Privacy at WinSweeps is simple: we collect the minimum needed to run a fair rewards platform, we never sell your data, and everything sensitive is protected by row-level security. This policy explains the details.
1. What we collect
We collect only what the platform needs to operate well:
- Account data — email address, username, password (stored as a salted hash by our authentication provider), and optional profile details such as display name, country, avatar and bio.
- Activity data — reward claims, XP and coin ledger entries, achievements, referrals, leaderboard entries, support tickets and notification preferences.
- Technical data — device and browser type, and a salted, irreversible hash of your IP address at signup used solely for referral-fraud screening. We do not store raw IP addresses with your profile.
- Analytics events — product usage events processed through PostHog to understand and improve the platform.
2. How we use your data
We use your data to operate the rewards engine, maintain leaderboards, deliver notifications you have opted into, provide support, prevent fraud and abuse, and improve the product. We do not sell personal data, and we do not use it for third-party advertising.
3. Email communications
Transactional email (verification, password resets, support replies) is always on — it is required to operate your account. Promotional and reward email is opt-in and controllable per category from your notification settings, and every promotional email contains an unsubscribe link.
4. Where your data lives
Account and platform data is stored in our Supabase-hosted PostgreSQL database, protected by row-level security so each member can only access their own records. Analytics events are processed by PostHog. Transactional email is delivered by Resend. Each provider processes data under its own data-processing agreement.
5. Public information
Leaderboards display your username, display name, avatar, country flag, level and score to other members and visitors. Your email, ledger details and settings are never public. You can change your display name and avatar at any time.
6. Retention
We retain account data while your account is active. When you delete your account, profile data is removed and remaining records (such as aggregate ledger history required for fraud prevention and audit) are anonymised within 30 days, except where law requires longer retention.
7. Your rights
Depending on your location, you may have rights to access, correct, export, restrict or delete your personal data. You can exercise most of these directly from your dashboard settings; for anything else, contact us and we will respond within 30 days.
8. Cookies
We use strictly necessary cookies for authentication sessions and security. Analytics runs without third-party advertising cookies.
9. Children
WinSweeps is not directed at anyone under 18, and we do not knowingly collect data from minors. If we learn that a minor has registered, the account will be closed and its data deleted.
10. Changes and contact
We will announce material changes to this policy in-app and by email before they take effect. Privacy questions can be sent through the contact page — subject line “Privacy”.