Privacy policy

Who we are

Win A Bundle Ltd is the controller responsible for your personal data (“we”, “us”, “our”). We are registered in England and Wales under company number 15636787, with registered office at Office 417, 37 St. Andrews Street, Norwich, England, NR2 4TP. We are registered with the Information Commissioner’s Office under registration reference ZB757549. We have appointed a data privacy manager responsible for this policy.

If you have any questions, or wish to exercise your legal rights, contact our data privacy manager by email at info@winabundle.co.uk or by post at Win A Bundle, Office 417, 37 St. Andrews Street, Norwich, England, NR2 4TP. You also have the right to complain to the Information Commissioner’s Office (ICO) at www.ico.org.uk, though we would appreciate the chance to address your concerns first. This website is not intended for children and we do not knowingly collect data relating to children.

The data we collect about you

Personal data means any information from which a person can be identified. We may collect, use, store and transfer the following kinds of personal data:

• Identity Data - first name, last name, username or similar identifier, title and date of birth.
• Contact Data - billing address, delivery address, email address and telephone numbers.
• Financial Data - bank account and payment card details (card details are handled by our payment provider; we do not store them).
• Transaction Data - details about payments to and from you and other details of products and services you have purchased.
• Technical Data - IP address, login data, browser type and version, time zone and location, operating system and platform.
• Profile Data - your username and password, purchases or orders, interests, preferences, feedback and survey responses.
• Usage Data - information about how you use our website, products and services.
• Marketing and Communications Data - your marketing and communication preferences.

We also collect Aggregated Data (statistical or demographic data) which is not personal data in law. We do not collect any Special Categories of Personal Data (such as race, religion, health, sexual orientation or biometric data), nor information about criminal convictions. Where you fail to provide personal data we need by law or under a contract, we may be unable to perform that contract (for example, to enter you into a competition).

How your personal data is collected

We collect data through: direct interactions (when you create an account, request marketing, enter a competition or survey, or contact us); automated technologies (cookies, server logs and similar technologies that collect Technical Data as you interact with our site); and third parties or publicly available sources (analytics and advertising providers, payment and delivery providers, and publicly available sources such as Companies House).

How we use your personal data

We will only use your personal data when the law allows us to, most commonly: where we need to perform a contract with you (for example, when you purchase entries or enter a competition); where it is necessary for our legitimate interests (and your interests do not override those); and where we need to comply with a legal obligation. We use your data to register you as a customer, process and deliver your orders, manage our relationship with you, run our competitions and prize draws, administer and protect our business and website, deliver relevant content, and (where permitted) make suggestions and recommendations.

We rely on your consent for email and SMS marketing - you opt in when you register or check out, and you can withdraw that consent at any time from your account settings or via the unsubscribe link in any message. For most other processing we rely on performing our contract with you, our legitimate interests, or a legal obligation rather than consent.

Marketing

You will receive marketing from us only where you have opted in (for example when you registered, purchased, or entered a competition). You can opt out at any time using the unsubscribe link in any message, from your account settings, or by contacting us; opting out will not affect personal data provided as a result of a purchase or other transaction. We will get your express opt-in consent before sharing your personal data with any third party for their own marketing.

Cookies

You can set your browser to refuse all or some cookies, or to alert you when sites set cookies. If you disable or refuse cookies, some parts of this website may become inaccessible or not function properly. Non-essential cookies are only set with your consent. For more information, see our cookie policy.

Disclosures of your personal data

We may share your personal data with external third parties acting as processors (such as IT and system administration providers and professional advisers), with HM Revenue & Customs, regulators and other authorities (such as the Advertising Standards Authority) where required, and with third parties to whom we may sell, transfer or merge parts of our business. We require all third parties to respect the security of your personal data, to treat it in accordance with the law, and to process it only for specified purposes and on our instructions.

To run and measure our service we also use specific providers: payments are processed by Trust Payments and PayPal; we use email and SMS delivery providers to send service messages and, where you have opted in, marketing; and to measure and improve our advertising we share limited data with advertising and analytics partners - currently Meta (Facebook and Instagram), TikTok and Google (Google Analytics 4). Where data is shared for ad measurement, identifiers such as your email, phone or name are cryptographically hashed before they are sent, and we only use these non-essential analytics and advertising tools where you have accepted them (see our cookie policy).

International transfers

Some of our providers are based outside the UK - including in the United States (for example Meta, TikTok and Google) - so their processing may involve transferring your data outside the UK. Whenever we do this, we ensure a similar degree of protection by relying on a UK adequacy decision where one exists, or otherwise on appropriate safeguards such as the UK International Data Transfer Agreement (or the UK Addendum to the EU Standard Contractual Clauses).

Data security and retention

We have put in place appropriate security measures to prevent your personal data being accidentally lost, used or accessed in an unauthorised way, altered or disclosed, and we limit access to those who have a business need. We have procedures to deal with any suspected breach and will notify you and any applicable regulator where legally required.

We retain your personal data only for as long as reasonably necessary to fulfil the purposes we collected it for, including to satisfy any legal, regulatory, tax, accounting or reporting requirements. Some financial and draw-integrity records are retained for as long as the law requires, stripped of personal identifiers. In some circumstances you can ask us to delete your data, and in some circumstances we will anonymise it for research or statistical purposes.

Your legal rights

Under data protection laws you have the right to: request access to your personal data; request correction of inaccurate data; request erasure; object to processing based on our legitimate interests, and to direct marketing; request restriction of processing; request transfer of your data; and withdraw consent at any time where we rely on it. You can access, export, correct or manage much of your data directly from your account settings. You will not usually have to pay a fee, and we try to respond to all legitimate requests within one month. To exercise any of these rights, please contact us at info@winabundle.co.uk.