Privacy Policy

Registration: Email address, username, password (hashed — we cannot see plaintext), referral source.

Transaction data: Credits purchase history, draw entries, direct purchases, prize claims, referral commissions, check-in history.

Payment data: When purchasing Credits, payment is processed by third-party providers (e.g. Stripe, Checkout.com). We do not store your full card number. We receive a transaction reference and amount only.

Delivery data: If you claim a physical prize, we collect your full name, delivery address, and phone number.

Technical data: IP address, browser type, device type, pages visited, timestamps. Collected automatically via server logs and Google Analytics.

• To operate your account and process Credits transactions
• To conduct draws and notify winners
• To ship physical prizes to winners
• To deliver digital prizes and activation codes by email
• To calculate and pay referral commissions
• To send transactional emails (purchase confirmations, draw results, prize notifications)
• To detect and prevent fraud and abuse
• To improve the Platform using aggregated analytics
• To comply with legal obligations

We use Google Analytics to understand how users interact with the Platform. This involves setting cookies and transmitting anonymised usage data to Google. You may opt out via Google's opt-out browser add-on.

We use essential cookies for authentication (login session). These cannot be disabled without preventing you from logging in.

We do not sell your personal information. We share data only with:

• Payment processors (e.g. Stripe, Checkout.com) — to process Credits purchases
• Shipping carriers (e.g. DHL, FedEx) — to deliver physical prizes
• Email service providers (Resend) — to send transactional emails
• Cloud infrastructure (Vercel, Railway, Supabase) — to host the Platform
• Law enforcement — when required by law or to protect rights

We retain your account data for as long as your account is active. Transaction records are retained for 7 years for accounting and legal compliance. If you delete your account, personal identifiers are removed within 30 days, but anonymised transaction records may be retained.

You have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate information
• Request deletion of your account and associated data
• Withdraw consent for marketing communications at any time

To exercise these rights, email support@onegrab.io. We will respond within 20 working days.

We implement industry-standard security measures including TLS encryption in transit, hashed passwords, row-level security on our database, and access controls. No system is 100% secure; we encourage you to use a strong unique password.

Your data may be stored and processed in countries outside New Zealand (including the United States and EU) by our infrastructure providers. We rely on standard contractual clauses and provider certifications to protect your data in these transfers.

The Platform is not intended for users under 18. We do not knowingly collect data from minors. If you believe a minor has registered, please contact us immediately.

Email: support@onegrab.io

Company: OneGrab Limited, New Zealand

If you have an unresolved privacy concern, you may lodge a complaint with the New Zealand Office of the Privacy Commissioner at privacy.org.nz.