Privacy Policy

Privacy Policy

Last updated: June 5, 2026.

Escapions ("we", "us", "our") operates the website escapions.com, the booking flow at quests.isolly.com, and the mobile web-app at app.quests.isolly.com (together, the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, who we share it with, and the choices you have over your data when using the Service.

1. Who is the data controller

The data controller for the Service is Escapions, a private undertaking registered in the Netherlands. If you have questions about this policy or your data, you can reach us at privacy@escapions.com.

2. Data we collect

We collect data you give us directly and data that is generated when you use the Service.

  • Account data: name, email address, and a password hash (we never store passwords in clear text).
  • Booking and purchase data: the route you bought, the city, the price, payment method, gift codes redeemed, and an order receipt identifier.
  • Game data: the game code, your team name, the answers and photos you submit at each point, hint requests, time stamps, and the GPS coordinates the device reports while a game is active.
  • Device and session data: browser type, operating system, IP address, language, and a session identifier used to keep you logged in. We store these alongside session timestamps so we can detect suspicious activity.
  • Support data: the contents of any contact-form message or email you send us.

3. How we use your data

We use the data above to run the Service. In particular we use it to:

  • create and authenticate your account, and let you book a route;
  • show you the right point on the map, accept your answers, and award you a score at the end of a game;
  • send transactional emails such as booking confirmations with your game code, password resets, and answers to contact-form submissions;
  • display public leaderboards and route reviews — your team name is shown publicly there if your run was completed; your email address is never shown;
  • improve the Service by analysing anonymised usage patterns, fixing bugs, and tuning the difficulty of puzzles;
  • meet legal obligations and prevent fraud or abuse.

4. Legal basis

Under the GDPR we rely on the following legal bases for processing:

  • Contract — to fulfill the booking you made (Article 6(1)(b)).
  • Legitimate interests — to keep the Service safe, secure and working well (Article 6(1)(f)).
  • Consent — for optional location access in the web-app, for marketing emails when you opt in, and for non-essential cookies (Article 6(1)(a)). You can withdraw consent at any time.
  • Legal obligation — when we are required to keep records by tax or consumer-protection law (Article 6(1)(c)).

5. Location data and the GPS-driven geofence

The game asks for your device location while a route is active so that the "auto check-in" can fire when you arrive at a point. The browser prompts you the first time, and you can withdraw permission from the address-bar settings of your browser. If you decline, the game stays fully playable — you just tap the "I am already here" button manually at each point.

Location readings are kept only while the game is in progress and discarded after the game ends. We never use location data outside the active game session, and we never share it with third parties.

6. Sharing data with third parties

We share personal data only with the processors we need to run the Service:

  • Payment processors — to charge your card or process gift-code redemption. We never store full card numbers; only a payment-token identifier provided by the processor.
  • Email delivery — to send the transactional emails listed above (booking confirmations, password resets, contact replies).
  • Mapping providers — to render the map in the web-app. The map provider receives only the coordinates needed to render the tiles in view, never your account details.
  • Hosting and infrastructure — the providers that host our servers and back up our database.

We do not sell or rent your personal data to anyone. We do not share data with advertisers. We do not use third-party tracking cookies for marketing.

7. How long we keep data

We keep account data for as long as your account is active. If you ask us to delete your account we remove the personal identifiers within 30 days; aggregated, anonymised statistics may persist for analytics. Booking and payment records are kept for the period required by tax law (usually 7 years in the Netherlands). Game-progress data older than 365 days is anonymised automatically.

8. Your rights

You have the right to:

  • see what personal data we hold about you (right of access);
  • correct data that is wrong or incomplete (right of rectification);
  • ask us to erase data that is no longer needed (right to erasure);
  • restrict or object to processing in certain situations;
  • receive a portable copy of the data you provided (right to data portability);
  • lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) if you believe we have not handled your data correctly.

To exercise any of these rights, email privacy@escapions.com. We respond within 30 days.

9. Children

The Service is not directed at children under 12. Routes marked "12+" may be played by anyone aged 12 or above, with an adult on hand for younger players. Routes marked "18+" require the player to be at least 18. We do not knowingly collect data from anyone under 12; if you believe we have, contact us and we will delete it.

10. Cookies

We use a small number of essential cookies to keep you logged in, remember your language preference, and protect against cross-site request forgery. We do not use third-party tracking cookies for advertising. A cookie banner is shown on your first visit; you can adjust your cookie choices any time from the footer of the site.

11. Security

We protect your data with industry-standard measures: TLS in transit, encrypted database backups at rest, password hashing with Argon2id, isolation between production and development environments, and continuous monitoring for unusual login behaviour. No system is perfectly secure — if you spot a vulnerability please disclose it responsibly to security@escapions.com.

12. Changes to this policy

We may update this Privacy Policy when we add features or when the law requires us to. The "Last updated" date at the top of this page reflects the most recent change. Material changes will be announced by email or by a banner on the site.

13. Contact

Questions or requests? Email privacy@escapions.com or use the contact form on the site. We are happy to help.

Privacy Policy | Escapions