Effective date: [TODO: legal to set]. This Privacy Policy is a draft provided for legal review and is not the final, governing version. [TODO: legal to confirm all bracketed items and state-specific disclosures.]
1. What this Privacy Policy covers
This policy describes how Winsome [TODO: legal to confirm full legal entity, e.g. Winsome, Inc.] ("Winsome," "we," "us") collects, uses, discloses, and protects personal information when you visit our website, use our app, or otherwise interact with the Winsome service (the "Service"). It does not apply to third parties we do not control. If you do not agree with this policy, please do not use the Service.
2. Personal information we collect
The categories of personal information we collect, the sources, and the business purposes for each are described below.
- Account & profile information you provide — email address, username, age/eligibility confirmation, and demographic details collected during onboarding. Source: you.
- Financial activity accessed via Plaid on a read-only basis — transactions, account metadata, balances, and spending categories. We never receive your bank login credentials. Source: Plaid, at your direction.
- Sweepstakes & entry records — entries earned, drawing participation, winner status, and payout records. Source: you and our systems.
- Device & usage information — IP address, device identifiers, app/website interactions, and similar technical data. Source: automatic collection.
[TODO: legal to confirm the full data inventory and statutory categories (e.g., CCPA categories) under applicable state law.]
3. How and why we use personal information
- To create and administer your account and confirm that it is "active."
- To run weekly sweepstakes drawings, verify winners, and deliver prizes.
- For fraud prevention, security, identity verification, and enforcing our Terms and Official Rules.
- To produce anonymized and aggregated consumer-panel insights — the Winsome business model. These insights do not identify you personally.
- To communicate with you about the Service, and, where permitted, about features and updates.
- To comply with legal, tax, and regulatory obligations.
4. What we never do
- We never access or store your bank username or password.
- We never move, hold, or withdraw your money — our Plaid access is read-only.
- We never publish your real name; winners are shown by username only.
- We never sell personal information tied to your real-world identity. [TODO: legal to confirm against state-law "sale"/"share" definitions.]
5. How we disclose personal information
We disclose personal information to: service providers who help us operate the Service (for example, Plaid for read-only connectivity, our prize-payout provider, our messaging provider, and analytics providers) under contracts limiting their use of it; affiliates within our corporate family [TODO: legal to confirm affiliate entities]; and third parties as part of aggregated or de-identified panel data that does not identify you. We may also disclose information to comply with law, enforce our agreements, or protect rights and safety, and in connection with a corporate transaction. [TODO: legal to confirm recipients and "sale"/"sharing" disclosures.]
6. Tracking tools, advertising & opt-out
We and our providers use cookies and similar technologies to operate the Service, remember preferences, measure performance, and, where applicable, support interest-based advertising. You can control cookies through your browser settings, and where required we honor opt-out preference signals (such as Global Privacy Control). [TODO: legal to confirm cookie/advertising practices, GPC handling, and any "Do Not Sell or Share" link.]
7. Data security & retention
We use administrative, technical, and physical safeguards designed to protect personal information. No system is perfectly secure, and we cannot guarantee absolute security. We retain information for as long as needed to provide the Service and as required by law; auditable drawing, payout, and tax records are retained for the periods required by applicable sweepstakes and tax rules. [TODO: legal to confirm security disclosures and retention schedules.]
8. Personal information of children
The Service is intended only for adults 21 and older and is not directed to children. We do not knowingly collect personal information from anyone under 21. If we learn we have collected such information, we will delete it. [TODO: legal to confirm age threshold and children's-privacy language.]
9. California resident rights
If you are a California resident, you may have the right to know/access the personal information we collect, to request deletion, to request correction, and to opt out of the "sale" or "sharing" of personal information and certain targeted advertising, subject to exceptions. We will not discriminate against you for exercising these rights. [TODO: legal to confirm CCPA/CPRA categories disclosed, retention, and sensitive-PI handling.]
10. Additional state privacy rights
Residents of certain other states [TODO: legal to confirm current list — e.g., Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia] may have comparable rights to access, correct, delete, and obtain a portable copy of their personal information, and to opt out of targeted advertising, sale, or certain profiling. You may also have the right to appeal a denied request. [TODO: legal to confirm per-state rights and appeal process.]
11. Exercising your rights
You can unlink a connected card at any time in the app. To exercise privacy rights, contact us using the details below [TODO: legal to confirm request channel and any webform]. We will verify your identity before fulfilling a request and will respond within the timeframe required by law. You may use an authorized agent where permitted. [TODO: legal to confirm verification and agent process.]
12. California "Shine the Light"
California Civil Code § 1798.83 permits California residents to request information about disclosures of personal information to third parties for their direct-marketing purposes. [TODO: legal to confirm whether any such disclosures are made and how to request this information.]
13. Nevada resident privacy rights
Nevada residents may have the right to opt out of the sale of certain covered information. [TODO: legal to confirm Nevada opt-out mechanism and contact.]
14. Consumer health data
To the extent any information we process is treated as "consumer health data" under applicable state law, additional terms apply. See our Consumer Health Data Privacy Policy.
15. Changes to this policy
We may update this policy from time to time. Material changes will be communicated as required, and the effective date above will be updated. [TODO: legal to confirm notice mechanism.]
16. Contact
Questions about this policy may be directed to Winsome [TODO: legal to confirm entity and privacy contact email].
Winsome — Privacy
[Mailing address — TODO confirm before launch]