller, Scope, and Contact

Prague Adventures s.r.o., operating under the Arcane Mysteries brand, is the controller for the personal data described in this policy. Registered office: náměstí 14. října 1307/2, Smíchov, 150 00 Praha 5, Czech Republic. IČO 26703190. DIČ CZ26703190.

Use the protected Arcane Mysteries contact form and select the privacy-request option to exercise data-protection rights or ask a privacy question. We may ask for information reasonably necessary to verify identity and locate the relevant order or gameplay record.

This policy applies to the public website, checkout, payment confirmation, sealed-order and lobby functions, gameplay, support, marketing preferences, and related technical systems.

2. Categories of Personal Data

Depending on how you use the service, we may process:

  • identity and contact data: name where supplied, email address, and support-contact details;
  • order data: order number, selected mystery, city, team configuration, currency, price, tax information, promotion, and accepted document versions;
  • payment data: payment status, provider, method category, transaction reference, amount, timestamps, and settlement information; we do not store full card details;
  • activation data: seal status, activation timestamp, seal-notice version, and evidence of the deliberate activation action;
  • team and gameplay data: team codes, roles, connected-device state, progress, checkpoints, answers, hints, scores, accusation, and recovery records;
  • technical data: browser, device, operating system, user agent, IP/security metadata, error logs, request timestamps, and performance information;
  • location data: current browser-provided position or proximity result where the player enables a location-based function;
  • communications: contact-form submissions, support history, complaints, refund requests, and feedback;
  • marketing and preference data: optional marketing choice, unsubscribe/suppression status, language, and cookie choices; and
  • corporate/event data: organisation, billing information, attendee or organiser details, proposal, and payment-link records where relevant.

3. Where the Data Comes From

We receive data directly from purchasers, players, organisers, and people who contact us. We also receive payment status and transaction references from payment providers, technical data from browsers and infrastructure, and progress or event data generated when the service is used.

A purchaser or organiser may provide contact or allocation information for other team members. They should share only information they are authorised to provide and should direct participants to this policy where appropriate.

4. Purposes and Legal Bases

PurposeTypical dataLegal basis
Create and fulfil an orderContact, order, payment status, selected productContract performance and pre-contract steps
Activate and operate the mysterySeal record, codes, device and gameplay progressContract performance
Provide support, recovery, and remediesOrder, gameplay, communications, and diagnosticsContract performance, legal obligation, and legitimate interests
Accounting, tax, disputes, and complianceOrder, payment, invoice, acceptance, and complaint recordsLegal obligation and establishment, exercise, or defence of legal claims
Security and fraud preventionDevice, IP/security, access, payment, and event logsLegitimate interests in protecting customers and the service
Location-based gameplayBrowser location or proximity resultContract performance after the user enables the browser permission; consent where legally required
Optional marketingEmail, consent timestamp, source, and preferencesConsent, with withdrawal available at any time
Optional analytics or attributionUsage, device, and campaign dataConsent where required; limited legitimate interests only where law permits

Where we rely on legitimate interests, we consider the purpose, necessity, and effect on individuals. You may object where GDPR provides that right.

5. Checkout, Document Acceptance, and Payment Providers

Checkout records that the purchaser accepted the applicable Terms version and acknowledged the Privacy Policy version. Marketing consent, where offered, is recorded separately and is optional.

Public payments use Comgate. Comgate processes payment credentials under its own responsibilities and returns transaction status and reference information required to complete the order.

For bespoke corporate or organised events, a payment link may use GP webpay or another provider identified on the payment page or in the proposal. The payment provider's own privacy information applies to data entered directly into its hosted payment environment.

6. Break the Seal Evidence and Durable Confirmation

When the purchaser deliberately activates a paid order, we record information reasonably necessary to evidence and administer the action. This may include:

  • order identifier;
  • date and time;
  • seal-notice and button-text version;
  • Terms and Privacy versions connected to the order;
  • device or browser information;
  • the route or technical source of the action; and
  • security metadata needed to prevent fraud or resolve a dispute.

The activation confirmation may be delivered by email or another durable customer-accessible record. These records are used for contract administration, support, legal compliance, and dispute handling.

7. Gameplay, Device Identifiers, and Location Functions

Gameplay systems store the state needed to keep the shared mystery working: team membership, captain/teammate roles, progress, completed challenges, hints, score events, recovery state, and the final result.

A browser or app-like session may create a random device identifier in local storage so the service can reconnect a device to the correct team role and progress. The identifier is not intended to reveal the player's civil identity by itself.

Where a route uses browser location, the browser asks for permission. Current coordinates may be used on the device or transmitted to the service to calculate distance, confirm arrival, or support navigation. We do not intend to build a continuous precise movement history unless a feature clearly says that it does so. The service may retain checkpoint or arrival status as part of game progress.

Players can deny or revoke browser location permission, but some route functions may then require a manual alternative or may not operate as designed.

8. Cookies, Local Storage, QR Links, and Similar Technologies

Strictly necessary technologies support checkout, security, order recovery, legal-version records, device reconnection, team access, language, and game progress. Blocking them may prevent important features from working.

Non-essential analytics, attribution, and marketing technologies are used only in accordance with the choices presented by the site and applicable law.

Where an access link is rendered as a QR image using an external technical provider, that provider may receive the URL encoded in the QR request. We minimise access-link disclosure and are moving sensitive QR generation to local or first-party processing where practical.

9. Processors, Recipients, and Disclosures

We disclose personal data only where reasonably necessary. Current categories include:

  • payment providers, including Comgate and, where used for a bespoke payment link, GP webpay;
  • hosting, database, storage, security, and delivery providers, including Cloudflare infrastructure used by the current platform;
  • transactional email and communication providers, currently including Resend where configured;
  • mapping and location-service providers, including Geoapify where a route or map uses it;
  • monitoring, error, and analytics providers where enabled;
  • QR or media-rendering providers where an external rendering function is used;
  • professional advisers and contractors bound by confidentiality and data-protection duties; and
  • authorities, courts, or counterparties where disclosure is legally required or necessary for legal claims.

We do not sell personal data, provide customer conversations to advertisers, or share customer data with these providers for their own marketing.

10. International Transfers

Some service providers or their support operations may process data outside the European Economic Area. Where required, we use an adequacy decision, European Commission Standard Contractual Clauses, or another lawful transfer mechanism, together with appropriate supplementary safeguards.

Provider locations and subprocessor arrangements can change. The current provider register and cookie information should be maintained as the operational source of detail.

11. Retention

We retain data only for as long as necessary for the purpose and any applicable legal period. The criteria include:

Record typeRetention approach
Orders, payments, invoices, and tax recordsFor the statutory Czech accounting and tax period and any related audit period.
Terms, Privacy, and seal-activation evidenceFor the period needed to administer the contract, address claims, and evidence compliance.
Team codes and gameplay progressFor the access and recovery period, followed by a reasonable operational, dispute, and fraud-prevention period.
Support and complaint recordsUntil the matter is resolved, then for a reasonable claims and quality-review period.
Security and technical logsFor a shorter operational period unless required for an incident, fraud investigation, or legal claim.
Marketing recordsUntil consent is withdrawn or the record is otherwise no longer valid, while retaining a minimal suppression record where needed to honour an opt-out.

Data may be anonymised or aggregated where individual identification is no longer needed.

12. Security and Incident Handling

We use technical and organisational safeguards appropriate to the service, including encrypted transport, access controls, secret management, provider security controls, monitoring, backups or recovery measures, and restrictions on staff or contractor access.

No internet service can guarantee absolute security. If a personal-data breach creates a legal notification duty, we will notify the competent authority and affected individuals as required.

Keep order links and team codes private. Contact us promptly if access information has been exposed or used without authorisation.

13. Your GDPR Rights

Subject to the applicable conditions and exceptions, you may request:

  • access to your personal data;
  • correction of inaccurate or incomplete data;
  • deletion where there is no overriding legal basis to retain it;
  • restriction of processing;
  • objection to processing based on legitimate interests or direct marketing;
  • data portability where legally applicable; and
  • withdrawal of consent without affecting earlier lawful processing.

Submit the request through the protected contact form. We normally respond within the GDPR timeframe and may request reasonable identity verification.

You may complain to the Czech Office for Personal Data Protection or another competent supervisory authority.

14. Children and Group Participants

The public checkout is intended for adults capable of making the purchase. We do not intentionally ask young children to create independent accounts.

A responsible adult should purchase for and supervise younger participants where appropriate. Organisers should avoid entering unnecessary personal data about participants into team names, support messages, or gameplay fields.

15. Policy Updates

We may update this policy when products, providers, legal duties, or technical systems change. The current effective date and version appear at the top of the page.

Material changes are communicated where required. Historical versions connected to completed orders are retained in the legal archive.

Privacy Requests

Use the protected contact form and select the privacy-request option. We may ask for reasonable information to verify identity and locate the relevant record.

    Privacy Policy - Arcane Mysteries | Arcane Mysteries