Legal
This statement explains what data CaribooValley collects, how we handle it, and the rights you hold as a visitor to this free social entertainment platform. Last updated: May 2026.
CaribooValley does not operate a registration system. You do not create an account, enter an email address, supply a name, or provide payment information at any point. Because of that structural choice, the categories of data we handle are narrow.
When you visit this platform, your browser automatically transmits certain technical signals to our web server: your approximate IP address (used only for server-side rate limiting and geographic blocking where legally required), browser type and version, operating system, referring URL, and the pages you visit within this session. These signals are logged in standard server access logs. We do not enrich, sell, or combine these logs with any third-party data source.
If you contact us by email at [email protected], we receive and retain your email address and message content solely to respond to your enquiry. These records are held for no longer than 24 months and are not shared with third parties except as required by Canadian law.
We are explicit about what we do not collect because we believe that is as important as what we do. We do not collect: full name, date of birth, postal address, telephone number, payment card data, social insurance number, government-issued identification, biometric identifiers, device identifiers beyond what the browser exposes via standard HTTP headers, or any data from children. We do not run account-level session tracking, loyalty profiling, or behavioural advertising segments.
The age-verification gate uses sessionStorage — a browser-side mechanism that does not transmit any data to our servers and is cleared when you close the tab. It is not a cookie, not a tracking pixel, and not a server-side session record. The same applies to the cookie-consent preference stored in localStorage.
We use Google Analytics (GA4) to understand aggregate visitor behaviour — pages visited, session duration, broad geographic regions. Google Analytics is configured under our Google Consent Mode (GCM) implementation, which defaults all consent signals to denied until you explicitly accept analytics cookies via the cookie banner. If you decline analytics cookies, GA4 does not receive your data.
Google LLC processes analytics data on our behalf under a Data Processing Agreement (DPA) governed by the EU Standard Contractual Clauses (SCCs) for international transfers. Google's own privacy policy is available at policies.google.com/privacy. We do not use any other analytics, advertising, or marketing technology on this platform. We do not run retargeting pixels, conversion tracking, or social-network tracking scripts.
Our web hosting provider receives standard server access logs as a technical necessity of serving web pages. We have selected a hosting provider that contractually commits to not selling or sharing log data with third parties for commercial purposes.
We use a small number of browser storage mechanisms. Essential storage: sessionStorage['wx_age_ok'] records that you have confirmed you are 18 or older within the current browser tab — this prevents the age gate from appearing on every page load during a single session and is automatically cleared when the tab closes. localStorage['wx_ck_ok'] records your cookie consent preference — this persists across sessions so we do not ask for consent again on every visit.
Analytics cookies (consent-gated): if you accept analytics cookies, Google Analytics sets two first-party cookies — _ga (expires 2 years) and _ga_[ID] (expires 2 years) — to distinguish unique visitors and sessions. These are only set after you explicitly accept. If you choose "Essential Only", these cookies are not set and GA4 does not receive your data. Full details are in our Cookie Policy.
Server access logs are used to maintain platform security, diagnose errors, and detect abuse patterns (e.g. automated scanning). They are not analysed for individual user profiling and are rotated on a 30-day cycle.
Analytics data (when consented) is used in aggregate to understand which features of the platform are most used, which pages have the highest exit rates, and whether our responsible-play guidance is being found by visitors. No individual-level analysis is performed. We do not build any profile of any individual visitor.
Contact email data is used exclusively to respond to your message. We do not add contact email addresses to any mailing list, marketing database, or CRM system. If you ask us to delete your email from our records, we will do so within 14 days.
Server access logs: 30-day rolling cycle. Contact email records: up to 24 months from last correspondence, or upon request for deletion — whichever is earlier. Google Analytics aggregate data: up to 14 months in Google's systems (per our GA4 retention setting). Browser-side sessionStorage: cleared automatically when the browser tab is closed. Browser-side localStorage: persists until cleared by the user or by us (we currently have no mechanism to remotely clear it — you can clear it via your browser settings at any time).
Canadian visitors are covered by the Personal Information Protection and Electronic Documents Act (PIPEDA) at the federal level, and by British Columbia's Personal Information Protection Act (PIPA) as a provincial overlay. Visitors from Quebec are additionally covered by Loi 25 (Act to Modernize Legislative Provisions respecting the Protection of Personal Information). Visitors from the European Economic Area or the United Kingdom are covered by the GDPR or UK GDPR respectively.
Under these frameworks, you have the right to: know what personal information we hold about you; access a copy of that information; correct inaccurate information; request deletion of your information; withdraw consent to data processing at any time (this does not affect the lawfulness of processing before withdrawal); and lodge a complaint with the applicable supervisory authority (the Office of the Privacy Commissioner of Canada, the BC Information and Privacy Commissioner, or the Commission d'accès à l'information du Québec, as applicable).
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. Because we collect minimal personal data and require no registration, most access requests will result in a confirmation that we hold only server log fragments tied to your IP address, if anything at all.
We apply industry-standard technical measures to protect the data we do hold. Our platform is served exclusively over HTTPS with TLS 1.2 or higher. Server access logs are stored in an environment not accessible via the public internet. Contact email records are held in an access-controlled system. We apply the principle of data minimisation: we collect only what we need and retain it only as long as we need it.
We conduct periodic internal reviews of our data handling practices. In the event of a data breach affecting personal information, we will notify affected individuals and the Office of the Privacy Commissioner of Canada as required by PIPEDA's breach-reporting regulations, within 72 hours of becoming aware of the breach.
Google Analytics data is processed by Google LLC, which is headquartered in the United States. Transfer of analytics data from Canada to the United States is covered by Google's standard contractual commitments under the DPA referenced in Section 3. No other international transfers of personal data occur.
If you are a Quebec resident, please note that under Loi 25, transfers of personal information outside Quebec require a Privacy Impact Assessment (PIA). We have conducted a PIA for our GA4 implementation and determined that, given the consent-gated nature of the integration and the aggregate-only use of data, the transfer meets the required protection standard. A summary of that assessment is available upon written request.
We may update this Privacy Statement when we change our data practices or when legislation requires us to do so. We will post the updated version on this page with a revised "Last updated" date in the sub-hero section above. If we make a material change — one that significantly expands the categories of data we collect or the purposes for which we use it — we will display a notice on the platform for a period of 30 days after the change takes effect.
Continued use of CaribooValley after a policy update constitutes acceptance of the revised terms. If you disagree with the updated policy, please discontinue use of the platform and contact us if you wish to exercise any data-subject rights before leaving.
All privacy enquiries, data-subject access requests, and complaints should be directed to our team at the contact information below. We are committed to responding within 30 calendar days.
Email: [email protected]
Phone: +1 (604) 555-0182
Postal address: 980 Howe Street, Vancouver, BC V6Z 1N9, Canada
CaribooValley is a free social entertainment platform. It is not a gambling operator, a financial services provider, or a regulated gaming platform. We do not hold a gaming licence because we do not require one — no real money is exchanged at any point. Virtual tokens used within the platform have no monetary value and cannot be withdrawn, sold, or transferred.
This clarification is relevant to privacy because some visitors assume that a platform featuring variable-column mechanics must be collecting financial data. It does not. We have never held payment card information, bank account details, or any other financial identifiers. The platform is architecturally incapable of processing real-money transactions.