Privacy Policy
Last updated: April 2026
1. Who is responsible for your data?
Subspotter (subspotter.co.uk) is operated by Chelsea Gordon ("Subspotter" or "the operator"), an individual based in Scotland, United Kingdom. The operator is the data controller for personal data collected through this service. You can contact the operator at hello@subspotter.co.uk.
2. What data Subspotter collects and why
The table below sets out each category of personal data Subspotter collects, the reason for collecting it, and the legal basis under UK GDPR.
| Data | Purpose | Legal basis |
|---|---|---|
| Name and email address | Creating and managing your account; sending transactional emails (e.g. password resets, welcome email) | Performance of a contract (Article 6(1)(b)) |
| Password (stored as a hash) | Authenticating your account | Performance of a contract (Article 6(1)(b)) |
| Company and country (optional) | Displaying your results on company and location leaderboards | Legitimate interests (Article 6(1)(f)) — you choose to provide this to participate in leaderboards |
| Daily puzzle guesses, scores, and streak data | Running the game, calculating leaderboard positions, and displaying your score history | Performance of a contract (Article 6(1)(b)) |
| Email address (for newsletter) | Sending a weekly update about the leaderboard, game features, and fundraising progress | Consent (Article 6(1)(a)) |
| Server-side analytics (e.g. page visit counts) | Understanding how the service is used in order to improve it | Legitimate interests (Article 6(1)(f)) |
3. Cookies
Subspotter uses only essential cookies. No advertising, tracking, or third-party analytics cookies are used. Essential cookies do not require your consent under the UK Privacy and Electronic Communications Regulations (PECR).
- Session cookie — keeps you logged in during your visit.
- CSRF token — protects form submissions from cross-site request forgery attacks.
4. Third-party services
Subspotter uses the following third-party services which may process your data as data processors acting on the operator's behalf:
- Google Maps Platform — used to display Street View imagery and interactive maps. Your browser communicates directly with Google's servers when the map is loaded. Google's privacy policy is available at policies.google.com/privacy.
- IONOS — used to deliver transactional emails and optional newsletter updates. Your email address is shared with this provider solely for this purpose.
5. Donations
Subspotter contains links to a Cancer Research UK fundraising page hosted on fundraise.cancerresearchuk.org. If you click this link and make a donation, any data you provide is collected by Cancer Research UK under their own privacy policy. The operator does not receive or process any payment or donation data.
6. How long Subspotter keeps your data
- Account data (name, email, password hash) — retained for as long as your account is active.
- Score and streak data — retained for as long as your account is active. Upon account deletion, score records are anonymised and retained indefinitely for leaderboard integrity and historical scoring fairness. Streak data is deleted along with your account.
- Optional profile data (company, country) — retained for as long as your account is active and can be removed by updating your account settings at any time.
- Newsletter consent — retained until you withdraw consent.
- Server-side analytics — retained for up to 12 months.
7. Account deletion and anonymisation
You may delete your account at any time via your account settings. When you do:
- Your name, email address, and password hash are permanently deleted.
- Your score records are anonymised — the link between your scores and your identity is removed — and retained to preserve leaderboard integrity and historical scoring fairness. Anonymised scores cannot be linked back to you.
8. International transfers
Subspotter is operated from the United Kingdom. Some third-party services the operator uses, including Google, may process data outside the UK. Where this occurs, the operator relies on those providers' compliance with the UK's international data transfer framework and their published data processing terms.
9. Your rights
Under UK GDPR you have the right to:
- Access — request a copy of the personal data Subspotter holds about you;
- Rectification — ask the operator to correct inaccurate or incomplete data;
- Erasure — ask the operator to delete your personal data (subject to the anonymisation approach described in section 7);
- Restriction — ask the operator to restrict processing of your data in certain circumstances;
- Portability — request your data in a structured, machine-readable format;
- Object — object to processing based on legitimate interests;
- Withdraw consent — withdraw consent for newsletter emails at any time via your account settings or by emailing hello@subspotter.co.uk. Withdrawal does not affect the lawfulness of processing before withdrawal.
10. Complaints
If you are unhappy with how Subspotter has handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection regulator:
- Website: ico.org.uk
11. Changes to this policy
Subspotter may update this Privacy Policy from time to time. The date at the top of this page will reflect when it was last revised. Continued use of Subspotter after changes are posted constitutes acceptance of the updated policy.