PrizeHeist — Privacy Policy
Effective date: September 15, 2025
Last revised: September 15, 2025
1. Introduction & scope
PrizeHeist Pvt. Ltd. (“PrizeHeist”, “we”, “us”, “our”, or “Promoter”) operates www.prizeheist.com and related mobile applications and services (collectively, the “Sites”). This Privacy Policy explains how we collect, use, disclose, transfer, and protect your personal data and describes your rights under applicable law, including India’s Digital Personal Data Protection Act 2023 (“DPDP”) and, where applicable, the EU General Data Protection Regulation (“GDPR”).
Data Controller: DJRE Media Pvt. Ltd., Ochanthuruth P.O., Kerala 682508, India.
Privacy / DPO contact: privacy@prizeheist.com (or dpo@prizeheist.com for DPO enquiries). For general enquiries: info@prizeheist.com.
2. Key principles
We process personal data lawfully, fairly, and transparently; limit collection to necessary data; retain data only as necessary; and implement technical and organizational measures to protect personal data.
3. Personal data we collect
We collect data you provide and data collected automatically:
User-provided (examples): name, contact details (email, phone, postal address), account credentials, Government ID (for age/identity verification), payment instrument identifiers (card token, UPI ID — full card numbers are not stored by us), social login profile data (name, email, profile picture), survey/testimonial content, and support communications.
Automatically collected (examples): IP address, device and browser characteristics, usage and log data, cookies and tracking identifiers, geolocation (if you grant permission), crash and performance data.
Third-party sources: public databases, marketing partners, social platforms and analytics providers (only where permitted).
4. Purposes of processing & lawful bases
We process personal data for the purposes listed below. Each purpose is supported by a lawful basis under applicable law.
| Purpose | Data categories | Lawful basis |
|---|---|---|
| Registering and managing your account; contest entry | Name, email, contact, payment tokens, ID for age verification | Performance of contract / Legitimate interest (contest administration) |
| Payment processing & delivery of prizes | Payment data (via payment processors), delivery address | Performance of contract / Legal obligation |
| Marketing (email/SMS/push) | Contact details, preferences | Consent (where required) / Legitimate interest (existing customers — where permitted) |
| Fraud prevention, security, analytics | IP, device, logs, transaction history | Legitimate interest (fraud prevention, platform security) |
| Public entry lists & winner publicity | Name and contest entry details | Consent (explicit checkbox at entry) |
| Legal compliance, dispute resolution | Any relevant personal data | Legal obligation / Legitimate interest |
We will indicate the specific lawful basis alongside processing activities at the point of collection where feasible.
5. Publication of entrants’ names
We may publish entrants’ names on a public entry list for up to seven (7) days following contest close. We will obtain explicit consent at the time of entry (a clear, unticked checkbox and concise notice). You may withdraw consent or request earlier removal by contacting privacy@prizeheist.com; we will action requests promptly and in any case within 7 days.
6. Consent & withdrawing consent
Where processing is based on consent, you may withdraw consent at any time. Withdrawal will not affect the lawfulness of processing prior to withdrawal. To withdraw consent, update your account preferences or contact privacy@prizeheist.com.
7. Age verification & minors
Our Services are for persons aged 18+. We will verify age by requesting government ID where necessary. We do not knowingly collect personal data from persons under 18. If we learn that we have collected data from a minor, we will delete it as soon as practicable and disable the account.
8. Cookies, tracking & analytics
We use cookies and similar technologies. A summary is provided in our Cookie Policy and below in the Cookie Table. For non-essential cookies, we obtain consent via a cookie banner and provide granular choices.
9. Disclosure to third parties
We may disclose personal data to:
Service providers and processors (payment processors, hosting providers, email delivery, analytics, CRM). Processors act only on our instructions and are contractually obliged to protect data.
Legal and regulatory authorities where required by law.
Successors in case of merger, acquisition, or sale (see Section 11).
We do not sell personal data to third parties for their independent marketing purposes.
10. International transfers & safeguards
Personal data may be processed or stored outside India. Where transfers occur to jurisdictions without adequacy decisions, we implement appropriate safeguards such as Standard Contractual Clauses (SCCs), binding contractual terms, or equivalent measures required by law. For transfers within our corporate group, we rely on binding corporate rules or contractual safeguards.
11. Business transfers & “no sale” statement
We currently do not sell personal data to third parties for their own marketing purposes. In the event of any merger, acquisition, reorganization, sale of assets, or similar transaction involving PrizeHeist, personal data may be transferred to the acquiring entity; such transfers will be subject to this Policy and applicable law, and affected data subjects will be notified where required.
12. Retention
We retain personal data only as long as necessary for the purposes set out, subject to legal and regulatory obligations. Representative retention periods:
Account profile data: retained for 2 years after account closure, unless a longer retention is required for legal compliance.
Transaction & payment records: retained for 7 years for tax, accounting and fraud-prevention purposes.
Contest entry records (including public entrant lists): public listing retained for 7 days, archived contest records retained for 2 years.
Marketing consents and preferences: retained until withdrawn.
Logs, analytics, system backups: retained for up to 12 months, or longer where required for security/investigations.
Heist Coins / account credits: retained for 3 years following last activity.
We will securely delete or anonymize data when no longer required.
13. Security
We implement reasonable technical and organizational measures to protect personal data, including encryption in transit, access controls, and vendor security assessments. However, no internet transmission is 100% secure; you should use the Sites in a secure environment.
14. Data breach response & notification
In the event of a personal data breach, we will promptly investigate and, where required by applicable law, notify the relevant supervisory authority and affected individuals without undue delay and within applicable statutory timeframes (e.g., within 72 hours for GDPR where applicable).
15. Data subject rights & request procedure
You may exercise rights where applicable under DPDP, GDPR or other local law: access, correction, deletion (erasure), restriction of processing, objection, portability, and withdraw consent. To submit a request, email privacy@prizeheist.com with subject line “Data Subject Request” and provide identity verification. We will acknowledge within 7 business days and respond within 30 days (or as required by law). If you remain dissatisfied, you may lodge a complaint with the relevant supervisory authority.
16. Third-party links, offers & review sites
Our Sites may link to third-party sites and display third-party advertisements or offer walls. These third parties have separate privacy policies and practices for which we are not responsible. We may share basic contact information with review platforms solely to invite reviews — this will be done only where permitted and with an opt-out option.
17. Testimonials, publicity & winner materials
We will request consent before publishing testimonials or using winner photographs and videos for promotional purposes. Winners must provide government-issued ID to verify identity prior to prize delivery. By accepting a prize, winners consent to reasonable publicity unless otherwise agreed.
18. Payment data & PCI
We use third-party payment processors to handle card and payment details. We do not store full card numbers on our servers. Payment processors are required to be PCI-DSS compliant; review processor policies for specific details.
19. Changes to this Policy
We may amend this Policy. Material changes will be communicated via the Sites or email. The “Last revised” date will reflect the effective date.
20. Contact
For privacy enquiries or to exercise your rights: privacy@prizeheist.com. For general queries: info@prizeheist.com.
PrizeHeist - Privacy Summary
Who we are: PrizeHeist Pvt. Ltd. runs PrizeHeist contests at www.prizeheist.com. Contact: privacy@prizeheist.com.
We don’t sell your data: We do not sell your personal data for other companies’ marketing. If the business is sold, personal data may transfer to the buyer as needed.
What we collect: Name, email, phone, payment token (handled by payment partner), contest entries, IP/device data, and optional Government ID for age verification.
How we use it: To run contests, process payments, prevent fraud, send service messages, and (with consent) send marketing. We publish contest entrants’ names for up to 7 days only if you agree at entry.
Cookies: We use essential cookies for site function and optional cookies for analytics and advertising. You can choose which cookies to accept.
How long we keep data: Account data: 2 years after closure. Payment and tax records: 7 years. Contest entry lists: public for 7 days, archived for 2 years.
Your rights: Access, correction, deletion, withdraw consent, portability, and objection. To act on these rights, email privacy@prizeheist.com. We’ll respond within 30 days.
Security: We use technical and organizational measures to protect your data, but no internet service is perfectly secure.
Questions or complaints: privacy@prizeheist.com. If you’re not satisfied, you can complain to your local data protection authority.
Cookie & Tracking Table
Use this as part of a Cookie Policy and in your cookie banner with granular choices.
| Category | Purpose | Examples / tools | Duration | User choice |
|---|---|---|---|---|
| Essential (Strictly necessary) | Site functionality, login, security, contest entry | Session cookie, CSRF token, auth cookie | Session / 24 hours | Cannot be disabled (site may not function) |
| Preferences | Save language, display preferences | pref_lang, ui_theme | 6 months – 2 years | Opt-out via settings |
| Analytics | Site usage, performance, product improvement | Google Analytics (anonymized), internal logs | 12 months | Opt-out via cookie banner |
| Marketing / Advertising | Personalized ads, ad measurement | Ad networks, pixels (Facebook Pixel, ad trackers) | 6 – 24 months | Opt-in via cookie banner; revoke in settings |
| Functional (optional) | Social login, maps, offer walls | Google Maps API, social SDKs | Varies by provider | Opt-in/out where applicable |
Sample cookie banner text (consent):
“We use cookies to provide and improve our service. Some cookies are essential; others are optional. By clicking Accept All you consent to optional cookies. Manage preferences to choose which optional cookies you allow. [Manage preferences] [Accept all] [Reject non-essential]”
Entrant public-list consent checkbox (sample wording):
[ ] I consent to PrizeHeist publishing my name on the public entrants list for this contest for up to 7 days. I understand I can withdraw consent or request earlier removal by contacting privacy@prizeheist.com.