Boadman
Policy · Legal & Compliance

Privacy Policy

Last updated 27 May 2026

What personal data we collect, why, how long we keep it, and your rights under applicable data-protection law.

{"content_md":"# Boadman — Privacy Policy\n\nVersion: v2 (placeholder)\nEffective from: [TO BE FILLED ON LAUNCH]\nLast reviewed: May 2026\nStatus: ⚠️ PLACEHOLDER — drafted by the engineering team based on the SP4 compliance posture. Subject to legal counsel review and rewrite before live deployment. Treat the wording as a working specification, not a binding consumer-facing document.\nv2 change summary: Adds §14 (Brand accounts and entry-gated tournaments) for the SP6 brand-as-host feature. All §14 sub-sections are marked [DRAFT — pending legal counsel review] and are NOT binding until counsel sign-off.\n\n---\n\n## 1. Who we are\n\nBoadman ("we", "us", "our") operates an online esports infrastructure platform. We are based in the United Kingdom.\n\n| Field | Detail |\n|---|---|\n| Operating entity | [TBC — UK Ltd. registration to be inserted before launch] |\n| Registered address | [TBC] |\n| Companies House number | [TBC] |\n| Data Protection Officer (DPO) | dpo@boadman.com |\n| General privacy queries | privacy@boadman.com |\n\nIf you have a complaint about our handling of your personal data, you can contact our DPO using the address above. If you believe we have not handled your data correctly, you also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at https://ico.org.uk.\n\n---\n\n## 2. What this policy covers\n\nThis policy explains:\n\n- What personal data we collect about you\n- Why we collect it (the lawful basis for processing)\n- How long we keep it\n- Who we share it with\n- The rights you have under UK GDPR and the Data Protection Act 2018, and how to exercise them\n\nIt applies to your use of:\n\n- The Boadman website at https://boadman.com (and subdomains such as app.boadman.com)\n- Any mobile or desktop app we publish\n- Email communications you receive from us\n\n---\n\n## 3. The personal data we collect\n\n### 3.1 At account creation (KYC Level 0)\n\n- Email address (used for authentication, transactional notices, and required regulatory communications)\n- Username + display name (publicly visible; you choose them)\n- Password (stored hashed via Supabase Auth — we never see your plaintext password)\n- Date of birth (you must be 18 or older; we verify via your ID document at KYC Level 1 if required)\n- Country of residence (used for geofencing per FATF requirements + service availability decisions)\n- Phone number (we send an SMS verification code; required for account creation)\n- Your consent to this Privacy Policy and our Terms of Service (timestamped and version-tracked)\n\n### 3.2 At first deposit\n\n- Declared legal name (the name on your payment card; locked once set, cannot be self-edited)\n- Card payment metadata received from our payment processor (card last 4 digits, card-issuing country, billing-name extract, Stripe / Paystack payment method fingerprint)\n\n### 3.3 At Level 1 KYC (triggered by first withdrawal or cumulative deposits over £200/30 days)\n\n- Government-issued identity document (passport, driving licence, national identity card)\n- Selfie + facial liveness video\n\nThese documents are uploaded directly to our identity verification provider (Didit) and held by them, not by us. We receive only the extracted metadata (verified legal name, date of birth, country of issuance, document type, document number hash) and the verdict (approved / declined / requires-review).\n\n### 3.4 At Level 2 KYC (triggered by withdrawal over £2,000 single or £5,000/12 months)\n\n- Proof of address (utility bill or bank statement)\n- Source of wealth declaration (questionnaire response)\n\n### 3.5 During use\n\n- Wallet activity (deposits, redemptions, in-platform stake / win history, all recorded in an append-only ledger)\n- Match participation (which competitions you joined, results, evidence you submitted)\n- Hashed IP address (we never store your raw IP; we hash it with a secret salt for deduplication purposes only)\n- Device session signals (limited fingerprint information, retained 90 days, used solely for fraud and collusion detection)\n- Communications you send to support (email content, attachments)\n\n### 3.6 Optional data\n\n- Profile avatar (if you upload one)\n- Marketing preferences (if you opt in to non-essential communications)\n\n---\n\n## 4. Why we collect it (lawful basis)\n\n| Purpose | Lawful basis | Notes |\n|---|---|---|\n| Account creation, authentication, providing the service | Performance of a contract (UK GDPR Art. 6(1)(b)) | Required to operate your account |\n| Identity verification (KYC) | Legal obligation (UK GDPR Art. 6(1)(c)) under the Money Laundering Regulations 2017 | Mandatory; you cannot opt out and continue to use wallet features |\n| Anti-money-laundering monitoring | Legal obligation under MLR 2017 | Includes sanctions screening, transaction pattern analysis |\n| Fraud and collusion prevention | Legitimate interest (UK GDPR Art. 6(1)(f)) | Includes session signal analysis, cardholder name match |\n| Marketing communications | Consent (UK GDPR Art. 6(1)(a)) | Opt-in only; you can opt out at any time |\n| Cookies (non-essential) | Consent under PECR | We will display a cookie banner |\n| Sharing with payment processors (Stripe, Paystack) | Performance of a contract | Required to take payment / make payouts |\n| Sharing with Didit (identity verification) | Performance of a contract + legal obligation | Required for KYC |\n\n---\n\n## 5. How long we keep it\n\n| Data category | Retention period | Why |\n|---|---|---|\n| Wallet ledger entries (deposits, redemptions, stakes, wins) | 5 years from last activity | UK Money Laundering Regulations 2017, §40 |\n| Identity verification metadata (KYC submissions) | 5 years from account closure | Same |\n| Profile data (PII fields) | Until you request deletion, OR 3 years of inactivity (whichever first) | UK GDPR data minimisation |\n| Audit log entries | Indefinite | Tamper-evident regulatory record |\n| Session signal data (hashed IP, device fingerprint) | 90 days | Limited to AML detection window |\n| Match evidence files (screenshots, replays) | 30 days after match resolution | Storage minimisation |\n| Marketing preferences | Until you opt out | n/a |\n| Support communications | 2 years from last interaction | Service-quality + dispute resolution |\n\nWe will anonymise inactive accounts after 3 years of no login activity. You will receive an email warning 30 days before this happens, giving you time to log in if you want to retain your data.\n\n---\n\n## 6. Who we share your data with\n\nWe share the minimum necessary data with the following providers, all under contractual data-processing agreements:\n\n| Provider | What we share | Why |\n|---|---|---|\n| Supabase (database + authentication, EU region — Frankfurt) | All database content | Core infrastructure |\n| Cloudflare R2 (file storage, EU region) | Avatars, evidence files | File hosting |\n| Stripe (UK card payments) | Payment data, identifying details for fraud prevention | UK card processing |\n| Paystack (Nigerian card payments) | Payment data, identifying details | NG card processing |\n| Didit (identity verification) | Identity documents, selfie, liveness video, declared name | KYC verification |\n| OpenExchangeRates (currency rates) | No personal data | FX rates for multi-currency display |\n| MaxMind GeoLite2 (IP geolocation) | Hashed IP only | Geofencing per FATF |\n| Twilio Verify (SMS verification) | Phone number, verification code | Phone verification |\n| Resend (transactional email) | Email address, communication content | Email delivery |\n| Sentry (error monitoring) | Truncated stack traces with redacted user identifiers | Operational monitoring |\n\nWe do not sell your data to third parties. We do not use your data for behavioural advertising.\n\nWe may disclose your data to UK regulators (FCA, ICO, NCA, HMRC) where legally required, including filing Suspicious Activity Reports under the Proceeds of Crime Act 2002.\n\n---\n\n## 7. International transfers\n\nYour data may be transferred to providers located outside the UK / EEA (notably Resend in the United States, and parts of MaxMind / Sentry infrastructure). All such transfers are governed by Standard Contractual Clauses (SCCs) per UK GDPR Article 46, and we apply additional safeguards as required.\n\nIf you are based in Nigeria, your data is also subject to the Nigerian Data Protection Act 2023, and we maintain alignment with NDPA requirements via the same data-handling controls.\n\n---\n\n## 8. Your rights\n\nUnder UK GDPR, you have the following rights:\n\n| Right | What it means | How to exercise |\n|---|---|---|\n| Access (Art. 15) | Get a copy of all your data | GET /users/me/export in your account, or email privacy@boadman.com |\n| Portability (Art. 20) | Get your data in machine-readable form | Same endpoint — JSON output |\n| Erasure (Art. 17) | Delete your account and personal data | DELETE /users/me in your account, or email privacy@boadman.com |\n| Rectification (Art. 16) | Correct inaccurate data | Edit in your profile, or for locked fields (legal name, DOB, country) submit a rectification request via the Settings page with supporting evidence |\n| Object (Art. 21) | Object to certain processing | Email privacy@boadman.com |\n| Restrict processing (Art. 18) | Limit how we use your data | Email privacy@boadman.com (handled case-by-case) |\n| Withdraw consent | For consent-based processing | Profile preferences page |\n\nImportant caveat on erasure: when you delete your account, we anonymise your personally identifying data (name, email, etc.) but we are legally required to retain financial records (deposits, redemptions, wallet ledger) for 5 years under the UK Money Laundering Regulations 2017 §40. After 5 years from your last financial activity, those records are also deleted.\n\nYou can also lodge a complaint with the UK ICO at https://ico.org.uk/concerns/.\n\n---\n\n## 9. Security\n\nWe protect your data through:\n\n- Encryption at rest (AES-256 on Supabase + Cloudflare R2)\n- Encryption in transit (TLS 1.2 or higher on all connections)\n- Row-level security in our database, with column-scoped access controls preventing users from self-modifying compliance-controlled fields (KYC level, account status, verified payout details, etc.)\n- Append-only audit log with database-level rules preventing tampering, retained indefinitely for regulatory record\n- Service-role access restricted to backend systems only; never exposed to clients\n- MFA / 2FA required for all admin staff\n- Regular backups (weekly database snapshots)\n\nIf a personal data breach occurs that is likely to result in risk to your rights and freedoms, we will notify the ICO within 72 hours per UK GDPR Article 33, and we will notify you directly without undue delay where required by Article 34.\n\n---\n\n## 10. Cookies and tracking\n\nOur website uses:\n\n- Strictly necessary cookies for authentication and session management (no consent required under PECR)\n- Optional analytics cookies to improve the service (only if you opt in via the cookie banner)\n\nWe do not use behavioural advertising cookies. We do not allow third-party advertising trackers.\n\n---\n\n## 11. Children\n\nBoadman is not intended for users under 18. We verify your date of birth at signup and at KYC. If we discover that we have collected data from a person under 18, we will erase that data without delay.\n\n---\n\n## 12. Changes to this policy\n\nWhen we update this Privacy Policy, we will:\n\n- Post the new version at the same URL with an updated Last reviewed date\n- Notify you by email of material changes\n- Require you to re-accept the new policy at next login if changes are substantial\n\nYou can review previous versions at https://boadman.com/legal/privacy/archive/ (TBC link before launch).\n\n---\n\n## 13. Contact\n\n| Purpose | Address |\n|---|---|\n| Privacy queries | privacy@boadman.com |\n| Data Protection Officer | dpo@boadman.com |\n| General compliance | compliance@boadman.com |\n| ICO complaints | https://ico.org.uk/concerns/ |\n| Postal | [TBC — registered company address] |\n\n---\n\n## 14. Brand accounts and entry-gated tournaments\n\n> [DRAFT — pending legal counsel review] This entire section is an\n> engineering-drafted working specification for the SP6 brand-as-host feature.\n> It is not binding and must not be presented to users or brands as a\n> final privacy notice until legal counsel has reviewed the controller /\n> processor analysis and lawful-basis characterisation below.\n\n### 14.1 Brand account data (KYB) (DRAFT — pending legal counsel review)\n\n- When a business applies for a brand account, we collect business-identity\n data: company name, registration number and country, registered office\n address, business email, and the identity of the brand managers (natural\n persons), who each complete individual identity verification as ordinary\n users.\n- We use this data to perform Know Your Business (KYB) checks (including\n company-registry verification and sanctions screening of the entity and its\n managers) and to administer the brand relationship.\n- Lawful basis: performance of a contract with the brand and compliance with\n our legal obligations (anti-money-laundering / counter-terrorist-financing\n customer due diligence on legal persons).\n- Brand KYB and sanctions records are retained on the same regulatory\n record-retention basis as user verification records (see §5).\n\n### 14.2 Entry-gating application and task-verification data (DRAFT — pending legal counsel review)\n\n- A brand-hosted tournament may require an application or task\n completion/verification to enter. If you choose to enter such a tournament\n we collect the information you submit in the application and/or the evidence\n you submit to demonstrate task completion.\n- Lawful basis: your consent, given at the point of entry, and performance\n of the tournament you are entering. You are told what is collected before you\n submit, and you may withdraw a pending application (which may make you\n ineligible to enter that tournament).\n- This data is retained only as long as necessary to administer the\n tournament, resolve disputes, and meet applicable regulatory record-keeping,\n after which it is deleted or anonymised in line with §5. It is not used for\n unrelated profiling or advertising.\n\n### 14.3 Sharing data with hosting brands (DRAFT — pending legal counsel review)\n\n- In application or task entry modes, the limited participant data\n necessary for the brand to assess your application or verify your tasks (for\n example, your in-platform handle and the application/task evidence you\n submitted) is shared with the hosting brand, with your consent, at the\n point of entry.\n- The hosting brand is an independent controller of the data it receives\n for its own purposes and is required to use it only to administer that\n tournament unless you separately consent to other use. The brand's own\n handling of that data is subject to the brand's own privacy obligations.\n- We do not share your identity-verification (KYC) documents, payment\n instruments, or financial records with brands. Brands never see more than the\n entry-gating data described above.\n- This sharing is in addition to, and does not change, the list of processors\n in §6 (brands are recipients, not our processors).\n\n---\n\n## ⚠️ Notes for legal counsel review\n\nThe following items require legal counsel review and may need amendment:\n\n- Operating entity name + registered address + Companies House number (currently [TBC])\n- Specific cooling-off / right of withdrawal language for digital content (Consumer Rights Act 2015 §28(3) waiver)\n- Regulator-specific language for any future Gambling Commission licensing (V4 milestone)\n- Wording for Nigerian users under NDPA — may need a separate parallel policy or country-specific addendum\n- Cookie banner copy and PECR-compliant opt-in implementation (frontend task)\n- Confirmation that the providers list in §6 is complete (audit any newly-added vendors before publication)\n- Specific dispute resolution / arbitration clauses (typically lives in ToS but cross-referenced here)\n- Final review of the 5-year retention claim in §5 against current MLR + tax law\n- §14 (Brand accounts / entry-gating, added in v2): confirm the controller / processor / independent-controller analysis for brand↔player data sharing is correct under UK GDPR, and that the lawful bases asserted (consent for entry-gating data; contract + legal obligation for KYB) are the right ones\n- §14.2: confirm the consent mechanism (captured at point of entry, withdrawable) meets UK GDPR consent standards, and that retention of application/task-verification data is correctly scoped and time-bounded\n- §14.3: confirm the "we do not share KYC/payment/financial data with brands" assurance is accurate against the final data flows, and that brands as recipients (not processors) is the correct §6 characterisation\n- Consider whether a brand-facing data-processing/sharing addendum or data-sharing agreement is required between Boadman and each hosting brand\n- Whether DPO needs to be a designated UK resident or can be a service (dpo@boadman.com mailbox routed through compliance counsel is one common pattern)\n","version":"v2","effective_at":"2026-05-27T23:34:58.140814+00:00","doc_type":"privacy","status":"draft"}

© 2026 Boadman Ltd · AML-registeredTerms of ServiceCookie PolicyResponsible Play