Privacy Policy

52Shuffled — A Scientific Research Experiment

Effective Date: 27 February 2026 | Last Updated: 27 February 2026

Version 1.0

Legal & Research Documents

IMPORTANT: This Privacy Policy explains how We collect, use, store, share, and protect Your personal data when You use the 52Shuffled service. We are committed to protecting Your privacy and complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR). Please read this Policy carefully.

1. Data Controller

1.1. The data controller responsible for Your personal data is:

Name: 52Shuffled Ltd
Registered Address: Highdown House, 11 Highdown Road, Leamington Spa, England, CV31 1XT
Company Number: (registered in England and Wales)
Email: contact@52shuffled.com
Data Protection Contact: contact@52shuffled.com

1.2. References to "We," "Us," "Our," or "the Company" in this Privacy Policy refer to the data controller identified above.

2. Data We Collect

2.1. We collect and process the following categories of personal data:

2.1.1. Account and Identity Data

Data	Source	Purpose
Full name	Registration / OAuth provider	Account identification, display on leaderboards
Email address	Registration / OAuth provider	Account management, communications
Profile photograph / avatar	OAuth provider	Display on profile and leaderboards
OAuth provider and provider ID	Google / Apple Sign-In	Authentication, preventing duplicate accounts

2.1.2. Submission Data (User Content)

Data	Source	Purpose
Video recordings of card shuffles	User's device camera	Card detection, verification, anti-cheat
Snapshot images of card layouts	Extracted from video	Card detection reference, display
Card order data (52 integers)	Computer vision detection + user confirmation	Core research data, comparisons
Detection confidence scores	YOLOv8 processing	Quality assessment
Submission timestamps	Automatic	Research metadata, streak tracking

2.1.3. Technical and Device Data

Data	Source	Purpose
IP address	Automatic	Rate limiting, anti-cheat, security, geographic advertising
Device fingerprint	Browser / device	Anti-cheat, fraud prevention
Browser type and version	Automatic	Compatibility, debugging, advertising
Operating system	Automatic	Compatibility, debugging, advertising
Screen resolution	Automatic	UI optimisation
Referral source	Automatic	Analytics
Cookies and tracking technologies	Browser / third-party ad networks	Advertising delivery, frequency capping, analytics

2.1.4. Usage and Behavioural Data

Data	Source	Purpose
Pages visited and features used	Automatic	Service improvement, analytics
Submission history and frequency	Automatic	Streak tracking, badges, research
Leaderboard interactions	Automatic	Feature analytics
Session duration	Automatic	Service improvement

2.1.5. Derived and Computed Data

Data	Source	Purpose
Shuffle scores and statistics	Computed from card order	Results, leaderboards, research
Match results and closest pairs	Computed from comparisons	Core feature, research
Percentile rankings	Computed from all submissions	Results display, gamification
Quality tier (Gold/Silver/Bronze)	Computed from multiple signals	Dataset quality management
Badges and achievements	Computed from activity	Gamification, engagement
Streak data	Computed from submission dates	Gamification

2.2. Special Category Data. We do not intentionally collect any special category data (as defined in Article 9 UK GDPR), such as racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data. If any such data is incidentally captured in video recordings (e.g., a User's visible appearance), it is processed solely for the purpose of card recognition and is not extracted, categorised, or used for any other purpose.

2.3. Video Content Requirements. Your video recordings must show only your hands and the playing cards. You must not include any other persons, faces, identifiable features, or personal items in the video. Do not film in locations where sensitive, private, or identifiable information is visible in the background (e.g., documents, screens, photographs, address details). Videos that contain identifiable persons other than the participant's hands may be removed without notice. You are solely responsible for ensuring your video does not contain identifiable content.

2.4. Data We Do Not Collect. We do not collect: financial or payment information; precise geolocation data; contacts or address books; microphone audio (beyond video recordings); or data from other applications on Your device.

3. Legal Basis for Processing

3.1. We process Your personal data on the following legal bases under Article 6(1) UK GDPR:

Processing Activity	Legal Basis	Detail
Account creation and management	Contract (Art. 6(1)(b))	Necessary for the performance of our contract with You (these Terms)
Processing submissions and providing results	Contract (Art. 6(1)(b))	Core service delivery
AI card recognition of Your video	Contract (Art. 6(1)(b))	Necessary to provide the Service You have requested
Scientific research (anonymised data)	Legitimate Interest (Art. 6(1)(f))	Advancing scientific knowledge in combinatorics and human randomness; balanced against minimal privacy impact due to anonymisation
Commercialisation of anonymised dataset	Legitimate Interest (Art. 6(1)(f))	Funding continued research and service operation; data is fully anonymised before any commercial use
Anti-cheat and fraud prevention	Legitimate Interest (Art. 6(1)(f))	Protecting data integrity and preventing abuse; balanced against User expectations of fair play
IP address and device fingerprinting	Legitimate Interest (Art. 6(1)(f))	Rate limiting, security, and fraud prevention
Service analytics and improvement	Legitimate Interest (Art. 6(1)(f))	Understanding usage patterns to improve the Service
Sending essential service communications	Contract (Art. 6(1)(b))	Account-related notifications, security alerts
Marketing communications (if opted in)	Consent (Art. 6(1)(a))	Only with Your explicit opt-in consent; withdrawable at any time
Compliance with legal obligations	Legal Obligation (Art. 6(1)(c))	Where required by applicable law

3.2. Legitimate Interest Assessments. Where We rely on legitimate interest as a legal basis, We have conducted Legitimate Interest Assessments (LIAs) to ensure that Our interests do not override Your fundamental rights and freedoms. Records of these assessments are available upon request.

3.3. Consent. Where We rely on consent, You have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

4. How We Use Your Data

4.1. We use Your personal data for the following purposes:

4.1.1. Service Provision

Creating and managing Your account;
Authenticating Your identity;
Processing Your video submissions through AI card recognition;
Storing and displaying Your verified card orders;
Comparing Your submissions against other submissions in the Dataset;
Calculating and displaying shuffle scores, statistics, and leaderboard positions;
Awarding badges and tracking streaks;
Generating shareable result cards.

4.1.2. Research and Analysis

Conducting statistical analyses on shuffle permutations;
Studying human shuffle randomness patterns;
Comparing empirical results against theoretical probability distributions;
Publishing anonymised research findings;
Improving AI card recognition accuracy using User corrections as training data.

4.1.3. Safety and Security

Detecting and preventing fraud, cheating, and abuse;
Enforcing rate limits;
Identifying duplicate or suspicious submissions;
Protecting the scientific integrity of the Dataset;
Maintaining the security of the Service and Our systems.

4.1.4. Communication

Sending essential service notifications (account, security, policy changes);
Responding to Your enquiries and support requests;
Sending marketing communications (only with Your consent).

5. Anonymisation and Pseudonymisation

5.1. Anonymisation Process. Before any data is included in the research Dataset or shared with third parties for commercial purposes, We apply the following anonymisation measures:

(a) Removal of direct identifiers: names, email addresses, OAuth provider IDs, profile images, and any other directly identifying information are permanently stripped;
(b) Replacement of User IDs: internal User IDs are replaced with random, non-reversible identifiers that cannot be linked back to Your account;
(c) IP address removal: IP addresses are permanently deleted from the anonymised dataset;
(d) Device fingerprint removal: device fingerprints are permanently deleted from the anonymised dataset;
(e) Timestamp generalisation: precise timestamps may be generalised (e.g., to date only, or to month) where necessary to prevent re-identification;
(f) Video anonymisation for research: video recordings may be anonymised (faces, identifiable features, and personal items removed or obscured, if any are present) and supplied to third-party researchers for additional research purposes, including but not limited to computer vision research, card recognition AI training, and shuffle technique analysis. Where videos are shared, they are shared in anonymised form only — stripped of all metadata linking them to Your identity. Only the numerical card order and derived statistics are included in the primary anonymised research Dataset;
(g) K-anonymity assessment: We assess whether any combination of remaining data points could enable re-identification and apply further suppression or generalisation as needed.

5.2. Anonymised Data Status. Once data has been irreversibly anonymised such that the data subject is no longer identifiable (directly or indirectly, by any means reasonably likely to be used), it ceases to constitute personal data under UK GDPR. Anonymised data is not subject to data subject rights, including the right to erasure.

5.3. Pseudonymisation. During active service operation (before anonymisation for research), some data may be pseudonymised (e.g., internal database IDs rather than names used in processing). Pseudonymised data remains personal data under UK GDPR and is subject to all applicable data protection requirements.

5.4. Re-identification Prohibition. We prohibit any attempt to re-identify individuals from the anonymised Dataset. All licences and data sharing agreements include contractual prohibitions on re-identification.

6. Data Retention

6.1. We retain different categories of data for different periods, based on the purpose of processing and legal requirements:

Data Category	Retention Period	Justification
Account data (name, email, avatar)	Duration of account + 12 months after deletion	Service provision; 12-month post-deletion period for legal compliance and dispute resolution
Video recordings	Full duration of the experiment (which may be several years)	Videos are retained as verification evidence for the entire experiment. If two shuffles produce a close or exact match, video review is essential to confirm authenticity and rule out cheating. Videos are securely stored and never published or shared publicly.
Snapshot images	Duration of account + 12 months	Displayed on results page; deleted with account
Card order data (linked to account)	Duration of account	Service provision — showing Your results
Card order data (anonymised)	Indefinitely (perpetuity)	Scientific research record; anonymised data is not personal data
Derived statistics (anonymised)	Indefinitely (perpetuity)	Scientific research record; anonymised data is not personal data
IP addresses	Duration of the research + up to 5 years after completion	Rate limiting, security, and research integrity
Device fingerprints	Duration of the research + up to 5 years after completion	Anti-cheat and research integrity
Session and authentication data	Duration of session + 30 days	Security and authentication
Cookie consent records	5 years	Regulatory compliance (demonstrating consent)
Terms acceptance records	Duration of account + 6 years	Contractual evidence (Limitation Act 1980)

6.2. Perpetual Retention of Anonymised Data. You acknowledge and consent to the fact that anonymised Shuffle Data and derived statistical analyses will be retained indefinitely as part of the scientific research record. This is essential to the integrity, reproducibility, and ongoing value of the research. As this data is anonymised (and therefore no longer personal data), it is not subject to erasure requests.

6.3. Upon expiry of any retention period, data will be securely deleted or anonymised within a reasonable timeframe (not exceeding 30 days, except where technical constraints require a longer period).

7. Data Sharing and Disclosure

7.1. We may share Your personal data with the following categories of recipients:

7.1.1. Service Providers (Data Processors)

Provider Type	Purpose	Data Shared
Cloud hosting (DigitalOcean)	Infrastructure, storage	All data (encrypted at rest and in transit)
AI processing (Anthropic / Claude API)	Card recognition from video	Video recordings, snapshot images
Authentication (Google, Apple)	User sign-in	OAuth tokens, basic profile info
Analytics provider (if applicable)	Usage analytics	Anonymised usage data

All service providers are bound by Data Processing Agreements (DPAs) that comply with Article 28 UK GDPR requirements.

7.1.2. Research Partners

We may share anonymised data with academic institutions and researchers for the purposes of scientific research. Only anonymised data (as described in Section 5) is shared. No personal data is disclosed to research partners.

Additionally, video recordings may be anonymised (faces and identifiable features removed or obscured, if any) and supplied to third-party researchers for additional research purposes, such as computer vision research, card recognition AI training, and shuffle technique analysis. Such sharing is conducted under data sharing agreements that prohibit re-identification.

7.1.3. Dataset Licensees

We may licence the anonymised Dataset to commercial entities. See Section 8 (Data Commercialisation) for details. Only anonymised data is included.

7.1.4. Legal and Regulatory

We may disclose personal data where required by law, regulation, legal process, or enforceable governmental request, including to:

Law enforcement agencies;
Courts and tribunals;
Regulatory authorities (including the ICO);
Other parties in legal proceedings.

7.1.5. Business Transfers

In the event of a merger, acquisition, reorganisation, bankruptcy, or sale of all or part of Our assets, Your personal data may be transferred as part of that transaction. We will notify You of any such transfer and any choices You may have regarding Your data.

7.2. We Do Not Sell Personal Data. We do not sell, rent, or trade Your personal data (as distinct from anonymised data) to third parties for their own marketing purposes.

8. Data Commercialisation

8.1. What We Commercialise. We may commercialise the anonymised Dataset — that is, the aggregate collection of anonymised card order permutations, statistical analyses, and derived research data. This Dataset does not contain any personal data.

8.2. What We Do Not Commercialise. We do not commercialise:

Your personal data (name, email, IP, device fingerprint);
Your unanonymised video recordings or snapshot images;
Any data that could identify You directly or indirectly.

8.2.1. Anonymised Video Use. Video recordings may be anonymised (faces and identifiable features removed or obscured, if any) and supplied to third-party researchers or commercial partners for additional research purposes, including computer vision research, card recognition AI training, and shuffle technique analysis. Anonymised videos are stripped of all metadata linking them to Your identity.

8.3. Commercial Uses. The anonymised Dataset may be used for:

(a) Academic research licensing;
(b) AI and machine learning model training (card recognition, randomness analysis);
(c) Commercial API access for researchers and developers;
(d) Benchmark datasets for random number generator validation;
(e) Published research papers and reports;
(f) Educational tools and materials;
(g) Gaming industry applications (shuffle fairness benchmarking);
(h) Any other lawful commercial purpose for which anonymised data may be used.

8.4. Licensing Terms. All third-party licensees of the Dataset are contractually required to:

Use the data only for specified purposes;
Not attempt to re-identify any individual from the anonymised data;
Maintain appropriate security measures;
Comply with all applicable data protection laws;
Report any suspected re-identification or data breach.

8.5. Consent and Transparency. By accepting Our Terms and Conditions and this Privacy Policy, You consent to the anonymisation of Your data and its inclusion in the Dataset for commercial purposes. This is clearly stated here and in Our Terms so that You can make an informed decision about whether to use the Service.

9. International Data Transfers

9.1. Your personal data may be transferred to, stored in, and processed in countries outside the United Kingdom, including but not limited to the United States (where Our cloud hosting and AI processing providers are located).

9.2. Where We transfer personal data outside the UK, We ensure that appropriate safeguards are in place, including:

(a) Transfers to countries with an adequacy decision from the UK Secretary of State;
(b) Standard Contractual Clauses (SCCs) approved by the ICO;
(c) Binding Corporate Rules (where applicable);
(d) Other appropriate safeguards as permitted under Article 46 UK GDPR.

9.3. You may request a copy of the safeguards in place for international transfers by contacting Us at contact@52shuffled.com.

10. Your Rights Under GDPR

10.1. Under UK GDPR, You have the following rights with respect to Your personal data:

10.1.1. Right of Access (Article 15)

You have the right to request a copy of the personal data We hold about You. We will respond within one month of receiving Your request (extendable by two months for complex requests). The first copy is provided free of charge; further copies may be subject to a reasonable fee.

10.1.2. Right to Rectification (Article 16)

You have the right to request that We correct any inaccurate personal data and complete any incomplete personal data concerning You.

10.1.3. Right to Erasure (Article 17)

You have the right to request the deletion of Your personal data in certain circumstances. See Section 11 for important provisions regarding the scope and limitations of this right in the context of Our Service.

10.1.4. Right to Restriction of Processing (Article 18)

You have the right to request that We restrict the processing of Your personal data in certain circumstances, including where You contest the accuracy of the data or object to Our processing.

10.1.5. Right to Data Portability (Article 20)

Where processing is based on consent or contract and carried out by automated means, You have the right to receive Your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.

10.1.6. Right to Object (Article 21)

You have the right to object to processing based on legitimate interests. We will cease processing unless We can demonstrate compelling legitimate grounds that override Your interests, rights, and freedoms, or where processing is necessary for legal claims.

10.1.7. Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects or similarly significantly affects You. Our anti-cheat flagging system uses automated processing, but all flagged submissions are subject to human review before any adverse action is taken.

10.1.8. Right to Withdraw Consent

Where processing is based on consent, You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

10.2. How to Exercise Your Rights. To exercise any of these rights, please contact Us at contact@52shuffled.com with the subject line "Data Subject Request." We may need to verify Your identity before processing Your request. We will respond within one calendar month.

10.3. No Fee Usually Required. You will not have to pay a fee to exercise Your rights. However, We may charge a reasonable fee if Your request is clearly unfounded, repetitive, or excessive. Alternatively, We may refuse to comply with Your request in these circumstances.

11. Right to Erasure — Special Provisions

11.1. Due to the nature of Our Service as a scientific research tool, the right to erasure (right to be forgotten) is subject to the following provisions:

11.1.1. What We Will Delete

Upon a valid erasure request, We will delete:

Your account and all associated identity data (name, email, avatar, OAuth IDs);
Your video recordings and snapshot images;
IP addresses and device fingerprints associated with Your submissions;
Your badge and streak records;
The link between Your identity and Your submissions.

11.1.2. What We Will Not Delete

Upon a valid erasure request, the following data will be retained:

Anonymised card order data: The numerical permutation (52 integers) from Your submissions, stripped of all identifying information, will be retained as part of the scientific research Dataset. This data has been irreversibly anonymised and can no longer be linked to You;
Anonymised statistical derivatives: Any scores, match results, or analyses derived from Your submissions and already incorporated into the aggregate Dataset in anonymised form;
Aggregate counts: Your submissions will continue to be reflected in aggregate statistics (e.g., total submission count) but cannot be individually identified.

11.1.3. Legal Basis for Retention

The retention of anonymised data after an erasure request is lawful because:

(a) Anonymised data is not personal data under UK GDPR (Recital 26) and therefore falls outside the scope of data subject rights;
(b) Even if considered personal data, the right to erasure does not apply where processing is necessary for scientific research purposes and erasure would render impossible or seriously impair the achievement of the research objectives (Article 17(3)(d) UK GDPR);
(c) The UK Data Protection Act 2018, Schedule 2, Part 6, Paragraph 27 provides an exemption from the right to erasure for scientific research processing, provided appropriate safeguards are in place.

11.2. You are informed of this before submitting any data to the Service. By submitting a shuffle, You acknowledge that anonymised data derived from Your submission will be retained in perpetuity regardless of any subsequent erasure request.

12. Cookies and Tracking Technologies

12.1. We use cookies and similar technologies on the Service. A cookie is a small text file placed on Your device that enables Us to recognise Your browser and remember certain information.

12.1.1. Essential Cookies

These are strictly necessary for the operation of the Service and do not require consent:

Cookie	Purpose	Duration
Session cookie	Authentication, maintaining logged-in state	Session / 30 days
CSRF token	Security — preventing cross-site request forgery	Session
Cookie consent	Recording Your cookie preferences	12 months

12.1.2. Analytics Cookies (if applicable)

These help Us understand how visitors interact with the Service. They are only set with Your consent:

Cookie	Purpose	Duration
Analytics identifier	Anonymous usage statistics	12 months

12.1.3. Advertising Cookies

We use Google AdSense to display advertisements on the Service. Google AdSense may set the following cookies on Your device to serve personalised or contextual advertisements:

Cookie	Provider	Purpose	Duration
__gads	Google AdSense (Google LLC)	Measures ad interactions and prevents the same ads from being shown repeatedly	13 months
__gpi	Google AdSense (Google LLC)	Collects information on visitor behaviour for ad relevance	13 months
NID	Google (Google LLC)	Stores visitor preferences and customises ads on Google properties	6 months
IDE	Google DoubleClick (Google LLC)	Used to serve targeted advertisements based on browsing activity across websites	13 months

These cookies are set by Google and are subject to Google's Privacy Policy. You may opt out of personalised advertising by visiting Google Ads Settings.

12.2. Managing Cookies. You can manage cookie preferences through the cookie consent banner displayed on first visit, or through Your browser settings. Disabling essential cookies may prevent the Service from functioning correctly.

12.3. Do Not Track. We respect the Do Not Track (DNT) browser signal. If Your browser sends a DNT signal, We will not set analytics cookies.

13. Data Security

13.1. We implement appropriate technical and organisational measures to protect Your personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage, including:

(a) Encryption of data in transit (TLS/HTTPS);
(b) Encryption of data at rest (database and storage encryption);
(c) Access controls and authentication for all systems;
(d) Regular security updates and patching;
(e) Secure credential management;
(f) Regular backups with encryption;
(g) Monitoring and logging of access to systems;
(h) Staff training on data protection (where applicable).

13.2. While We implement reasonable security measures, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee the absolute security of Your data.

13.3. You are responsible for maintaining the security of Your account credentials and for any activity that occurs under Your account.

14. Children's Privacy

14.1. The Service is not directed to children under the age of 16. We do not knowingly collect personal data from children under 16.

14.2. If You are aged 16 or 17, You may use the Service only with the consent of a parent or legal guardian.

14.3. If We become aware that We have collected personal data from a child under 16 without appropriate parental consent, We will take steps to delete that data as soon as practicable.

14.4. If You believe that a child under 16 has provided Us with personal data, please contact Us at contact@52shuffled.com.

15. Third-Party Services

15.1. The Service integrates with or relies upon the following third-party services:

Service	Provider	Purpose	Privacy Policy
Cloud hosting and storage	DigitalOcean, Inc.	Server infrastructure, object storage	Link
Computer vision detection	Self-hosted (YOLOv8)	Card detection from video	N/A (processed locally)
Google Sign-In	Google LLC	Authentication	Link
Apple Sign-In	Apple Inc.	Authentication	Link
Google AdSense	Google LLC	Display advertisements on the Service	Link

15.2. We are not responsible for the privacy practices of third-party services. We encourage You to review their privacy policies.

Advertising Disclosure

15.3. When Ads Are Shown: Non-intrusive display advertisements may be shown during processing and waiting screens only. Advertisements are never displayed during active experiment phases (fan display, shuffle, or card reveal). Premium members receive an ad-free experience.

15.4. How Advertising Works: We use Google AdSense, provided by Google LLC, as our primary advertising partner. Google AdSense may use cookies, web beacons, or similar technologies to serve advertisements based on Your browsing activity. Google may collect:

Device type and browser information
IP address (for geographic targeting)
Pages visited within the Service
Ad interaction data (views, clicks)

15.5. What Advertisers Do NOT Receive: Advertising partners do not receive access to Your:

Personal identifying information (name, email)
Video recordings or card order data
Research submission data or match results
Any non-public participant data

15.6. Opt-Out Options: You may:

Subscribe to Premium membership for an ad-free experience
Use browser settings to block third-party cookies
Use browser extensions that block advertisements
Visit industry opt-out pages such as Your Online Choices or NAI Opt-Out

15.7. Research Independence: Advertising revenue supports infrastructure costs only. Advertising partners have no role in research design, data collection, analysis, or publication decisions.

16. Computer Vision and Automated Processing

16.1. Card Detection. Your video recordings are processed by computer vision systems (YOLOv8 object detection) to identify playing cards. This processing occurs on Our own infrastructure (not shared with third parties). The detected card order is presented to You for confirmation.

16.2. Anti-Cheat. We use automated systems to detect suspicious submissions, including statistical anomaly detection and pattern matching. Submissions flagged by automated systems are subject to human review before any account action is taken. You will not be subjected to a significant decision based solely on automated processing without human oversight.

16.3. Post-Submission Validation. Automated validation checks detect impossible deck configurations (duplicate cards, missing cards). Submissions failing validation are automatically rejected with an explanation, allowing You to re-submit with better video quality.

17. Data Breaches

17.1. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, We will notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 UK GDPR.

17.2. Where the breach is likely to result in a high risk to Your rights and freedoms, We will also notify You directly without undue delay, in accordance with Article 34 UK GDPR, providing:

A description of the nature of the breach;
The likely consequences;
The measures taken or proposed to address the breach;
Contact details for further information.

17.3. We maintain a data breach register and incident response procedures.

18. Changes to This Policy

18.1. We may update this Privacy Policy from time to time. We will notify You of material changes by posting the updated Policy on the Service with a new "Last Updated" date and, where practicable, by email.

18.2. We encourage You to review this Policy periodically. Your continued use of the Service after the posting of changes constitutes Your acceptance of those changes.

18.3. Previous versions of this Privacy Policy are available upon request.

19. Contact and DPO

19.1. For any questions, concerns, or requests regarding this Privacy Policy or Our data processing practices, please contact:

Email: contact@52shuffled.com
Post: Data Protection, 52Shuffled Ltd, Highdown House, 11 Highdown Road, Leamington Spa, England, CV31 1XT

19.2. Data Protection Officer. We have not appointed a Data Protection Officer as We do not meet the threshold requirements under Article 37 UK GDPR. Data protection enquiries should be directed to the contact details above.

20. Complaints to the ICO

20.1. If You are not satisfied with Our response to a data protection concern, You have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: https://ico.org.uk/make-a-complaint/
Telephone: 0303 123 1113
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

20.2. If You are resident in the European Economic Area, You may also lodge a complaint with Your local supervisory authority.

20.3. We would appreciate the opportunity to address Your concerns before You contact the ICO. Please contact Us first at contact@52shuffled.com.