Legal
Privacy, terms, cookies, and your data rights
Privacy Policy
Last updated: May 2026
What We Collect — and What We Do Not
We only collect what each form requires. Newsletter sign-up: email address and your GDPR consent. Certificate claim: your name (as it should appear on the certificate) and email address. Contact form: name, email address, and your message. We do not collect quest completion codes — they are validated on our server and immediately discarded. We do not collect payment information, IP addresses, device data, or any browsing behaviour. We do not use cookies or analytics.
What We Store
Certificate records: your chosen display name and a unique download link ID are stored in our database (Neon, a serverless Postgres service). This record exists so your certificate download link works permanently — you can re-download at any time. Email addresses for newsletters: stored in Mailchimp, our email marketing platform, after you confirm via a double opt-in email. Contact form submissions: not stored in any database. Your message is forwarded to us by email and then exists only in our inbox.
How We Use It
Certificate name and ID: to generate your personalised PDF and power the permanent download link. Certificate email: to send you the download link (one transactional email — no further emails unless you opted in). Newsletter email: to send updates about new book releases and magical adventures. You will only receive these emails after clicking the confirmation link in a double opt-in email sent by Mailchimp. Contact form data: to read and reply to your message. We never sell, rent, or share your data with third parties for their own marketing purposes.
Third-Party Data Processors
We use the following services to operate the site. Each acts as a data processor under our instruction: Mailchimp (The Rocket Science Group LLC, USA) — email marketing and audience management, covered by Standard Contractual Clauses. Resend (Resend Inc.) — transactional email delivery (certificate links, contact notifications). Neon (Neon Inc.) — serverless Postgres database for certificate records. Cloudflare — bot protection (Turnstile widget) and CDN infrastructure. Vercel — hosting platform and serverless function runtime. Google LLC (USA) — website analytics via Google Analytics 4, only when you have accepted cookies. Covered by the EU–US Data Privacy Framework. None of these processors are authorised to use your data for their own purposes beyond what is necessary to provide their services to us.
Cookies & Analytics
If you accept cookies, we use Google Analytics 4 to collect anonymous usage data — including pages visited, time on site, country, device type, and traffic source (e.g. which social platform referred you). This data is used solely to understand how the site is used and improve it. No personal data is sold or shared. If you decline cookies, no analytics cookies are set and no data is sent to Google. You can change your preference at any time by clearing your browser's local storage for this site. The only other third-party script loaded on forms is the Cloudflare Turnstile bot-detection widget, which operates without setting persistent cookies.
Data Retention
Certificate records (name + download ID): retained indefinitely so your download link continues to work. If you request deletion, your record will be removed and the download link will stop working. Newsletter subscribers: retained in Mailchimp until you unsubscribe (every marketing email includes an unsubscribe link) or request erasure. Contact form messages: retained in our email inbox for as long as normal email retention applies, typically up to two years.
Your Rights
You have the right to access, correct, or erase the personal data we hold about you, to restrict or object to its processing, and to receive a copy in a portable format. To exercise any of these rights, email privacy@riddleandbrew.com. We will respond within 30 days.
Contact
Questions about this policy? Email privacy@riddleandbrew.com and our team will get back to you.
Terms of Use
Last updated: May 2026
Acceptance of Terms
By accessing or using the Riddle & Brew website you agree to be bound by these Terms of Use. If you do not agree, please do not use the site.
Use of the Site
You may use this site for personal, non-commercial purposes only. You must not misuse the site, attempt to gain unauthorised access, or use it in any way that is unlawful or harmful.
Intellectual Property
All content on this site — including text, illustrations, puzzles, recipes, and the Riddle & Brew name — is owned by or licensed to us. You may not reproduce, distribute, or create derivative works without our written permission.
Certificates
Printable certificates generated through our site are for personal use only. They may not be resold, altered, or used for commercial purposes.
Disclaimer
The site and its content are provided "as is" without warranties of any kind. We do not guarantee that the site will be uninterrupted or error-free. Use of any recipes or activities is at your own risk — adult supervision is recommended for children.
Changes to Terms
We may update these terms from time to time. Continued use of the site after changes are posted constitutes acceptance of the revised terms.
Contact
Questions about these terms? Send an owl to legal@riddleandbrew.com and our team will respond within 30 days.
GDPR
Last updated: May 2026
Who We Are
Riddle & Brew is the data controller for personal data collected through this website. We are committed to protecting your privacy in accordance with the UK and EU General Data Protection Regulation (GDPR).
Lawful Basis — Newsletter Sign-Up
Lawful basis: explicit consent. When you enter your email and tick the consent checkbox, we add your address to our Mailchimp audience with a "pending" status. Mailchimp then sends you a double opt-in confirmation email. Your address is only moved to "subscribed" — and you only begin receiving marketing emails — after you click the confirmation link. You may withdraw consent at any time by clicking Unsubscribe in any email, or by contacting us.
Lawful Basis — Certificate Claim
Lawful basis: performance of a contract / legitimate interest. Your name and email are used solely to generate your certificate and deliver the download link. This is a transactional service you requested — no consent is required and no consent is assumed. If you also ticked "Keep me informed", a separate Mailchimp double opt-in email is sent; marketing emails only follow if you confirm that separately.
Lawful Basis — Contact Form
Lawful basis: legitimate interest. When you send us a message, your name and email are processed so we can read and respond to your enquiry. Your email address is recorded in Mailchimp with a "transactional" status — this means it exists for suppression and record-keeping purposes only. You will not receive any marketing emails as a result of contacting us.
Lawful Basis — Analytics Cookies
Lawful basis: explicit consent. We only activate Google Analytics after you click Accept in the cookie consent banner. If you decline, no analytics data is collected and no cookies are set. You may withdraw consent at any time by clearing your browser's local storage for this site. Data collected through analytics is processed by Google LLC under a Data Processing Agreement and the EU–US Data Privacy Framework.
Double Opt-In
All marketing email subscriptions — whether from the newsletter form or the certificate opt-in — use Mailchimp's double opt-in process. This means: (1) you submit the form, (2) Mailchimp sends a confirmation email to the address you provided, (3) you click the link in that email. Only after step 3 does your subscription become active. This ensures your consent is confirmed, protects against typos and third-party sign-ups, and satisfies the GDPR requirement for freely given, specific, informed, and unambiguous consent.
Your Rights
Under GDPR you have the right to: access the personal data we hold about you; have inaccurate data corrected; have your data erased ("right to be forgotten"); restrict how we process your data; receive your data in a portable format; and object to processing based on legitimate interests. You also have the right to withdraw consent at any time without affecting the lawfulness of prior processing.
Right to Erasure
To have all personal data deleted — including your certificate record, any Mailchimp subscription, and any contact history — email gdpr@riddleandbrew.com with the subject "Erasure Request". We will confirm deletion within 30 days. Note: erasing your certificate record will permanently disable your download link.
International Data Transfers
Some of our processors (Mailchimp, Resend, Neon, Vercel) are based in the United States. Transfers are covered by Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent UK transfer mechanisms, ensuring your data receives an equivalent level of protection.
Right to Complain
If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk (UK), or with the supervisory authority in your EU member state.
Contact Our Data Team
To exercise any GDPR right, email gdpr@riddleandbrew.com. We will acknowledge your request within 72 hours and respond in full within 30 days.