Privacy Policy

Last updated: 21st January 2026

This Privacy Policy explains how RuleRush ("we", "us", "our") collects, uses and shares personal data when you visit our website, create an account or use our data processing platform.

This Policy is designed to comply with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018, and may also be relevant to the EU GDPR where we handle personal data of individuals in the EEA.

1. Who we are and how to contact us

Controller:
The Wagon Company
71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

Email: [email protected]

We act as:

a controller for personal data about our customers, users, prospects and website visitors; and

If you have any questions about this Policy or how we use your personal data, contact us at [email protected].

You also have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection.

2. Scope of this Policy

This Policy applies to:

users of our mobile apps;
visitors to our website;
users who create or are invited to an account on our Platform; and
employees and representatives of our business customers.

3. Personal data we collect

3.1 Data you provide to us

Device data: a random identifier for the device you use to access the platform.
Support and communications: information you provide in emails, support requests and other communications with us.

3.2 Data we collect automatically

When you visit our website or use the Platform, we automatically collect:

Usage data: pages visited, features used, actions taken, timestamps, and similar information about how you interact with our website and Platform.
Log data: IP address, browser type and version, operating system and device information, referral URLs, and error logs.
Cookies and similar technologies: small files placed on your device to enable core functionality (e.g. login sessions), analytics and (where applicable) marketing. See section 6 (Cookies and analytics).

We use tools including PostHog to help us understand how users interact with the Platform.

3.3 Customer Data processed through the Platform

Our Platform provides a chat interface that lets users ask questions about board game rulebooks and receive responses from AI providers we use to power the Service.

Depending on how you use the Platform, we may process personal data about:

users of the Platform (e.g. account holders);
individuals referenced in chat messages.

User Content and related data may include:

random identifier for your device;
chat communications (your messages/prompts, and the AI’s responses);
customer support communications and related metadata;
usage, device, and log data (e.g. IP address, device identifiers, timestamps, interaction and performance analytics).

To provide the Service, we process this data as necessary to operate the chat experience, maintain and secure the Platform, respond to support requests, and improve reliability and performance. When you submit messages or rulebook content, we may transmit that content to the AI providers that generate responses on our behalf, solely to provide the Service and subject to applicable contractual and technical safeguards.

The exact data we process depends on the features you use, the information you choose to provide, and your settings.

Please do not include sensitive information in your chats (e.g. health information, biometric identifiers, political opinions, precise location, or information about children). We do not intend to collect special categories of personal data through the Service. If you choose to include such information, you are responsible for ensuring this is lawful and appropriate.

4. How we use personal data and legal bases

Where we act as a controller, we use personal data for the purposes and on the legal bases summarised below.

Purpose	Examples of data used	Legal basis (UK/EU)
Provide and operate the Service	Account, profile, usage, and log data	Contract – to perform our contract with you or the organisation you represent
Security, monitoring and abuse prevention	Log data, usage data, device and IP info	Legitimate interests – to maintain security and prevent misuse
Product improvement and analytics	Usage data, feature usage, aggregated metrics	Legitimate interests – to understand and improve the Service
Customer support and communications	Contact details, support communications	Contract and legitimate interests
Legal and regulatory compliance	All relevant categories	Legal obligation and legitimate interests (establishing or defending legal claims)

Where we rely on legitimate interests, we balance our interests against your rights and freedoms and implement safeguards where appropriate.

For Customer Data where we act as a processor, our legal basis is determined by our customer (the controller). Typically, they rely on contract, legitimate interests and/or consent, depending on their use case.

5. AI-related processing

The Service uses AI models to generate responses in the chat interface and help users understand and apply board game rulebooks (for example, explaining rules, providing examples, or summarising passages you provide).

Where we use third-party AI providers to power the Service, we share only the information necessary to generate a response and provide the Service and related support, in accordance with our agreements with those providers and their applicable data-use policies.

AI outputs may be incorrect or incomplete. Users should verify responses against the official rulebook and, where relevant, agree interpretations with other players.

6. Cookies and analytics

We use cookies and similar technologies to:

enable core site and Platform functionality (e.g. login, session management, security);
understand how visitors and users interact with our website and Platform (analytics);
support marketing and advertising activities, including via third-party platforms such as Meta, TikTok, Google Ads, LinkedIn and RB2B.

Under the Privacy and Electronic Communications Regulations (PECR) and UK GDPR, non-essential cookies (such as analytics and advertising cookies) typically require consent, while strictly necessary cookies for providing an online service you request do not.

In practice this means:

Essential cookies are set to provide the website/Platform (for example, to keep you logged in and keep requests secure).
Analytics and advertising tags should only operate with your consent, which we obtain via appropriate mechanisms (for example, a banner or similar control) where required by law.
You can also control cookies through your browser or device settings and, where applicable, through our cookie settings interface.

More detailed information about the specific cookies and tools we use may be provided in a separate cookie notice.

7. When we share personal data

We share personal data with:

Infrastructure and hosting providers: e.g. cloud providers such as AWS, used to host and run the Platform.
Product and analytics tools: e.g. PostHog (product analytics).
Email and communication tools: e.g. Postmark and Google Workspace for sending and receiving emails and notifications.
Professional advisers: such as lawyers, accountants and auditors, where necessary for our legitimate interests and legal obligations.
Authorities and regulators: where required by law, regulation or court order, or to protect our rights or those of others (for example, to prevent fraud or security incidents).

We require our service providers to handle personal data only in accordance with our instructions, under appropriate contracts, and to implement suitable security measures.

We do not sell personal data.

8. International transfers

We aim to store and process personal data primarily in the UK (and where appropriate, the EEA).

If we need to transfer personal data outside the UK/EEA (for example, where a service provider operates or stores data in another country), we will ensure that appropriate safeguards are in place, such as:

an adequacy regulation; or
standard contractual clauses or equivalent mechanisms approved under UK data protection law.

You can contact us for more information about such transfers.

9. Data retention

We retain personal data for as long as necessary for the purposes described in this Policy, including to comply with legal, accounting and reporting requirements. In general:

User account data: retained for as long as the user’s account is active. If an account is closed, we may retain limited information (such as email address, role and activity logs) for a reasonable period (for example, up to 3 years) for security, record-keeping and dispute resolution.
Logs and security data: retained for a period appropriate for security and troubleshooting purposes (for example, typically up to 12–24 months, unless longer is needed for an investigation).

We may retain anonymised or aggregated data that does not identify individuals indefinitely.

10. Security

We take appropriate technical and organisational measures to protect personal data, including:

Encryption in transit (e.g. HTTPS/TLS) and at rest, where applicable;
access controls and authentication for staff and systems;
role-based access, restricting access to personal data to personnel who need it for their role;
secure development and deployment practices, including regular patching and updates;
monitoring for unusual activity and abuse;
contractual obligations of confidentiality with staff and service providers.

No system is perfectly secure, but we work to reduce risks and respond promptly to incidents. If we become aware of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify affected customers and, where required, the ICO and/or other authorities.

11. Your data protection rights

Subject to applicable law, and typically where we act as a controller, you have the following rights in relation to your personal data:

Right of access – to obtain confirmation as to whether we process your personal data and to request a copy.
Right to rectification – to request that inaccurate or incomplete data be corrected.
Right to erasure – to request deletion of your personal data, in certain circumstances.
Right to restriction – to request that we restrict processing in certain circumstances.
Right to data portability – to receive personal data you provided to us in a structured, commonly used format and to ask us to transfer it to another controller, where technically feasible.
Right to object – to object to processing based on legitimate interests and to direct marketing, at any time.
Right to withdraw consent – where we rely on consent, you may withdraw it at any time (this will not affect the lawfulness of processing before withdrawal).

You can exercise these rights by emailing [email protected]. We may ask for information to verify your identity before responding.

Where we process Customer Data as a processor, we may need to refer your request to the relevant customer (the controller), who is responsible for responding.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO). Details of how to do so are available on the ICO's website.

12. Children

Our Service is intended for business use by adults and is not directed at children under 18. We do not knowingly collect personal data from children. If you believe that a child under 18 has provided us with personal data, please contact us and we will take steps to delete it.

13. Changes to this Policy

We may update this Privacy Policy from time to time. If we make material changes to how we use personal data, we will take reasonable steps to notify you (for example, by email or via the Platform) and will update the "Last updated" date at the top of this Policy.

We encourage you to review this Policy periodically to stay informed about how we use personal data.