Privacy Policy
How we collect, use, and protect your personal information.
Last updated: February 2026
1. Introduction
OhMyBaggz Ltd ("OhMyBaggz", "we", "us", or "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our website, mobile application, and related services (collectively, the "Platform").
We are the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This means we are responsible for deciding how and why your personal data is processed.
This policy applies to all users of the Platform, including those who browse without an account, registered members, competition entrants, and VIP subscribers. Please read this policy carefully. By using the Platform, you acknowledge that you have read and understood this Privacy Policy.
This Privacy Policy should be read alongside our Terms & Conditions.
2. Data We Collect
We collect and process the following categories of personal data:
Information you provide directly
- Account information: your name, email address, and any profile details you choose to add.
- Competition entries: your ticket purchases, answers to skill-based questions, and entry history.
- Communication data: messages you send us through customer support, email, or contact forms.
- Delivery information: postal address and telephone number provided when claiming a prize.
Information collected automatically
- Technical data: IP address, browser type and version, operating system, device type, screen resolution, and time zone setting.
- Usage data: pages visited, links clicked, time spent on pages, referring URL, and general browsing patterns on the Platform.
- Cookie data: information collected through cookies and similar tracking technologies (see Section 4 below).
Information from third parties
- Payment provider: Stripe provides us with confirmation of successful transactions, partial card details (last four digits only), and billing address. We never receive or store your full card number.
3. How We Use Your Data
We process your personal data for the following purposes and on the following legal bases under UK GDPR:
Performance of a contract (Article 6(1)(b))
- To create and manage your account.
- To process your competition entries and ticket purchases.
- To manage VIP subscriptions and associated benefits.
- To notify winners and arrange prize delivery.
- To process refunds where applicable.
- To provide customer support and respond to enquiries.
Legitimate interests (Article 6(1)(f))
- To improve and optimise the Platform, its performance, and user experience.
- To detect, prevent, and address fraud, abuse, security issues, and technical problems.
- To analyse usage patterns and trends to improve our services.
- To administer and protect our business and the Platform.
Consent (Article 6(1)(a))
- To send you marketing communications about new competitions, promotions, and special offers. You can withdraw your consent at any time by clicking the unsubscribe link in any marketing email or updating your preferences in your account settings.
- To place non-essential cookies on your device (see Section 4).
Legal obligation (Article 6(1)(c))
- To comply with applicable legal and regulatory requirements, including tax obligations and record-keeping duties.
- To respond to lawful requests from public authorities.
4. Cookies
Cookies are small text files placed on your device when you visit the Platform. We use the following types of cookies:
Strictly necessary cookies
These cookies are essential for the Platform to function correctly. They enable core features such as authentication, session management, and security. These cookies do not require your consent as the Platform cannot operate without them.
Analytics cookies
We may use analytics cookies to understand how visitors interact with the Platform. This data helps us improve the user experience. These cookies collect information in an aggregated, anonymised form. They are only placed with your consent.
Managing cookies
You can control and manage cookies through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, or set preferences for certain websites. Please note that disabling strictly necessary cookies may affect the functionality of the Platform.
5. Payment Processing
All payment transactions on the Platform are processed by Stripe Payments Europe, Ltd. When you make a purchase, your payment information is transmitted directly to Stripe via their secure, PCI DSS Level 1 certified infrastructure.
We do not receive, process, or store your full payment card details. Stripe provides us with limited information necessary to manage your orders, including: the last four digits of your card number, the card type, the billing address, and the transaction outcome.
Stripe processes your payment data in accordance with its own privacy policy, which is available at stripe.com/privacy. By making a purchase on the Platform, you also agree to Stripe's terms of service.
6. Data Sharing
We do not sell your personal data to third parties. We may share your data with the following categories of recipients:
- Service providers: third-party companies that provide services on our behalf, such as payment processing (Stripe), email delivery (Resend), cloud hosting (Amazon Web Services), and courier services for prize delivery. These providers are contractually bound to process your data only as instructed by us and in accordance with applicable data protection law.
- Legal and regulatory bodies: where we are required to do so by law, regulation, or legal process, or where disclosure is necessary to protect our rights, property, or safety, or the rights, property, or safety of others.
- Business transfers: in the event of a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your data.
Where personal data is transferred outside the United Kingdom, we ensure that appropriate safeguards are in place in accordance with UK GDPR, such as Standard Contractual Clauses approved by the Information Commissioner's Office (ICO) or transfers to countries deemed adequate by the UK government.
7. Your Rights Under UK GDPR
Under the UK General Data Protection Regulation and the Data Protection Act 2018, you have the following rights regarding your personal data:
- Right of access: you have the right to request a copy of the personal data we hold about you (a "subject access request").
- Right to rectification: you have the right to request that we correct any inaccurate or incomplete personal data.
- Right to erasure: you have the right to request that we delete your personal data in certain circumstances (the "right to be forgotten").
- Right to restrict processing: you have the right to request that we restrict the processing of your personal data in certain circumstances.
- Right to data portability: you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
- Right to object: you have the right to object to the processing of your personal data where we rely on legitimate interests as the legal basis.
- Rights related to automated decision-making: you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you.
- Right to withdraw consent: where we rely on your consent to process your data, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, please contact us at privacy@ohmybaggz.com. We will respond to your request within one month, as required by law. In certain circumstances, we may extend this period by up to two additional months, but we will inform you if this is the case.
There is no fee for exercising your rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive, or we may refuse to comply with your request in such circumstances.
8. Data Retention
We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements.
- Account data: retained for the duration of your account and for up to 12 months after account closure, unless longer retention is required by law.
- Transaction records: retained for a minimum of 6 years to comply with UK tax and accounting obligations.
- Competition entry data: retained for 12 months after the relevant competition draw for audit and verification purposes.
- Marketing preferences: retained until you withdraw your consent or unsubscribe.
- Technical and usage logs: retained for up to 12 months for security and performance monitoring.
When personal data is no longer required, it is securely deleted or anonymised so that it can no longer be associated with you.
9. Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit using TLS (Transport Layer Security).
- Encryption of sensitive data at rest.
- Secure authentication mechanisms, including token-based access with short-lived credentials.
- Regular security reviews and vulnerability assessments.
- Access controls to limit who within our organisation can access personal data, on a need-to-know basis.
- Use of reputable, certified third-party infrastructure providers (Amazon Web Services, Stripe).
While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to maintaining a high standard of data protection.
10. Children's Privacy
The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children under 18. If we become aware that we have inadvertently collected personal data from a child under 18, we will take steps to delete that information as soon as reasonably practicable.
If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at privacy@ohmybaggz.com so that we can take appropriate action.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or through a prominent notice on the Platform.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data. Your continued use of the Platform after any changes to this policy constitutes your acceptance of the updated terms.
12. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: privacy@ohmybaggz.com
- General enquiries: support@ohmybaggz.com
- Company: OhMyBaggz Ltd
- Registered in: England and Wales
Information Commissioner's Office (ICO)
If you are not satisfied with our response to any data protection concern, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent authority for data protection:
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so please contact us in the first instance.