
PRIVACY POLICY
MEGA Musical Bingo takes your privacy very seriously. For an understanding of our Privacy Policy, please see below.
This Privacy Policy explains how Mega Musical Bingo Ltd ("we", "us", "our") collects, uses, stores, shares and deletes personal data when you interact with our services, website, events and products. It describes your rights under UK data protection law (including the UK GDPR and Data Protection Act 2018) and how you can exercise them. This Policy applies to personal data processed by Mega Musical Bingo Ltd in the United Kingdom and by our authorised service providers acting on our behalf.
1. Who we are
- Company name: Mega Musical Bingo Ltd
- Registered in: United Kingdom
- Registered address: [insert registered address]
- Company number: [insert company number]
- Data Protection Officer / Privacy contact: [insert name or role]
- Privacy contact email: privacy@megamusicalbingo.co.uk
- Privacy contact postal address: [insert postal address]
2. Scope and purpose of this Policy
This Policy covers personal data we collect from:
- Visitors to our website and social media pages;
- People who buy tickets or register for our events;
- People who sign up for newsletters, marketing or loyalty programs;
- Performers, suppliers, contractors and business contacts;
- Job applicants and employees (where applicable);
- Enquiries, complaints and other communications.
We explain what personal data we collect, why we collect it, lawful bases for processing, how long we keep it, with whom we share it, how we secure it, and how you can exercise your rights.
3. Categories of personal data we collect
We collect only what is necessary for the purposes described below. Typical categories include:
- Identity and contact data: name, title, postal address, email, telephone number, social media handle.
- Account and transaction data: purchase history, ticket bookings, payment references, invoices, refunds.
- Financial data: payment card details processed by our payment processors (we do not store full card numbers unless required for business banking; see Security).
- Event attendance and participation data: ticket type, arrival time, seat or registration details, prize winners, images or recordings taken at events where you have given consent or it is otherwise lawful to do so.
- Marketing and preference data: newsletter subscription, communication preferences, feedback, marketing consent status.
- Technical data: IP address, device identifiers, browser and operating system, cookies and usage logs.
- Employment and contractor data: CVs, references, right to work documents, payroll information (where applicable).
- Special categories (sensitive) data: only collected where strictly necessary and with explicit consent (for example, accessibility needs, dietary requirements, or other health information needed to support participation).
4. How and why we use personal data (purposes) and lawful bases
We process personal data for the following purposes and rely on these lawful bases under the UK GDPR:
- Delivering services and events (performance of a contract; legitimate interests) — to fulfil bookings and provide tickets, to run events, process payments and refunds, and administer prizes.
- Communications and customer service (contract; legitimate interests; consent for marketing) — to respond to enquiries, send essential event updates and customer service communications.
- Marketing and promotions (consent; legitimate interests where appropriate) — to send newsletters, offers and event invitations where you have consented or where our legitimate interest in marketing is balanced against your rights. You can opt out at any time.
- Website operation and analytics (legitimate interests) — to maintain website functionality, to perform analytics and improve our services.
- Legal and regulatory compliance (legal obligation) — to comply with tax, accounting, safety and regulatory obligations and to respond to lawful requests from authorities.
- Health & safety and safeguarding at events (vital interests; legal obligation) — to manage incidents, support access needs, and ensure the safety of staff and attendees.
- Recruitment and HR administration (contract; legal obligation) — to process job applications, payroll and statutory HR records.
- Fraud prevention and security (legitimate interests; legal obligation) — to detect and prevent fraud, abuse and security incidents.
If we need to rely on consent for a processing activity (for example marketing or photographing attendees), we will make that clear and you can withdraw consent at any time without affecting processing carried out before withdrawal.
5. Cookies and similar technologies
We and our partners use cookies and similar technologies to operate the website, remember user preferences, provide analytics and enable advertising. You can control cookies through your browser settings and via any cookie banner controls shown on our website. For details about the categories of cookies we use and how long they are retained, see our Cookie Notice [link/appendix] or the cookie banner on the website.
6. Disclosure and sharing of personal data
We share personal data only as necessary and under appropriate safeguards:
- Service providers and processors: payment processors, ticketing platforms, email and marketing platforms, cloud hosting and analytics providers, payroll and HR providers. These third parties act on our instruction and we require them to provide appropriate technical and organisational measures.
- Event partners and venues: where necessary to run an event (access control, security, catering).
- Legal and regulatory bodies: if required by law, court order or to establish or defend legal claims.
- Sale or transfer: if we reorganise, sell or transfer all or part of our business, personal data may be transferred as part of that transaction, subject to contractual and legal safeguards.
- Public communications: where you have expressly consented to be included in event photos, promotional materials, or attendee lists.
We do not sell personal data to third parties.
7. International transfers
Personal data is normally stored and processed within the UK and the European Economic Area. Where data is transferred outside the UK/EEA (for example to cloud providers or analytics services), we put in place appropriate safeguards such as UK-approved Standard Contractual Clauses, adequacy decisions, or other legally valid transfer mechanisms to ensure your data remains protected.
8. Data retention
We retain personal data only for as long as necessary for the purposes for which it was collected, including:
- Transaction and booking records: typically 7 years for accounting, tax and audit purposes or as required by law.
- Marketing and newsletter data: until you unsubscribe or we no longer have a lawful basis to communicate with you.
- Recruitment data: retained for a reasonable period after the recruitment process (usually up to 12 months) unless you become an employee or we need to keep records for longer for legal reasons.
- CCTV and event imagery: retention periods vary by use; event images used for marketing are retained until consent is withdrawn or for up to [specify period, e.g., 5 years], unless a shorter period is required.
We periodically review retention periods and securely delete or anonymise data when it is no longer needed.
9. Your rights
Under the UK GDPR you have the following rights, which you can exercise by contacting our Privacy contact (details at the top):
- Right to be informed: to receive clear information about how we use your personal data.
- Right of access: to obtain a copy of personal data we hold about you (subject access request).
- Right to rectification: to have inaccurate or incomplete personal data corrected.
- Right to erasure (right to be forgotten): to request deletion of your personal data where lawful.
- Right to restrict processing: to request limitation of how we use your data in certain circumstances.
- Right to data portability: to receive data you provided in a structured, commonly used format and transmit it to another controller where applicable.
- Right to object: to processing based on legitimate interests or direct marketing; if you object, we will stop unless we have compelling legitimate grounds.
- Rights in relation to automated decision-making and profiling: to challenge decisions made solely on automated processing where applicable.
We will respond to requests without undue delay and normally within one month. For complex or numerous requests, the response period may be extended by a further two months; we will notify you if an extension is needed.
10. Data Deletion
This section explains how you can request deletion of your personal data and how we handle deletion requests.
How to request deletion
- Email our Privacy contact at privacy@megamusicalbingo.co.uk with the subject line "Data Deletion Request" or write to our postal address (details at the top).
- Provide: your full name, the email address or phone number you used with us, any relevant booking or account reference, and a clear statement that you ask us to delete your personal data. If you are acting on behalf of someone else, include proof of your authority to act.
- If you prefer, you can also use our online privacy portal or form if available on the website (check the Privacy or Account settings pages).
What we will delete
- We will delete personal data that we are no longer legally required or legitimately entitled to retain, including marketing profiles, event attendance metadata, contact details and other direct identifiers.
- We will anonymise or remove personal identifiers from analytics and aggregated records where deletion of the personal data itself is not possible.
What we may retain and why
- We may refuse to delete certain data where retention is necessary for: legal obligations (e.g., tax records), defence of legal claims, fraud prevention, public safety, or other statutory reasons. In such cases we will restrict processing to the extent required and inform you of the legal basis for retention.
- If deletion would prevent us from complying with contractual obligations (for example to provide an ongoing service or to complete a refund), we will retain only the data necessary to fulfil that obligation and delete other data where possible.
Timeframe and confirmation
- We will acknowledge receipt of your deletion request within 5 business days.
- We will complete the deletion or provide a response explaining any retention within one month. If the request is complex or we receive many requests, we may extend by up to two further months and will notify you.
- When deletion is completed we will confirm by email (or by post if requested).
Third-party processors
- We will instruct our processors (ticketing, email, analytics, payment providers) to delete your data where they control the relevant data and where contractually and technically possible. We will inform you if full deletion cannot be completed because a third party is unable to remove the data, and we will work with them to resolve the issue.
11. Security measures
We use appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS) for data sent to and from our website;
- Access controls and role-based permissions for systems containing personal data;
- Regular backups, secure cloud hosting, secure password policies and multi-factor authentication for administrative access;
- Contractual, vetting and security requirements for processors;
- Regular staff training on data protection and incident response procedures.
Despite our efforts, no system is completely secure. If we become aware of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify the ICO and affected individuals where required by law.
12. Children
Our services are intended for adults. We do not knowingly collect or process personal data from children under 13 without parental consent. If we become aware that we have collected data from a child without appropriate consent, we will take steps to delete it. For events where children attend, we will obtain appropriate parental consent for photography or special processing where required.
13. Automated decision-making and profiling
We may use automated systems (such as analytics or marketing automation) to personalise communications and improve user experience. We do not use automated decision-making that produces legal effects or similarly significant effects on individuals without human oversight. If we intend to use any automated decision-making with significant effects, we will notify you, explain the logic involved and provide a means to request human review.
14. Complaints
If you have concerns about our processing of your personal data, please contact our Privacy contact first so we can try to resolve your complaint. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO).
15. Changes to this Policy
We may update this Policy from time to time. We will publish the updated Policy on our website with a revised effective date. Significant changes that materially affect your rights will be communicated more prominently, for example by email to subscribers.
16. Contact and further information
For questions, requests, or to exercise any of your rights described in this Policy, please contact:
- Email: hello@megamusicalbingo.co.uk
- Postal: Mega Musical Bingo Ltd, [insert postal address]
- Data Protection Officer / Privacy contact: Paul Beckett
For more information about data protection rights in the UK, you may also consult the Information Commissioner's Office.
Effective date: 15th December 2024
Last reviewed: 15th November 2025
