Black Dingo Limited, trading as Nerdvana. Registered in Scotland (company number SC706416). VAT registration number GB 451 4494 92.

Store address (visit us): Unit 11 Grampian Court, Beveridge Square, Livingston, West Lothian EH54 6QF.

© 2026 Black Dingo Limited. All rights reserved.

Privacy Policy

Maintaining your privacy is really important to us. You entrust us with your information, and we take that responsibility seriously.

We may modify or update this Privacy Policy from time to time to reflect the changes in our business and practices, and so you should review this page periodically. When we change the policy in a material manner we will let you know and update the 'last updated' header as below.

This Privacy Policy was last amended on 12/05/2026

This policy was last updated on 15/05/2026 in line with UK GDPR and Data Protection Act 2018 requirements. It may be updated in the future and we will post the new version here on our website. We will never deviate from our overall philosophy of maintaining your privacy, though.

1. General Information

We take security and privacy seriously. This Privacy Policy explains how we collect, store and use personal data when you browse our website or otherwise provide your personal data to us. Please read this Privacy Policy carefully to understand how we will treat your personal data.

Data controller: The data controller for the personal information collected via this website is Black Dingo Limited (trading as Nerdvana), a company registered in Scotland under number SC706416, with registered office at 32 Loanfoot Crescent, Uphall, Broxburn, West Lothian EH52 6DN. VAT registration number GB 451 4494 92. You can reach us using the contact details at the end of this policy.

2. What information we collect about you

Your personal data

When we say your "personal data", we mean any information that identifies any person that you provide to us.

Your "personal data" may also be contained in information that we collect about you in connection with your order or when you otherwise interact with us, for example by electronic mail.

When it comes to your personal data, we comply with our obligations under the General Data Protection Regulation and any other applicable data protection legislation from time to time.

Your personal data includes the information you provide on our website (including any forms you complete), or during an electronic mail enquiry about you.

Examples of this personal data include your name, your email address, and your address including postcode, which you provide to us when you set up an account and subsequently amend in the My Account section when you go to checkout; and any correspondence when you contact us.

We do not knowingly collect or solicit any personal data from anyone under the age of sixteen or knowingly allow such persons to purchase goods from us. Our website is not directed at children under the age of sixteen. In the event that we learn that we have collected personal data from a child under age sixteen without verification of parental consent, we will delete that information as quickly as possible.

Information we collect

We collect information about your website usage, to improve our service and to understand trends to enhance and customise our website. Some of this data may be "personal data", where it identifies a person. Here's the information that we collect and how we use it:

  • We monitor patterns of usage, such as abandoned cart data, so we can understand what people are interested in buying from Nerdvana to develop and improve our products and understand customer behaviour.
  • We do not store any credit card data. When payments are processed via credit card, we use third-party vendors that are PCI-DSS compliant. At no point do we have access to your credit card information.
  • Account & authentication data: name, email, phone, address, date of birth (used only to verify you are 16+ at registration), password hash (never the password itself), and — if you enable multi-factor authentication — your TOTP secret and one-time backup codes. If you sign in via Google or Discord we also store the external account ID (and, for Discord, your Discord username) so we can match you on the next sign-in.
  • Orders, bookings & gift cards: the contents of your orders, any shipping / billing addresses you enter at checkout, your event and table bookings (including attendee names you provide for bookings you host), gift card buyer & recipient details (name + email), and membership / subscription status.
  • Analytics Data: With your consent, we use Google Analytics 4 to collect anonymised information about how you use our website, including pages visited, time spent on site, and general location (country/region level only). This data does not identify you personally and is only collected after you have accepted analytics cookies. You can withdraw consent at any time via our Cookie Preferences page. The lawful basis for this processing is your consent (UK GDPR Article 6(1)(a)).
  • Security Logging: We log authentication attempts (including failed logins), payment transactions, admin actions, and system events for fraud prevention and security purposes. These logs contain your IP address, user agent, timestamps, and event details. Low and medium severity logs are retained for 90 days; high and critical severity logs (such as security breaches or failed login attempts) are retained for 365 days. Logs are automatically deleted after these periods and are protected with encryption. This processing is based on our legitimate interest in maintaining system security, preventing fraud, and investigating security incidents.
  • Fraud & reliability flags: if a booking or pay-in-store collection order is cancelled late or missed, we record a count and a flag on your account so staff can apply deposits or restrictions on future high-risk bookings. See our Fraud Prevention page for what those flags do and how to appeal.

3. How we use the information we collect

We use your personal data for legitimate business reasons, for example emailing you when your order has been received or when a booking is confirmed. It also lets us contact you by email, post, SMS or telephone where necessary about an order or booking you have placed, record your personal preferences, and personalise our services (such as pre-populating fields so you don't have to re-enter them). It enables us to produce reports you request as part of the services we provide.

Contacting you for Marketing Purposes

We may use your personal data to contact you by email about our own services, content, offers or product ranges that may be of interest to you. We only send you marketing messages where you have given us consent (for example by ticking the "marketing updates" box during registration or on your Manage My Data page) and you can withdraw that consent at any time using the same controls or by emailing us.

Legal Requirements

We may use your personal data to comply with any legal obligations to which we are subject.

4. Why do we use your personal data?

Under UK GDPR we must have a specific lawful basis for every way we use your personal data. The basis depends on what we're doing:

  • Performance of a contract (Art 6(1)(b)): when you place an order, subscribe to a membership, or make a booking we need your account and order details to provide what you've asked for. Without this information we cannot fulfil the contract.
  • Legal obligation (Art 6(1)(c)): we keep order and payment records to meet UK tax and accounting requirements.
  • Legitimate interests (Art 6(1)(f)): we use security logs, fraud-prevention checks, and reliability flags to protect our customers, staff, and stock; we also use aggregated non-identifying usage data to understand how our services are used and improve them. You can object to processing based on legitimate interests at any time using the rights below.
  • Consent (Art 6(1)(a)): we rely on your consent for analytics cookies, marketing emails, and anything else where consent is the appropriate basis. You can withdraw that consent at any time — via Cookie Preferences for cookies, or Manage My Data for marketing — without affecting the service we provide under the other bases above.

5. How we share information we collect

Except as described in this policy, we do not divulge any personal information gathered via our services to third parties.

We may share your personal data with third parties in certain circumstances:

  • We may disclose your data to any member of our group (which means our subsidiaries or our ultimate holding company)
  • In the event that we, our business, or substantially all of its assets are acquired by a third party (in which case personal information about customers will be one of the transferred assets)
  • If we are under a duty to disclose or share your personal data in order to comply with any legal obligation; to cooperate with law enforcement officials in the investigation of unlawful activities or relating to our users; or in order to enforce or apply any contract with you; or to protect our rights, property, or safety of our employees, customers, or others

Sub-processors we use:

| Name | Service Provided | Location | Link |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, database, and application infrastructure | EU (Ireland) | Privacy Policy |
| Square | Payment processing (PCI-DSS compliant). We also mirror your account into Square's Customer Directory — name, email, and phone number where provided — so staff at our in-store till can identify you when you visit. This applies even if you have never paid through Square (i.e. registration alone is enough for the mirror to be created). You can ask us to delete this mirror at any time via your account or by contacting us; we will also remove it as part of any account-erasure request. | USA (adequate safeguards) | Privacy Policy |
| Google | OAuth authentication (optional), email hosting, Google Analytics 4 (website analytics — only with your consent) | USA (adequate safeguards) | Privacy Policy |
| Google reCAPTCHA Enterprise | Bot / automated-signup protection on our registration form. Processes your IP and basic behavioural signals to score the request. | USA (adequate safeguards) | Privacy Policy |
| Google Maps | Embedded map on our contact page so you can find the store. | USA (adequate safeguards) | Privacy Policy |
| Discord | OAuth authentication (optional, account linking) — if you link your Discord account we receive your Discord user ID, username, and avatar via the Discord identify scope. We do not request or receive your Discord email or any other Discord data. | USA (adequate safeguards) | Privacy Policy |

International Transfers: Some processors are located outside the UK/EEA. We ensure adequate safeguards are in place through Standard Contractual Clauses (SCCs) and processor certifications.

6. How long do we store your data for?

We only store your data for as long as necessary for the purposes of processing set out in this policy. Our full Data Retention Policy is available in our technical documentation.

Data Retention Summary

| Category | What personal information is kept? | How long is it kept for? |
|---|---|---|
| Active Account | Name, email, address, phone | Until account deletion requested |
| Inactive Account | Name, email, address | 3 years (then automatically deleted) |
| Order Records | Name, email, address, purchase details | 7 years (tax law requirement) |
| Booking Records | Name, email, phone, table / room / event booking details | Anonymised 2 years after the booking date. Paid bookings keep a financial record for tax (as Order Records); free / unpaid bookings are deleted. |
| Payment Logs | Transaction ID, amount, timestamp | 7 years (PCI DSS requirement) |
| Security Logs (Low/Medium) | IP address, user agent, login attempts, actions | 90 days (fraud prevention) |
| Security Logs (High/Critical) | IP address, failed logins, security events | 365 days (security investigation) |
| Marketing Consent | Email address | Until you unsubscribe |

What happens when you delete your account: we run a single transaction that (1) anonymises records we're legally or operationally required to keep — orders (kept for 7 years for HMRC), paid table / room bookings (kept as a financial record with your name, email and phone removed), gift cards (purchaser and recipient sides), gift-card transactions, and admin / audit log entries that referenced you as the actor; and (2) deletes everything else — your account row, addresses, password reset tokens, abandoned cart, plus any bookings (unpaid or free ones only), booking-modification requests, invites you sent, and waitlist entries. Anonymised records have your name, email, postal address, and any free-text PII fields stripped or replaced with a deterministic placeholder so the financial totals still reconcile but you can no longer be identified from them. If you also want a copy of your data first, use the Export Your Data button on the Manage My Data page before you delete.

7. How to access and control your information

You are free to change your personal details in the My Account section of your account at any time, if you have set up an account with us.

You can also ask us for a copy of your personal data that we hold. We may ask for proof of your identity before providing any information and reserve the right to refuse to provide information requested if identity is not established.

Your individual rights

7.1. Access to your personal data:

You can ask us to confirm if we are processing your personal data and you may request a copy of your personal data by contacting us.

7.2. Right to change or withdraw your consent:

Where you have given us consent to make use of your personal data for any of the purposes outlined in this policy, you may withdraw that consent at any time by contacting us.

7.3. Right to Rectification:

You may ask us to update out-of-date or inaccurate information we hold about you. To do so, please log on to your account and update your information or get in touch using the contact details below.

7.4. Right to Erasure:

In certain circumstances you may ask us to erase your Personal Data. If you would like us to erase the personal data we hold about you, please get in touch using the contact details below.

7.5. Right to Data Portability:

In certain circumstances you may ask us to provide you with the personal data that we hold about you in a structured, commonly used, machine-readable form, or ask us to send such personal data to another data controller.

7.6. Right to object:

In certain circumstances you may object to our processing of your personal data. Please get in touch using the contact details below.

7.7. Right to restrict processing:

You can ask us to restrict the processing of personal data we hold about you in certain circumstances. Please get in touch using the contact details below.

7.8. Make a complaint:

You may make a complaint about our data processing activities. Please contact us using the details below.

8. Data security

We take security and privacy seriously. We will endeavour to take all reasonable steps to keep your personal data secure once it has been transferred to our systems. We adopt appropriate, industry standard data collection, storage and processing practices and security measures to protect against unauthorised access, alteration, disclosure or destruction.

9. Data Breach Notification

In the unlikely event of a data breach that may affect your personal data, we will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach (UK GDPR Article 33)
  • Notify affected individuals without undue delay if the breach is likely to result in high risk to their rights and freedoms (UK GDPR Article 34)
  • Provide clear information about the nature of the breach, likely consequences, and measures taken
  • Offer guidance on steps individuals can take to protect themselves

If you believe your personal data has been compromised, please contact us immediately at hello@nerdvanalivingston.co.uk with the subject line "Data Security Concern".

10. How to Contact Us

If you have any queries relating to this Privacy Policy or how Black Dingo Limited (trading as Nerdvana) uses your personal or financial data, please contact:

Email: hello@nerdvanalivingston.co.uk

Postal address (visit us / general post): Unit 11 Grampian Court, Beveridge Square, Livingston, West Lothian EH54 6QF

Registered office: Black Dingo Limited (trading as Nerdvana), 32 Loanfoot Crescent, Uphall, Broxburn, West Lothian EH52 6DN. Company number SC706416. VAT GB 451 4494 92.

You also have the right to lodge a complaint with the Information Commissioner's Office (the UK supervisory authority for data protection) — see ico.org.uk/make-a-complaint for how to do that. We'd ask that you raise the concern with us first so we have the chance to put it right.