Privacy Policy
This Privacy Policy explains how Magna Ludum Creatives Ltd ("MLC", "we", "us") collects, uses, and stores personal data when you use the Key Art Booker at keyart.mlc.studio.
MLC is the data controller for all personal data collected through this site. We are committed to handling your data responsibly and in accordance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR) where applicable, and the Data Protection Act 2018.
This site is a B2B service intended for use by game studios and professional developers. It is not intended for use by individuals under the age of 18. By making a booking, you confirm that you are 18 or over and are acting on behalf of a business or organisation.
1. What Data We Collect and Why
We only collect data that is necessary to process your booking and deliver your key art. We do not collect special category data, children's data, or any data that is not directly required for the service.
1.1 Booking form
When you fill in the booking form, we collect: your game name, studio name, contact name, genre, service tier, platform targets, add-on selections, preferred start date, currency preference, and whether a rush timeline applies. This information is used to set up your production project and allocate a slot.
1.2 Payment
Payment is processed by Stripe. MLC does not see or store your card details. After payment, Stripe sends us your email address and a session reference, which we use to manage your booking. See section 4 for more on Stripe as a sub-processor.
1.3 Creative brief
After payment, you submit a creative brief. This includes your visual direction, commercial goals, style references, additional notes, and any files you upload (PDFs, images, Word documents, or Markdown files, up to 3 files at 20 MB each). This data is used solely to produce your key art.
The free-text fields in the brief can in theory contain information about third parties. Please avoid including unnecessary personal data about other individuals or organisations in your brief.
1.4 Automatically collected data
When you use the site, our hosting provider (Vercel) logs standard server data including IP addresses and browser information. We also use Vercel Web Analytics, which records page views and anonymised booking flow events. No personally identifiable information is intentionally included in analytics events. See section 5 for more detail.
2. Legal Basis for Processing
We rely on the following legal bases to process your data:
| Processing activity | Legal basis | Detail |
|---|---|---|
| Booking and brief data | Contract performance | UK/EU GDPR Art. 6(1)(b) — necessary to fulfil your booking |
| Payment processing | Contract performance | UK/EU GDPR Art. 6(1)(b) |
| Transactional emails | Contract performance | UK/EU GDPR Art. 6(1)(b) — emails required to deliver the service |
| Financial record-keeping | Legal obligation | UK/EU GDPR Art. 6(1)(c) — statutory record-keeping requirements |
| Web analytics | Legitimate interest | UK/EU GDPR Art. 6(1)(f) — understanding how the product is used |
| Fraud prevention and IP logging | Legitimate interest | UK/EU GDPR Art. 6(1)(f) |
We do not send marketing emails. If we ever want to contact you about new services or updates, we will ask for your separate consent first.
3. How Long We Keep Your Data
We keep your data only for as long as necessary:
- Payment and financial records (including your email address and Stripe session reference) are kept for 7 years to meet our legal obligations under HMRC requirements.
- Brief content and uploaded files are kept for 2 years after your project is completed, then deleted.
- Analytics data is retained in accordance with Vercel's standard retention policies and does not include personally identifiable information.
If you request erasure of your data, we will delete everything we are not legally required to retain. Where we must keep financial records, we will anonymise all other fields where possible.
4. Who We Share Your Data With
We use the following third-party services to operate the Key Art Booker. Each is a data processor acting on our instructions. We have data processing agreements in place with each one.
| Processor | Role | Data shared | Location |
|---|---|---|---|
| Stripe | Payment processing | Payment data, email, booking reference | US (EU-US Data Privacy Framework) |
| Supabase | Database and file storage | All booking and brief data, uploaded files | EU |
| SendGrid | Transactional email | Name, email, game name, tier, dates | US (EU-US Data Privacy Framework / SCCs) |
| Vercel | Hosting and analytics | Page views, anonymised events, server logs | US (EU-US Data Privacy Framework / SCCs) |
| Google Fonts | Web font delivery | IP address (incidental) | US (Google standard terms) |
| jsDelivr | JS library delivery | IP address (incidental) | Global CDN |
We do not sell your data to third parties. We do not share your data with anyone other than the processors listed above, except where required by law.
5. Cookies and Analytics
The Key Art Booker uses minimal client-side storage:
- Your currency preference (GBP, EUR, or USD) is stored in your browser's local storage so the site remembers it between visits.
- Your in-progress booking form is temporarily stored in local storage until you complete checkout. It contains no payment data or email address.
MLC does not set any application cookies. Stripe and Vercel may set their own cookies during checkout and hosting operations. Please refer to Stripe's and Vercel's privacy policies for details of their cookie use.
We use Vercel Web Analytics to understand how the site is used. This records page views and anonymised booking flow events. Vercel Web Analytics is designed to be privacy-friendly and does not use cookies for analytics purposes. No personally identifiable information is intentionally included in any analytics event.
6. Emails We Send You
We send the following transactional emails to the address you provide at checkout. These emails are a necessary part of delivering your booking and are sent on the basis of contract performance:
- Application received — sent immediately after payment, with your booking summary and brief submission link.
- Brief received — sent when you submit your creative brief.
- Booking confirmed — sent by MLC when your brief has been reviewed and the slot is confirmed.
- Creative review ready — sent when your first deliverable is ready to review.
- Delivery — sent when your final files are ready.
- Refund notification — sent if your booking is cancelled and your deposit is refunded.
We do not send marketing emails. Your email address will not be used for any purpose other than managing your booking.
7. International Data Transfers
Some of our sub-processors are based in the United States. Where personal data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place:
- Stripe, SendGrid, and Vercel are covered by the EU-US Data Privacy Framework and/or Standard Contractual Clauses (SCCs).
- Supabase stores your data on EU-hosted infrastructure, so no international transfer occurs for your booking and brief data.
- Google Fonts and jsDelivr may process IP addresses incidentally as part of delivering web assets. These transfers are covered by standard CDN terms.
8. Your Rights
Under UK GDPR and EU GDPR, you have the following rights in relation to your personal data:
- Right of access — you can ask for a copy of the personal data we hold about you.
- Right to rectification — you can ask us to correct inaccurate data. There is no self-service mechanism; please contact us directly.
- Right to erasure — you can ask us to delete your data. We will delete everything we are not legally required to retain. Financial records may need to be kept for up to 7 years, but we will anonymise all other fields where possible.
- Right to data portability — you can ask for your booking and brief data in a machine-readable format (JSON or CSV).
- Right to object — you can object to processing based on legitimate interest, including analytics.
- Right to restrict processing — you can ask us to pause processing of your data in certain circumstances.
To exercise any of these rights, please contact us at hello@mlc.studio. We will respond within one month.
9. Data Security
Your booking and brief data is stored in a Supabase-hosted PostgreSQL database on EU infrastructure. Uploaded files are stored in Supabase Storage. Access is controlled and restricted to MLC team members who need it to carry out your project.
If we become aware of a data breach that is likely to affect your rights, we will notify the relevant supervisory authority within 72 hours and contact you directly if required. You can report a data security concern to us at hello@mlc.studio.
10. Supervisory Authority
MLC is based in the UK and operates under UK GDPR. Our supervisory authority is the Information Commissioner's Office (ICO).
If you are based in the EEA and believe your EU GDPR rights have been affected, you also have the right to lodge a complaint with your local data protection authority.
We would always prefer to resolve concerns directly before any formal complaint is made. Please contact us first at hello@mlc.studio.
11. Changes to This Policy
If we make significant changes to this policy, we will update the date at the top of this page. Where changes materially affect how we handle your data, we will notify you by email if you have an active booking at the time.
12. Contact
For any privacy-related queries, requests, or concerns:
Email: hello@mlc.studio
Post: Magna Ludum Creatives Ltd, Birchin Court, 20 Birchin Lane, London, EC3V 9DU