Privacy Policy
Last updated: February 2026
This Privacy Policy explains how OnlyWins UK ("we", "our", "us") collects, uses and protects your personal data when you use our website at www.onlywins.uk ("Platform").
We are committed to protecting your privacy and handling your data in an open and transparent manner. By using the Platform, you agree to the practices described in this policy.
1. Data Controller
The data controller responsible for your personal data is OnlyWins UK.
Contact: info@onlywins.uk
2. Data We Collect
We collect the following types of data:
Information you provide
- Name, email address and other details provided when creating an account (via Clerk authentication)
- Payment information processed securely through Square (we do not store your card details)
- Competition entry details and transaction history
- Any information you provide when contacting us
Information collected automatically
- Usage data such as pages visited, time spent on pages, and interactions with the Platform
- Device information including browser type, operating system and screen size
- IP address and approximate geographic location (city/region level)
- Referral source (how you arrived at the Platform)
3. How We Use Your Data
We use the data we collect for the following purposes:
- To create and manage your account
- To process competition entries and payments
- To contact Prize Winners and arrange delivery of prizes
- To improve the Platform and user experience through analytics
- To comply with legal obligations
- To prevent fraud and ensure the security of the Platform
- To send you updates about competitions you have entered (with your consent)
4. Analytics & Tracking
We use PostHog for analytics to understand how visitors use the Platform. PostHog collects anonymous usage data including page views, device type, approximate location (based on IP address) and session information.
PostHog processes data on EU servers. For logged-in users, we associate analytics data with your account to provide a better experience. For anonymous visitors, data is collected without personally identifying you.
We do not use Google Analytics, Hotjar, or any other third-party analytics or heat-mapping tools.
Cookies & Trackers
The Platform uses essential cookies required for its operation (authentication, session management). PostHog may also set cookies to distinguish unique visitors and track sessions. You can control cookies through your browser settings.
5. Third-Party Services
We share your data with the following trusted third-party services, solely for the purposes described:
- Clerk — Authentication and account management. Clerk processes your email address and login credentials. See the Clerk Privacy Policy.
- Square — Payment processing. Square handles your payment details securely. We never see or store your full card number. See the Square Privacy Policy.
- Supabase — Database hosting. Your account and competition data is stored securely on Supabase infrastructure. See the Supabase Privacy Policy.
- PostHog — Analytics. Anonymous usage data is processed to help us improve the Platform. See the PostHog Privacy Policy.
- Vercel — Website hosting. The Platform is hosted on Vercel's infrastructure. See the Vercel Privacy Policy.
We do not sell your personal data to any third party.
6. Legal Basis for Processing
We process your personal data on the following legal bases:
- Contract — Processing necessary to perform our agreement with you (e.g. managing your account, processing entries and payments).
- Consent — Where you have given consent for specific processing (e.g. marketing communications). You may withdraw consent at any time.
- Legitimate interests — Processing necessary for our legitimate interests (e.g. analytics to improve the Platform, fraud prevention), provided these do not override your rights.
- Legal obligation — Processing necessary to comply with legal requirements.
7. Data Retention
We retain your personal data for as long as necessary to fulfil the purposes for which it was collected:
- Account data is retained for as long as your account is active and for a reasonable period after closure.
- Transaction and competition entry records are retained for at least 6 years to comply with financial and legal obligations.
- Analytics data is retained in anonymised form and may be kept indefinitely.
8. Data Transfers
Your data may be processed outside the United Kingdom by our third-party service providers. Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), to protect your data.
9. Your Rights (GDPR)
Under the UK General Data Protection Regulation (UK GDPR), you have the following rights:
- Access — Request a copy of the personal data we hold about you.
- Rectification — Request correction of inaccurate or incomplete data.
- Erasure — Request deletion of your personal data ("right to be forgotten").
- Restriction — Request that we limit how we use your data.
- Portability — Request your data in a structured, machine-readable format.
- Objection — Object to processing based on legitimate interests or for direct marketing.
- Withdraw consent — Where processing is based on consent, withdraw it at any time.
To exercise any of these rights, contact us at info@onlywins.uk. We will respond within one month.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
10. Security
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure or destruction. This includes encryption of data in transit (HTTPS), secure authentication via Clerk, and PCI-compliant payment processing via Square.
11. Children
The Platform is not intended for anyone under the age of 18. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected data from a minor, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. The most current version will always be available on the Platform. We encourage you to review this page periodically. Continued use of the Platform after changes constitutes acceptance of the updated policy.
Data Controller: OnlyWins UK · Email: info@onlywins.uk · Platform: www.onlywins.uk