Privacy Policy

Herofest LARP

Effective from: 05/05/2026

Last reviewed: 05/05/2026

1. Who we are

Herofest LARP is operated by Herofest Ltd, a company limited by guarantee registered in England and Wales (Company No. [INSERT]). We run live-action role-play events at Huntley Wood Campsite and operate the website at www.live-roleplaying.co.uk.

Herofest Ltd is the data controller for personal data collected in connection with our events and website. As a not-for-profit organisation, Herofest Ltd is exempt from the requirement to register with the Information Commissioner’s Office (ICO). We are nonetheless committed to full compliance with UK GDPR and the Data Protection Act 2018.

If you have any questions about how we use your personal data, you can contact us at: larp@live-roleplaying.co.uk

2. What Data We Collect and Why

The table below summarises the categories of personal data we collect, the purpose for which we collect it, and the legal basis under UK GDPR that we rely on.

Privacy Policy Data Collected

Category of Data What it includes and why we collect it
Identity and contact data First name, last name, email address, and phone number. Collected at booking to administer your attendance, communicate event information, and contact you in an emergency.
Dietary information Whether you are vegan, vegetarian, gluten free, dairy free, or have other dietary requirements or preferences. Collected to ensure appropriate catering arrangements at events. Where this reveals health information it is treated as special category data.
Children's data First and last name, rough age group, and the name of the Responsible Adult at Herofest (RAH) for under-18 attendees. Collected to meet our safeguarding obligations.
Emergency contact data Name, relationship, and phone number of your nominated emergency contact. Collected at event check-in via the Herofest Management System (HMS) and used only in the event of a medical emergency or safeguarding concern.
Medical information Voluntarily provided health information relevant to your attendance (e.g. conditions affected by smoke effects, epilepsy, mobility requirements). Collected at check-in via HMS. This is special category data and is handled with additional care.
In-character data Character name and faction. Collected as part of the booking process for game administration purposes.
Event attendance history A record of which Herofest events you have attended. Stored in HMS for administrative and safeguarding purposes.
Payment data Payment transactions are processed by Stripe (online bookings). Herofest does not store card numbers or full payment credentials. SumUp is used for card-present transactions at the event bar; no personal data is retained from these transactions.
Website usage data Anonymised browsing and interaction data collected via Google Analytics. Used to understand how the website is used and improve it. See section 6 for details.

3. Legal Bases for Processing

We rely on the following legal bases under UK GDPR to process your personal data:

  • Contract performance — processing your booking data, payment, and event communications is necessary to fulfil our contract with you as a ticket holder.
  • Legitimate interests — we send occasional event announcement emails to past attendees on the basis of our legitimate interest in communicating with our existing community. We have assessed that this interest is not overridden by your rights, given the direct relevance of the communications to your past participation. You can opt out at any time (see section 8).
  • Legal obligation — we process and retain certain data (including safeguarding records) to comply with our legal obligations, including obligations under the Children Act 1989 and 2004.
  • Vital interests — in a medical emergency, we may use your emergency contact and medical information to protect your vital interests or those of another person.
  • Explicit consent — where we collect special category data (dietary information that reveals health conditions, volunteered medical information) we rely on your explicit consent, which you provide by voluntarily submitting this information.

You may withdraw this consent at any time, though this may affect our ability to accommodate your needs at events.

4. Special Category Data

Some of the data we collect — specifically dietary information that may indicate a health condition, and voluntarily provided medical information — is classified as special category data under UK GDPR. This type of data attracts additional legal protections.

We process special category data only where it is necessary for the provision of our services to you and where you have voluntarily provided it. It is not shared with third parties except where required to protect your vital interests (for example, informing emergency services of a relevant medical condition). It is stored securely and accessed only by Herofest staff with a legitimate need.

5. How We Store Your Data

Personal data collected via the booking form is stored within our Herofest Management System (HMS), which is hosted on privately owned and managed infrastructure located in the United Kingdom. This means your data does not leave the UK as a result of HMS storage.

Email communications are managed via Brevo (formerly Sendinblue), a cloud-based email marketing platform. Brevo stores data on servers within the European Economic Area (EEA). Data transfers to the EEA from the UK are covered by the UK’s adequacy regulations.

Payment data is processed by Stripe, Inc. Stripe’s privacy policy is available at stripe.com/gb/privacy. Herofest does not store card details.

Website analytics data is processed by Google Analytics. Google may transfer data outside the UK. See section 6 for more detail and how to opt out.

6. Cookies and Website Analytics

Our website uses Google Analytics to collect anonymised data about how visitors use the site, including pages visited, time spent, and general location (at country level). This data does not identify you personally.

Google Analytics uses cookies — small text files stored on your device — to collect this information. By using our website, you consent to the use of these cookies unless you have configured your browser to refuse them.

You can opt out of Google Analytics tracking at any time by installing the Google Analytics Opt-out Browser Add-on, available at tools.google.com/dlpage/gaoptout.

Google’s privacy policy is available at policies.google.com/privacy.

7. Who We Share Your Data With

Herofest does not sell personal data to third parties. We share data only in the following limited circumstances:

  • Stripe — to process online payments. Stripe acts as a data processor on our behalf.
  • Brevo — to send event-related and marketing emails. Brevo acts as a data processor on our behalf.
  • Google — anonymised analytics data via Google Analytics.
  • Emergency services or statutory authorities — where we are legally required to do so, or where it is necessary to protect your vital interests or those of a child. This includes referrals under our Child Safeguarding Policy.
  • The ICO or other regulatory bodies — where required by law.

We require all third-party processors to handle your data securely and in accordance with applicable data protection law.

8. Marketing Communications

We occasionally send emails to past attendees about upcoming Herofest events. We do this on the basis of legitimate interests — you have previously purchased a ticket to a Herofest event and we consider event announcements directly relevant to your relationship with us.

We only send these emails to people who have previously paid for a Herofest event ticket. We do not purchase mailing lists or contact people who have not directly engaged with Herofest.

You can opt out of marketing emails at any time by clicking the unsubscribe link in any email we send, or by contacting us at larp@live-roleplaying.co.uk. Opting out will not affect transactional communications related to a booking you have made.

9. How Long We Keep Your Data

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. Our general retention periods are:

  • Booking and contact data — retained for 3 years following your last event attendance, after which it is deleted or anonymised.
  • Payment records — retained for 7 years in accordance with HMRC requirements.
  • Safeguarding records — retained in accordance with statutory guidance. Records relating to children may be retained until the child reaches adulthood plus a defined period, or longer where an active safeguarding concern exists.
  • Medical and emergency contact data — retained for the duration of your active attendance at Herofest events and deleted upon request or after a defined period of inactivity.
  • Website analytics data — retained by Google in accordance with their data retention settings, typically 14 months.

10. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • Right of access — you can request a copy of the personal data we hold about you
  • Right to rectification — you can ask us to correct inaccurate or incomplete data.
  • Right to erasure — you can ask us to delete your personal data in certain circumstances, for example where it is no longer necessary for the purpose it was collected. Note that this right does not apply where we are required to retain data by law (e.g. payment records or safeguarding records).
  • Right to restrict processing — you can ask us to limit how we use your data in certain circumstances.
  • Right to data portability — you can request your data in a structured, machine-readable format where processing is based on consent or contract.
  • Right to object — you can object to processing based on legitimate interests, including marketing emails. We will stop processing unless we can demonstrate compelling legitimate grounds.
  • Right to withdraw consent — where we process data on the basis of your consent (including special category data), you can withdraw that consent at any time.

To exercise any of these rights, please contact us at larp@live-roleplaying.co.uk. We will respond within one calendar month. You will not be charged for making a request.

If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner’s Office at ico.org.uk or by calling 0303 123 1113.

11. Children's Privacy

Where we collect personal data relating to children under the age of 16, we require this to be provided by or with the consent of a parent or legal guardian. We do not knowingly collect data directly from children under 16 without parental consent. Personal data relating to minors is handled in accordance with our Child Safeguarding Policy and subject to additional access restrictions within HMS.

12. Third-Party Links

Our website and communications may contain links to third-party websites, including our Discord server, Facebook Group, and payment providers. This privacy policy does not cover those third-party sites. We encourage you to read the privacy policies of any third-party sites you visit.

13. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or applicable law. When we make significant changes, we will publish the updated policy on our website and, where appropriate, notify attendees by email. The date at the top of this document indicates when it was last reviewed.