Privacy notice.
How Supa Games handles your data under UK GDPR. Plain English, no dark patterns. Updated 3 June 2026.
1. Who's the data controller
Supa Games Trading Ltd, registered office Vault 3, 26 Inverness Street, London NW1 7HJ, is the data controller for everything we process under this notice. ICO registration is on file under reference ZB-528-114 — email [email protected] for a copy.
2. What we collect, when, and why
- Order data — name, postal address, email, phone (optional), order history. Lawful basis: contract. Held seven years per HMRC.
- Newsletter — email only. Lawful basis: consent. Unsubscribe link in every send.
- Site analytics — anonymised page-views via a self-hosted Plausible instance. No cookies, no fingerprinting, no IP storage. Lawful basis: legitimate interest.
- Customer service — emails and call notes for active queries. Held two years from last contact.
3. What we don't collect
We do not run Google Analytics, Meta Pixel, TikTok Pixel or any third-party retargeting tag on the site. The only third party that sees your order data is Stripe (payment processing) and Royal Mail (despatch). Both have their own UK GDPR-compliant privacy notices.
4. Cookies
Two first-party cookies only: SUPAGAMES (session, your cart and stash) and a CSRF nonce. Both expire on browser close. No analytics cookies, no third-party cookies, no consent banner needed under PECR Reg 6(4)(b).
5. Your rights
You can ask us to: (a) show you what we hold; (b) correct anything wrong; (c) erase your records (unless we're required to keep them under tax law); (d) restrict processing; (e) port your data to another controller; (f) object to processing.
Send any of these requests to [email protected] with "GDPR" in the subject. We respond within 30 days.
6. Complaints
If you think we've mishandled your data, please tell us first — but you have a statutory right to complain to the Information Commissioner's Office at ico.org.uk, phone 0303 123 1113.