Privacy Policy
Effective 1 February 2026·Last updated 1 June 2026
The Prize Market – Privacy Policy
1. Introduction
Welcome to The Prize Market. We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, and look after your personal data when you visit our website (https://theprizemarket.co.uk), register an account, and participate in our promotions. It also outlines your privacy rights and how the law protects you.
The Prize Market is a trading name of The Prize Market Group Limited (Company No. 16399750), registered at 167-169 Great Portland Street, 5th Floor, London, England, W1W 5PF. For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we are the "Data Controller" of your personal data.
2. The Data We Collect About You
Personal data means any information about an individual from which that person can be identified. We may collect, use, store, and transfer different kinds of personal data about you, grouped as follows:
- Identity Data: First name, last name, date of birth, username, and identity verification data (which may include photographic ID and proof of address, reviewed by our team or by our trusted KYC verification partners).
- Contact Data: Email address, billing address, telephone number, and delivery address.
- Financial Data: Payment card tokens and partial payment details, and bank-account details where you have requested a cash-withdrawal payout. (Note: we do not store full credit/debit card numbers. All payment-card transactions are processed securely by our designated third-party payment processor.)
- Wallet & Transaction Data: Wallet balances (cash, top-up, and bonus), entry purchases, free-postal entries submitted, referral bonuses, achievement-badge awards, VIP-tier evaluations, and prizes won.
- Draw Audit Data: Anonymised entry numbers tied to each draw, draw references, and the Random.org cryptographic signatures associated with each completed draw (for public verification on our Winners page).
- Technical & Usage Data: Internet protocol (IP) address, browser type, location, operating system, device identifiers, and information about how you interact with our Website (pages viewed, time on site, referral source).
- Marketing and Communications Data: Your preferences in receiving marketing from us, your email-notification preferences, and your responses to broadcast communications we have sent.
3. How We Collect Your Data
We use different methods to collect data from and about you, including:
- Direct Interactions: You provide us with your Identity, Contact, and Financial Data by creating an account, topping up your wallet, entering a promotion (online or via post), completing KYC verification, claiming a prize, requesting a withdrawal, or contacting customer support.
- Automated Technologies: As you interact with our Website, we automatically collect Technical and Usage Data using cookies, server logs, and similar technologies. For details, see our Cookie Policy.
- Third Parties: We may receive data about you from third parties, such as payment status and fraud-prevention data from our payment processor, verification status from our KYC software partners, error reports from our crash-monitoring provider, and email-deliverability data from our transactional-email provider.
4. How We Use Your Data & Our Lawful Basis
Under UK GDPR, we must have a valid legal basis to process your personal data. We will only use your data under the following circumstances:
| Purpose | Data Categories | Lawful Basis |
|---|---|---|
| Register you as a new user | Identity, Contact | Performance of a contract |
| Process entries, postal entries, and wallet top-ups | Identity, Contact, Financial, Wallet & Transaction | Performance of a contract |
| Conduct KYC identity & age verification before prize fulfilment or cash withdrawal | Identity, Contact | Legal obligation (preventing underage use, fraud, and AML compliance) |
| Notify winners, deliver prizes, and pay cash withdrawals | Identity, Contact, Financial | Performance of a contract |
| Comply with ASA regulations regarding winner verification | Identity, Contact, Draw Audit | Legal obligation and Legitimate interests |
| Publish anonymised winner data + Random.org verification links on our Winners page | Draw Audit | Legitimate interests (proving fairness of draws) |
| Send you transactional emails (verification, password reset, winner notifications, withdrawal updates) | Identity, Contact, Wallet & Transaction | Performance of a contract |
| Send you marketing emails and promotional offers | Identity, Contact, Marketing | Consent (you can unsubscribe at any time) |
| Operate the achievement-badge and VIP-tier programmes | Wallet & Transaction | Performance of a contract |
| Detect, prevent, and investigate fraud, abuse, or breaches of our Terms | All data categories | Legitimate interests (protecting the platform and lawful users) |
5. Disclosures of Your Personal Data
We do not sell your personal data. We may share your data with trusted third parties strictly for the purposes set out above:
- Payment Processors (e.g. Trust Payments) — to process your wallet top-ups and cash withdrawals and to prevent fraudulent chargebacks securely.
- Transactional Email Provider (currently Resend) — to deliver verification, password-reset, winner-notification, and withdrawal-status emails to you. Resend acts as our processor; emails are sent from
mail.theprizemarket.co.uk. - Randomness Verification Provider (currently Random.org) — to generate cryptographically-signed random numbers used to determine winners. Random.org receives only anonymised draw references and entry counts (it does not receive any personal data).
- Verification Partners — third-party software providers who securely process ID documents to verify your age and identity for prize fulfilment and large withdrawals.
- Delivery Partners — couriers, delivery networks, and prize-fulfilment suppliers. They are only provided with the information strictly necessary to deliver the prize (Name, Delivery Address, Phone Number / Email for tracking).
- IT and System Providers — cloud hosting, database management, error-monitoring (e.g. Sentry, if/when enabled), and email-marketing platforms.
- Regulatory Authorities — the Advertising Standards Authority (ASA), HM Revenue & Customs, the Police, the Information Commissioner's Office (ICO), or other authorities if legally required for fraud investigations, tax, or to prove the fairness of our competitions.
All third-party processors are bound by data-processing agreements that require them to handle your data in accordance with UK GDPR.
6. Data Security
We have put in place appropriate, industry-standard security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way. These include:
- Encrypted connections (HTTPS / TLS) for all data in transit between you and the Website;
- Hashed-and-salted passwords (bcrypt) — we never store your password in plaintext and never have access to it;
- JWT-based session tokens with rotation and revocation on logout, suspicious activity, or password change;
- Role-based access control — only authorised admin accounts can access user records, and every administrative action is recorded in our immutable audit log;
- Rate limiting on sign-in, registration, and sensitive endpoints to slow brute-force attempts;
- Secure handling of identity documents — KYC uploads are transmitted over encrypted channels and stored separately from user-account data.
Access to your personal data is strictly limited to those employees, agents, and contractors who have a business need to know.
7. Data Retention
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including satisfying any legal, regulatory, tax, accounting, or reporting requirements.
- Account & Transaction Data: By law, we must keep basic information about our customers for six years after they cease being customers, for tax and legal-dispute purposes.
- KYC Verification Documents: Photographic ID and proof of address documents are retained only for as long as necessary to confirm identity, satisfy fraud-prevention checks, and complete internal prize audits. Once this period concludes, the documents are securely and permanently deleted from our active servers.
- Draw Audit Data (anonymised): Draw references, snapshot hashes, and Random.org signatures are retained indefinitely so that anyone may independently verify historical draws on our Winners page.
- Marketing Consent History: Records of your marketing-consent decisions are retained for as long as the consent is active, plus three years following withdrawal, to evidence compliance.
8. Winner Information (ASA Compliance)
To comply with the Advertising Standards Authority (ASA) CAP Code, we are required to demonstrate that a valid award took place. To protect your privacy, we do not publicly publish full winner details. Instead, we publish on our public Winners page:
- The competition name and prize value;
- The winner's first name and last initial (e.g. "Sam W.");
- The draw reference number; and
- Where available, a Random.org verification link that anyone can use to independently verify the draw on Random.org's servers.
We will make the surname and county of major prize winners available upon request to anyone who contacts us within 30 days of a draw closing. You have the right to object to your information being made available in this way; however, we must still provide your full details to the ASA if challenged by them to prove the draw was conducted fairly.
9. Your Legal Rights
Under UK data protection laws, you have the right to:
- Request Access: Get a copy of the personal data we hold about you.
- Request Rectification: Correct incomplete or inaccurate data.
- Request Erasure: Ask us to delete your data (subject to our legal retention requirements under Section 7).
- Object to Processing: Object to direct marketing or processing based on legitimate interests.
- Request Restriction: Ask us to suspend the processing of your data while a complaint or correction is investigated.
- Withdraw Consent: Where we are processing your data on the basis of consent (e.g. marketing emails), you may withdraw that consent at any time without affecting the lawfulness of processing already carried out.
- Data Portability: Request a copy of the data you provided to us in a structured, commonly-used machine-readable format.
To exercise any of these rights, please contact us using the details in Section 10. We will respond within one month of receiving a valid request.
10. Contact Us & Complaints
If you have any questions about this Privacy Policy, wish to exercise your legal rights, or wish to manage your data preferences, please contact us at:
- Privacy / data-subject requests: privacy@theprizemarket.co.uk
- General enquiries: hello@theprizemarket.co.uk
- Customer support: support@theprizemarket.co.uk
- Registered Office: The Prize Market Group Limited, 167-169 Great Portland Street, 5th Floor, London, England, W1W 5PF.
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.