LIVE STUDY PLAY LTD
(Last updated 16 July 2025)
1. Purpose of This Policy
This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and the rights you can exercise under the UK GDPR / EU GDPR and the UK Privacy and Electronic Communications Regulations (PECR). It applies to all visitors, registered players and purchasers of Digital Goods on <hikariworld.uk> (including play.hikariworld.com).
2. Data Controller & Contact Details
| Item | Detail |
| --- | --- |
| Legal entity | LIVE STUDY PLAY LTD, Company No 15280324 |
| Registered office | Dept 4558a, 126 East Ferry Rd, London E14 9FP, United Kingdom |
| Operational email | info@hikariworld.uk |
| Data Protection Officer (DPO) | Appointed internally; contact via the operational email (subject line “FAO DPO”). |
| Supervisory authority | UK Information Commissioner’s Office (ICO). |
A European Union Article 27 representative will be appointed before EU resident data processing exceeds the occasional threshold.
3. Categories of Personal Data We Process
| Category | Examples | Source |
| --- | --- | --- |
| Account Data | Email address, username, hashed password, age declaration, IP address on sign-up | Direct from you |
| Payment & Fulfilment Data | Transaction amount, currency (USD/EUR/AUD/GBP/CAD), card token, country, fraud-risk score | Payment gateway |
| Gameplay & Device Data | Session ID, in-game actions, virtual-currency balance, browser type, OS, screen resolution | Automatically collected |
| Support & Compliance Records | Tickets, refund requests, KYC/AML checks (if triggered), chat logs relevant to investigations | Direct / generated |
| Marketing Preferences | Opt-in / opt-out flags for email news and cookie categories | Direct from you |
We do not collect special-category data (e.g., health, biometrics) or precise geolocation.
4. Why We Use Your Data & Our Legal Bases
| Purpose | Legal basis (UK GDPR Art. 6) | Key activities |
| --- | --- | --- |
| Account creation & contract performance | Art. 6(1)(b) – contract | Verify age, provide login, deliver Digital Goods |
| Payment processing & fraud prevention | Art. 6(1)(b) & (f) – contract / legitimate interest | Tokenise card, screen chargebacks, investigate abuse |
| Game operation & service optimisation | Art. 6(1)(f) – legitimate interest | Balance gameplay, fix bugs, ensure uptime |
| Marketing communications (email) | Art. 6(1)(a) – consent | Send patch notes, promotions; you can withdraw at any time |
| Legal / regulatory compliance | Art. 6(1)(c) – legal obligation | Record-keeping, respond to ICO or card-scheme requests |
Where legitimate interest is used, we perform and document a balancing test to ensure your interests are not overridden.
5. Cookies & Similar Technologies
- Essential cookies – session ID, CSRF token (strictly necessary; no consent required).
- Analytics cookies – player flow, retention metrics (loaded only after explicit opt-in via our consent banner).
- Marketing cookies – none at launch; any future deployment will be disabled by default.
See our separate Cookie Policy (Doc 4) for full details.
6. Children’s Privacy
- Minimum age to register is 13 years; in-game purchases require parental consent for users under 18.
- The game does not feature user-generated voice or unrestricted chat.
- We comply with the UK ICO Children’s Code by applying high privacy settings by default and avoiding behavioural advertising to minors.
7. Sharing & International Transfers
| Recipient | Reason for sharing | Safeguard |
| --- | --- | --- |
| PCI-DSS certified payment processor (EU/UK servers) | Card payments & fraud checks | UK GDPR Art. 28 contract |
| Cloud hosting provider (EEA data centre) | Game servers & database | SCCs if server migrates outside EEA |
| Analytics provider (future) | Usage statistics | Consent + SCCs |
| Law-enforcement / regulators | Legal obligation, fraud, IP rights | Statutory exemptions |
We never sell personal data.
8. Data Retention Periods
| Data set | Retention rule |
| --- | --- |
| Account data | Active account + 3 years of inactivity |
| Transaction records | 7 years (HMRC & card-scheme audit) |
| Gameplay logs | 12 months (security & balancing) |
| Support tickets | 2 years after closure |
| Marketing consent logs | Duration of consent + 2 years |
Upon expiry, data are securely erased or anonymised.
9. Security Measures
- TLS 1.3 enforced site-wide; HSTS preload.
- Bcrypt-hashed passwords with per-user salting.
- Role-based access control and MFA for admin accounts.
- Quarterly penetration tests; critical findings patched within 30 days.
- Incident-response plan aligned with NIST SP 800-61.
10. Your Rights
| Right | What it means | How to exercise |
| --- | --- | --- |
| Access | Obtain a copy of your data | Email the DPO; response within 30 days |
| Rectification | Correct inaccurate data | Self-service in account settings or email support |
| Erasure | “Right to be forgotten” | Not possible while active transactions exist; otherwise processed within 30 days |
| Restrict / object | Limit processing based on legitimate interest | Email request; we pause disputed processing |
| Data portability | Receive data in CSV/JSON | Available for account & transaction data |
| Withdraw consent | Stop marketing emails & non-essential cookies | Use unsubscribe link or cookie banner |
| Lodge a complaint | ICO or your EU authority | ico.org.uk / EU list |
We will authenticate requests and may refuse or charge a fee where requests are manifestly unfounded or excessive.
11. Automated Decision-Making & Profiling
We do not use automated decisions that produce legal or similarly significant effects. Fraud-risk scoring is reviewed by human analysts before any adverse action.
12. Updates to This Policy
Substantive changes will be posted here and announced in-game 14 days before they take effect. Previous versions are archived for audit.
13. Contact
For privacy questions or to exercise your rights:
DPO – LIVE STUDY PLAY LTD
Dept 4558a, 126 East Ferry Rd, London E14 9FP, UK
info@hikariworld.uk (subject: “FAO DPO”)
We are committed to handling your data fairly, lawfully and transparently.