Cloud 9 · Legal
Privacy Policy
A clear account of how Cloud 9 handles personal data for prize draws, competition entries, payments, verification, responsible play, marketing and support.
1. Who we are
This Privacy Policy explains how Cloud 9 collects and uses personal data when you visit our website, create an account, enter a prize draw or competition, use a free postal entry route, make a payment, contact us or receive marketing from us.
The controller is Cloud 9. Cloud 9 publishes operator details and the postal contact route on the website before entries open.
Contact us at support@cloud9draws.co.uk. If a Data Protection Officer or UK representative is appointed, their details will be published on this page.
2. Personal data we collect
The data we collect depends on how you use Cloud 9. It may include:
- Identity and profile data: name, date of birth, age confirmation, username/account details and verification status.
- Contact data: email address, postal address, telephone number and communication preferences.
- Competition and entry data: selected competition, ticket/entry numbers, answers to skill questions, free postal entry details, referral codes, prize preferences and draw outcomes.
- Payment and order data: order value, package, payment status, refunds, transaction references and limited payment metadata. We do not store full card numbers.
- Eligibility, fraud-prevention and compliance data: proof of age, identity, address, residency, self-exclusion status, responsible-play limits, device and risk signals where necessary.
- Technical data: IP address, device/browser information, session identifiers, security logs, cookie identifiers and site usage data.
- Marketing and support data: consent records, opt-out records, messages you send to us, survey responses and customer-service notes.
3. How we collect data
We collect personal data directly from you when you register, enter, pay, submit a postal entry, contact us, set responsible-play preferences or update your account.
We also collect data automatically through our website and security systems, including cookies and similar technologies where used. Third parties may provide data to us, including payment providers, identity/age verification providers, fraud-prevention services, delivery partners and referral or analytics providers.
4. Purposes and lawful bases
| Purpose | Lawful basis |
|---|---|
| Creating and managing your account | Contract performance and legitimate interests in operating a secure platform. |
| Processing competition entries, free entries, orders, refunds and prize fulfilment | Contract performance, legitimate interests and legal obligations where records must be kept. |
| Checking age, identity, residency and eligibility | Legal obligations, contract performance and legitimate interests in preventing underage or ineligible participation. |
| Fraud prevention, platform security, responsible-play controls and abuse detection | Legitimate interests, legal obligations and, where special-category data is involved, substantial public interest or legal claims as applicable. |
| Customer support and service communications | Contract performance and legitimate interests in responding to requests and maintaining service quality. |
| Marketing communications | Consent where required, and legitimate interests for limited service-related or soft opt-in communications where lawful. |
| Analytics, measurement and site improvement | Consent where required for non-essential cookies/analytics; otherwise legitimate interests using privacy-respecting, minimal data. |
| Legal, regulatory, tax, audit and dispute management | Legal obligations and legitimate interests in establishing, exercising or defending legal rights. |
5. Entries, payments and checks
We use entry and order records to allocate entries, administer paid and free routes with equal chance where applicable, run draws, contact winners, publish winner information where required and maintain audit trails.
Payments are processed by third-party payment providers. They may act as independent controllers for some payment data. Cloud 9 receives only the information needed to reconcile orders, confirm payment status, manage refunds and investigate disputes.
Before awarding a prize, we may ask for proof of age, identity, address and residency. We may also run fraud, duplicate-account, self-exclusion, responsible-play and sanctions/AML checks where appropriate to protect entrants and the integrity of the promotion.
6. Marketing choices
We send marketing emails or similar communications only where we have a lawful basis to do so. Where consent is required, you can withdraw it at any time using the unsubscribe link in the message or by contacting us.
We may still send non-marketing service messages, such as account, entry, payment, security, legal or winner notifications. These are necessary for the operation of Cloud 9 and are not marketing.
9. International transfers
We aim to keep personal data in the UK or European Economic Area where practical. Some suppliers may process data in other countries.
Where personal data is transferred internationally, we will use appropriate safeguards such as UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, or another lawful transfer mechanism.
10. How long we keep data
We keep personal data only for as long as necessary for the purposes described in this policy, including legal, tax, accounting, audit, fraud-prevention, responsible-play and dispute-resolution requirements.
| Record type | Typical retention approach |
|---|---|
| Account records | For the life of the account, then a reasonable closure period. |
| Entry, order, payment and draw audit records | Normally up to six years after the relevant promotion, unless a longer period is required for disputes, fraud prevention or legal compliance. |
| Identity, eligibility and winner verification records | Only as long as needed for verification, prize fulfilment, audit and legal defence, subject to minimisation. |
| Marketing consent and suppression records | While marketing continues and after opt-out as needed to respect your preferences. |
| Security logs and technical records | For a limited period appropriate to security, abuse prevention and incident investigation. |
11. Security
We use technical and organisational measures designed to protect personal data, including access controls, encryption or hashing where appropriate, audit logging, secure development practices and supplier due diligence.
No online service can be guaranteed completely secure. You should use a strong, unique password and contact us promptly if you suspect unauthorised access to your account.
12. Your UK GDPR rights
Subject to conditions and exemptions under data protection law, you may have the right to request access, correction, erasure, restriction, portability, objection to processing, withdrawal of consent and review of certain automated decisions.
To exercise your rights, contact us using the details above. We may need to verify your identity before responding. Some records, such as entry, payment, fraud-prevention and legal audit records, may need to be retained even if you ask us to delete your account.
13. Complaints
Please contact us first if you have a concern so we can try to resolve it. You also have the right to complain to the UK Information Commissioner's Office.
ICO contact details: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF; telephone 0303 123 1113; website ico.org.uk.
14. Changes to this policy
We may update this Privacy Policy from time to time. The latest version will be published on this page with its effective date. If a change is material, we will take reasonable steps to bring it to your attention.