Privacy Policy
Last updated: 31 May 2026 · Effective date: 31 May 2026
The short version. Lad Bingo is built and run in the United Kingdom by 21C-TECH LIMITED. Every byte of your data — your device identifier, your nickname, the photos you upload, the games you create — lives on Amazon Web Services (AWS) infrastructure in the London (eu-west-2) region. AWS is our sole infrastructure supplier. We do not sell your data, we do not share it with advertisers, and we do not use it for anything other than running the app, processing payments through Apple or Google, and the small handful of operational services listed below.
1. Who we are
This Privacy Policy describes how 21C-TECH LIMITED ("21C-TECH", "we", "us", "our") collects, uses, and protects personal data when you use Lad Bingo (the "Service"), our mobile and web applications operated under the brand domain ladbingo.co.uk.
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, 21C-TECH LIMITED is the data controller.
| Company | 21C-TECH LIMITED |
|---|---|
| Company number | 13919300 (England and Wales) |
| Registered office | Apartment S2 The Shore, 22-23 The Leas, Westcliff-On-Sea, SS0 8FF, United Kingdom |
| Contact | hello@ladbingo.co.uk |
2. What we collect
2.1 When you use the app as a player
- Device identifier. A randomly generated identifier created and stored on your device. It is not linked to any other identifier (no email, no phone number, no Apple ID, no Google account). It is how the Service recognises your device between sessions.
- Nickname. The name you pick when you join a game (e.g. "Smithy", "Big Dave"). You choose it; we have no way to verify it.
- Profile photo. Optional. Used as your avatar in games you play.
- Prove-it photos. Optional. Photos you upload to claim a "photo-required" square. EXIF metadata is automatically stripped server-side before the image is stored.
- Game activity. Which squares you've marked, which games you're in, your position on the leaderboard, your badge tier.
2.2 When you host (organise) a game
- Everything in 2.1, plus:
- Game configuration. The game name, challenges, stakes information (£ pot and forfeit text, displayed only — see "What we never collect" below), approval mode setting, optional note to joiners.
- Subscription / purchase status. Whether your Apple App Store or Google Play account has an active per-trip pass or annual subscription. We do not see, store, or process your payment card or App Store / Play account details — those stay with Apple and Google.
2.3 Server logs
Like any web service, our servers automatically log operational data including IP address, timestamp, requested URL, HTTP user agent, and response status. These logs are used for security monitoring, abuse prevention, and debugging. They are retained for 30 days and then deleted.
2.4 What we never collect
- Payment card details. Never. All payments are processed by Apple or Google.
- Real money for stakes. Never. Stakes (the £ pot, forfeits) are visual display only. We do not handle, hold, or transfer any money between players. Settlement of any stakes is entirely between players and outside the app.
- Location data. Never. We do not request or use GPS, Wi-Fi-based, or IP-based location data for personalisation.
- Contacts, calendar, microphone. Never. We do not request permission to access your contacts, calendar, or microphone.
- Tracking identifiers across other apps and websites. Never. We do not use Apple's Identifier for Advertisers (IDFA), Google's Advertising ID, or any third-party analytics SDK that tracks you outside of Lad Bingo.
3. Where your data lives
Single supplier statement. 21C-TECH LIMITED uses Amazon Web Services, Inc. ("AWS") as our sole infrastructure supplier. All personal data described in this policy is stored on AWS infrastructure in the London (eu-west-2) region of the United Kingdom. No personal data leaves the United Kingdom in the ordinary course of operating the Service.
Specifically:
- Game state, leaderboards, accounts, and audit logs are stored in a database running on AWS EC2 in the London region.
- Profile photos and prove-it photos are stored in AWS S3 buckets in the London region.
- Outbound transactional emails (administrator 2FA codes and similar) are sent through AWS Simple Email Service (SES) in the London region.
- DNS records for ladbingo.co.uk are managed in AWS Route 53. DNS records are not personal data but are listed here for completeness.
- TLS certificates are issued and rotated through AWS Certificate Manager (ACM). ACM certificates for our content delivery network are issued in the us-east-1 (N. Virginia) region because AWS requires this; no personal data is stored in us-east-1 — only the certificate material, which contains the domain name and public key.
4. Third parties who receive data on our behalf or work alongside us
| Provider | Purpose | Data shared |
|---|---|---|
| AWS, Inc. | Sole infrastructure supplier (compute, storage, email, DNS, CDN) | All data processed by the Service. Held in eu-west-2 London (with certificate material in us-east-1 as noted above). |
| Apple Inc. | iOS App Store distribution, in-app purchase processing, push notification delivery (if you opt in) | Whatever Apple requires to process your purchase. We receive only an entitlement confirmation back. |
| Google LLC | Google Play Store distribution, in-app purchase processing, push notification delivery (if you opt in) | Whatever Google requires to process your purchase. We receive only an entitlement confirmation back. |
| OpenAI, L.L.C. | AI-suggested bingo challenges when a host uses the "✨ Generate with AI" feature | The event name and event type the host typed. No device identifier, no nickname, no photo, no game state. Calls are made server-to-server from AWS in the UK; OpenAI processes the prompt in their own infrastructure and we discard the response after returning it to the host. |
We do not share personal data with advertisers, data brokers, or analytics providers. We have no affiliate, advertising, or "growth" SDKs in the app.
5. Lawful bases for processing (UK GDPR Article 6)
- Performance of a contract (Article 6(1)(b)) — for everything required to deliver the Service to you when you play or host a game.
- Legitimate interests (Article 6(1)(f)) — for fraud prevention, abuse detection, rate-limiting, security monitoring, and server log retention. We balance these against your rights; you can object at any time using the contact details in section 1.
- Consent (Article 6(1)(a)) — for any feature you explicitly opt into (e.g. push notifications, optional photo upload, AI-suggested challenges).
- Legal obligation (Article 6(1)(c)) — for retaining data we are required to keep by law (e.g. audit logs in response to a lawful information request).
6. How long we keep your data
- Prove-it photos. 30 days after the game ends, the host receives an in-app prompt: keep (extends 90 days, repeatable) or remove (immediately deletes all photos in that game). No response defaults to remove. A bucket lifecycle rule deletes anything that escapes this process after 365 days as a backstop.
- Game state and leaderboards. Held for the life of the game (default 30 days, renewable as above). Removed games are tombstoned for 7 days (so anyone currently playing sees a graceful "removed by [host]" message) and then hard-deleted.
- Account / device record. Held while your device record is active. You can request deletion at any time (see section 7).
- Subscription state. Held while you have an active or recently active entitlement. If you cancel an annual subscription, all games you host and any Trip Recap links you created are removed when the paid period ends.
- Administrative audit logs. Retained for 12 months, then archived for a further 12 months for compliance, then deleted.
- Server access logs. 30 days.
7. Your rights under UK GDPR
You have the right to:
- Request access to the personal data we hold about you (subject access request).
- Request correction of inaccurate or incomplete data.
- Request deletion of your data ("right to be forgotten") — subject to any retention required by law.
- Request restriction of, or object to, processing.
- Request data portability (a machine-readable export of data you provided).
- Withdraw any consent you previously gave (this does not affect processing already carried out).
- Complain to the Information Commissioner's Office (ICO) at ico.org.uk or by writing to Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
To exercise any of these rights, contact us at hello@ladbingo.co.uk. We will respond within one month.
8. Security
We take security seriously. Measures we have in place include:
- All connections to the Service use HTTPS / TLS 1.2 or higher.
- Photos and other object storage are encrypted at rest (AES-256) in AWS S3.
- Administrative accounts use scrypt password hashing and email-based two-factor authentication.
- Production access to AWS uses temporary credentials via instance metadata. No long-lived AWS access keys are stored on the application server.
- Invite code lookups are rate-limited per source and per prefix to prevent enumeration attacks.
- Inbound email security: SPF and DKIM are configured for the ladbingo.co.uk domain.
No system is perfectly secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, notify affected users without undue delay.
9. Children
Lad Bingo is intended for users aged 17 and over, matching the App Store age rating. The Service is not intended for use by children. We do not knowingly collect personal data from anyone under 17. If you believe a person under 17 has provided us with personal data, please contact us at hello@ladbingo.co.uk and we will delete it.
10. Cookies and similar technologies
The Lad Bingo mobile app does not use cookies. The web pages at ladbingo.co.uk use only strictly necessary local storage to remember your device identifier and your most recent nickname so the experience is continuous between sessions. We do not use analytics cookies, advertising cookies, or any third-party tracking.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated in-app and the "Last updated" date at the top of this page will change. Continued use of the Service after a change constitutes acceptance of the updated policy.
12. Contact
For any questions about this policy or your data, contact us at hello@ladbingo.co.uk.