Castillo Games, Inc. Privacy Policy

Effective Date: July 13, 2026

This Privacy Policy may be updated from time to time. We will post the updated policy on this page with a new effective date.

1. Introduction: Who We Are

This Privacy Policy describes how Castillo Games Inc. ("Castillo Games", "we", "us", or "our") collects, uses, and shares personal data. Castillo Games is a board game publisher and consultancy based in the United States.

For the purposes of the General Data Protection Regulation (GDPR) and other applicable data protection laws, Castillo Games Inc. is the data controller of your personal data.

Our Contact Details:

  • Company Name:Castillo Games Inc.
  • Address:4726 Ames St., Madison, WI 53711, USA
  • EIN:85-0539120
  • Email for data protection inquiries:privacy@castillogames.com

2. License to Use This Policy as a Template & Disclaimer

Castillo Games Inc. hereby grants its clients a non-exclusive, royalty-free right to copy, modify, and use this Privacy Policy as a template for their own business purposes.

Legal Disclaimer: This document is provided for informational purposes only and does not constitute legal advice. It is a template reflecting the data processing activities of Castillo Games Inc. and may not be suitable for your specific circumstances. Data protection laws are complex and vary by jurisdiction. Any person or entity using this Privacy Policy as a template acknowledges that they do so at their own risk. Castillo Games Inc. assumes no liability for any reliance on this template, and users are strongly advised to seek independent legal counsel to ensure their own privacy policy is compliant with all applicable laws and accurately reflects their data processing practices.

3. Scope and Applicability

This Privacy Policy applies to all personal data we process, which is collected through various channels, including but not limited to:

  • Our official website (castillogames.com) and any associated subdomains.
  • Email communications and contact forms.
  • Crowdfunding platforms (e.g., Kickstarter, Gamefound) where we run campaigns.
  • Direct sales channels and e-commerce stores (e.g., via WooCommerce).
  • Consulting engagements and B2B interactions.
  • Event sign-ups, contests, and promotional activities.
  • Social media channels where you interact directly with us.

4. What Personal Data We Collect

We collect different types of personal data depending on your relationship with us. We are committed to the principle of data minimization and only collect data that is necessary for the purposes outlined in this policy.

For our Gamers and Customers (B2C):

  • Contact & Identification Data:First and last name, email address.
  • Shipping Data:Physical mailing address, city, state, postal code, country.
  • Transaction Data:Purchase history, products ordered, pledge levels on crowdfunding campaigns.
  • Payment Data:Please note that we use third-party payment processors (e.g., Stripe, PayPal). We do not directly collect, store, or have access to your full credit card numbers or financial account details. The processor provides us with a token or confirmation that a payment has been made.
  • Communication Data:Feedback, survey responses, and correspondence from customer support inquiries.

For our Consulting Clients and Business Contacts (B2B):

  • Professional Contact Data:First and last name, business email address, business phone number.
  • Professional Affiliation Data:Company or studio name, job title/role/position.
  • Project Data:Details about game projects, campaign plans, and other information relevant to our consulting services.
  • Publicly Available Data:Links to public professional profiles (e.g., LinkedIn) or company websites.
  • Notes and Observations recorded in the ordinary course of business relationships to assist us in understanding your preferences, goals and working style, and to improve the quality of our partnership and services to you.

For our Website Visitors:

  • Technical Data:IP address, browser type and version, device information, operating system.
  • Usage Data:Information about how you navigate our website, collected through cookies and similar technologies via tools like Google Analytics.

Special Categories of Data: Castillo Games does not intentionally collect or request you share, any "special categories of personal data" as defined under Article 9 of the GDPR (e.g., data revealing racial or ethnic origin, political opinions, religious beliefs, health data, etc.) or any data relating to criminal convictions and offenses (Article 10 GDPR).

5. How We Collect Personal Data

We collect personal data in the following ways:

  • Directly from You:When you place an order on our website, sign up for our email newsletter, back one of our crowdfunding campaigns, fill out a contact form, or communicate with us directly.
  • Indirectly from Other Sources:
    • For B2B marketing and outreach, we may collect professional contact details from publicly available sources such as company websites or professional networking platforms.
    • We may obtain business contact information from reputable third-party data providers and publicly available professional sources. We require that such data has been collected and is provided to us in compliance with applicable data protection laws, and that the provider has a lawful basis to share it for direct marketing purposes. Where required by law, we will inform you of the source of your data at the time of first contact.
    • We may receive your details through referrals from mutual contacts who believe you would be interested in our services.
  • Automatically:When you browse our website, we use cookies and similar analytics tools to collect technical and usage data to help us understand visitor behavior and improve our services.

6. Our Lawful Basis for Processing Personal Data

Under the GDPR, we must have a valid lawful basis for each of our processing activities. Our lawful bases are:

  • Performance of a Contract (Article 6(1)(b) GDPR):We process your data when it is necessary to fulfill our contractual obligations to you or to take steps at your request before entering into a contract. This includes:
    • Fulfilling and shipping your game orders.
    • Providing the consulting services you have engaged us for.
    • Managing your account and processing payments.
  • Legitimate Interests (Article 6(1)(f) GDPR):We process certain data because it is in our legitimate interest as a business to do so. We always balance our interests against your fundamental rights and freedoms. This includes:
    • Direct Marketing to Existing Customers:For individuals who have previously purchased one of our games, we have a legitimate interest in sending communications about our future games, expansions, or related crowdfunding campaigns.
      • Legitimate Interest Assessment Summary:We have assessed that individuals who have purchased or signed up for the mailing list of our games have a reasonable expectation of hearing about new releases from us, and this communication is limited to similar products. We balance this against your rights by providing a clear and easy opt-out link in every marketing message.
    • B2B Prospecting and Networking:Identifying and contacting potential business clients and partners who may be interested in our consulting services.
    • Website Analytics:Analyzing website traffic to improve user experience and our marketing efforts.
    • Security:Protecting our website and systems from fraud and unauthorized access.
    • Defense of Legal Claims:Retaining records necessary for the establishment, exercise, or defense of legal claims.
    • Opt Out List: After you request your data be deleted or to opt out of the marketing list we retain a copy of your email in order to honor your preferences of opting out of any marketing. At your request we will also delete your email, but then cannot guarantee you will not late be added to the email lists as a result of lead identification through a later process.
  • Consent (Article 6(1)(a) GDPR):In specific situations, we rely on your freely given, specific, informed, and unambiguous consent. This primarily applies to:
    • Subscribing to our marketing newsletter if you have not previously purchased a product from us. You have the right to withdraw your consent at any time by clicking the "unsubscribe" link in our emails or by contacting us directly.
  • Legal Obligation (Article 6(1)(c) GDPR):We may need to process your personal data to comply with our legal and regulatory obligations. This includes:
    • Maintaining financial and tax records as required by law.
    • Responding to lawful requests from public authorities.

7. How We Use Your Personal Data

We use your personal data for the following purposes, linked to the lawful bases described above:

  • Order Fulfilment and Shipping:To process, pack, and deliver the products you purchase.
  • Customer Support:To respond to your questions, provide support, and resolve any issues.
  • Marketing and Promotional Communications:To send you updates, news about new games, and information about crowdfunding campaigns, where we have a lawful basis to do so.
  • Business Operations:To manage our consulting services, B2B relationships, and partnerships, including qualifying leads and referring creators to partners like Gamefound.
  • Analytics and Website Improvement:To understand how our website is used, which allows us to improve its design, content, and functionality.
  • Legal and Financial Compliance:For bookkeeping, tax reporting, and to establish, exercise, or defend our legal rights.

8. Cookies and Similar Technologies

We use cookies and similar tracking technologies on our website to enhance functionality and to analyze traffic. We use Google Analytics to understand how visitors engage with our site. We have configured Google Analytics to anonymize IP addresses where this feature is available. For more detailed information, please refer to our Cookie Policy or the cookie consent banner on our website.

9. Third-Party Processors and Software We Use

As part of our consulting services, we may share your professional contact information (such as your name, business email, and company affiliation) with trusted business partners, manufacturers, freight forwarders, and other industry contacts where we believe there is a mutual legitimate business interest in connecting the parties. We may receive referral fees from such partners. If you do not wish your professional contact information to be shared for referral purposes, you may object at any time by contacting us at [email].

Our key processors and software tools include:

Service Provider

Purpose / Function

Data Location & Safeguards

Google Suite (Gmail, Drive, Forms)

Internal and external email communication, cloud document storage, and conducting surveys.

Data may be stored in Google's global data centers (US/EU). Transfers are governed by Google's Data Processing Addendum, which includes Standard Contractual Clauses (SCCs) and participation in the EU-U.S. Data Privacy Framework.

Mailchimp

Email marketing automation, newsletter distribution, and management of mailing lists.

Data is primarily processed in the US. Transfers are governed by Mailchimp's Data Processing Addendum, which incorporates SCCs and their participation in the EU-U.S. Data Privacy Framework.

Calendly

Online appointment and meeting scheduling for consulting clients.

Data is primarily processed in the US. Transfers are governed by Calendly's Data Processing Addendum and SCCs.

Zoho

Customer Relationship Management (CRM) and business management tools for B2B contacts.

Data may be stored in Zoho's US or EU data centers, depending on configuration. Transfers are governed by Zoho's privacy and data processing terms, which include SCCs.

Google Analytics

Website traffic and usage analytics to understand user behavior and improve our services.

Data is processed by Google globally. We have enabled IP anonymization where possible. Governed by Google's Ads Data Processing Terms.

WooCommerce & Payment Processors (e.g., Stripe, PayPal)

E-commerce platform for our online store. Payment processing is handled by third-party gateways.

WooCommerce is part of our website infrastructure. Payment processors are independent controllers governed by their own robust privacy and security policies. We do not store full payment card details.

10. International Data Transfers

Castillo Games Inc. is based in the United States. If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, your personal data will be transferred to and processed in the USA.

The USA is not considered by European authorities to provide an equivalent level of data protection. Therefore, we ensure that any such transfer is subject to appropriate safeguards as required by the GDPR.

Where our service providers process personal data outside the European Economic Area, we ensure appropriate transfer safeguards are in place, which may include the EU-U.S. Data Privacy Framework, Standard Contractual Clauses, or other lawful mechanisms required by applicable law.

11. Your Data Subject Rights

Under the GDPR, you have several rights concerning your personal data. Subject to any legal exemptions, you have the right to:

  • Right of Access (Article 15): Request a copy of the personal data we hold about you.
  • Right to Rectification (Article 16): Request that we correct any inaccurate or incomplete data.
  • Right to Erasure ('Right to be Forgotten') (Article 17): Request the deletion of your personal data where there is no compelling reason for its continued processing.
  • Right to Restrict Processing (Article 18): Request that we suspend the processing of your data in certain circumstances.
  • Right to Data Portability (Article 20): Request a copy of your data in a structured, machine-readable format to transfer to another controller.
  • Right to Object (Article 21): Object to our processing of your data where we are relying on legitimate interests as our lawful basis. You have an absolute right to object to direct marketing at any time.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence if you believe our processing of your personal data infringes applicable law.

How to Exercise Your Rights: To exercise any of these rights, please contact us at privacy@castillogames.com

Note on Opt-Outs: If you opt out of marketing communications, we will stop sending you marketing emails. However, to honor your request, we must retain a minimal identifier (e.g., your email address) on a "suppression list" to ensure you are not contacted again. This does not result in the erasure of all your data, particularly if we have other lawful bases to retain it (e.g., for order fulfillment or legal compliance).

12. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including for legal, accounting, or reporting requirements. Our retention periods are:

  • Customer & Purchase Data:Retained for the duration of our relationship and for a period thereafter to comply with tax and accounting laws (e.g., typically 7 years) and for the statute of limitations for defending legal claims.
  • Marketing Subscribers: Retained until you withdraw your consent (unsubscribe) or successfully object to processing based on legitimate interest. We regularly review our lists for inactive subscribers.
  • B2B Leads: Retained as long as necessary legitimate interest. B2B leads are periodically reviewed every 48 month and if there is no ongoing business justification, it is securely deleted.
  • Suppression Lists: Retained indefinitely to ensure we respect your opt-out choices.
  • Website Analytics Data: Retained according to Google Analytics' default policies (e.g., up to 26 months) or for a shorter period if we configure it. This data is typically aggregated and anonymized.

13. Data Security

We take the security of your personal data seriously and have implemented appropriate technical and organizational measures to protect it against accidental or unlawful destruction, loss, alteration, or unauthorized access. These measures include:

  • Using encrypted email and cloud storage services (AES-256 at rest, TLS in transit).
  • Restricting access to personal data to personnel on a "need-to-know" basis.
  • Using unique user accounts and strong passwords, and prohibiting shared credentials.
  • Partnering with vendors who maintain appropriate technical and organizational security measures, including industry-recognized certifications where applicable.
  • Promptly revoking access rights for personnel upon termination or role change.

While we take all reasonable steps to secure your data, please be aware that no system is 100% secure, and we cannot guarantee the absolute security of your information.

14. Children's Privacy

Our products and services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child without parental consent, we will take steps to delete that information as soon as possible.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will post the revised policy on our website and update the "Effective Date" at the top. For any material changes, we may provide additional notice, such as by sending an email.

16. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our designated data protection contact:

  • Name: Bryce Brown
  • Title: President
  • Email: privacy@castillogames.com
  • Mailing Address: Castillo Games Inc., 4726 Ames St., Madison, WI 53711, USA

While our processing activities do not require us to appoint a formal Data Protection Officer (DPO) under Article 37 of the GDPR, we have designated the contact above to handle all data protection inquiries.

17. Addendum for US State Privacy Laws

Residents of certain US states, such as California (under the California Consumer Privacy Act/California Privacy Rights Act - CCPA/CPRA), may have additional rights. Castillo Games does not "sell" personal information in the traditional sense of exchanging it for monetary value. We may share your professional contact information with trusted partners, manufacturers, freight forwarders, game designers, and industry contacts for referral and business networking purposes where we believe there is a mutual legitimate business interest. These introductions are made in our professional capacity as consultants, and we may receive referral fees from such partners. If you do not wish your information to be shared for referral purposes, you may object at any time by contacting us at privacy@castillogames.com.