Privacy Policy

Last updated: April 2026

1. Who we are

1.1 Noble Wins Ltd (“we”, “us”, “our”) is a company registered in England and Wales (Company No. 16946745). We operate the website noblewins.co.uk and the associated mobile experiences (the “Website”).

1.2 For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we are the data controller for the personal data we collect about you.

1.3 Contact for data protection queries: support@noblewins.co.uk.

2. The personal data we collect

2.1 Account information — full name, email address, telephone number (UK mobile), date of birth, and postal address (where you supply one).

2.2 Competition and order data — the Competitions you have entered, ticket numbers allocated to you, the number of paid and free Entries, order history, applied discount codes, and site credit balance.

2.3 Payment data — transaction identifiers, the last four digits of the card used, billing address, and the payment status returned by our payment provider. We never see, store, or transmit your full card number, expiry, or CVC. Card data is collected directly by our PCI-DSS Level 1 payment provider, Trust Payments Group, in iframes hosted on Trust Payments' own domain.

2.4 Verification documents — only when you win a prize: government-issued photo ID, proof of address, and (for cash prizes) a UK bank account in your name.

2.5 Technical data — IP address, browser and device information, language and locale, pages visited, and approximate location derived from IP. Used for security, fraud detection, and (with your consent) analytics.

2.6 Marketing preferences — your choices for email, SMS, and push notifications, and the date you last gave or withdrew consent.

2.7 Responsible-play settings — any spending caps, cooling-off periods, or self-exclusion you have set on your account.

2.8 We do not knowingly collect special-category data (such as data about health, race, religion, or sexual orientation). Do not send us such data unless we specifically ask for it.

3. How we use your data and on what legal basis

3.1 The table below sets out, for each purpose for which we use your personal data, the lawful basis we rely on under UK GDPR Article 6.

PurposeLawful basis
Creating and managing your account, processing your Entries, and operating the CompetitionsPerformance of a contract (Art. 6(1)(b))
Processing payments and managing refundsPerformance of a contract (Art. 6(1)(b))
Verifying winners' identity, age, and eligibilityPerformance of a contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c))
Fraud prevention and detectionLegitimate interest (Art. 6(1)(f)) — protecting the integrity of our Competitions
Tax, accounting, and other statutory record-keepingLegal obligation (Art. 6(1)(c))
Service-related communications (e.g. order confirmation, draw notifications, account security alerts)Performance of a contract (Art. 6(1)(b))
Marketing communications (newsletters, promotions)Consent (Art. 6(1)(a)); withdrawable any time in your account or via the unsubscribe link
Analytics and marketing pixels (e.g. Meta Pixel)Consent (Art. 6(1)(a)); only loaded if you accept optional cookies
Publishing the winner's first name, last name, and countyLegitimate interest (Art. 6(1)(f)) — transparency of winners under CAP Code rule 8.28.5

4. Who we share your data with

4.1 We share your personal data only with the following categories of recipients, and only to the extent necessary for the purposes set out in section 3:

  • Trust Payments Group — our PCI-DSS Level 1 payment service provider. Trust Payments handles card capture, 3-D Secure authentication, and payment authorisation. Their privacy notice is available at trustpayments.com/privacy-policy.
  • Resend — our transactional email provider, used for order confirmations, draw notifications, and password resets.
  • Cloud infrastructure providers — for hosting the Website, the database, and our backups (UK and EU data centres).
  • Delivery partners — only the winner's name and address, and only after they win a physical prize.
  • Meta Platforms (Facebook) — only if you have consented to marketing cookies, in which case the Meta Pixel sends pseudonymised event data to Meta for ad attribution.
  • Professional advisers — accountants, auditors, and lawyers, where engaged on our behalf and bound by confidentiality.
  • Regulators, authorities, and law enforcement — where we are legally required to disclose data, or where disclosure is necessary to protect our rights, our customers, or the public.

4.2 We do not sell your personal data to anyone, ever.

5. International transfers

5.1 Your personal data is primarily stored in the United Kingdom. Some of our service providers (such as Meta, when consent is given) may process data outside the UK and EEA. Where this happens, we rely on the UK Government's adequacy decisions or, in their absence, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another approved transfer mechanism.

6. How long we keep your data

  • Account data: while your account is active and for 6 years after closure (in line with our limitation-period and dispute-resolution obligations).
  • Competition entries and ticket records: 6 years from the date of the relevant Draw.
  • Transaction and tax records: 7 years from the end of the relevant accounting period (HMRC requirement).
  • Verification documents: deleted within 6 months of prize delivery, unless retention is required by law (for example, an ongoing fraud investigation).
  • Marketing preferences: retained until you withdraw consent and for 2 years thereafter to prevent accidental re-subscription.
  • Cookies: see our Cookie Policy for the expiry of each cookie.
  • CCTV and live-stream recordings of Draws: 90 days, after which footage is deleted unless required for an ongoing dispute.

7. Marketing

7.1 We will only send you marketing emails, SMS, or push notifications if you have given us your specific consent.

7.2 You can withdraw your consent at any time:

  • From the “Preferences” section in your account;
  • By using the unsubscribe link in any marketing email;
  • By replying STOP to any marketing SMS; or
  • By emailing support@noblewins.co.uk.

7.3 Service-related messages (order confirmations, security alerts, prize delivery updates) are not marketing and will continue while you have an active account.

8. Your rights under UK GDPR

8.1 You have the right to:

  • Access the personal data we hold about you;
  • Rectification of inaccurate or incomplete data;
  • Erasure of your data (the “right to be forgotten”), subject to our retention obligations in section 6;
  • Restrict processing of your data in certain circumstances;
  • Data portability — receive your data in a structured, machine-readable format;
  • Object to processing based on legitimate interests, including direct marketing (where we will stop without question);
  • Withdraw consent at any time, where we rely on consent.

8.2 To exercise any of these rights, email support@noblewins.co.uk. We will respond within one calendar month. If your request is complex or you have submitted multiple requests, we may extend this by a further two months and will let you know if so.

8.3 You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk

We'd appreciate the chance to address any concerns first, but you can complain to the ICO directly at any time.

9. Cookies

9.1 We use a small number of cookies. Strictly-necessary cookies (sign-in, basket, cookie preference) are always set; analytics and marketing cookies (including the Meta Pixel) are only set after you click “Accept all” on the cookie banner.

9.2 The full list, with the purpose and lifetime of each cookie, is available on our Cookie Policy page. You can change your preference at any time from that page.

10. Data security

10.1 We take security seriously. Measures include:

  • HTTPS / TLS encryption on all Website traffic;
  • Hashed and salted passwords (we never see your password in plain text);
  • HttpOnly, Secure, SameSite=Strict authentication cookies;
  • Card capture is delegated entirely to our PCI-DSS Level 1 payment provider — your card data never reaches our servers;
  • Encrypted backups stored in UK and EU data centres;
  • Role-based access controls and audit logging on internal systems;
  • Regular vulnerability and dependency scanning.

10.2 No system is perfect. If we suffer a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the ICO in line with UK GDPR Articles 33 and 34.

11. Children

11.1 Our service is for adults aged 18 or over. We do not knowingly collect personal data from anyone under 18. If you believe a person under 18 has supplied us with personal data, please contact us and we will delete it.

12. Automated decision-making

12.1 Winning Entries are selected by an automated random-number generator. This is not “automated decision-making” in the sense of UK GDPR Article 22 because the decision (whether your specific Entry wins) does not produce a legal effect or a similarly significant effect on you beyond the fact of winning the advertised prize.

12.2 We do not use automated profiling to make decisions that produce legal or similarly significant effects on you.

13. Changes to this policy

13.1 We may update this policy from time to time. The current version will always be available on this page with the date last updated. Material changes will be notified by email or via the Website.

14. Contact

Email: support@noblewins.co.uk

Noble Wins Ltd
128 City Road
London
EC1V 2NX
United Kingdom

Registered in England and Wales, Company No. 16946745.