Privacy Policy

Last Updated: 05 October 2025

0. INTRODUCTION

0.1 Purpose and Legal Status. This Privacy Policy (hereinafter referred to as the “Policy”) constitutes a formal statement issued by Prizology Ltd, a private company limited by shares, duly incorporated and existing under the laws of England and Wales under Company Number 16738557, having its registered office in the United Kingdom (hereinafter the “Company”). This Policy sets forth the principles, obligations, and procedures governing the collection, use, disclosure, and protection of personal data by the Company in accordance with the United Kingdom General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, and any other applicable legislation or regulatory framework (collectively, “Applicable Law”).

0.2 Scope of Application. This Policy applies to all individuals or entities accessing, registering for, or otherwise utilising any portion of the Company’s online platform, including, without limitation, its website, applications, curated database, subscription services, and all ancillary digital functionalities operated under the “Prizology” brand (collectively, the “Services”).

0.3 Acknowledgement. By accessing or continuing to use the Services, the data subject (hereinafter, the “User”) acknowledges that they have read, comprehended, and accepted the data processing practices described herein. Continued use of the Services shall constitute conclusive evidence of such acknowledgement and acceptance.

0.4 Ancillary Relationship. This Policy forms an integral component of the contractual framework established between the Company and the User pursuant to the Terms and Conditions of Service, which shall prevail to the extent of any inconsistency.

1. DEFINITIONS

  • Personal Data shall mean any information relating to an identified or identifiable natural person, as defined under Article 4(1) of the UK GDPR.
  • Processing shall mean any operation or set of operations performed upon Personal Data, whether or not by automated means, including, without limitation, collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction.
  • Controller shall mean the entity which, alone or jointly with others, determines the purposes and means of Processing Personal Data; in this context, the Controller is the Company.
  • Processor shall mean any natural or legal person who Processes Personal Data on behalf of the Controller.
  • Applicable Law shall mean all data protection and privacy legislation in force within the United Kingdom, including the UK GDPR and the Data Protection Act 2018, together with any statutory instruments or guidance issued thereunder.

2. CATEGORIES OF PERSONAL DATA PROCESSED

2.1 Account and Identification Data. The Company may collect and Process identifiers such as name, email address, authentication credentials, and related account information.

2.2 Billing and Transaction Data. Payment and invoicing details (including, without limitation, billing address, contact information, and payment method) may be collected for the purpose of subscription management. Payment credentials are processed securely by authorised third-party processors such as Stripe Payments Europe, Ltd., acting as independent or sub-processors under written agreement.

2.3 Usage and Technical Data. When interacting with the Services, technical data including IP address, device identifiers, browser type, timestamps, session metadata, and other diagnostic information may be automatically collected for operational, analytical, and security purposes.

2.4 Communications Data. Correspondence and enquiries submitted through support channels, forms, or other communications may be retained for record-keeping, dispute resolution, and customer service.

2.5 Marketing and Preference Data. Information relating to User preferences, consent status, and engagement with marketing communications may be collected where lawful.

2.6 Special Category Data. The Company does not intentionally solicit or Process special category data (as defined in Article 9 of the UK GDPR). Should such data be inadvertently received, it shall be erased or pseudonymised without undue delay.

3. PURPOSES OF PROCESSING

The Company shall Process Personal Data strictly for legitimate, explicit, and specified purposes, including but not limited to:

  1. the creation, administration, and maintenance of User accounts and Subscriptions;
  2. the management and execution of payments, billing, and related financial obligations;
  3. the delivery and improvement of the Services and underlying infrastructure;
  4. the fulfilment of legal and regulatory obligations, including tax and accounting requirements;
  5. the detection, prevention, and investigation of fraud, abuse, or security incidents;
  6. the provision of technical and customer support;
  7. the distribution of product updates, communications, and promotional material where consent has been granted; and
  8. compliance with judicial, governmental, or regulatory demands to the extent required by law.

4. LAWFUL BASES FOR PROCESSING

4.1 Lawful Bases for Processing. The Company shall ensure that all Processing of Personal Data is undertaken on at least one of the lawful bases enumerated in Article 6 of the UK GDPR, namely: (a) Contractual Necessity, where Processing is required for the performance of a contract to which the User is a party; (b) Legal Obligation, where Processing is necessary to comply with applicable statutory duties; (c) Legitimate Interests, pursued by the Company or third parties, provided such interests are not overridden by the rights and freedoms of the User; and (d) Consent, freely given, specific, informed, and unambiguous, in cases where required by Applicable Law.

4.2 Legitimate Interests Assessment. The Company maintains documented Legitimate Interests Assessments (“LIAs”) for Processing operations reliant upon Article 6(1)(f) UK GDPR.

5. DISCLOSURE AND INTERNATIONAL TRANSFER OF DATA

5.1 Processors and Subprocessors. Personal Data may be disclosed to trusted Processors engaged under written agreement containing obligations of confidentiality and data protection. Such entities may include, without limitation:

  • Supabase – authentication and database hosting;
  • Vercel – web infrastructure and analytics;
  • Stripe Payments Europe, Ltd. – payment processing;
  • Postmark – transactional email delivery.

5.2 Legal and Regulatory Disclosure. Personal Data may be disclosed where required by applicable law, judicial order, regulatory request, or to protect the vital interests of any individual.

5.3 Corporate Transactions. In the event of merger, acquisition, or transfer of assets, Personal Data may be lawfully transferred to the successor entity, subject to equivalent safeguards.

5.4 International Transfers. Where Personal Data is transferred outside the United Kingdom, the Company shall ensure appropriate safeguards are implemented pursuant to Chapter V of the UK GDPR, including adequacy regulations, standard contractual clauses, or UK International Data Transfer Agreements (IDTAs).

7. DATA SECURITY

7.1 Implementation of Security Measures. The Company shall implement appropriate technical and organisational measures (“TOMs”) to ensure a level of security appropriate to the risk, as required by Article 32 UK GDPR.

7.2 Examples of Safeguards. Such measures may include, without limitation, encryption in transit (TLS 1.2 or higher), restricted access controls, pseudonymisation, periodic audits, and continuous monitoring of infrastructure integrity.

7.3 Limitation of Liability. No system of transmission or storage is entirely secure. The Company shall not be liable for unauthorised access or loss of data arising from circumstances beyond its reasonable control.

7.4 Personal Data Breach Notification. In the event of a Personal Data Breach, the Company shall notify the Information Commissioner’s Office (ICO) and, where required, affected Users, without undue delay and in accordance with Article 33 UK GDPR.

8. RIGHTS OF DATA SUBJECTS

8.1 Enumerated Rights. Subject to Applicable Law, the User is entitled to exercise the following rights:

  1. Access – to obtain confirmation as to whether their Personal Data is being Processed and to receive a copy thereof;
  2. Rectification – to request correction of inaccurate or incomplete data;
  3. Erasure – to request deletion where lawful grounds exist;
  4. Restriction – to limit Processing under specific conditions;
  5. Portability – to receive data in a structured, commonly used, machine-readable format; and
  6. Objection – to Processing based on legitimate interests or for direct marketing purposes.

8.2 Withdrawal of Consent. Where Processing is based on consent, the User retains the right to withdraw such consent at any time, without affecting the lawfulness of prior Processing.

8.3 Procedural Requirements. Requests for the exercise of rights shall be submitted in writing to support@prizology.org. The Company shall respond within one (1) month, extendable where justified under Article 12(3) UK GDPR.

8.4 Supervisory Authority. Users may lodge complaints with the Information Commissioner’s Office (www.ico.org.uk) without prejudice to any other remedy.

9. CHILDREN’S DATA

9.1 Age Limitation. The Services are not intended for, and shall not knowingly be made available to, individuals under sixteen (16) years of age.

9.2 Unlawful Collection. If the Company becomes aware that Personal Data has been collected from a minor without requisite consent, such data shall be erased without undue delay.

10. THIRD-PARTY LINKS AND EXTERNAL SERVICES

10.1 Disclaimer of Responsibility. The Services may contain hyperlinks to external websites, plugins, or third-party applications. The Company assumes no responsibility or liability for the data protection practices or content of such third parties.

10.2 User Due Diligence. Users are advised to review the privacy policies of any third-party sites accessed through the Services.

11. MARKETING COMMUNICATIONS

11.1 Lawful Communications. The Company may, where lawful, transmit marketing communications relating to its Services, updates, or affiliated opportunities.

11.2 Opt-Out Mechanism. Users may withdraw consent or opt out of receiving marketing or promotional communications at any time by using the “unsubscribe” link provided in each email or by contacting support@prizology.org. Following receipt of such a request, the Company shall remove the User from all relevant mailing lists within a reasonable period, without affecting the lawfulness of Processing prior to the withdrawal.

11.3 Operational Notices. Operational notices relating to billing, security, or policy changes are not considered marketing and may continue to be sent notwithstanding opt-out preferences.

12. CONTROLLER DETAILS AND CONTACT

Data Controller: Prizology Ltd
Company Number: 16738557
Registered Jurisdiction: England and Wales
Contact: support@prizology.org

The Company has designated an internal Data Protection Lead responsible for overseeing compliance with this Policy.

13. AMENDMENTS

13.1 The Company reserves the right to amend or revise this Policy from time to time in response to legislative, technical, or operational developments.

13.2 Material amendments shall be notified to Users by electronic means prior to taking effect. Continued use of the Services after such effective date shall constitute acceptance of the revised Policy.

13.3 Archived versions of this Policy shall be maintained and made available upon request.

14. GOVERNING LAW AND JURISDICTION

This Policy, together with any non-contractual obligations arising therefrom, shall be governed by and construed in accordance with the laws of England and Wales. Any dispute or claim arising out of or in connection with this Policy shall fall under the exclusive jurisdiction of the courts of England and Wales, without prejudice to any mandatory rights of consumers under Applicable Law.