Privacy Policy
Effective Date: 31 March 2026
Board & Brewed ("we", "us", or "our") operates the board game café located at 75 York Road, Dún Laoghaire, Dublin, A96 FR99, Ireland, and the website at boardandbrewed.ie (the "Site"). We are committed to protecting your privacy and handling your personal data transparently in accordance with the General Data Protection Regulation (EU 2016/679) ("GDPR") and applicable Irish data-protection law.
This Privacy Policy explains what information we collect, how we use it, who we share it with, and the rights you have over your data.
1. Data Controller
Board & Brewed
75 York Road, Dún Laoghaire, Dublin, A96 FR99, Ireland
If you have questions about this policy or your personal data, contact us at dave@boardandbrewed.ie.
2. Information We Collect
2.1 Information You Give Us
- Account registration. When you sign in through our customer account system (powered by Shopify), we receive your name, email address, and, where provided, your phone number and postal address.
- Table reservations. When you book a table through our embedded booking widget (powered by Toast Tables), you provide your name, email address, phone number, party size, preferred date, and time. This information is collected and processed directly by Toast Tables.
- Grading orders. When you purchase a PSA card-grading service, we collect the details of your order including the items submitted, service tier selected, and any notes you include with your submission. Payment details are handled by Shopify and are never stored on our systems.
- Communications. If you email or message us, we keep the content of those communications to respond to and resolve your enquiry.
2.2 Information Collected Automatically
- Cookies. We use a small number of strictly necessary cookies to operate our Site (see Section 6 below).
- Log data. Our hosting provider, Cloudflare, may collect standard server-log data such as your IP address, browser type, pages visited, and access timestamps. This data is processed under Cloudflare's own privacy policy.
- IP address. When you use our online shop, your IP address is forwarded to Shopify as part of the checkout process for fraud prevention and analytics.
2.3 Information from Third Parties
- Shopify. When you sign in, Shopify shares your profile information (name, email, phone, address) and order history with us so we can display your account dashboard.
- PSA (Professional Sports Authenticator). For grading orders, we receive progress updates from PSA's tracking system (current grading step, estimated completion, shipping details) and cache them to display on your account page.
3. How We Use Your Information
We process your personal data only where we have a lawful basis under the GDPR:
| Purpose | Lawful Basis |
|---|---|
| Fulfil orders and provide services you have requested (café visits, grading, reservations) | Performance of a contract |
| Display your account dashboard, order history, and grading progress | Performance of a contract |
| Communicate about your orders, bookings, or enquiries | Performance of a contract |
| Prevent fraud, enforce our terms, and protect the security of our Site | Legitimate interest |
| Comply with legal and regulatory obligations (e.g. tax records) | Legal obligation |
| Improve our Site and services | Legitimate interest |
We do not use your data for automated decision-making or profiling that produces legal effects.
4. Who We Share Your Data With
We share personal data only where necessary to deliver our services or meet a legal obligation:
| Recipient | Purpose | Location |
|---|---|---|
| Shopify | Customer authentication, order processing, and payment handling | Canada / USA (Standard Contractual Clauses in place) |
| Toast Tables | Table reservations | USA (Standard Contractual Clauses in place) |
| PSA (Professional Sports Authenticator) | Grading-order tracking and progress updates | USA |
| Cloudflare | Website hosting, security, and performance | Global (Standard Contractual Clauses in place) |
| Embedded map on our About Us page | USA (Standard Contractual Clauses in place) |
We do not sell, rent, or trade your personal data to any third party for marketing purposes.
Where data is transferred outside the European Economic Area (EEA), we rely on adequacy decisions, Standard Contractual Clauses, or other approved safeguards to ensure an appropriate level of protection.
5. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes described above:
- Account data — retained for as long as your account is active. If you request deletion, we will erase your data within 30 days unless we are required by law to retain it longer.
- Order and grading records — retained for up to 7 years to comply with Irish tax and accounting requirements.
- Booking data — managed and retained by Toast Tables according to their privacy policy.
- Server logs — retained by Cloudflare according to their standard retention periods (typically up to 72 hours for analytics logs).
- Communication records — retained for up to 2 years after your last communication, then deleted.
6. Cookies and Local Storage
6.1 Cookies We Set
All cookies set by our Site are strictly necessary for the Site to function. We do not use advertising or analytics cookies.
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
bb_access_token |
Authenticates you with our customer account system | 30 days | Secure, HttpOnly |
bb_refresh_token |
Refreshes your login session without asking you to sign in again | 30 days | Secure, HttpOnly |
bb_oauth_state |
Secures the sign-in flow against cross-site attacks | 10 minutes | Secure, HttpOnly |
Because these cookies are strictly necessary to provide a service you have explicitly requested (signing in), they are exempt from the requirement to obtain consent under the ePrivacy Directive.
6.2 Local Storage
We store a single item (b&b:human) in your browser's local storage to remember a human-verification check. No personal data is stored.
6.3 Third-Party Cookies
The Toast Tables booking widget and the embedded Google Map may set their own cookies when loaded. These are governed by the privacy policies of Toast and Google, respectively.
7. Your Rights Under the GDPR
You have the following rights over your personal data:
- Access — request a copy of the data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — ask us to delete your data where there is no compelling reason for us to continue processing it.
- Restriction — ask us to pause processing while we address a concern.
- Data portability — request your data in a structured, machine-readable format.
- Object — object to processing based on our legitimate interests.
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email us at dave@boardandbrewed.ie. We will respond within 30 days. We may ask you to verify your identity before acting on a request.
If you are not satisfied with our response, you have the right to lodge a complaint with the Irish Data Protection Commission:
Data Protection Commission
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
dataprotection.ie
8. Security
We take appropriate technical and organisational measures to protect your personal data, including:
- All authentication cookies are encrypted, HTTP-only, and transmitted over HTTPS only.
- Our Site is hosted on Cloudflare with built-in DDoS protection, rate limiting, and TLS encryption.
- The OAuth sign-in flow uses PKCE (Proof Key for Code Exchange), state tokens, and nonce validation to prevent interception and replay attacks.
- We never store payment card details — all payments are processed directly by Shopify.
No system is entirely secure. If you believe your data has been compromised, please contact us immediately at dave@boardandbrewed.ie.
9. Children's Privacy
Our Site is not directed at children under 16 years of age, and we do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child under 16, please contact us and we will delete it promptly.
10. Links to Other Websites
Our Site may contain links to third-party websites (such as Shopify checkout pages, Toast Tables, PSA, and social media platforms). We are not responsible for the privacy practices of those sites and encourage you to read their own privacy policies.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Effective Date" at the top of this page. We encourage you to review this policy periodically. Continued use of the Site after changes are published constitutes acceptance of the updated policy.
12. Contact Us
Board & Brewed
75 York Road, Dún Laoghaire, Dublin, A96 FR99, Ireland
Email: dave@boardandbrewed.ie