Privacy Policy
Last updated: 17 April 2026
1. Data controller
The data controller for your personal data is Stephen Taylor, trading as Prizelee (company registration in progress).
Contact: help@prizelee.com
We are based in the United Kingdom and operate under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. What we collect and why
We collect different categories of data depending on how you use the service:
Account data
- Name, email address, date of birth — to create and manage your account and verify you meet the age requirement (18+)
- Password and authentication tokens — managed by Clerk, our authentication provider; we do not store passwords directly
Competition and entry data
- Competition entries, entry timestamps, and entry source (free login, ad view, survey, invite) — to operate draws and audit fairness
- Win records and draw results — to administer prizes and maintain a verifiable record
Payment data
- PayPal email address — to send prize payments. We do not collect bank account details, card numbers, or other financial information.
- Payout amounts and transaction references — for accounting and HMRC compliance
Invite data
- Invite codes, invite relationships (who invited whom), and invite status — to credit referral entries and prevent abuse
Survey profile data (optional)
- Gender, date of birth, postcode, and country — shared with survey partners (CPX Research, AdGem) only if you choose to participate in surveys
- You can update or remove this data from Prizelee at any time via your My Details page. However, data already transmitted to survey partners is subject to their own privacy policies and retention practices — Prizelee cannot delete data held by third-party survey providers.
Technical and usage data
- IP address, browser type, device type, operating system — collected automatically for security, fraud prevention, and analytics
- Pages visited, actions taken, timestamps — to understand how the service is used and improve it
- Error and crash data — collected by Sentry to diagnose and fix technical problems
We do not collect special category data (e.g. health, ethnicity, political opinions, biometric data).
3. Legal basis for processing
Under UK GDPR Article 6, we process your data on the following bases:
| Processing activity | Legal basis |
|---|---|
| Account creation and management | Contract (performance of our Terms of Service) |
| Competition entry and prize administration | Contract |
| Prize payments and financial records | Contract and legal obligation (HMRC record-keeping) |
| Fraud prevention and security | Legitimate interest |
| Analytics (Google Analytics) | Legitimate interest |
| Error monitoring (Sentry) | Legitimate interest |
| Sharing profile data with survey partners | Consent (you choose to participate) |
| Advertising (video ads via third-party ad networks) | Consent (via Cookiebot cookie banner) |
| Necessary cookies (authentication, security) | Legitimate interest |
Where we rely on legitimate interest, we do so only for processing that is necessary to operate the service and where we believe the impact on your privacy is minimal. You may object to processing based on legitimate interest at any time — see the Your Rights section below.
4. Third-party processors
We share your data with the following third-party service providers, each acting as a data processor on our behalf. We do not sell your personal data to any third party.
| Provider | Purpose | Data shared |
|---|---|---|
| Clerk | Authentication and user accounts | Email, name, date of birth, authentication tokens |
| Supabase | Database hosting (EU region, eu-west-3) | All application data stored in database |
| Vercel | Website hosting and edge network | IP address, request data, server logs |
| Resend | Transactional email delivery | Email address, email content |
| PayPal | Prize payments | PayPal email address, payment amount |
| Google Analytics | Website analytics | IP address (anonymised), pages visited, device info, usage patterns |
| Cookiebot | Cookie consent management | Cookie consent preferences, anonymised IP |
| Cloudflare | CDN, WAF, DDoS protection, Turnstile bot verification | IP address, request headers, security challenge data |
| CPX Research | Survey provider (user-initiated) | User ID, date of birth, gender, postcode, country |
| AdGem | Offer wall and survey provider (user-initiated) | User ID, IP address |
| Sentry | Error monitoring and crash reporting | IP address, browser info, error stack traces, user ID (anonymised) |
Each provider is contractually bound to process your data only for the purposes described above and in accordance with applicable data protection law.
5. Cookies and tracking
We use cookies and similar technologies on our website. When you first visit, our cookie consent banner (powered by Cookiebot) lets you choose which categories to accept.
Necessary cookies
Required for the site to function. These include authentication session cookies (Clerk), security cookies (Cloudflare Turnstile), and cookie consent preferences (Cookiebot). These cannot be disabled.
Analytics cookies
Google Analytics cookies help us understand how visitors use the site. Data is anonymised at the IP level. You can opt out via the cookie banner or by installing the Google Analytics Opt-out Browser Add-on.
Advertising cookies
When you choose to watch video ads for extra entries, advertising cookies may be set by our ad partners to serve relevant ads and measure ad performance. These are only active when you interact with ad content and can be managed via the cookie banner.
Survey cookies
CPX Research and AdGem may set cookies when you choose to complete surveys or interact with the offer wall. These are only active during survey participation.
You can change your cookie preferences at any time by clicking the cookie settings link in our website footer.
6. International data transfers
Some of our third-party processors are based in the United States, including Clerk, Vercel, Resend, PayPal, Google, Cloudflare, CPX Research, AdGem, and Sentry. When your data is transferred outside the UK, we ensure appropriate safeguards are in place.
Our US-based processors operate under one or more of the following transfer mechanisms:
- Standard Contractual Clauses (SCCs) — approved by the European Commission and recognised by the ICO
- UK International Data Transfer Agreement (IDTA) — the UK-specific addendum to SCCs
- EU-US Data Privacy Framework — where the processor is certified under the framework
Our database is hosted by Supabase in the EU (region eu-west-3, Paris), which is covered by a UK adequacy decision.
7. Data retention
We retain your data only as long as necessary for the purposes described in this policy. Specific retention periods are:
| Data category | Retention period |
|---|---|
| Account data (name, email, date of birth) | Duration of your account + 30 days after deletion |
| Competition and entry records | 2 years from the competition end date |
| Payout and financial records | 6 years (HMRC record-keeping requirement) |
| Survey profile data | 1 year, or until you remove it, whichever is sooner |
| Error and crash logs (Sentry) | 90 days |
| Analytics data (Google Analytics) | 26 months (Google Analytics default) |
| Cookie consent records | 12 months (then re-consent is requested) |
When data reaches the end of its retention period, it is securely deleted or anonymised so that it can no longer identify you.
8. Data security
We take reasonable and proportionate measures to protect your data:
- Encryption in transit — all data sent between your browser and our servers is encrypted using TLS (HTTPS)
- Authentication security — user authentication is handled by Clerk, which provides secure password hashing, session management, and optional multi-factor authentication
- Database encryption — Supabase encrypts data at rest using AES-256
- Network protection — Cloudflare provides WAF (Web Application Firewall), DDoS protection, and bot detection via Turnstile
- Access controls — administrative access to systems is restricted and protected by strong authentication
No system is perfectly secure. If you become aware of any security issue affecting Prizelee, please report it to help@prizelee.com immediately.
9. Your rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access — you can request a copy of the personal data we hold about you
- Right to rectification — you can ask us to correct inaccurate or incomplete data
- Right to erasure — you can ask us to delete your data where there is no compelling reason to continue processing it
- Right to restrict processing — you can ask us to temporarily stop processing your data in certain circumstances
- Right to data portability — you can request your data in a structured, commonly used, machine-readable format
- Right to object — you can object to processing based on legitimate interest, and we must stop unless we can demonstrate compelling grounds
- Rights related to automated decision-making — we do not use automated decision-making or profiling that produces legal or similarly significant effects on you. Competition winners are selected at random, which is not profiling.
- Right to withdraw consent — where processing is based on your consent (e.g. survey data sharing, advertising cookies), you can withdraw consent at any time without affecting the lawfulness of processing before withdrawal
To exercise any of these rights, email us at help@prizelee.com. We will respond within one month. In complex cases, we may extend this by a further two months, but we will let you know within the first month if that is needed.
If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO):
- Website: ico.org.uk/make-a-complaint
- Helpline: 0303 123 1113
10. Children's data
Prizelee is for users aged 18 and over only. We do not knowingly collect personal data from anyone under 18. During account setup, users are asked to confirm their date of birth. Users who are under 18 are not permitted to proceed.
If we discover that we have collected data from a person under 18, we will delete their account and associated data without delay. If you believe a minor has created an account, please contact us at help@prizelee.com.
11. Data breach procedures
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the ICO within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by UK GDPR Article 34
- Document the breach, its effects, and the remedial actions taken
If you believe your data has been compromised, contact us immediately at help@prizelee.com.
12. Changes to this policy
We may update this Privacy Policy from time to time. For minor clarifications, we will update the "Last updated" date at the top of this page. For material changes that affect how we process your data, we will notify you by email and display a notice in the app before the changes take effect.
We encourage you to review this policy periodically. Continued use of the service after changes are posted constitutes your acknowledgement of the updated policy.
13. Contact and complaints
If you have any questions about this Privacy Policy, want to exercise your data rights, or wish to make a complaint about how we handle your data, contact us at:
- Email: help@prizelee.com
- Contact form: prizelee.com/contact
We aim to respond to all enquiries within 5 working days. For formal data rights requests, we will respond within one month as required by UK GDPR.
If you are not satisfied with our response, you can escalate your complaint to the Information Commissioner's Office (ICO).