Introduction
- Purpose of Policy
- Legal Framework (UK GDPR, DPA 2018, PECR)
- Scope of Policy
Information We Collect
- Personal Data Collected Directly
- Data from Third Parties
- Automatically Collected Data
- Special Category Data
Lawful Bases of Processing
- Consent
- Contractual Necessity
- Legal Obligations
- Legitimate Interests
How We Use Personal Data
- Service Delivery
- Event Management
- Communication & Marketing
- Analytics & Improvements
- Security & Fraud Prevention
Data Sharing & Disclosure
- With Event Organisers
- With Vendors & Partners
- Legal Disclosures
- Corporate Transactions
International Transfers
- Adequacy Regulations
- IDTAs & SCCs
- Safeguards
Data Retention
- Retention Periods
- Deletion Procedures
Children’s Data
- Age Restrictions
- Parental Consent
- Safeguarding Measures
User Rights under UK GDPR
- Right to be Informed
- Right of Access
- Right to Rectification
- Right to Erasure
- Right to Restriction
- Right to Data Portability
- Right to Object
- Automated Decision-Making Rights
- Exercising Your Rights
- Complaints & Judicial Remedies
Data Security Measures
- Organisational Safeguards
- Technical Safeguards
- Account Security
- Physical Safeguards
- Breach Response & Notification
Cookies & Tracking Technologies
- Types of Cookies Used
- Legal Basis for Cookies
- Cookie Consent & Preferences
- Managing Cookies
Third-Party Links & Integrations
- External Links
- Embedded Content
- Social Logins & SSO
- Payment Processors
- Analytics & Advertising
Contact Information & Complaints Procedures
- How to Contact Us
- DPO Contact Details
- ICO Contact Details
- Judicial Remedies
1. Introduction:
1.1 This Privacy Policy explains how Winngoo Gala (“the Company”, “we”, “us”, or “our”), a UK-based provider of virtual celebration and event-hosting services, collects, uses, shares, and protects personal data when individuals (“you”, “Users”) interact with our platform, services, and related offerings.
1.2 The Company is committed to protecting the privacy and rights of Users in line with:
- The UK General Data Protection Regulation (UK GDPR)
- The Data Protection Act 2018
- The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)
1.3 This Policy applies regardless of how you access our platform, including through web browsers, mobile devices, third-party integrations, or partner links.
2. Identity of the Data Controller:
2.1 The Data Controller responsible for your personal data is:
Winngoo Gala Limited
Registered in England and Wales, Company Number: [Insert Number]
Registered Office: [Insert Address]
Email: [Insert dedicated privacy contact email]
2.2 In some situations, such as joint events or co-branded celebrations, we may act as a Joint Controller with an Organizer or Sponsor. In those cases, responsibilities for compliance will be defined in a Joint Controller Agreement according to Article 26 UK GDPR.
2.3 For services involving third-party integrations (e.g., video-conferencing tools, payment providers), those parties may also act as Data Controllers or Data Processors, based on the context of processing.
3. Scope of this Privacy Policy:
3.1 This Privacy Policy applies to the following categories of data subjects:
- Attendees who register for or join Winngoo Gala events
- Organizers who create, host, or manage events via the Platform
- Performers, speakers, or contributors who take part in events
- Sponsors or partners with whom data may be shared for event-related purposes
- Visitors who browse the Platform without registering
3.2 This Policy covers all personal data processing across:
- Account creation and profile management
- Ticket purchasing, billing, and refunds
- Virtual celebration attendance (including livestreams, chat, polls, recordings, and interactive features)
- Marketing communications and newsletters
- Use of cookies, analytics, and tracking technologies
3.3 It does not cover processing activities by:
- Event Organizers acting independently outside the Platform
- Third-party service providers with separate privacy policies (e.g., PayPal, Stripe, Zoom, Google)
- External websites or social media platforms linked from our Platform
4. Relationship with Other Documents:
4.1 This Privacy Policy should be read alongside:
- Our Terms & Conditions
- Our Cookie Policy
- Event-specific policies, if applicable
4.2 In case of a conflict, the order of precedence is:
- Event-specific terms (if legally required)
- This Privacy Policy
- The Cookie Policy
- The general Terms & Conditions
5. Definitions:
For clarity, the following definitions apply throughout this Policy:
- “Personal Data”: Any information related to an identified or identifiable natural person
- “Processing”: Any operation performed on personal data, including collection, storage, use, sharing, or deletion
- “Controller”: The entity that determines the purposes and means of processing personal data
- “Processor”: A third party processing data on behalf of the Controller
- “Special Category Data”: Sensitive data, including racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic/biometric data, health information, or sexual orientation
- “Event Data”: Data generated during participation in a virtual celebration (e.g., chat transcripts, video recordings, polls, Q&A inputs)
Legal Framework
6. Applicable Data Protection Laws:
6.1 Winngoo Gala operates within the UK, and our data processing activities are mainly regulated by:
- UK General Data Protection Regulation (UK GDPR): Retained EU law after Brexit, which sets out rules on lawful processing, data subject rights, and international transfers
- Data Protection Act 2018 (DPA 2018): UK legislation that supports UK GDPR, including exemptions, conditions for processing special category data, and powers of the Information Commissioner’s Office (ICO)
- Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR): Governs electronic marketing, cookies, and tracking technologies
- Consumer Rights Act 2015 and E-Commerce Regulations 2002: Additional rules on online services, transparency, and user rights
6.2 Users outside the UK may also benefit from local consumer and privacy laws, but the Company will prioritize compliance with UK law as the governing framework.
7. Data Protection Principles:
7.1 Winngoo Gala is dedicated to following the seven principles of data protection as established under Article 5 UK GDPR:
- Lawfulness, fairness, and transparency – Data must be processed in a lawful and transparent way
- Purpose limitation – Data must only be collected for specific, explicit, and legitimate purposes
- Data minimization – Data collected must be sufficient, relevant, and limited to what is necessary
- Accuracy – Personal data must be accurate and kept up to date
- Storage limitation – Data must not be kept longer than necessary for the purposes for which it is processed
- Integrity and confidentiality (security) – Data must be processed securely to protect against unauthorized access, loss, or damage
- Accountability – The Company is responsible for showing compliance with these principles
7.2 These principles guide all aspects of our processing activities, from initial collection to deletion or anonymization.
8. Supervisory Authority:
8.1 The main regulatory body for Winngoo Gala is the Information Commissioner’s Office (ICO), the UK’s independent authority established to uphold information rights.
8.2 Users can file complaints directly with the ICO if they think their data has been mishandled.
9. Accountability and Governance Measures:
9.1 To show compliance with UK GDPR and DPA 2018, Winngoo Gala has put in place the following governance measures:
- Appointment of a Data Protection Officer (DPO) or a designated Privacy Lead
- Keeping internal records of processing activities (Article 30 UK GDPR)
- Regular data protection impact assessments (DPIAs) for high-risk processing like video recording or biometric verification
- Staff training and awareness programs on data protection obligations
- Contracts with third-party processors that include mandatory Article 28 UK GDPR clauses
9.2 These measures are reviewed at least annually or sooner if there are significant changes in law, regulation, or business operations.
10. Extraterritorial Application:
10.1 Under Article 3 of the UK GDPR, this Privacy Policy also applies to Users outside the UK when:
- They attend events hosted on our UK-based Platform
- Their data is processed in connection with goods or services offered by Winngoo Gala
- Behavioural tracking is done through cookies, analytics, or other technologies
10.2 As a result, non-UK Users receive the same protections as UK-based Users, subject to any mandatory provisions under their local laws.
Data Collected:
11. Overview of Data Categories:
11.1 Winngoo Gala collects and processes various types of personal and non-personal data to provide its services.
11.2 The categories of data collected include:
- Identification Data
- Contact Data
- Financial and Transactional Data
- Technical and Device Data
- Usage Data
- Event Participation Data
- Special Category Data (if applicable)
12. Identification Data:
12.1 Information that helps us identify Users includes:
- Full name
- Username or account ID
- Date of birth or age range
- Gender or title
- Profile photo or avatar (if uploaded)
12.2 This data is collected during account registration, ticket purchases, or profile updates.
13. Contact Data:
13.1 Data used to communicate with Users includes:
- Email address
- Mobile number
- Postal address (if given for billing or correspondence)
- Emergency contact details (optional, for safety at certain events)
13.2 Contact data allows Users to receive confirmations, reminders, and customer support.
14. Financial and Transactional Data:
14.1 For payments and refunds, we may process:
- Payment method (credit/debit card, PayPal, Stripe, or another gateway)
- Billing address
- Transaction history
- Partial card numbers (last four digits only – full details are not stored)
14.2 Winngoo Gala does not store full payment card information. Payments are processed securely via PCI DSS-compliant third-party providers.
15. Technical and Device Data:
15.1 When Users access the Platform, we automatically collect technical data that includes:
- IP address
- Device type and operating system
- Browser type and version
- Time zone setting and approximate geolocation
- Login timestamps and session activity logs
- Cookies, device identifiers, and tracking pixels
15.2 This information is necessary for service delivery, fraud prevention, and analytics.
16. Usage Data:
16.1 We also collect information on how Users interact with the Platform:
- Pages visited and features accessed
- Search queries within the Platform
- Event registration and attendance patterns
- Customer support interactions
- Preferences selected in account settings.
17. Event Participation Data:
17.1 As a virtual celebration platform, we collect data generated during events, including:
- Attendance records
- Chat messages, polls, and Q&A inputs
- Audio and video recordings of sessions (when applicable)
- Feedback forms and surveys completed after events
17.2 When events are recorded, Users will be clearly informed at the start of the session, and consent will be obtained when legally required.
18. Special Category Data:
18.1 In rare cases, Users may provide sensitive data, such as:
- Accessibility needs (e.g., sign language interpretation, captioning)
- Dietary restrictions (if an event includes physical elements)
- Religious or cultural information (e.g., celebration themes)
18.2 This data is only collected with explicit consent and is handled according to the safeguards required by Article 9 UK GDPR.
19. Non-Personal and Aggregated Data:
19.1 We may also collect non-identifiable information, such as:
- Aggregated statistics about event attendance
- Anonymized analytics reports
- General trends in user engagement
19.2 Non-personal data may be used for research, product development, or marketing insights but cannot reasonably be used to identify individuals.
How Data Is Collected
20. Direct Data Collection:
20.1 We collect data directly from you when you:
- Register for an account on the Platform
- Purchase or redeem a ticket
- Submit feedback or contact customer support
- Update your profile details
- Opt into newsletters or marketing communications
- Participate in surveys, polls, or promotions
20.2 Data provided directly is under your control, and you can choose which optional information to share. However, not supplying required fields (e.g., name, email, payment details) may limit access to services.
21. Automated Data Collection:
21.1 Certain information is collected automatically when you interact with the Platform, including:
- Device identifiers (IP address, browser, operating system, mobile device ID)
- Interaction logs (pages visited, buttons clicked, features used)
- Cookies and similar technologies (see Part L – Cookies & Tracking)
- Location approximations based on IP address
21.2 Automated data collection helps us:
- Secure the Platform against fraudulent activity
- Analyse User engagement for performance optimization
- Deliver a customized User experience.
22. Third-Party Data Collection:
22.1 Data may also be collected through third-party service providers integrated into the Platform, including:
- Payment processors (Stripe, PayPal, etc.) – for processing financial transactions securely
- Video-conferencing platforms (Zoom, Microsoft Teams, Google Meet) – for live event participation
- Analytics tools (Google Analytics, Hotjar, etc.) – for monitoring usage trends
- Marketing and communication tools (Mailchimp, HubSpot) – for newsletters and updates
22.2 These providers act either as Processors (handling data on our behalf) or as Independent Controllers (with their own privacy obligations).
23. Social Media:
23.1 You may have the option to register or log into the Platform using third-party authentication services (e.g., Google, Facebook, LinkedIn).
23.2 If you choose this method, the authentication provider may share certain information with us, such as:
- Your public profile name
- Email address
- Profile picture
- Social graph connections (only with your consent)
23.3 You can control the data shared by adjusting your privacy settings on the relevant third-party platform.
24. Event Organizer Contributions:
24.1 If you register for an event through an Organizer, that Organizer may share limited personal data with us for ticketing and event access purposes.
24.2 Such data typically includes:
- Your name and email address
- Ticket reference number
- Seating or grouping preferences (if relevant)
- Accessibility needs (if disclosed to the Organizer)
24.3 Organizers remain independent Controllers for any processing they perform outside the Platform.
25. Publicly Available Sources:
25.1 In rare cases, we may add User data from publicly available sources, including:
- Social media platforms when your settings allow.
- Publicly accessible business directories.
- Government registers for fraud prevention or compliance checks.
25.2 This practice is limited and only done where it is legal under UK GDPR and the Data Protection Act 2018.
26. Combined Data:
26.1 We may combine data collected from different sources, like direct, automated, or third-party sources, to:
- Keep accurate and up-to-date records.
- Prevent duplicate registrations.
- Provide a smooth User experience across devices.
26.2 Combined data is protected with the same safeguards as individually collected data.
Purposes of Processing
27. Overview of Processing Purposes:
27.1 Winngoo Gala processes personal data for various valid business, contractual, and legal reasons.
27.2 All data processing follows the lawful bases outlined in the UK GDPR:
- Consent (Article 6(1)(a))
- Contract (Article 6(1)(b))
- Legal obligation (Article 6(1)(c))
- Vital interests (Article 6(1)(d))
- Legitimate interests (Article 6(1)(f))
28. Account Creation and Management:
28.1 We process your Identification and Contact Data to:
- Register new accounts.
- Verify your identity.
- Allow you to update your profile and reset your password.
- Manage account security.
Lawful basis: Performance of a contract (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)).
29. Event Registration and Participation:
29.1 We process your data to:
- Register you for virtual celebrations.
- Provide secure event access links.
- Manage participation features, like chat, Q&A, and polls.
- Send recordings and post-event resources.
Lawful basis: Contract (Art. 6(1)(b)).
30. Payment Processing:
30.1 Your Financial and Transactional Data is processed to:
- Handle ticket sales, refunds, and invoicing.
- Prevent fraudulent transactions.
- Provide proof of purchase.
Lawful basis: Contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c) for financial records).
31. Communication and Customer Support:
31.1 We use your Contact Data to:
- Send service updates and confirmations.
- Respond to enquiries, complaints, and technical issues.
- Provide tailored support based on your account.
Lawful basis: Contract (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)).
32. Marketing and Promotional Communications:
32.1 With your consent, we may process your data to:
- Send newsletters and promotional offers.
- Personalise recommendations for upcoming events.
- Deliver targeted advertising based on PECR regulations.
32.2 You can withdraw consent anytime via unsubscribe links or account settings.
Lawful basis: Consent (Art. 6(1)(a)) and legitimate interests (Art. 6(1)(f), where allowed).
33. Service Improvement and Analytics:
33.1 We analyse Usage and Technical Data to:
- Monitor Platform performance.
- Diagnose bugs and technical issues.
- Improve features, layouts, and accessibility.
- Conduct research on User engagement.
Lawful basis: Legitimate interests (Art. 6(1)(f)).
34. Safety, Security, and Fraud Prevention:
34.1 We process data to:
- Detect and prevent fraudulent or suspicious activity.
- Ensure secure login and session management.
- Protect event integrity from misuse or abuse.
- Enforce Terms and Conditions.
Lawful basis: Legitimate interests (Art. 6(1)(f)) and legal obligations (Art. 6(1)(c)).
35. Legal and Regulatory Compliance:
35.1 We may need to process and keep certain data to:
- Comply with financial reporting and tax laws.
- Cooperate with law enforcement investigations.
- Respond to regulatory audits or legal claims.
Lawful basis: Legal obligation (Art. 6(1)(c)).
36. Special Category Data Processing:
36.1 In some instances, we may collect health, accessibility, or cultural preference data for event accommodation.
36.2 We only process this data with explicit consent (Art. 9(2)(a)) or when necessary to protect vital interests (Art. 9(2)(c)).
37. Research, Insights, and Reporting:
37.1 We may process aggregated and anonymised data to:
- Understand industry trends.
- Prepare reports for stakeholders.
- Publish anonymised insights into event participation.
Lawful basis: Legitimate interests (Art. 6(1)(f)).
Lawful Bases for Processing
38. Introduction to Lawful Bases:
38.1 Under the UK GDPR and the Data Protection Act 2018, personal data can only be processed if there is a lawful basis.
38.2 Winngoo Gala relies on the following lawful bases:
- Consent
- Performance of a contract
- Legal obligation
- Vital interests
- Legitimate interests
39. Consent (Article 6(1)(a))
39.1 We ask for consent before:
- Sending marketing or promotional emails.
- Collecting optional information during surveys.
- Recording video or audio at events.
- Processing Special Category Data, like accessibility needs.
39.2 Consent is:
- Given freely; it is never forced or tied to unrelated services.
- Specific and related to a defined purpose.
- Informed with clear explanations.
- Revocable; Users can withdraw consent at any time.
39.3 Withdrawal of consent does not affect the legality of processing that occurred before the withdrawal.
40. Performance of a Contract (Article 6(1)(b))
40.1 We process data when necessary to:
- Register and authenticate accounts.
- Issue tickets for events.
- Facilitate participation in virtual celebrations.
- Provide customer service regarding event access or billing.
40.2 Without this processing, Winngoo Gala cannot provide its main services.
41. Legal Obligation (Article 6(1)(c))
41.1 Certain laws require us to keep and disclose data, such as:
- Financial regulations that require payment records for tax and auditing.
- Consumer protection laws that ensure refund policies and records are maintained.
- Law enforcement cooperation where disclosure is required by lawful request.
41.2 Data processed under this basis cannot be erased until the legal requirement has expired.
42. Vital Interests (Article 6(1)(d))
42.1 We may process data to protect Users in rare situations, such as:
- Emergency contact in case of health issues during hybrid events.
- Sharing details with emergency services when a User is in immediate danger.
42.2 This basis is only used in exceptional, life-threatening situations.
43. Legitimate Interests (Article 6(1)(f))
43.1 Winngoo Gala processes data when necessary for our legitimate interests, as long as these interests do not override your fundamental rights.
43.2 Legitimate interests include:
- Ensuring cybersecurity and detecting fraud.
- Improving platform performance and user experience.
- Enforcing Terms and Conditions.
- Conducting anonymised research and analytics.
- Sending limited service-related updates.
43.3 We conduct a balancing test to ensure these interests are suitable and do not unfairly affect User rights.
44. Special Category Data (Article 9 UK GDPR)
44.1 When processing Special Category Data, like health or cultural data, Winngoo Gala relies on:
- Explicit consent (Art. 9(2)(a)).
- Vital interests (Art. 9(2)(c)).
- Employment and equality obligations (Art. 9(2)(b), when involving staff or performers).
44.2 This processing is subject to extra safeguards, such as restricted access and enhanced security.
45. Children’s Data:
45.1 Winngoo Gala’s services target mostly adults. For family-friendly events, we may process some data of minors with parental consent.
45.2 Consent must be verifiable, and parents or guardians can request deletion of their child’s data.
Data Sharing & Disclosure
46. General Principles of Data Sharing:
46.1 Winngoo Gala follows data minimization and only shares data when it is absolutely necessary.
46.2 We do not sell, rent, or trade personal data to third parties.
46.3 Any sharing is based on appropriate contractual safeguards and follows the UK GDPR.
47. Sharing with Service Providers (Processors)
47.1 We work with trusted third-party service providers to perform tasks on our behalf, including:
- Payment gateways like Stripe and PayPal for secure financial transactions.
- Cloud hosting providers like AWS and Microsoft Azure for data storage and management.
- Video-conferencing tools like Zoom and Teams for live celebrations.
- Email and SMS providers like Mailchimp and Twilio for communication and notifications.
- Analytics and performance tools like Google Analytics and Mixpanel.
47.2 These providers act as Processors and are bound by Article 28 UK GDPR agreements that require:
- Processing only based on our instructions.
- Implementing appropriate technical and organizational safeguards.
- Ensuring confidentiality for their staff.
- Assisting with User rights requests.
48. Sharing with Event Organisers:
48.1 If you register for an event, we may share limited data with the event organiser, including:
- Name and email address.
- Ticket purchase details.
- Attendance records.
48.2 Organisers may act as Independent Controllers, responsible for their compliance obligations.
48.3 Users should check the organiser’s separate privacy policy.
49. Sharing with Business Partners:
49.1 Sometimes, we may partner with third parties for co-branded or jointly hosted events.
49.2 Data shared is limited to what is necessary for participation, and partners must follow similar data protection standards.
50. Legal and Regulatory Disclosures:
50.1 We may disclose data to public authorities when required to:
- Follow applicable laws and regulations.
- Respond to valid court orders or legal processes.
- Help with law enforcement investigations.
- Protect the safety, rights, or property of Users and the Company.
50.2 We will carefully assess such disclosures to ensure they are lawful and reasonable.
51. Corporate Transactions:
51.1 If there is a merger, acquisition, reorganization, or sale of assets, User data may be transferred as part of that deal.
51.2 Any successor entity will still be bound by this Privacy Policy or a similar framework that provides equal or stronger protections.
52. International Transfers:
52.1 Some third-party providers might process data outside the United Kingdom.
52.2 When this happens, we implement one or more of the following safeguards:
- Adequacy regulations for transfers to countries recognized by the UK as providing good protection.
- International Data Transfer Agreements (IDTAs) that have been approved by the UK ICO.
- Binding Corporate Rules (BCRs) for transfers within our group.
52.3 We do not allow international transfers without lawful protections.
53. Transparency of Sharing:
53.1 We keep a current list of third-party Processors, which is available upon request.
53.2 We inform users in advance when introducing new categories of disclosures.
Data Retention & Storage:
54. General Retention Principle
54.1 Winngoo Gala keeps personal data only as long as necessary to meet the purposes for which it was collected, like:
- Providing services and support.
- Following legal obligations.
- Resolving disputes.
- Enforcing agreements.
54.2 Once data is no longer needed, we will securely delete, anonymize, or archive it as part of our retention schedule.
55. Specific Retention Periods:
55.1 Retention periods vary based on the data type:
- Account Data (Identification & Contact) is kept while the account is active, plus 24 months after closure to allow for reactivation or dispute resolution.
- Financial and Transaction Data is kept for at least 6 years under HMRC and UK accounting rules.
- Event Participation Data is held for 12 months after the event unless recordings or surveys are part of anonymized archives.
- Customer Support Records are retained for 3 years for handling complaints or service queries.
- Marketing Data is kept until consent is withdrawn or after 24 months of inactivity.
- Technical & Usage Logs are stored for 12 months unless needed longer for cybersecurity reasons.
56. Criteria for Determining Retention:
56.1 When deciding how long to keep personal data, we consider:
- The purpose for which it was collected.
- The type and sensitivity of the data.
- The potential risk of harm from keeping or deleting it.
- Any legal or regulatory requirements.
- Ongoing business needs, like defending legal claims.
57. Archiving and Anonymisation:
57.1 In some cases, we may anonymise data instead of deleting it so that it can no longer identify anyone.
57.2 Anonymised data may be kept indefinitely for research, reporting, or statistical use.
58. Storage Locations:
58.1 Personal data is stored on secure servers located in the United Kingdom and the European Economic Area (EEA).
58.2 If storage outside these regions is necessary, we apply international transfer safeguards as discussed (see Part G).
59. Security of Storage:
59.1 We use strong security measures to protect stored data, including:
- Encryption at rest and during transmission.
- Multi-factor authentication for administrative access.
- Role-based access controls.
- Regular vulnerability assessments and penetration tests.
- Secure backup and disaster recovery systems.
60. Deletion Procedures:
60.1 When data reaches the end of its retention period, it will be permanently removed from all active systems and backups using secure deletion methods that comply with NCSC guidelines.
60.2 When third-party Processors hold data for us, we enforce deletion through binding contracts.
61. Exceptions to Retention Rules:
61.1 Certain data may be kept longer if:
- Required by law or regulation,
- Necessary for ongoing litigation or legal defense,
- Specifically agreed to by the User.
User Rights under UK GDPR
62. Overview of Rights:
62.1 Users of Winngoo Gala, referred to as "Data Subjects" under the UK GDPR and Data Protection Act 2018, have enforceable rights regarding their personal data.
62.2 These rights aim to provide you with greater transparency, control, and independence over how your data is used.
63. Right to be Informed:
63.1 You have the right to know about the collection and use of your personal data.
63.2 This Privacy Policy informs you. Additional notices may be given:
- At the point of data collection,
- Within event registration forms,
- Through cookie banners and preference centers.
64. Right of Access:
64.1 You can request a copy of the personal data we hold about you, known as a Data Subject Access Request or DSAR.
64.2 When you make this request, we will:
- Confirm whether we process your data,
- Provide a copy of that data,
- Explain the purposes, categories, recipients, retention, and protections in place.
64.3 DSARs are free of charge, though a reasonable fee may apply for repeated or excessive requests.
65. Right to Rectification:
65.1 If any of the personal data we hold is incorrect or incomplete, you may request a correction.
65.2 Updates will usually be processed within one month.
66. Right to Erasure (“Right to be Forgotten”):
66.1 You can request the deletion of your personal data in certain situations, such as when:
- The data is no longer necessary for its original purpose,
- You withdraw consent and no other lawful basis applies,
- Processing is unlawful,
- Deletion is needed to comply with a legal obligation.
66.2 The right to deletion is not absolute. For instance, financial records must be kept under tax law.
67. Right to Restriction of Processing:
67.1 You can ask us to temporarily stop processing your data when:
- You contest its accuracy,
- Processing is unlawful but you do not want it deleted,
- We no longer need the data, but you need it for legal claims,
- You object to processing, and we are evaluating the balance of interests.
67.2 During the suspension, we can store the data but will not process it further.
68. Right to Data Portability:
68.1 You can request to receive your personal data in a structured, commonly used, machine-readable format and have it sent directly to another controller where technically feasible.
68.2 This right applies only if:
- Processing is based on consent or contract,
- Processing is done by automated means.
69. Right to Object:
69.1 You can object to the processing of your data if it is based on:
- Legitimate interests (Art. 6(1)(f)),
- Direct marketing purposes.
69.2 We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests or if processing is needed for legal claims.
70. Rights Relating to Automated Decision-Making and Profiling:
70.1 You have the right not to be subject to a decision based solely on automated processing, including profiling, that has legal or significant effects.
70.2 When such decisions are necessary, for example, fraud checks, safeguards will be applied, including:
- Human intervention in the decision-making,
- The chance to dispute the outcome.
71. Exercising Your Rights:
71.1 Requests to exercise your rights can be made by contacting our Data Protection Officer (DPO) or Privacy Lead (see Part M – Contact Information).
71.2 We will respond promptly and within one month. For complex or multiple requests, this period may be extended by two additional months, with notification provided.
71.3 Verifying identity may be necessary before fulfilling a request to protect User data.
72. Right to Complain:
72.1 If you think your rights have been violated, you can file a complaint with the Information Commissioner’s Office (ICO).
72.2 You also have the right to seek judicial remedy in UK courts.
Data Security Measures
73. Commitment to Security:
73.1 Winngoo Gala is dedicated to keeping User data confidential, intact, and accessible.
73.2 Security is part of every stage of our operations, from system design to daily management, following the principle of "privacy by design and default."
74. Organisational Safeguards:
74.1 Measures implemented across the Company include:
- Appointing a Data Protection Officer (DPO) or Privacy Lead,
- Regular staff training on data protection, cybersecurity, and responses to incidents,
- Employees and contractors signing confidentiality agreements,
- Access controls ensuring only authorized personnel can view sensitive data,
- Clear desk and clear screen policies in physical workspaces.
75. Technical Safeguards:
75.1 Winngoo Gala uses strong technical controls, including:
- Encryption during transmission and at rest (TLS/SSL, AES-256),
- Firewalls and intrusion detection systems,
- Multi-factor authentication (MFA) for staff and admin logins,
- Regular penetration testing by independent security experts,
- Automated backups with secure, geographically diverse storage.
76. User Account Security:
76.1 Users are encouraged to:
- Choose strong, unique passwords,
- Enable multi-factor authentication when possible,
- Log out after sessions on shared devices.
76.2 Winngoo Gala will never ask for passwords via email or phone.
77. Physical Security:
77.1 When personal data is stored on physical systems, protections include:
- Secure data centers with biometric access controls,
- 24/7 monitoring and CCTV surveillance,
- Climate-controlled server rooms with fire suppression systems.
78. Vendor and Third-Party Security:
78.1 Third-party service providers undergo due diligence, including:
- Security assessments before onboarding,
- Contractual obligations under Article 28 UK GDPR,
- Ongoing checks of compliance certifications (e.g., ISO 27001, SOC 2).
79. Breach Detection and Response:
79.1 Even with our precautions, no system is completely free of risks.
79.2 We maintain a formal Incident Response Plan, which includes:
- Continuous monitoring for suspicious activity,
- Internal reporting and escalation procedures,
- Immediate investigation of suspected breaches,
- Containment and mitigation steps.
80. Breach Notification:
80.1 If a personal data breach occurs:
- The ICO will be notified within 72 hours if legally required,
- Affected Users will be informed without undue delay if the breach poses a high risk to their rights and freedoms,
- Information provided will include the nature of the breach, probable consequences, and actions taken.
81. Continuous Improvement:
81.1 Security practices are reviewed and updated regularly to address:
- Emerging cyber threats,
- Technological progress,
- Changes in regulations.
81.2 Annual audits and vulnerability scans are carried out to ensure ongoing resilience.
Cookies & Tracking Technologies
82. Introduction to Cookies:
82.1 Cookies are small text files placed on your device when you visit the Platform.
82.2 They serve various purposes, such as enabling core functions, remembering preferences, and improving performance.
82.3 Winngoo Gala's use of cookies complies with the UK GDPR and the Privacy and Electronic Communications Regulations 2003 (PECR).
83. Types of Cookies We Use:
83.1 Strictly Necessary Cookies
- Essential for basic platform functions, like logging in and secure navigation.
- The Platform cannot operate properly without these.
- Example: Session management cookie.
83.2 Performance & Analytics Cookies
- Collect anonymous data on how Users interact with the Platform.
- Help us improve speed, usability, and event experience.
- Example: Google Analytics cookies.
83.3 Functionality Cookies
- Remember User preferences (e.g., language, theme).
- Improve personalization without gathering sensitive data.
83.4 Targeting & Advertising Cookies
- Used to deliver relevant marketing content and measure how effective campaigns are.
- May track browsing across websites, subject to User consent.
83.5 Social Media Cookies
- Enable sharing features and single sign-on through platforms like Facebook, LinkedIn, or Google.
- Operated by third-party networks.
84. Other Tracking Technologies:
84.1 Besides cookies, Winngoo Gala may use:
- Web beacons (pixel tags) – small images embedded in emails or webpages to track engagement,
- Local storage – browser-based storage for faster loading,
- Device fingerprinting – non-intrusive gathering of device information to prevent fraud.
85. Third-Party Cookies:
85.1 Some cookies are set by third parties involved with the Platform, like:
- Analytics providers,
- Payment processors,
- Social media networks,
- Video-conferencing services.
85.2 These third parties have their own privacy policies, and we suggest reviewing them for more details.
86. Legal Basis for Cookies:
86.1 For strictly necessary cookies, the legal basis is legitimate interests (Art. 6(1)(f) UK GDPR).
86.2 For all other cookies (analytics, targeting, functionality), the legal basis is consent (Art. 6(1)(a)).
87. Cookie Consent and Management:
87.1 Users see a cookie banner on their first visit to the Platform.
87.2 You may:
- Accept all cookies,
- Reject non-essential cookies,
- Manage preferences by category.
87.3 Consent is recorded and kept in line with ICO guidance.
88. How to Control Cookies:
88.1 Users can also manage cookies through browser settings:
- Block all cookies,
- Allow cookies only from trusted sites,
- Delete cookies after each session.
89. Consequences of Disabling Cookies:
89.1 If you disable cookies, some features may not work correctly, including:
- Secure login sessions,
- Ticket purchase and checkout processes,
- Personalized event recommendations.
90. Updates to Cookie Policy:
90.1 The list of cookies used by the Platform is regularly reviewed.
90.2 Important changes will be communicated through:
- Updated cookie banners,
- Notices within this Privacy Policy.
Third-Party Links & Integrations
91. External Links:
91.1 The Winngoo Gala Platform may include links to external websites, applications, or resources not managed by us.
91.2 These links are offered for convenience or to enhance the event experience, such as:
- Learning and development resources,
- Social media event pages,
- Third-party booking systems,
- Sponsor or partner websites.
91.3 We do not control, support, or take responsibility for the privacy practices of these third parties.
92. Embedded Content:
92.1 Our Platform may incorporate content from third parties, such as:
- Video streams (e.g., YouTube, Vimeo, Zoom),
- Interactive games or polls,
- Music or entertainment services,
- Social media feeds.
92.2 These services may gather data about your interaction with their content, even if you do not actively engage with it.
93. Single Sign-On (SSO) and Social Logins:
93.1 Users may have the option to log in using third-party credentials (e.g., Google, Facebook, LinkedIn).
93.2 If this option is chosen:
- Limited profile information may be shared with Winngoo Gala (e.g., name, email, profile picture),
- The third-party provider will also process data under its own privacy terms.
94. Payment Processors:
94.1 Payments for events or premium features may be managed by trusted third-party providers.
94.2 These providers:
- Operate independently of Winngoo Gala,
- Process personal and financial information securely,
- Comply with PCI DSS (Payment Card Industry Data Security Standards).
94.3 We do not store sensitive payment card details.
95. Analytics and Performance Tools:
95.1 Winngoo Gala may use analytics providers like Google Analytics, Mixpanel, or Hotjar.
95.2 These tools assist us in:
- Monitoring site traffic,
- Understanding how Users interact with events,
- Improving user experience.
95.3 Data collected is usually aggregated and anonymized, but some tools may gather identifiable information subject to your consent.
96. Advertising and Marketing Partners:
96.1 When allowed, anonymized data may be shared with advertising platforms to provide relevant promotions.
96.2 These platforms may use cookies, beacons, or other identifiers to track ad effectiveness across websites.
96.3 Consent for such sharing is managed through cookie banners and privacy settings.
97. Third-Party Contracts and Compliance:
97.1 Any third-party service provider engaged by Winngoo Gala agrees to:
- Data Processing Agreements (DPAs) compliant with Article 28 UK GDPR,
- Confidentiality clauses and data protection obligations.
97.2 We ensure that third parties implement adequate safeguards, including encryption and limited access.
98. User Responsibility:
98.1 Users should review the privacy policies of third-party platforms before interacting with them.
98.2 By accessing third-party links or integrations, you acknowledge that Winngoo Gala is not responsible for:
- Data collected by those third parties,
- How they use, store, or share your data.
99. International Data Transfers by Third Parties:
99.1 Some third-party services may transfer data outside the UK or EEA.
99.2 These transfers will be subject to appropriate safeguards, such as:
- UK Adequacy Regulations
- International Data Transfer Agreements (IDTAs)
- Standard Contractual Clauses (SCCs)
100. Updates to Integrations:
100.1 As our Platform evolves, we may add new third-party integrations or remove existing ones.
100.2 Users will be notified of important changes when necessary.
Contact Information & Complaints Procedures
101. Contacting Winngoo Gala:
101.1 Users may contact us with questions, requests, or complaints about this Privacy Policy or how we handle their personal data.
101.2 Contact details are:
- Email: privacy@winngoogala.co.uk
- Postal Address (UK Office): Winngoo Gala Ltd., Privacy Team, [Insert Registered Office Address], United Kingdom
- Telephone (UK Support Line): [Insert Contact Number]
101.3 For faster resolution, please include:
- Your full name and registered email
- A clear description of your request or concern
- Supporting documentation, if necessary
Response Times:
- We aim to acknowledge all privacy-related inquiries within five business days.
- We will provide substantive responses within one calendar month, extendable by up to two months for complex or multiple requests.
- We are committed to resolving issues quickly and openly.
Changes to Contact Information:
- Any updates to our contact details will be posted in this Privacy Policy.
- Users are encouraged to check regularly to ensure they have the most current information.