Privacy Policy

Skillful Squirrel Creative Inc. (operating as "Sweeperoo") ("we," "us," "our," or the "Company") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our sweepstakes platform services.

This Privacy Policy applies to:

• Business users who create and manage sweepstakes campaigns
• Participants who enter sweepstakes created on our platform
• Visitors to our website and platform

2.1 Information from Business Users

Account Information:

• Company name and business details
• Contact name and title
• Email address and phone number
• Business address
• Payment and billing information
• Tax identification numbers

Usage Information:

• Campaign creation and management data
• Widget customization preferences
• Analytics and reporting access
• API usage and integration data
• Support ticket history

2.2 Information from Sweepstakes Participants

Entry Information:

• Name and email address
• Date of birth (for age verification)
• Location (country/province/state)
• Social media handles (if applicable)
• Entry method completion data
• IP address and device information

Optional Information:

• Phone number (for prize fulfillment or SMS verification)
• Mailing address (for prize fulfillment)
• Survey responses
• User-generated content submissions

Phone Verification Data (when required by campaign):

• Phone number in E.164 format
• Phone verification status and timestamp
• Phone line type (to detect VoIP numbers)
• Verification attempt history (for fraud prevention)

Third-Party Platform Data (when you connect accounts):

• Twitch user ID and username (for Twitch extension entries)
• Twitch subscription status (for subscription entry methods)
• Discord user ID, username, and server membership (for Discord server join entry methods)
• OAuth tokens (encrypted, for platform verification such as follows, subscriptions, and server membership)
• Social media profile information (when completing social entry methods)

2.3 Automatically Collected Information

Technical Data:

• IP addresses
• Browser type and version
• Device information
• Operating system
• Time zone settings
• Cookie data and similar technologies
• Log files and usage data

3.1 Business User Information

We use business user information to:

• Provide and maintain your account
• Process payments and send invoices
• Deliver customer support
• Send service updates and announcements
• Improve our platform and develop new features
• Comply with legal obligations
• Prevent fraud and abuse

3.2 Participant Information

We process participant information on behalf of our business users (acting as a data processor). For business users, our data processing relationship is governed by our Data Processing Agreement. We process this information to:

• Facilitate sweepstakes entry and management
• Verify eligibility and prevent duplicate entries
• Verify phone numbers via SMS when required by campaign settings (using Twilio Verify)
• Enable winner selection and prize fulfillment
• Generate analytics and reports for campaign owners
• Comply with legal requirements

4.1 Business Users Access

Business users have access to:

• Participant data from their campaigns
• Campaign analytics and performance metrics
• Winner selection tools and reports
• Entry data exports for their records

4.2 Service Providers (Subprocessors)

We share information with trusted third-party service providers who assist us in operating our platform. A complete list of our subprocessors is available at sweeperoo.com/subprocessors.

All subprocessors are bound by data processing agreements and must:

• Process data only as instructed
• Implement appropriate security measures
• Maintain confidentiality
• Assist with data subject rights requests
• Notify us of any data breaches

4.3 Legal Requirements

We may disclose information when required by law, court order, or government request.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, user information may be transferred to the acquiring entity.

5.1 Business User Data

• Active account data: Retained for the duration of your subscription
• Closed account data: Retained for 7 years for tax and legal purposes
• Payment records: Retained as required by financial regulations

5.2 Participant Data

• Active campaign data: Retained for campaign duration plus 90 days
• Winner information (general): Retained for minimum 6 years for tax compliance
• US winners (prizes $600+): Retained for 7 years per IRS Form 1099-MISC requirements
• Canadian winners: Retained for 6 years per Canada Revenue Agency requirements
• Tax forms and documentation: Retained per applicable tax authority requirements (6-7 years)
• Non-winner participant data: Deleted upon business user request or after campaign end + 90 days (whichever is later)
• OAuth tokens (Twitch, Discord): Retained while participant account is active; deleted upon account deletion or disconnection
• Phone verification data: Retained while participant account is active; verification attempt logs retained for 90 days
• Fraud detection records: Retained for 3 years for security purposes

5.3 Deletion Requests

You may request deletion of your personal information, subject to legal retention requirements.

6.1 Security Measures

We implement appropriate technical and organizational measures to protect personal information:

• Encryption in transit: TLS 1.3/SSL for all data transmission
• Encryption at rest: AES-256 encryption for sensitive data
• Access controls: Role-based access control and multi-factor authentication
• Network security: Firewalls, intrusion detection, DDoS protection
• Regular security assessments: Penetration testing and vulnerability scans
• Employee training: Security awareness and confidentiality agreements
• Incident response: 24/7 monitoring and documented response procedures
• Regular backups: Encrypted backups with disaster recovery procedures

6.2 Data Breach Notification

In the event of a data breach affecting personal information:

• We will notify affected individuals without undue delay (within 72 hours where required by law)
• We will notify relevant supervisory authorities as required by law
• Notification will include: nature of the breach, potential consequences, measures taken, and recommended actions
• Business users will be notified immediately if their participant data is affected
• We maintain a breach response plan and incident log
• Contact for breach notifications: security@sweeperoo.com

6.3 Limitations

While we strive to protect your information using industry-standard security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but commit to continuous improvement, prompt response to incidents, and transparency about our security practices.

7.1 Data Location and Transfer Mechanisms

• Primary data storage: Canada (adequate jurisdiction under GDPR)
• Secondary processing: United States (via subprocessors)
• For EU data subjects: We use Standard Contractual Clauses (SCCs) approved by the European Commission
• For UK data subjects: We use the UK International Data Transfer Agreement (IDTA)
• Additional safeguards: Encryption, access controls, and contractual protections
• Transfer documentation: Copies of transfer mechanisms available upon request

7.2 Your Acknowledgment

By using our services, you consent to the transfer of your information to Canada and other jurisdictions where we or our service providers operate.

8.1 Under PIPEDA, you have the right to:

• Access your personal information
• Correct inaccurate information
• Delete your information (subject to legal requirements)
• Port your data in a structured format
• Withdraw consent where applicable
• Object to certain processing

8.2 Exercising Your Rights

To exercise your rights:

• Email: privacy@sweeperoo.com
• Include sufficient information to verify your identity
• Specify which rights you wish to exercise
• We will respond within 30 days

8.3 Complaints

If you have concerns about our privacy practices:

1. Contact our Privacy Officer
2. If unresolved, file a complaint with the Privacy Commissioner of Canada

We use cookies and similar tracking technologies on our platform. For detailed information about our cookie practices, please see our Cookie Policy.

9.1 Types of Cookies We Use

• Essential Cookies: Required for platform functionality
• Analytics Cookies: Help us understand usage patterns
• Preference Cookies: Remember your settings
• Marketing Cookies: Used for our own marketing (not participant tracking)

9.2 Managing Cookies

• Most browsers allow you to refuse or delete cookies
• Disabling cookies may affect platform functionality
• We respect "Do Not Track" signals where applicable

• Our platform is not intended for children under 13
• We do not knowingly collect information from children under 13
• For participants aged 13-18, we require parental consent where legally required
• Business users must implement age verification for their campaigns
• If we discover we have collected information from a child under 13, we will delete it immediately
• Parents may contact us at privacy@sweeperoo.com to review or delete their child's information

• Our platform may contain links to third-party websites
• We are not responsible for third-party privacy practices
• Review privacy policies of any third-party services you use
• Business users may integrate third-party services at their discretion

12.1 From Us

• We may send service-related emails (non-optional)
• Marketing emails require opt-in consent
• You can unsubscribe from marketing emails at any time

12.2 From Business Users

• Business users control their own marketing to participants
• We are not responsible for business user marketing practices
• Participants should review each business's privacy policy

• We may update this Privacy Policy periodically
• Material changes will be notified via email or platform notice
• Continued use after changes constitutes acceptance
• Previous versions available upon request

14.1 Quebec Residents

Additional rights under Quebec privacy laws:

• Enhanced consent requirements
• Right to be forgotten in certain circumstances
• Specific provisions for minors (14-17 years)

14.2 European Union Residents

If GDPR applies:

• Additional legal bases for processing
• Enhanced data subject rights
• Right to lodge complaints with supervisory authorities

14.3 California Residents

If CCPA/CPRA applies:

• Right to know categories of information collected
• Right to opt-out of "sale" of personal information
• Non-discrimination for exercising rights

California Residents - Do Not Sell

Under the California Consumer Privacy Act (CCPA):

• We do not sell personal information in the traditional sense
• However, some data sharing with third parties may constitute a "sale" under CCPA's broad definition
• We do not sell personal information of minors under 16 without affirmative opt-in consent
• We will not discriminate against you for exercising your CCPA rights
• To exercise your rights, contact us at privacy@sweeperoo.com

For privacy-related inquiries, contact our Privacy Officer:

We are committed to:

• Compliance with PIPEDA and applicable privacy laws
• Transparency in our data practices
• Continuous improvement of privacy protections
• Regular privacy impact assessments
• Employee privacy training