Origin LRP – Pact of Privacy version 2.0
Well met adventurer, and welcome to the world of Origin! This Pact of Privacy (sometimes also known as a “Privacy Notice” or “Fair Processing Notice”) tells you how information about you is collected and used by Origin LRP, when this happens, who we may share it with and your rights.
This Pact of Privacy was published on <INSERT DATE OF PUBLICATION HERE>. It contains updates to make our notice easier to understand. We haven’t made any changes to the ways we use your personal information since the previous version was published.
A few definitions you’ll find in this Pact of Privacy
“You” means you, the merry adventurer reading this Pact, where Origin collects and uses your personal information.
“Us”, “We” and “Origin” means Origin LRP Ltd, the owner and operator of the Origin LARP events.
“Third Party” means someone that isn’t you or us.
“Your information” means information that identifies and relates to you, also referred to in the common tongue as “personal data”.
“LARP” means Live Action Role Play, a common term for events where people can create fictional characters and actively participate in fantastical worlds.
“ICO” means the Information Commissioner’s Office, who are the UK supervisory authority tasked with upholding data rights in the public interest.
Who we are and how you can contact us
We are the owner and operator of the world of Origin, a LARP system based in the UK. Origin is registered in England with Companies House under company number 12914217 and our registered office is Treetops, Kings Drive, Midhurst, GU29 0BJ.
When we collect your information, we are considered a “controller” of personal data under current UK laws and are registered for this purpose with the ICO under reference ZB136869.
We respect your right to privacy and your views and opinions matter to us. Should you ever need to contact us, the best way to do so is via e-mail: firstname.lastname@example.org.
You can also reach out to us via our social media pages, or write to us at our registered office address above.
When we collect your personal information
Most of the information we collect comes from you directly, and this predominantly occurs when you register for or attend one of our events. We also collect information when you contact us with an enquiry or concern, either directly or via one of our social media profiles, and when you visit our website.
Occasionally, we may also receive your information from other sources, for example if someone contacts us on your behalf, or if the police contact us to ask for our help with a criminal investigation.
What information we collect
Depending on how we receive your information and why, we may hold the following about you:
- Your name and other general details, such as your date of birth
- Your contact details such as your telephone number and e-mail address
- Details of your Origin character(s), their backstory and skill sets
- Payment details, such as credit/debit card, bank account or PayPal information
- Specific details of any enquiry, complaint or concern you raise
- Information about your health, disabilities or medical conditions
What we use the information for and why
Your personal information is used by us for several legitimate reasons under current legislation, which are listed below.
Most of our use of your information relates to running our events. Where these activities are necessary to perform the contract between you and us, our lawful basis for processing is “contractual necessity”, for example when we register you for an event, or use your information to contact you with important information such as event timings, rules, and directions to our sites, or event disruptions.
We must also process your personal information to meet certain legal requirements, and where we do so our lawful basis for processing is “legal obligation”, for example when we record your payment information to meet accounting and book-keeping requirements, when we respond to certain types of request under current laws, make arrangements under Health and Safety or Food Hygiene regulations, or when we are ordered to do something by a relevant authority such as the police, the ICO or a court of justice.
Some information is only processed if you specifically consent to it. This predominantly relates to any marketing we send you about future events and other news or information you may have expressed an interest in receiving. When we do so, our lawful basis for processing is “consent”, and you may withdraw your consent at any time.
Other types of processing arise out of a genuine business need, and when this arises our lawful basis for processing is “legitimate interest”. This kind of use only arises when we believe that our use of your personal data is proportionate to the business need pursued, for example when we need to arrange insurance or catering, understand where our events are performing well or where they need to improve, and to respond to any concerns or enquiries raised by our players. You can challenge our legitimate interests at any time.
Finally, and although we hope this situation never arises, we can’t rule out having to process your information to protect your life or the life of others. Should we ever need to do this, our legal basis for processing would be “vital interests”, and examples include where we need to arrange for critical medical attention in the event someone becomes injured at one of our events.
Some of the information we collect is considered “sensitive” under current laws and constitutes information which you will likely deem more private and be more cautious about disclosing. Most of the “sensitive” information we use relates to your health, and is collected for the following purposes:
- Where necessary to arrange appropriate insurances for our events
- Where necessary to allow our caters to accommodate dietary requirements or allergies
- Make any necessary adjustments to make our events as accessible as possible for those with disabilities
- Where essential to provide any non-emergency medical care such as First Aid
Less often, and in specific circumstances, you might give us health-related information with infers or reveals other sensitive types of data, for example if you inform us of your relationship with a nominated emergency contact, or if you provide us with certain medical instructions based on your religious or philosophical beliefs (such as a “do not resuscitate” instruction).
Occasionally, and only where we have a justifiable reason, we may also have to process personal data which infers or reveals a criminal conviction, for example in some safeguarding scenarios, or where we are asked by the authorities to help with an investigation.
Our lawful basis for collecting and using sensitive data depends on the specific scenario involved and how current legal requirements apply.
How long we keep information for and how we keep it safe
While we hold and process your information, it is protected in accordance with current laws by “appropriate technical and organisational measures”. This includes the data being stored in an encrypted environment and restricting access to the information to only specific individuals within Origin.
Generally, we will keep your information for a period of seven years from the end of the year when it was first collected. This is so that we can demonstrate compliance with the relevant laws and regulations, to permit us to analyse and improve our events, and to respond to any enquiries, complaints or disputes that may arise.
There are some scenarios where we may be required to retain data for longer, although these only arise in isolated and exceptional circumstances, such as insurance claims relating to serious injury, or if ordered to by a court of justice or another relevant authority.
Who we share information with and why
In order to run our events and operate our business, we sometimes need to share your personal information with Third Parties associated with us, where they provide products and services necessary to run our events. These Third Parties include:
- Accountants and book-keepers – where needed in relation to our accountancy and taxation processes
- Banks and payment service providers – to process payments and refunds
- Computer system and software providers – to communicate with you and store your information
- Caterers – to ensure numbers and specific dietary requirements are catered for
- First Aid providers – to ensure they are aware how to treat you in the event of injury
- Insurers – to arrange insurance cover for the events we arrange and administer any insurance claims
- Site owners and management companies – to arrange locations to hold our events at, and ensure you can access them easily
- Social media services – to respond to comments or messages you send us via those platforms
- Government agencies, regulators and other authorities – where information is requested by them in a formal capacity.
Transferring information internationally
Most of our processing activities take place using premises, systems and services located in the UK, however occasionally we may need to send information internationally.
If we ever send your information to a Third Party based country, state or other territory which is not deemed to have appropriate protections for your privacy under UK law, we will ensure that the Third Party enters approved and authorised contract terms, to ensure your information is kept confidential and appropriately protected.
Your information rights
You have rights in relation to how your information is used by us. Some of these rights are essentially “absolute” and have a broad reach, while others are niche and only apply in specific circumstances.
The right to be informed: You have the right to be told how your data will be used, and the information you are entitled to broadly corresponds to that contained in this Pact of Privacy. If at any point you would like further information, you can contact us using the details shown above with any questions, queries or concerns you have.
The right to access: You have the right to access the data we hold, and receive both copies of this data and certain information relating to how we use it. This right always applies, however there are instances where it can be restricted, for example when providing access would adversely impact an official investigation, or negatively affect the privacy, rights and freedoms of other individuals.
The right to rectification: If you become aware that any information we hold is incomplete or incorrect, and this has an impact on you or how we use your information, you have the right to tell us to make the necessary corrections.
The right to erasure (also known as the “right to be forgotten”): You have the right to ask us to delete or anonymise your personal information in the following circumstances:
- Retention of the information is no longer necessary in relation to the purposes it was originally collected for
- If we process the information with your consent and you withdraw this, and there is no other legal ground for processing to continue
- You exercise your right to object (see below) and there is no other legal ground for the processing to continue
- The information is being processed unlawfully
- The information must be erased to meet a legal or regulatory requirement, or a similar requirement such as a court order.
The right to data portability: You have the right to ask for a copy of your information in a common, machine-readable format (e.g. JSON, XML or CSV) if all the following apply:
- The information in question was provided by you to us
- We use your personal information with your “consent” or out of “contractual necessity”
- We use automated means (i.e. computer systems) to process your personal information.
You also have the right to ask us to send this information to another organisation on your behalf, instead of providing it to you directly.
The right to challenge our legitimate interests: where we use your personal information to meet our “legitimate interests”, you have the right to object to this type of use. If you do this, we will either stop processing your information for these purposes, or explain to you why we are unable to do so.
The right to object to direct marketing: You have the right to tell us to stop sending you direct marketing at any time.
The right to complain: You have the right to contact us at any time if you have any concerns about your personal information or how we handle or use it.
If you are unhappy with our response to your complaint, you also have the right to escalate your concerns to the ICO. Although the ICO do not award compensation, they can investigate issues escalated to them, and tell organisations to take remedial action if they determine data protection laws are not being met.
Profiling and automated decision making
We don’t use profiling (building a picture of you and other individuals to categorise you using automated algorithms) or automated decision-making (decisions made by computer without human oversight or intervention).
Because of this, your rights regarding profiling and automated decision-making do not apply to the ways we use your personal information.
Where you can find further information
As the UK’s supervisory authority on data rights in the public interest, the ICO has published detailed guidance on various privacy-related topics, the applicable roles and their role and approaches. You can find this information on their website www.ico.org.uk, under the heading “your data matters”.