🔒 Your Data, Your Rights
Under UK GDPR, you have the right to access, correct, delete, and port your personal data. You can exercise these rights at any time by contacting info@playobvio.app.
1. Who We Are
SYNQ Ltd ("we", "us", "our") is the data controller for personal data processed in connection with the Obvio platform. We are registered in England and Wales.
This Privacy Policy applies to all personal data we collect through the Obvio website, mobile application, and related services. It should be read alongside our Terms & Conditions.
We are committed to processing your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data We Collect
2.1 Account & Identity Data
When you register, we collect: full name, email address, date of birth (for age verification), username, and password (stored as a hashed value — we never store your plain-text password).
2.2 Identity Verification Data
To comply with our 18+ age requirement, we may collect: government-issued photo ID (passport, driving licence), selfie/biometric data for liveness checks (processed by our third-party verification provider), and proof of address. See Section 8 for how this data is handled.
2.3 Payment & Financial Data
We collect: bank account details or digital wallet identifiers for withdrawals, transaction history (deposits, entry fees, prizes, withdrawals), and wallet balance. We do not store full card numbers — payment processing is handled by our third-party payment provider (Stripe or equivalent) under their own privacy policy.
2.4 Gameplay Data
We collect complete records of your game participation including: games entered, questions answered, answers submitted, rounds survived, eliminations, prizes won, and game session timestamps. This data is necessary for game integrity, dispute resolution, and prize distribution.
2.5 Device & Technical Data
We automatically collect: IP address, device type and operating system, browser type and version, app version, session duration, and error logs. This data is used for security, fraud prevention, and service improvement.
2.6 Communications Data
If you contact us, we retain records of that communication including email content, support ticket history, and any attachments you provide.
2.7 Marketing Preferences
Where you have given consent, we collect your marketing preferences and communication history (emails opened, links clicked). You can withdraw consent at any time.
3. How We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Account creation & management | Identity, account data | Contract performance |
| Age verification | DOB, ID documents, biometrics | Legal obligation / Legitimate interest |
| Running game sessions | Gameplay data, account data | Contract performance |
| Processing payments & withdrawals | Payment & financial data | Contract performance |
| Fraud prevention & security | Device data, IP, transaction data | Legitimate interest |
| Dispute resolution | Gameplay logs, communications | Legitimate interest / Legal obligation |
| Customer support | Communications, account data | Contract performance |
| Legal & regulatory compliance | All categories as required | Legal obligation |
| Service improvement & analytics | Gameplay data, device data (anonymised) | Legitimate interest |
| Marketing communications | Email, preferences | Consent |
4. Legal Basis for Processing
We process your personal data on the following legal bases under UK GDPR Article 6:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the Obvio service, including account management, game operation, and prize distribution.
- Legal obligation (Art. 6(1)(c)): Processing required by law, including age verification, anti-money laundering checks, and tax record-keeping.
- Legitimate interests (Art. 6(1)(f)): Processing for fraud prevention, security, dispute resolution, and service improvement, where our interests are not overridden by your rights.
- Consent (Art. 6(1)(a)): Marketing communications and optional analytics. You may withdraw consent at any time without affecting the lawfulness of prior processing.
For special category data (biometric data used in age verification), we rely on Art. 9(2)(g) (substantial public interest — age verification) and explicit consent.
6. Data Retention
We retain your personal data only for as long as necessary for the purposes for which it was collected, or as required by law:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Duration of account + 7 years | Legal / tax obligations |
| Gameplay logs | Duration of account + 7 years | Dispute resolution / legal |
| Payment records | 7 years from transaction | HMRC / legal obligation |
| Identity verification documents | 90 days after verification | Minimisation; re-verified on request |
| Biometric data (liveness check) | Deleted immediately after verification | Data minimisation |
| Marketing preferences | Until consent withdrawn + 1 year | Compliance record |
| Support communications | 3 years from last contact | Dispute resolution |
| Device / technical logs | 90 days | Security / fraud prevention |
When your account is closed, we will delete or anonymise your personal data within 30 days, except where retention is required by law.
7. Your Rights
Under UK GDPR, you have the following rights. To exercise any of them, contact info@playobvio.app. We will respond within 30 days.
| Right | What It Means |
|---|---|
| Right of Access (Art. 15) | Request a copy of all personal data we hold about you (Subject Access Request) |
| Right to Rectification (Art. 16) | Request correction of inaccurate or incomplete data |
| Right to Erasure (Art. 17) | Request deletion of your data ("right to be forgotten"), subject to legal retention obligations |
| Right to Restriction (Art. 18) | Request that we limit processing of your data in certain circumstances |
| Right to Portability (Art. 20) | Receive your data in a structured, machine-readable format and transfer it to another controller |
| Right to Object (Art. 21) | Object to processing based on legitimate interests or for direct marketing |
| Right to Withdraw Consent | Withdraw consent for marketing or optional processing at any time |
| Right to Lodge a Complaint | Complain to the ICO (ico.org.uk) if you believe we have breached UK GDPR |
ICO Contact: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF | ico.org.uk | 0303 123 1113
8. Age Verification Data
Sensitive Data Notice
Identity documents and biometric data used for age verification are special category data under UK GDPR. We apply enhanced protections to this data.
8.1 What We Collect
For age verification, our third-party provider may collect: a photo of your government-issued ID, a selfie or short video for liveness detection, and extracted data fields (name, date of birth, document number).
8.2 How It's Processed
Age verification is processed by our third-party provider (e.g. Onfido or Jumio) under their own privacy policy and our data processing agreement. We receive only the verification result (pass/fail) and the extracted name and date of birth. We do not receive or store the raw ID image or biometric data.
8.3 Retention
Identity documents are retained by our verification provider for a maximum of 90 days after verification, then deleted. Biometric liveness data is deleted immediately after the check completes. We retain only the verification result and extracted identity fields for the duration of your account.
10. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These include:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Password hashing using bcrypt with appropriate work factors
- Access controls limiting data access to authorised personnel only
- Regular security assessments and penetration testing
- Incident response procedures with 72-hour breach notification to the ICO
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay.
11. International Data Transfers
Some of our third-party service providers are located outside the UK (e.g. in the United States). Where we transfer data internationally, we ensure appropriate safeguards are in place, including:
- UK adequacy decisions (for transfers to countries with equivalent protection)
- UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses
- Binding corporate rules where applicable
You can request details of the specific safeguards in place for any international transfer by contacting info@playobvio.app.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or regulatory guidance. We will notify you of material changes by email and/or in-app notification at least 14 days before they take effect.
The current version of this policy is always available at obvio.gg/privacy. The effective date at the top of this page indicates when it was last updated.
13. Contact & Data Protection Officer
For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact:
SYNQ Ltd — Privacy Team
Email: info@playobvio.app
Data Protection Officer
Email: info@playobvio.app
Our DPO can be contacted directly for matters relating to your data subject rights or to raise a concern about our data practices.
Supervisory Authority
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
ico.org.uk | 0303 123 1113
Last updated: 18 February 2026
Read alongside our Terms & Conditions.