Privacy Policy

1. Scope

PickSafely, Inc. (PickSafely, we, us) acts as the data controller for personal information that we collect through the Service, except when we handle giveaway participant data on behalf of our customers. In that latter context we operate as a processor under the EU General Data Protection Regulation (GDPR) or as a service provider under the California Consumer Privacy Act (CCPA / CPRA). This policy describes our practices in both roles.

2. Information We Collect

When you create an account you voluntarily give us information such as your name, e‑mail address, company details, and a password; if you add a profile photo or invite team members, those images and additional names are stored as well. When you subscribe to a paid plan our payment processor, Stripe, collects your cardholder name, partial card digits, and billing address and then passes back a tokenised reference so that we never see your full credit‑card number. When you organise a giveaway you upload or paste the e‑mail addresses (or other unique identifiers) of participants, specify prize details and draw rules, and may include messages to be forwarded to entrants; we store all of that content so the Service can select winners and publish a verifiable record. Any information you choose to include in support tickets, chat sessions, or marketing survey responses is also collected.

In addition to the data you provide, our servers automatically log information about your visit. Each request records the IP address, the browser and operating‑system type and version, the referring page, the pages you view, the time spent on each page, and the date and time of the request. We associate this telemetry with a pseudonymous identifier so we can detect abuse, debug issues, and compile usage statistics. We also place first‑party cookies that keep you signed in and protect against cross‑site request forgery. With your consent, we load Google Analytics 4 (GA4) which sets its own cookies and receives device information and in‑app events; GA4 reports help us understand feature adoption and guide product decisions, but we have disabled Google’s ad‑personalisation features and IP‑anonymise all analytics hits.

Occasionally we receive limited personal information from third parties. Stripe tells us whether a charge succeeded or failed and sends fraud‑assessment signals; Firebase Authentication returns a unique user ID so that you can sign in with single sign‑on; and Google Tag Manager informs us if you accepted or rejected optional cookies. We combine these inputs with the data you provide to deliver and improve the Service.

3. How We Use Information

We process your personal information first and foremost to operate the Service: that includes creating and securing user accounts, authenticating logins, enabling collaboration within team workspaces, running cryptographically fair giveaways, storing hashes of participant identifiers, and publishing public verification pages that anyone can inspect. We also use the data to process payments, generate invoices, and resolve chargebacks; to send mandatory service communications such as receipts, password‑reset links, and important product announcements; to answer your support requests and troubleshoot reported issues; to analyse aggregate usage patterns so we can prioritise features and spot performance bottlenecks; to monitor for fraud, abuse, or security threats; and to comply with our legal obligations, enforce our Terms of Service, and protect the rights and safety of PickSafely, our users, and the public. Where the law requires consent—for example, for marketing e‑mails or GA4 tracking in certain jurisdictions—we will request it separately and honour your choice.

4. Legal Bases for Processing (EEA / UK)

For visitors and customers in the European Economic Area or the United Kingdom, our processing activities rely on four lawful bases under the GDPR. First, we process data that is necessary to perform the contract we have with you, such as providing access to your account, hosting your giveaways, and fulfilling subscription benefits. Second, certain uses are justified by our legitimate interests, including maintaining platform security, preventing fraud, and communicating product updates to existing users; we balance those interests against your rights and always provide an opt‑out where appropriate. Third, we rely on your explicit consent for optional activities such as sending marketing newsletters or loading non‑essential analytics scripts; you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. Finally, we process some data to comply with legal obligations —for example, retaining tax records or responding to valid law‑enforcement requests.

5. How We Share Information

We disclose personal information only to parties that help us run the Service or when the law otherwise permits or requires it. Our primary service providers are Stripe for payment processing, Firebase for authentication and real‑time databases, Vercel for hosting and content delivery, and Google Analytics 4 for usage analytics. Each of these companies receives only the information needed to perform its task and is contractually bound to protect it. When you complete a giveaway we publish a verification page that contains irreversible SHA‑256 hashes of participant identifiers, timestamps, prize details, and cryptographic proofs; those hashes allow anyone to confirm that the draw was fair without revealing the underlying e‑mail addresses. Beyond that public disclosure, we will release personal data only if required to do so by law, if necessary to protect the rights, property, or safety of PickSafely or others, or in the context of a corporate transaction such as a merger or asset sale. Under no circumstances do we sell or rent your personal information for monetary or other valuable consideration.

6. Cookies and Similar Technologies

Cookies are small text files that websites store on your device. PickSafely sets a first‑party session cookie that keeps you logged in and another that remembers your cookie‑consent preference; these are essential to the Service and cannot be disabled without breaking core functionality. If you agree, we also load GA4 which deposits its own cookies to collect event data such as button clicks, navigation paths, and browser attributes. We have configured GA4 to mask IP addresses and to disable Google signals so that the data is used solely for aggregated analytics and not for personalised advertising. You can manage or delete cookies at any time through your browser settings, and, where required by law, our cookie banner gives you a clear choice to accept or reject analytics cookies before they are set.

7. Your Rights and Choices

Depending on where you live, you may have legal rights to access, correct, delete, or export the personal information we hold about you; to object to or restrict certain processing; and to withdraw any consent you have given. Residents of California additionally have the right to know what categories of personal information we have collected in the preceding twelve months, to request that we delete or correct that information, and to opt out of any sale or “sharing” for cross‑context behavioural advertising (which we do not engage in). To exercise a right, please e‑mail privacy@picksafely.com, identify the request you are making, and provide enough detail for us to verify your identity. We will respond within the timeframe mandated by applicable law, and we will not discriminate against you for exercising a privacy right.

8. Data Security

We secure data in transit with TLS 1.3 and at rest with AES‑256 encryption. Access to production systems is limited to authorised employees who must use multi‑factor authentication and are bound by confidentiality agreements. All infrastructure is provisioned with the principle of least privilege, and logs are monitored for anomalous activity. We commission annual penetration tests and remediate findings promptly. While no online service can guarantee absolute security, we continuously improve our defences to minimise risk.

9. Data Retention

We keep account information for as long as your subscription remains active and for ninety days after you delete your account in case you change your mind or a payment dispute arises. Financial transaction records are retained for seven years to satisfy tax and accounting obligations. Public giveaway verification pages remain online indefinitely because their evidentiary value depends on permanent availability; they contain only irreversible hashes and therefore present minimal privacy risk. When retention periods expire, we delete or irreversibly anonymise the data.

10. International Data Transfers

PickSafely is headquartered in the United States, and our primary data centres are located there. If you are located in the European Economic Area, the United Kingdom, or Switzerland, your personal information will therefore be transferred to a country that may not provide an equivalent level of data protection. We rely on the EU‑U.S. Data Privacy Framework, the UK Extension to that framework, and, where appropriate, the European Commission’s Standard Contractual Clauses to safeguard those transfers.

11. Children’s Privacy

The Service is intended for use by adults. We do not knowingly collect personal information from children under thirteen in the United States or under the age of digital consent in other regions. If you believe a child has provided us with personal data, please contact us so that we can delete the information immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes we will notify you by e‑mail or by posting a prominent banner in the application at least thirty days before the new terms take effect. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, you can reach our Data Protection Officer at PickSafely, e‑mailing privacy@picksafely.com.