Privacy policy

1. Data controller

The data controller for personal data collected through this portal is the entity operating the play centre or toy library where you register (hereinafter, "the operator" or "the play centre").

LudoSAFE is the technology platform used by the operator to manage families, minors, visits and regulatory compliance. FastCore develops and maintains the software on behalf of the operator.

The specific contact details of the controller (company name, tax ID, address and support channel) are provided at the play centre front desk and in your venue's registration form.

2. Data protection officer (DPO)

If the operator has appointed a data protection officer, you may contact them regarding privacy and rights matters.

While the formal appointment is being completed, you can contact the play centre operator or write to info@ludosafe.com indicating the venue and the subject "Data protection".

3. Data we process

Through the families portal and QR self-service registration we may process, among others, the following data:

• Identifying and contact details of the guardian (name, email, phone, identity document where applicable).
• Data of minors in your care: name, date of birth, health observations relevant to the visit (e.g. allergies), and photograph if you grant specific consent.
• Consent records (policy version, date, signing IP, accepted scopes).
• Portal usage data: authenticated session, visit history associated with your family at the corresponding venue.
• Minimum technical data (strictly necessary cookies; see cookie policy).

4. Processing of minors' data

LudoSAFE is designed for indoor play centres and toy libraries. Minors' data is only processed with the explicit consent of whoever holds parental authority or legal guardianship, in accordance with Article 8 of the GDPR and Article 7 of the LOPDGDD.

Especially sensitive data (e.g. health observations or photographs) requires separate and explicit consents. We do not use automated facial recognition in the current version of the product.

Minors' identifying data (name, date of birth, health observations) is stored encrypted in the database. Photographs are stored in encrypted storage with access via time-limited links.

5. Purposes and legal basis

We process your data and that of minors in your care for the following purposes:

• Family registration management, access control to the play centre and operational communication (legal basis: performance of the service and consent).
• Billing and recording of visits, wristbands and pickup notifications (legal basis: performance of contract or pre-contractual relationship).
• Compliance with legal obligations (invoicing, retention of financial records according to legal time limits).
• Commercial or loyalty communications only if you have accepted the corresponding scope in consent (legal basis: consent, revocable at any time).
• Exercise and defence of claims, and system security (legal basis: legitimate interest, where applicable).

6. Recipients and processors

Data may be accessible to authorised play centre staff (front desk operators and venue administration) within the scope of their duties.

FastCore and infrastructure providers (hosting in the EU, storage, transactional email) act as data processors under contract, with security measures in accordance with the GDPR.

We do not sell personal data to third parties. We will only disclose information to public authorities when there is a legal obligation.

7. Retention periods

We retain data while you maintain an active relationship with the play centre and valid consent exists for service usage.

After exercising the right to erasure, we delete or pseudonymise identifying personal data. Financial records required by legal obligation may be retained for the applicable periods.

Backups are rotated with a maximum of 30 days; if a backup containing already deleted data were restored, deletion would be reapplied in accordance with our internal procedures.

8. Your rights (ARSULIPO)

You can exercise the rights of access, rectification, erasure, restriction of processing, portability and objection, as well as withdraw consent when processing is based on it.

From the authenticated portal you can view and update part of your data, and request erasure with double confirmation by email in the rights section.

You may also lodge a complaint with the Spanish Data Protection Agency (www.aepd.es) if you believe we have not handled your request correctly.

9. Security measures

We apply appropriate technical and organisational measures: encryption of sensitive data, passwords with robust algorithms, encrypted communications (TLS), venue-based access control, audit of sensitive operations and training of authorised staff.

Audit logs do not include personal data in plain text; they use internal identifiers.

10. International transfers

The infrastructure planned for service deployment is located in the European Union. If a transfer outside the EEA were necessary in the future, the safeguards provided under the GDPR would apply and this policy would be updated accordingly.

11. Changes to this policy

We may update this policy to reflect legal or service changes. We will publish the current version on this page with the last update date.

If the change affects consents already granted, renewal will be requested at your next interaction with the play centre or portal.