Privacy Policy
Last updated: 19 January 2026
At WINNERPAY, we are dedicated to safeguarding your privacy and protecting your personal data. We comply with applicable data protection and privacy laws, implement appropriate technical and organizational measures, and follow industry best practices to protect your data from unauthorized access, use, alteration, loss, or disclosure.
Scope of this Privacy Policy
We created this page to help you navigate key aspects of our privacy program and better understand your privacy rights.
What personal data does WINNERPAY collect and process?
"Personal data" means information that relates to an identified or identifiable individual. This includes information you provide to us, information collected automatically when you use our services or website, and information we obtain from third parties (where permitted by law).
Why does WINNERPAY process personal data? What legal bases do we rely on?
We process personal data only where we have a lawful basis to do so under applicable data protection laws, including where processing is necessary to perform a contract, comply with legal obligations, protect legitimate interests (such as preventing fraud and securing our services), or where you have provided consent.
Processing activities, retention, and legal basis
| Purpose of processing | Data subjects & categories of data | Retention period | Legal basis |
|---|---|---|---|
| To enter into an agreement with you and verify your identity/eligibility before entering into the agreement | Customers and their representatives: name and surname, email address, phone number, passport/ID card details | 5 years from the end of the business relationship (or longer if required by law); where processing is based on consent (if applicable), until consent is withdrawn | Legal obligation (e.g., AML/CFT and tax/accounting requirements); steps prior to entering into a contract where applicable |
| To create and administer your account | Prospective customers and their representatives: name and surname, email address, phone number | Until account deletion or contract termination, and then as required by applicable retention laws | Contract / steps prior to entering into a contract (we cannot provide an account without these details) |
| To provide our services and perform customer due diligence (KYC), onboarding and ongoing monitoring | Customers and their representatives: name and surname, email address, phone number, date of birth, document number, issue/expiry date, place of residence; we may also request home address where required | Until account deletion or contract termination, and then for the period required by law (often including AML/KYC retention) | Contract (service provision) and legal obligation (KYC/AML/CFT requirements); in some cases legitimate interests (fraud prevention, service security) |
| To receive and process payments, refunds and chargebacks | Customers and their representatives: payment identifier; payment details such as card number, payment scheme, expiry month/year, CVC/CVV (typically handled directly by payment providers) | For the duration of the transaction and thereafter as required for accounting, dispute handling, chargebacks, fraud prevention and legal compliance | Contract (processing transactions), legal obligation (accounting/record keeping), and legitimate interests (fraud prevention, dispute management) |
| To improve the website experience, analytics, and measure advertising effectiveness (cookies/trackers where used) | Website visitors: IP address, approximate GEO (country/city), OS type/version, browser type/version, device type and screen resolution, traffic source, OS/browser language, page interactions | Information collected via cookies, web page counters and other analytics tools is kept for a period of up to one year from the date of the collection of the cookie of the relevant cookie or in line with applicable guidance from data protection authorities | Consent (for non-essential cookies/trackers). You can withdraw consent at any time via your browser settings and/or the controls described in our Cookie Statement |
Who we share your data with
We share personal data only when necessary to operate our services, comply with legal obligations, protect users, or support our business functions. Where we use third parties to process personal data on our behalf, we require them to protect it, keep it confidential, and use it only for the purposes we specify.
Categories of recipients
We may share personal data with:
- Service providers (processors) that support our operations (for example: payment processing, hosting, customer support tools, analytics, communications, identity verification and fraud prevention).
- Professional advisors (such as auditors, lawyers, and accountants) where necessary for compliance and risk management.
- Competent authorities, regulators, and law enforcement where disclosure is required by applicable law, or where necessary to prevent, detect, or investigate fraud, financial crime, or security incidents, or to protect our rights and property.
Restrictions we impose on service providers
We require our service providers to:
- access and process only the data necessary to provide their services,
- act under our documented instructions,
- implement appropriate technical and organizational security measures, and
- not sell personal data received from us or processed on our behalf.
Where required, we also implement contractual safeguards and other measures to protect personal data when it is processed outside your country of residence.
Processors, location, and purpose of transfer
| Processor | Purpose of transfer |
|---|---|
| Online payment providers | To process payments, refunds, chargebacks, and billing collection; to support fraud prevention and transaction security |
| Identity verification / KYC providers | To verify identity and conduct checks required for onboarding and ongoing compliance |
| Marketing / advertising partners (where applicable) | To deliver and measure marketing campaigns and show relevant advertisements. Where email matching is used, we may apply privacy-enhancing techniques (e.g., hashing) and partners may use the data only for the agreed campaign purposes |
| Hosting / infrastructure providers | To host and operate the website and service infrastructure; to ensure availability and security |
| Customer support tools | To provide customer support communications and ticket handling |
| Competent authorities | Where disclosure is required by law or necessary for the prevention, detection, or prosecution of unlawful activity and fraud, or to protect rights, property, or safety |
How we destroy personal data
When personal data is no longer required for the purposes described in this Privacy Policy and we are not legally required to retain it, we take commercially reasonable and technically feasible steps to securely destroy it or render it irreversibly anonymized.
- Electronic records are permanently deleted or securely overwritten using methods designed to prevent recovery or retrieval, taking into account the nature of the system and storage media.
- Paper records are securely destroyed (for example, by shredding or other secure disposal methods).
If certain records must be retained beyond the stated retention periods under applicable law, we will, where technically feasible, store them separately and restrict access to authorized personnel only.
Automated decisions
We do not make decisions about you based solely on automated processing that produces legal effects or similarly significant effects.
Your rights
Subject to applicable data protection laws and certain legal limitations, you may have the right to:
- request access to your personal data,
- request correction of inaccurate or incomplete personal data,
- request deletion of your personal data,
- request restriction of processing,
- request data portability,
- object to processing based on our legitimate interests (including direct marketing), and
- withdraw consent at any time where processing is based on consent.
To exercise your rights, contact us at privacy@winnerpay.com
You also have the right to lodge a complaint with a competent data protection supervisory authority in your place of habitual residence, place of work, or where you believe an infringement has occurred.
Changes to this Privacy Policy
WINNERPAY reserves the right to reasonably amend this Privacy Notice from time to time. We will update the "Last Updated" date accordingly at the beginning of this Privacy Notice. We will announce any material changes to this Privacy Notice on our website / platform or by sending an email to the email address that you have provided under your account. Your continued use of WINNERPAY after the changes to this Privacy Notice means that you understand such changes.
We encourage you to review this page periodically.