🏢 1. Who We Are
This Privacy Policy is issued by Gamification Consultancy Ltd, trading as CompetitionLabs ("we", "us", "our"), a company registered in Malta.
| Detail | Information |
|---|---|
| Legal name | Gamification Consultancy Ltd |
| Trading name | CompetitionLabs |
| Registered address | Sammut Offices, Triq Ta' L-Ibrag, Is-Swieqi, SWQ 2037, Malta |
| Website | www.competitionlabs.com |
| Privacy contact | info@competitionlabs.com |
We are the data controller for personal data collected through this website and associated marketing activities. For data processed through our platform on behalf of our B2B clients, we act as a data processor — your operator or studio is the data controller and their privacy policy governs that processing.
📋 2. Scope of This Policy
This policy applies to:
- Visitors to www.competitionlabs.com and related subdomains
- Individuals who submit enquiries, book demos, or sign up for marketing communications
- Contacts at prospective or existing B2B client organisations
- Job applicants (see Section 3.4)
It does not govern personal data of end-players processed through the CompetitionLabs gamification platform on behalf of our operator clients. Such processing is governed by the relevant operator's own privacy policy and our Data Processing Agreement (DPA).
📥 3. Data We Collect
3.1 Website Enquiries & Demo Requests
When you submit a form on our website we collect:
- First and last name
- Work email address
- Company name
- Phone number (optional)
- The topic or message you provide
3.2 Website Analytics
We collect anonymised or pseudonymised data about how visitors use the site, including pages visited, time on page, referral source, browser type, and device type. Where cookies are used, your consent is obtained via our cookie banner. See Section 6 for full details.
3.3 B2B Commercial Contacts
If you represent a business and we engage commercially, we may hold: name, job title, work email, work phone, company name and address, and records of our communications and commercial relationship. This data is processed under our legitimate interests to manage business relationships.
3.4 Job Applicants
If you apply for a role at CompetitionLabs we collect: name, contact details, CV/résumé, cover letter, work history, qualifications, and any other information you provide. We retain application data for 12 months after the conclusion of a recruitment process unless you consent to longer retention.
3.5 Data We Do Not Collect
We do not knowingly collect:
- Special category data (health, religion, biometrics, etc.) through this website
- Payment card data (all payments are handled by certified third-party processors)
- Personal data of children under 18 (see Section 11)
⚙️ 4. How We Use Your Data
| Purpose | Data used | Legal basis |
|---|---|---|
| Responding to enquiries and booking demos | Contact form data | Pre-contractual steps / Legitimate interests |
| Sending marketing communications (newsletters, product updates) | Email, name | Consent (opt-in) |
| Managing the B2B commercial relationship | B2B contact data, communications | Legitimate interests / Contract performance |
| Improving the website and understanding usage | Anonymised analytics | Legitimate interests / Consent (where cookies required) |
| Recruitment and hiring | Applicant data | Pre-contractual steps / Legitimate interests |
| Complying with legal obligations | As required | Legal obligation |
| Fraud prevention and security | Technical / access logs | Legitimate interests / Legal obligation |
We do not use your personal data for automated decision-making that produces legal or similarly significant effects.
⚖️ 5. Legal Bases for Processing
We rely on the following legal bases under GDPR Article 6:
- Consent (Art. 6(1)(a)): Where you have opted in to marketing communications or non-essential cookies.
- Contract / Pre-contractual steps (Art. 6(1)(b)): Where processing is necessary to take steps at your request before entering a contract, or to perform a contract with you.
- Legal obligation (Art. 6(1)(c)): Where we are required to process data to comply with applicable law.
- Legitimate interests (Art. 6(1)(f)): Where our interests (managing B2B relationships, website security, fraud prevention, business analytics) are not overridden by your rights. You may object to processing under this basis — see Section 10.
🍪 6. Cookies & Tracking Technologies
We use the following categories of cookies on our website:
| Category | Purpose | Consent required? |
|---|---|---|
| Strictly necessary | Session management, security, load balancing. Cannot be disabled. | No |
| Analytics & performance | Understanding page usage, traffic sources, bounce rates (e.g. Google Analytics). | Yes |
| Marketing & retargeting | Displaying relevant ads on third-party platforms (e.g. LinkedIn Insight Tag). | Yes |
| Functional / preferences | Remembering your language, region, or cookie preferences. | Yes (where not strictly necessary) |
You can manage or withdraw your cookie consent at any time via our cookie preference centre (available in the site footer). Withdrawing consent does not affect the lawfulness of prior processing.
For full details of each cookie including name, provider, duration and purpose, see our Cookie Policy.
🤝 7. Sharing Your Data
We do not sell, rent, or trade your personal data. We may share data with:
7.1 Service Providers (Data Processors)
We use carefully selected third-party processors who act on our instructions under written data processing agreements. Categories include:
- CRM & marketing automation — e.g. HubSpot (contact management, email)
- Cloud infrastructure — e.g. Amazon Web Services (EU regions)
- Analytics — e.g. Google Analytics (anonymised)
- Video conferencing — e.g. Zoom, Google Meet (for demo calls)
- Recruitment platforms — e.g. LinkedIn (for job postings and applicant management)
7.2 Legal & Regulatory Disclosure
We may disclose personal data to courts, regulators, or law enforcement agencies where required by law or to protect our legal rights, provided we notify you where legally permitted to do so.
7.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of the transaction. We will notify affected individuals before data is subject to a different privacy policy.
7.4 Professional Advisers
Our lawyers, accountants, auditors, and insurers may access personal data on a need-to-know basis and are bound by professional confidentiality obligations.
🌍 8. International Data Transfers
We are based in Malta (EU) and primarily process data within the European Economic Area (EEA). Where we transfer data outside the EEA (for example, to a US-based processor), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where the destination country has been recognised as providing adequate protection
- Binding Corporate Rules where applicable
You may request details of the specific safeguards applicable to any international transfer of your data by contacting info@competitionlabs.com.
🗄️ 9. Data Retention
| Data type | Retention period |
|---|---|
| Website enquiries / demo requests | 3 years from last contact, or until deletion requested |
| Marketing opt-in contacts | Until you unsubscribe or request deletion |
| Active B2B client contacts | Duration of commercial relationship + 7 years (legal / tax obligation) |
| Unsuccessful job applicants | 12 months from end of recruitment process |
| Website analytics (anonymised) | 26 months (Google Analytics default, then auto-deleted) |
| Server / access logs | 90 days |
We review retained data periodically and delete or anonymise it when it is no longer needed for the purpose for which it was collected, unless a longer period is required by law.
🛡️ 10. Your Rights
Under GDPR and applicable data protection law, you have the following rights in relation to your personal data:
| Right | What it means |
|---|---|
| Access (Art. 15) | Request a copy of the personal data we hold about you. |
| Rectification (Art. 16) | Ask us to correct inaccurate or incomplete data. |
| Erasure (Art. 17) | Request deletion of your data ("right to be forgotten") where no lawful basis for retention remains. |
| Restriction (Art. 18) | Ask us to restrict processing while a complaint or correction is being resolved. |
| Portability (Art. 20) | Receive your data in a structured, machine-readable format for transfer to another controller. |
| Objection (Art. 21) | Object to processing based on legitimate interests or for direct marketing (absolute right for marketing). |
| Withdraw consent | Withdraw consent at any time where processing is based on consent, without affecting prior processing. |
To exercise any right, contact us at info@competitionlabs.com. We will respond within 30 days (extendable to 90 days for complex requests, with notice). There is no charge for reasonable requests.
If you are unsatisfied with our response, you have the right to lodge a complaint with the Malta Information and Data Protection Commissioner (IDPC): idpc.org.mt. If you are located in another EU/EEA member state you may also complain to your local supervisory authority.
👶 11. Children
Our website and services are directed at business professionals and are not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact info@competitionlabs.com and we will delete it promptly.
🔒 12. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Access controls and role-based permissions
- Regular security assessments and penetration testing
- ISO 27001-aligned information security practices
- Staff data protection training
- Incident response procedures
In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, notify affected individuals without undue delay.
🔗 13. Third-Party Links
Our website may contain links to third-party websites, partner announcements, and press releases. These sites operate under their own privacy policies, for which we have no responsibility. We encourage you to review the privacy policy of any third-party site you visit.
🔄 14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify registered users or marketing subscribers by email where the change materially affects their rights
- Display a prominent notice on our website for a reasonable period
Your continued use of our website after changes become effective constitutes acceptance of the revised policy. We recommend you review this page periodically.
📬 15. Contact & Data Protection Officer
For any privacy-related queries, to exercise your rights, or to raise a concern, please contact us:
| Channel | Details |
|---|---|
| Email (preferred) | info@competitionlabs.com |
| Post | Data Privacy, Gamification Consultancy Ltd, Sammut Offices, Triq Ta' L-Ibrag, Is-Swieqi, SWQ 2037, Malta |
| General enquiries | info@competitionlabs.com |
Supervisory Authority: Malta Information and Data Protection Commissioner (IDPC) · idpc.org.mt