Privacy Policy

Account data: When you register, we collect your name, email address, date of birth (for age verification), and optionally your city.

Entry data: When you enter a competition, we store your skill question answer, ticket numbers, and entry timestamp.

Payment data: Payment is processed by Stripe. We do not store your card details. We receive a transaction record including the amount, currency, and Stripe session ID.

Usage data: We may collect standard server logs including IP address, browser type, and pages visited. This helps us maintain security and improve our service.

Communications: If you contact us, we retain records of that correspondence.

We use your personal data to:

• Process your competition entries and manage your account
• Send you order confirmations and draw notifications
• Notify you if you win a prize and arrange delivery
• Prevent fraud and enforce our Terms & Conditions
• Comply with our legal obligations
• Send you marketing emails (only with your consent, which you can withdraw at any time)

We rely on the following legal bases under UK GDPR:

• Contract performance — processing your entry, managing your account, and delivering prizes
• Legal obligation — age verification, fraud prevention, and tax records
• Legitimate interests — fraud detection, security monitoring, and improving our service
• Consent — marketing communications (you can withdraw consent at any time)

We retain your account data for as long as your account is active. If you close your account, we delete personal data within 90 days, except where we are required to retain it for legal reasons (e.g., financial records, which are kept for 7 years under UK tax law).

Draw audit data (seed, hash, winner ID) is retained indefinitely as it forms part of the verifiable public record of our competitions.

We share your personal data only where necessary:

• Stripe — payment processing. Their privacy policy applies to payment data.
• Supabase — our database and authentication provider, hosted in the EU.
• Courier/logistics providers — when shipping prizes, we share your name and delivery address.
• Law enforcement — if required by law or court order.

We never sell your personal data to third parties.

Under UK GDPR, you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — ask us to correct inaccurate data
• Erasure — ask us to delete your data (subject to legal retention requirements)
• Restriction — ask us to restrict processing in certain circumstances
• Portability — receive your data in a structured, machine-readable format
• Objection — object to processing based on legitimate interests or direct marketing
• Withdraw consent — for any processing based on consent, at any time

To exercise any of these rights, contact us. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

We use essential cookies to maintain your session and authentication state. These are strictly necessary and cannot be disabled. We do not use tracking cookies or third-party advertising cookies.

We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), access controls, and regular security reviews. No system is completely secure, but we take our obligations seriously.

We may update this privacy policy from time to time. We will notify you of significant changes by email. The date at the top of this page shows when the policy was last updated.