Data protection
ICO Compliance Statement
This page explains how The Peoples Prizes applies UK GDPR and Data Protection Act 2018 controls in daily operations.
Last updated: 1 February 2026
Privacy policy version: 2026-02-23
Data controller: THE PEOPLES PRIZES LTD (Company No. 16966014)
This document is an operational summary of compliance controls and is not legal advice. For full legal wording, refer to our Privacy Policy and Terms & Conditions.
1) Legal framework
Our data protection approach is based on:
- UK GDPR principles (lawfulness, fairness, transparency, minimisation, accuracy, storage limitation, integrity/confidentiality, and accountability);
- Data Protection Act 2018;
- PECR for consent-led electronic marketing and non-essential cookies.
2) Governance and accountability
We maintain documented ownership and controls for data protection operations, including:
- versioned policy rollouts for terms/privacy consent evidence;
- audit trails for data rights requests;
- defined contact channel for privacy requests and complaints: support@peoplesprizes.com.
3) Lawful bases and purpose control
We map processing activities to lawful bases including contract, legitimate interests, legal obligation, and consent where required.
- Competition administration, winner verification, and fulfilment are processed as contract/legitimate interest obligations.
- Marketing and optional updates are processed using consent controls and can be withdrawn at any time.
- Non-essential cookies are optional and can be controlled by users.
4) Consent evidence and withdrawals
Consent choices are recorded and can be updated by signed-in users.
- Current marketing consent version: 2026-02-23
- Privacy center for updates/withdrawals: Privacy Center
- Cookie preference controls: Cookie controls
5) Data subject rights workflow
Users can submit and track rights requests through self-service and support channels.
- Supported request categories: access, erasure, rectification, restriction, objection, portability.
- Users can cancel submitted requests before fulfilment.
- Fulfilment events are logged with timestamps and outcome states.
6) Security controls
Core controls include:
- TLS for data in transit;
- secure authentication cookies with environment-aware secure flags;
- production database TLS enforcement;
- PII-safe fallback/error logging and minimisation of personal data in operational logs.
7) Cookie controls and retention
Essential cookie lifetimes are controlled server-side and reflected in policy pages.
- pp_token: 14 days
- pp_guest_id: 30 days
- pp_skill_session: 2 days
8) Operational retention windows
Configured technical retention windows for security and verification datasets:
- Password reset artifacts: 7 days
- Email verification artifacts: 30 days
- Login challenge records: 30 days
- Login attempt logs: 90 days
- Email delivery events: 180 days
- Referral signal logs: 180 days
9) International transfers and vendors
Where vendors process data outside the UK, we apply recognised UK transfer safeguards and contractual controls. We review processors based on role, necessity, and risk.
10) Complaint and escalation route
We ask users to contact us first so we can resolve concerns quickly.
If unresolved, users can complain to the UK Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint.
11) Compliance maintenance cycle
We update this statement when material privacy controls, legal wording, or technical processing flows change.