Privacy and data

Privacy

How Blue Donut Games handles personal information submitted through this website.

Privacy Notice

Last updated: 16 July 2026

1. Who we are

Blue Donut Studios Limited trades as Blue Donut Games.

In this notice, “Blue Donut Games”, “we”, “us” and “our” mean Blue Donut Studios Limited.

Company name: Blue Donut Studios Limited
Company number: 09592070
Registered office: 8 Spur Road, Cosham, Portsmouth, England, PO6 3EB
ICO data protection registration: ZA218782
Website: BlueDonutGames.com
Privacy contact: info@bluedonutstudios.com

Blue Donut Studios Limited is the data controller responsible for personal information collected through BlueDonutGames.com.

This notice explains how we collect, use, share and protect personal information when you visit our website, contact us, register for one of our services, apply for a Trade account, place an order, join one of our directories, vote for a product or subscribe to updates.

2. Our privacy principles

We aim to operate Blue Donut Games in a straightforward and privacy-respecting way.

In particular:

  • we do not sell private user information;

  • we do not operate an advertising network;

  • we do not create behavioural advertising profiles;

  • we do not share mailing-list information with advertisers;

  • we do not deliberately use tracking pixels in Weekly Discoveries emails;

  • we do not use personal information submitted through this website to train generative artificial intelligence systems;

  • information marked as private is not intentionally displayed on public profiles;

  • public listings and submitted content are reviewed before publication; and

  • we collect only the information reasonably needed to provide, secure and administer our services.

3. Information we collect

The information we collect depends on how you use the website.

3.1 Website and security information

When you visit the website, our systems may record:

  • your IP address;

  • the date and time of your request;

  • the page or file requested;

  • browser and device information;

  • referring page information;

  • session identifiers;

  • login attempts;

  • form submissions and validation events; and

  • technical, error and security logs.

We use this information to deliver the website, maintain security, prevent abuse, diagnose faults and investigate suspicious activity.

We do not currently use this information for behavioural advertising.

3.2 Enquiries and support

When you contact us, we may collect:

  • your name;

  • email address;

  • telephone number;

  • company or organisation;

  • the content of your enquiry;

  • relevant order, product or account information;

  • correspondence and support history; and

  • any documents or images you choose to provide.

Please do not submit confidential, sensitive or special-category information unless it is genuinely necessary and we have agreed to receive it.

3.3 Trade account applications and accounts

When you apply for or use a Trade account, we may collect:

  • contact name and role;

  • registered and trading names;

  • email address and telephone number;

  • website;

  • country;

  • customer type;

  • company registration number;

  • VAT and EORI information;

  • billing and delivery addresses;

  • sales channels;

  • expected ordering frequency;

  • application notes and declarations;

  • account approval status;

  • assigned discounts, price tiers and payment terms;

  • login credentials stored in protected or hashed form;

  • password-reset and account-security records; and

  • order, payment, fulfilment and account correspondence.

Trade applications and account decisions are reviewed by a person. We do not use solely automated decision-making to approve or refuse Trade accounts.

3.4 Orders and payments

When you place an order, we may collect:

  • customer and contact details;

  • billing and delivery addresses;

  • products and quantities ordered;

  • prices, discounts and tax treatment;

  • VAT, EORI or other business information;

  • payment status and transaction references;

  • fulfilment and delivery information;

  • refund, dispute and cancellation information; and

  • related correspondence.

Card payments are handled by Stripe. Blue Donut Games does not receive or store your complete payment-card number or card security code. Stripe may provide us with limited payment and transaction information needed to confirm, administer or refund a payment.

Stripe processes payment information under its own legal and privacy responsibilities as well as providing services to us.

3.5 Supplier Network registrations

If you register for the GameCrowd Supplier Network through this website, we may collect:

  • first and last name;

  • country;

  • role;

  • email address;

  • preferred contact method;

  • company or practice name;

  • supplier type;

  • company description;

  • website, portfolio or catalogue links;

  • regions served;

  • languages;

  • capabilities and service categories;

  • public-profile preferences;

  • opportunity-contact consent;

  • update and mailing preferences; and

  • moderation and approval records.

Private contact information is used for administration, verification, matching and agreed communications. It is not automatically made public.

Where you separately permit a public supplier profile, approved business information may be published. You can ask us to correct, hide or remove the profile.

3.6 Community, shop, café, club, venue and event listings

When a community place is submitted, claimed or updated, we may collect:

  • business, club, venue or event name;

  • listing type;

  • descriptions;

  • address and map coordinates;

  • website and social links;

  • telephone number;

  • opening, event and schedule information;

  • stock and facility information;

  • logos, photographs, videos and gallery images;

  • a private moderation and verification email;

  • an optional public email address;

  • claim, update and verification records; and

  • listing PIN or access information stored in protected form.

The private business contact email is used for moderation, verification, PIN delivery and listing administration. It is not displayed publicly.

An optional public email is displayed only where the submitter has asked us to show it.

Approved listing information, including the business address, location, description, schedule, website, public contact information and images, may be visible to anyone using the directory.

3.7 Publicly sourced business listings

Some directory entries may initially be created from publicly available business information, including:

  • official business websites;

  • retailer, café, club or event websites;

  • manufacturer or distributor stockist lists;

  • public business directories;

  • public social-media pages; and

  • information supplied by relevant business partners.

This may include business names, trading addresses, public websites, general business telephone numbers and general business email addresses.

Our legitimate interest is to provide a useful, accurate and free community directory helping players find shops, cafés, clubs, venues and events.

We aim to use business-level information rather than private personal contact information. Listing owners can claim, correct, update or request removal of a listing.

Where information identifies an individual, such as a sole trader or named contact, it is treated as personal information and protected accordingly.

3.8 Content Creator profiles and reviews

If you register as a creator or submit a review, we may collect:

  • your name or creator name;

  • country;

  • email address;

  • profile description;

  • logo, avatar or images;

  • website, channel and social links;

  • review links and information about games covered;

  • verification, PIN and moderation information; and

  • correspondence about the profile or reviews.

Approved profile information and review links may be published.

Private verification information and creator PIN information are not intended for public display.

3.9 Product votes, comments and Weekly Discoveries

When you vote for a game or product, leave a comment or request updates, we may collect:

  • email address;

  • product or subject preferences;

  • vote information;

  • comments or feedback;

  • subscription and consent records;

  • confirmation, unsubscribe and preference changes; and

  • delivery, rejection, bounce and suppression information.

Comments may be reviewed and, where the form explains that publication is possible, may be published after moderation. We will not intentionally publish your email address.

Weekly Discoveries is an optional email service. It sends a compact roundup only when there is relevant new information for the subjects you have selected.

You can unsubscribe or change your preferences at any time.

3.10 Social networks and third-party communications

If you contact us through Facebook, Instagram, LinkedIn, Discord, Mastodon, YouTube or another platform, we may receive your account name, profile information, message and any information you choose to share.

The social network also processes your information under its own privacy terms.

We do not control the privacy practices of external social networks.

4. Why we use personal information

We use personal information only where we have a lawful basis.

Contract and steps before entering a contract

We use this basis when necessary to:

  • consider a Trade application;

  • create and administer an approved account;

  • process an order;

  • arrange payment, delivery, support, refunds or returns;

  • provide a booked or requested service; or

  • respond to a request made before entering into an agreement.

Legal obligations

We may use and retain information to:

  • maintain accounting, VAT and company records;

  • meet tax and regulatory requirements;

  • respond to legally valid requests;

  • exercise consumer, payment and product-safety obligations; and

  • prevent or report unlawful activity where required.

Legitimate interests

We may use information where reasonably necessary for our legitimate interests or those of another organisation, provided those interests are not overridden by your rights.

These interests include:

  • operating and securing the website;

  • preventing fraud, spam and misuse;

  • responding to enquiries;

  • reviewing applications and submissions;

  • administering accounts and business relationships;

  • moderating public listings, profiles, comments and reviews;

  • maintaining useful business and community directories;

  • protecting our legal rights;

  • recovering debts;

  • understanding aggregate demand for products;

  • improving website reliability and services; and

  • maintaining accurate records of business communications.

Where appropriate, we carry out and document a legitimate-interests assessment.

You may object to processing based on legitimate interests. We will consider your objection and stop processing unless we have a compelling lawful reason to continue.

Consent

We rely on consent where you choose to:

  • receive Weekly Discoveries or other optional email updates;

  • permit publication of optional personal contact information;

  • create an optional public supplier profile;

  • receive optional Supplier Network or GameCrowd updates; or

  • participate in another activity that specifically asks for consent.

You may withdraw consent at any time. Withdrawal does not affect processing that took place lawfully before consent was withdrawn.

5. Email communications

We distinguish between service communications and optional marketing or update emails.

Service communications

We may send emails needed to:

  • confirm a form submission;

  • respond to an enquiry;

  • administer a Trade or directory account;

  • provide a verification or password-reset link;

  • provide a listing or creator PIN;

  • communicate an application decision;

  • confirm or administer an order;

  • provide customer support;

  • notify you of important security or service matters; or

  • fulfil another service you requested.

These messages are not treated as optional marketing where they are necessary to provide or secure the service.

Optional updates

Weekly Discoveries and other optional promotional or development updates are sent only where an appropriate permission or other lawful basis exists.

Every optional marketing email will provide a reasonable way to unsubscribe.

When someone unsubscribes or objects to marketing, we may retain a minimal suppression record so that we do not accidentally contact that address again.

We may record operational email events such as delivery, rejection, blocking, bouncing or unsubscribe requests. We do not deliberately add behavioural profiling to Weekly Discoveries emails.

6. Cookies and similar technologies

The website uses essential session technology where necessary for:

  • website and account security;

  • form operation;

  • login sessions;

  • password-reset processes;

  • administrative access; and

  • remembering essential choices during a session.

These technologies are necessary for the website or requested service to operate.

We do not currently use non-essential advertising or behavioural-tracking cookies on BlueDonutGames.com.

Our separate Cookies Notice provides more information. If we introduce non-essential analytics, advertising or similar technology, we will update our notices and introduce an appropriate consent mechanism before using it where consent is required.

7. OpenStreetMap locator

The community locator uses OpenStreetMap map data.

When a map is displayed, your browser may request map tiles or related resources from OpenStreetMap infrastructure or an associated map service. That service may receive technical information such as your IP address, browser information and the tiles requested.

Blue Donut Games does not use map searches to create advertising profiles.

The OpenStreetMap Foundation and any applicable map-service provider process technical request information under their own privacy terms.

8. Who we share information with

We share personal information only where reasonably necessary.

Recipients may include:

  • website hosting and infrastructure providers, including DigitalOcean;

  • communications and email-delivery providers, including Twilio SendGrid;

  • payment providers, including Stripe;

  • UK or EU fulfilment providers, including Spiral Galaxy and Meeples Group B.V., where they are selected to fulfil an order;

  • postal, courier, freight and delivery providers;

  • professional advisers such as accountants, insurers, solicitors and tax advisers;

  • technical contractors working under appropriate confidentiality and data-protection obligations;

  • public authorities, regulators, courts or law-enforcement bodies where disclosure is legally required or necessary to protect legal rights;

  • a purchaser, investor or professional adviser involved in a genuine proposed sale, restructure or transfer of the business, subject to appropriate confidentiality protections; and

  • another party where you have specifically asked or authorised us to make an introduction.

A Maker’s private information is not released to a supplier, and a supplier’s private information is not released to a Maker, merely because both use a directory. Contact information is shared only where the service permits it, it has been made public by the relevant party, or an appropriate introduction has been agreed.

Public directory, creator, supplier, review and comment information can be viewed by website visitors after approval. Do not include information in a public submission that you do not want published.

We do not sell personal information to data brokers or advertisers.

9. International transfers

Some service providers operate internationally and may process information outside the United Kingdom.

Where UK data-protection law requires a safeguard, we use an appropriate transfer mechanism. Depending on the destination and provider, this may include:

  • UK adequacy regulations;

  • the UK Extension to an approved data privacy framework;

  • the UK International Data Transfer Agreement;

  • the UK Addendum to approved standard contractual clauses; or

  • another legally recognised safeguard.

You may contact us for more information about the safeguards relevant to your information.

10. How long we keep information

We do not keep personal information indefinitely merely because storage is available.

Our normal retention periods are:

  • Website security and server logs: normally up to 12 months, unless required for an investigation, legal claim or security incident.

  • General enquiries and support correspondence: normally up to 24 months after the matter is closed.

  • Unsuccessful or withdrawn Trade applications: normally up to 12 months after the decision or withdrawal, unless a dispute or legal requirement requires longer retention.

  • Approved Trade account information: for the life of the account and normally up to 24 months after closure or the last meaningful account activity, except for transaction and legal records.

  • Orders, invoices, payment and accounting records: normally at least six years from the end of the relevant financial year, or longer where VAT, VAT One Stop Shop, tax, dispute or other legal requirements apply.

  • Supplier registrations: while the registration remains active and normally up to 24 months after withdrawal, removal or the last meaningful activity.

  • Community and creator listings: while the listing remains active, useful or publicly available, followed by a reasonable administrative period after removal.

  • Submitted reviews, descriptions, images and public content: while the associated listing, profile or content remains published, unless earlier removal is requested and no lawful reason requires continued retention.

  • Product votes and comments: while reasonably useful for product-development and demand analysis. Identifying information will be removed or anonymised when it is no longer necessary.

  • Weekly Discoveries subscriptions: until you unsubscribe, withdraw consent or the service ends.

  • Consent records: for as long as needed to demonstrate how and when permission was obtained.

  • Suppression records: a minimal record may be retained for as long as reasonably necessary to respect an unsubscribe or direct-marketing objection.

  • Legal complaints, disputes and claims: for the duration of the matter and the relevant legal limitation period.

Data deleted from active systems may remain temporarily in protected rotating backups until those backups are overwritten. Backups are used for security and disaster recovery rather than ordinary business activity.

We may securely delete or anonymise information sooner where it is no longer required.

11. Public information and search engines

Information published in a public listing, profile, review or comment may be:

  • viewed by anyone;

  • indexed by search engines;

  • linked to from other websites;

  • cached by browsers, search engines or archives; or

  • copied by a third party outside our control.

If we remove information from BlueDonutGames.com, copies may remain temporarily in third-party caches or search results.

We will consider reasonable requests to correct, hide or remove public information. We cannot guarantee that every independently made copy will also be removed.

12. Security

We use reasonable technical and organisational measures appropriate to the nature of the information we hold.

These may include:

  • encrypted website connections;

  • access controls;

  • secure administrative sessions;

  • password hashing;

  • limited administrative permissions;

  • protected environment values and credentials;

  • input validation;

  • form and login throttling;

  • backups;

  • moderation controls;

  • security logging; and

  • review of suspicious activity.

No internet or storage system can be guaranteed completely secure. Please use a strong, unique password and do not share account, reset, claim or PIN links with unauthorised people.

If we become aware of a personal-data breach, we will investigate it and notify affected people and the ICO where the law requires us to do so.

13. Your rights

Depending on the circumstances, you may have the right to:

  • be informed about how your information is used;

  • ask whether we hold personal information about you;

  • receive a copy of your personal information;

  • correct inaccurate or incomplete information;

  • ask us to erase information;

  • restrict how information is used;

  • object to processing based on legitimate interests;

  • object at any time to direct marketing;

  • withdraw consent;

  • receive certain information in a portable format; and

  • challenge a decision made solely by automated processing that has a legal or similarly significant effect.

These rights are not absolute. For example, we may need to retain invoices or transaction information to meet tax and legal obligations.

To exercise a right, email info@bluedonutstudios.com or write to:

Data Protection Request
Blue Donut Studios Limited
8 Spur Road
Cosham
Portsmouth
England
PO6 3EB

Please explain what you are requesting and provide enough information for us to locate the relevant records. We may ask for proportionate proof of identity where necessary to prevent unauthorised disclosure.

We normally respond without undue delay and within one month. The law permits additional time for particularly complex or numerous requests, and we will explain if this applies.

We do not normally charge a fee. A reasonable fee may be permitted where a request is manifestly unfounded or excessive.

14. Children

People of different ages may browse our games and public website content.

However, Trade accounts, supplier registrations, creator profiles, directory submissions and business-service applications are intended for adults acting personally or on behalf of an organisation.

We do not knowingly create these accounts for children.

A parent or guardian who believes that a child has submitted personal information without appropriate permission should contact us so that we can investigate and, where appropriate, remove it.

15. External websites

The website contains links to other websites and services, including payment, booking, social-media, game, manufacturer and community websites.

Following an external link may allow that organisation to collect information from you. Its own privacy notice applies.

This Blue Donut Games Privacy Notice does not control how an independent external website processes personal information.

GameCrowd.co, HorrorInTheLibrary.com and other separately operated websites may provide their own privacy information where their data processing differs from BlueDonutGames.com.

16. Complaints

Please contact us first if you have a concern about how we have handled your information. We will investigate and try to resolve the matter.

You also have the right to complain to the UK Information Commissioner’s Office.

The ICO provides an online complaint service through its website and can currently be contacted by telephone on 0303 123 1113.

You may also seek a legal remedy through the courts where applicable.

17. Changes to this notice

We may update this Privacy Notice when:

  • website features change;

  • new service providers are introduced;

  • our processing activities change;

  • legal or regulatory requirements change; or

  • we identify a need to explain our practices more clearly.

The latest version will be published on this page with its revision date.

Where a change would materially affect how we use information already collected, we will provide an appropriate additional notice and obtain consent where the law requires it.