Introduction

This Privacy Notice applies to the prize redemption store operated by Oxigen Inc Ltd on behalf of People’s Postcode Lottery (PPL). It explains how personal data is collected, used, and protected in the course of enabling winners to redeem their non-cash prizes. PPL is the data controller for this platform, and Oxigen Inc Ltd acts as the data processor.

Contact

For any privacy-related concerns, you may contact:

Data Protection Officer

Oxigen Inc Ltd

Email: dpo@oxigen.co

 

What Personal Data We Collect/ Hold

 

We collect and/or process the following categories of personal data when you visit the prize redemption store to select or choose your prize: 

1.      Your postal delivery address 

2.     Your email address 

3.     Your phone number 

4.    Redemption code

5.     IP address, browser and device data (for security and analytics)

6.    Technical session data (cookies and site behaviour tracking)

 

How We Use Your Personal Data

Below is a list of the specific activities for which we may use your personal data on this Shopify-based prize redemption website. We have also outlined the legal basis under UK GDPR for each activity.

Activity	Legal Basis
To verify your eligibility to redeem a non-cash prize through a redemption code issued by PPL	Contract
To present you with the appropriate prize options based on your entitlement category (e.g., quiz, gift card, letterbox prize)	Contract
To collect and process your prize selection, delivery address and contact details in order to fulfil your redemption order	Contract
To send fulfilment status updates, confirmation emails and dispatch tracking notifications	Contract
To process your redemption and log the order into the backend fulfilment and customer service systems	Contract
To respond to queries related to your prize redemption (e.g., non-receipt, faulty product, return)	Legitimate Interest
To generate and send out a new code if your original redemption code has expired or is not working	Legitimate Interest
To monitor use of the website to detect fraudulent behaviour, prevent abuse, and ensure security	Legitimate Interest
To generate operational reports to support customer service, stock forecasting, and campaign effectiveness	Legitimate Interest
To log redemption activity and maintain records for audit, warranty and fulfilment traceability	Legal Obligation and Legitimate Interest
To anonymise redemption data for analytics purposes and business reporting	Legitimate Interest

We do not process payment or gambling data. No financial or transactional information is collected or stored on this website.

Data Sharing and Transfers

Who do we share your personal data with and why?

To provide you with a seamless prize redemption experience, your personal data may be shared with carefully selected third parties who act on our behalf to support the fulfilment of your prize. These organisations are only permitted to process your data under our instructions and are subject to strict data protection obligations.

Who we share your data with	Why we share it
Fulfilment Partners and Warehousing Providers	To store, pick, pack, and dispatch physical prizes you redeem via the website.
Delivery and Logistics Services (e.g. Royal Mail, DPD)	To deliver your prize or physical gift card to your address and provide tracking updates.
Technology Providers (e.g. Shopify and AWS)	To power the redemption platform and process your order securely and efficiently.
Customer Experience and Contact Centre Services	To support prize redemption queries, complaints, and updates related to your order.
Email and Communication Platforms (e.g. Adobe Campaign, Klaviyo)	To send order confirmation emails, redemption instructions, and delivery updates.
IT and Security Service Providers	To maintain system uptime, protect against unauthorised access, and deliver ongoing technical support.

We do not sell or rent your data to any third party. Any data transfers are governed by legally binding agreements and are in full compliance with UK data protection laws.

International Data Transfers

We store your data within the UK or EEA. Where data may be transferred outside these areas, appropriate safeguards such as standard contractual clauses are in place.

Data Retention

We retain your transaction data for two years to support any prize fulfilment, warranty or customer service queries. Data may be retained for up to seven years for regulatory and operational auditing purposes.

Cookies and Tracking

The site uses Shopify cookies to ensure functionality and security. We also integrate PPL’s OneTrust cookie management tool to allow users to manage their cookie preferences. We collect technical data to improve website performance and security.

Your Rights

Under UK data protection law, you have the following rights in relation to your personal data. You may exercise these rights by contacting our Data Protection Officer at: dpo@oxigen.co

Your Right	What This Means
Right to be informed	You have the right to be informed about the collection and use of your personal data. This privacy notice is part of how we do that.
Right of access	You have the right to request a copy of the personal data we hold about you, along with details of how we use it.
Right to rectification	You have the right to request that inaccurate or incomplete data about you is corrected or updated.
Right to erasure	In certain circumstances, you may have the right to request that your personal data is deleted. This is also known as the ‘right to be forgotten’.
Right to restrict processing	You have the right to request that we restrict the processing of your personal data in specific situations, for example where you contest the accuracy of the data or have objected to the processing.
Right to data portability	You may have the right to obtain and reuse your personal data for your own purposes across different services. This applies to data you have provided to us, where we process it on the basis of your consent or for the performance of a contract.
Right to object	You have the right to object to the processing of your personal data where it is based on legitimate interests or for direct marketing purposes.
Rights in relation to automated decision making and profiling	We do not conduct automated decision-making or profiling in connection with our prize redemption site. If this changes, we will inform you and update this privacy notice.

 

Your right to be informed if your personal data is compromised

In the unlikely event that personal data we hold in relation to the prize redemption service is breached or compromised in a way that poses a high risk to your rights and freedoms, we will contact you without undue delay. We will inform you of:

• What happened and how it happened
• What data was affected and the potential impact to you
• What actions we are taking to address the breach
• How you can stay informed and protect yourself
• How to contact our Data Protection Officer

We will also notify the Information Commissioner’s Office (ICO), where required under UK data protection law.

How we keep your personal data safe

At Oxigen Inc Ltd, the security and protection of personal data is a fundamental part of how we operate and deliver services on behalf of People’s Postcode Lottery. We are committed to ensuring the confidentiality, integrity and availability of data processed on our prize redemption platform.

How we minimise risk and approach IT security

• Our platform is a cloud-based e-commerce system that follows international best practices in IT and data security.
• All customer data is stored in secure environments that are protected by access controls and encryption.
• Oxigen applies strict internal access governance protocols and staff training in line with data protection regulations.
• All data transfers to fulfilment or third-party partners are governed by data processing agreements and are transmitted securely.
• Our systems are regularly monitored for unusual activity, and security patches are applied promptly.

We maintain a culture of security awareness throughout our operations.

Policy Updates

This Privacy Notice may be updated periodically. The most current version will always be available on this website. Last updated: May 2025