Privacy Policy

Last Updated: 12 April 2026

This Privacy Policy explains how Hero Quest CA ("we", "us", or "our") collects, uses, stores, and shares your personal information when you visit or interact with heroquestca.com (the "Site") or any of its services. It applies to all visitors regardless of location, and is designed to meet the requirements of the General Data Protection Regulation (GDPR), the UK GDPR, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and all other applicable privacy legislation.

1. Data Controller

The data controller responsible for your personal information collected through this Site is:

Hero Quest CA
Website: heroquestca.com
Email: privacy@heroquestca.com

If you have any questions about how your data is handled, or wish to exercise any of your privacy rights, please contact us at the email address above. We aim to respond to all privacy-related requests within 30 days.

2. Information We Collect

We may collect the following categories of personal information:

  • Information you provide directly: Your name, email address, phone number, or any other details you voluntarily submit via a contact form, enquiry, or registration process.
  • Device and technical information: IP address, browser type, operating system, device type, screen resolution, and referring URLs collected automatically when you access the Site.
  • Usage and interaction data: Pages visited, links clicked, time spent on the Site, scroll depth, and navigation paths.
  • Geolocation data: Approximate location derived from your IP address, used to confirm compliance with provincial gambling laws and to serve region-appropriate content.
  • Cookie and tracking data: As described in full in our Cookie Policy.
  • Information from third-party partners: Limited referral and analytics data shared by affiliate and advertising partners for fraud prevention and campaign measurement purposes.

3. Legal Bases for Processing (GDPR / UK GDPR)

Where the GDPR or UK GDPR applies to your use of this Site, we process your personal data on the following legal bases:

  • Consent (Article 6(1)(a)): We rely on your freely given, specific, informed, and unambiguous consent for placing non-essential cookies (analytics and advertising), sending direct marketing communications, and processing data collected via optional contact forms. You may withdraw consent at any time without affecting the lawfulness of any processing carried out beforehand.
  • Legitimate interests (Article 6(1)(f)): We process certain data — such as server logs, IP addresses, and basic usage analytics — to maintain the security and performance of the Site, prevent fraud and abuse, and improve our services. We have assessed that these interests are not overridden by your rights and freedoms. You may object to this processing at any time.
  • Legal obligation (Article 6(1)(c)): We may process your data where necessary to comply with a legal obligation, such as responding to a lawful request from a regulatory authority or court.
  • Contractual necessity (Article 6(1)(b)): Where you engage with a service requiring account creation or a transaction, we process the data necessary to fulfil that contractual relationship.

For Canadian residents, we rely on implied or express consent under PIPEDA, with the appropriate form of consent determined by the sensitivity of the information and the reasonable expectations of the individual.

4. Contact Form Data

When you submit an enquiry via our contact form or by emailing us directly, we collect your name, email address, and the content of your message.

Legal basis: Consent (GDPR Article 6(1)(a)) and, where applicable, contractual necessity (Article 6(1)(b)).

Purpose: To respond to your enquiry, address feedback, and improve our services.

Retention period: Contact form submissions and email correspondence are retained for a maximum of 24 months from the date of receipt, after which they are securely deleted, unless a longer retention period is required by law or ongoing correspondence makes it necessary.

Sharing: Contact form data is never sold or shared with third parties for marketing purposes. It may be accessed by our hosting or email service providers under strict data processing agreements.

5. Purposes of Processing and Data Retention Periods

The table below summarises how long we retain different categories of personal data:

Data Category Purpose Retention Period
Contact form / email enquiries Respond to enquiries and feedback 24 months from date of receipt
Server logs (IP address, browser) Security, fraud prevention, performance 90 days (rolling)
Analytics data (aggregated) Site performance measurement and improvement 26 months from collection
Advertising / cookie identifiers Ad delivery, retargeting, campaign measurement Up to 13 months from last interaction
Geolocation (IP-derived) Regulatory compliance, region-appropriate content Session-based; not stored beyond the visit
Click-to-call phone numbers Call attribution and partner reconciliation Maximum 3 months from call date

When data is no longer required for its stated purpose and no legal obligation requires retention, we securely delete or anonymise it.

6. Advertising Cookies and Third-Party Recipients

We use third-party advertising and analytics technologies on this Site that may involve the collection and processing of your personal data by those third parties for the purposes of delivering targeted advertising, measuring campaign performance, and building audience profiles. These activities only occur where you have provided consent via our cookie consent banner.

The following third-party recipients may receive your data when you interact with this Site and consent to advertising cookies:

  • Google LLC (Google Analytics, Google Ads, DoubleClick/Floodlight, Google Tag Manager)
    Purpose: Analytics, ad delivery, conversion measurement, retargeting.
    Data transferred: IP address (anonymised where possible), device identifiers, browsing behaviour, click data.
    Privacy policy: policies.google.com/privacy
  • Meta Platforms Ireland Ltd. (Facebook Pixel, Custom Audiences, Conversions API)
    Purpose: Ad delivery, retargeting, conversion tracking.
    Data transferred: Hashed identifiers, pixel events, browsing actions.
    Privacy policy: facebook.com/privacy/policy
  • Microsoft Corporation (Microsoft Advertising, Clarity)
    Purpose: Ad delivery, session recording (anonymised), conversion measurement.
    Data transferred: Device identifiers, click data, session data.
    Privacy policy: privacy.microsoft.com
  • Functional Software Inc. (Sentry)
    Purpose: Application error and performance monitoring (operational/essential).
    Data transferred: Anonymised error logs, device/browser metadata.
    Privacy policy: sentry.io/privacy
  • OneSignal Inc. (web push notifications, if opted in)
    Purpose: Delivering push notifications where you have explicitly opted in.
    Data transferred: Browser/device push token, notification interaction data.
    Privacy policy: onesignal.com/privacy_policy

You can withdraw consent for advertising cookies at any time via our [Manage Cookie Preferences] control. Doing so will prevent future advertising data from being collected, though it will not retroactively delete data already processed by third parties prior to withdrawal.

7. International Data Transfers and Safeguards

Some of the third-party recipients listed above are based in countries outside the European Economic Area (EEA), the United Kingdom, or Canada — most notably the United States. Where your personal data is transferred to a third country, we ensure that appropriate safeguards are in place in accordance with applicable law:

  • Standard Contractual Clauses (SCCs): For transfers from the EEA or UK to countries without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (2021) or the UK International Data Transfer Agreement (IDTA), incorporated into our agreements with relevant third-party processors.
  • Adequacy decisions: Where the European Commission or UK ICO has issued an adequacy decision for a recipient country, we rely on that decision as the transfer mechanism.
  • Canada (PIPEDA): We implement contractual and organisational measures to ensure that personal information transferred outside Canada receives comparable protection to that required under PIPEDA.
  • US-based providers: Google LLC, Meta Platforms Inc., Microsoft Corporation, Functional Software Inc. (Sentry), and OneSignal Inc. are all based in the United States. Transfers to these entities are covered by SCCs, their participation in applicable data transfer frameworks, and/or supplementary technical measures.

You may request a copy of the transfer safeguards we rely on by contacting us at privacy@heroquestca.com.

8. Sharing Your Information

We do not sell your personal information. We may share it only in the following circumstances:

  • Service providers and processors: Hosting providers, email services, analytics platforms, and similar vendors who process data strictly on our behalf under written data processing agreements.
  • Advertising and affiliate partners: As described in Section 6, where you have consented to advertising cookies.
  • Legal and regulatory authorities: Where we are required to disclose data by law, court order, or regulatory request.
  • Business transfers: In the event of a merger, acquisition, or asset sale, your data may be transferred to the successor entity subject to equivalent privacy protections.

9. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights in relation to your personal data:

  • Right of access (GDPR Art. 15 / PIPEDA): Request a copy of the personal data we hold about you.
  • Right to rectification (GDPR Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure (GDPR Art. 17): Request deletion of your personal data where it is no longer necessary, or where you withdraw consent and no other legal basis applies.
  • Right to restrict processing (GDPR Art. 18): Request that we limit the processing of your data in certain circumstances.
  • Right to data portability (GDPR Art. 20): Receive your data in a structured, commonly used, machine-readable format where processing is based on consent or contract.
  • Right to object (GDPR Art. 21): Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent: Withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: Lodge a complaint with your local supervisory authority. For EEA residents, this is your national Data Protection Authority. For UK residents, this is the Information Commissioner's Office (ICO) at ico.org.uk. For Canadian residents, this is the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.

To exercise any of these rights, contact us at privacy@heroquestca.com. We will respond within 30 days and may need to verify your identity before processing your request.

10. Responsible Gambling

Our services are only available to individuals of legal gambling age in their jurisdiction: 19+ in Ontario, British Columbia, and most Canadian provinces; 18+ in Alberta and Quebec. We use geolocation tools to assist with compliance and provide links to responsible gambling resources including ConnexOntario and GameSense. We support self-exclusion, deposit limits, and time limit tools where available through partner platforms.

11. Children's Privacy

This Site is not directed at individuals below the legal gambling age in their jurisdiction, and we do not knowingly collect personal information from minors. If we become aware that personal data has been collected from an underage individual, we will delete it without delay.

12. Information Security

We implement SSL/TLS encryption, access controls, and industry-standard technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. While no system can be made entirely risk-free, we continuously review and strengthen our security practices to keep your data safe.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The "Last Updated" date at the top of this page reflects the most recent revision. Where changes are material, we will provide more prominent notice. Continued use of the Site after changes take effect constitutes acceptance of the updated Policy.

14. Contact and Data Subject Requests

For any privacy-related questions, requests to exercise your rights, or complaints, please contact:

Hero Quest CA — Privacy Team
Email: privacy@heroquestca.com
Website: heroquestca.com

We aim to acknowledge all requests within 5 business days and resolve them within 30 calendar days. Where a request is particularly complex or numerous, we may extend this period by up to a further two months and will notify you accordingly.

Canadian Addendum (PIPEDA)

This addendum supplements the Privacy Policy above and applies specifically to residents of Canada.

Applicable Laws

Hero Quest CA complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, substantially similar provincial legislation including Alberta PIPA, British Columbia PIPA, and Quebec's Law 25 (Act Respecting the Protection of Personal Information in the Private Sector).

Consent Under PIPEDA

We rely on your express or implied consent for the collection, use, and disclosure of personal information, depending on the sensitivity of the data involved. For sensitive information — such as financial data or geolocation used for gambling compliance — we seek express consent. You may withdraw consent at any time by contacting us, subject to any legal or contractual restrictions that may apply.

Breach Notification

In accordance with PIPEDA's mandatory breach reporting requirements, if a breach of security safeguards creates a real risk of significant harm to you, we will notify you and the Office of the Privacy Commissioner of Canada (OPC) as soon as feasible.

Canadian Contact

Canadian residents may direct privacy enquiries to: privacy@heroquestca.com

Privacy Highlights for Canadian Players

🎲 Age & Eligibility: You must be of legal gambling age in your province (19+ in most provinces; 18+ in Alberta and Quebec).

📍 Geolocation: We may use your approximate location (derived from your IP address) to confirm that you are accessing our services lawfully within your jurisdiction.

🔐 Your Rights: You can access, correct, or withdraw consent to your personal data at any time by emailing privacy@heroquestca.com.

🚨 Breach Notification: If a breach creates a real risk of significant harm, we will notify you and the OPC without undue delay.

🤝 Responsible Gambling: We provide links to ConnexOntario, GameSense, and other provincial support resources.

🌍 Data Transfers: Your information may be stored outside Canada but is protected by contractual safeguards equivalent to PIPEDA standards.

📧 Contact: privacy@heroquestca.com