Privacy Policy

1. Introduction and Identity of the Controller

Viraloo ("we", "us", or "our") is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains what personal data we collect, how we use and protect it, and what rights you have in relation to it.

Viraloo is the data controller for personal data collected directly from users of our platform. Where our platform is used by third-party campaign Operators to collect participant data, those Operators are the data controllers and Viraloo acts as a data processor — see our Data Processing Agreement for details.

This policy applies to viraloo.org and all sub-domains, our web application, APIs, and related services. If you have questions, contact our data protection team at privacy@viraloo.org.

2. Personal Data We Collect

2.1 Account Holders (Operators)

• Registration data: full name, email address, password (stored as a cryptographic hash)
• Business information: company name, website URL, billing address
• Payment data: billing details processed by Stripe — we do not store full card numbers; we retain the last four digits, card type, and expiry date for billing reference
• Communication records: support tickets, contact form messages, email correspondence
• Usage and behavioural data: feature usage, campaign configurations, login timestamps, IP addresses

2.2 Campaign Participants

When you enter a campaign hosted on our platform, the Operator collecting your data acts as data controller. Viraloo processes the following as data processor on the Operator's behalf:

• Name and email address (provided during entry)
• Referral code and referral attribution data
• Entry timestamp, source/medium, and device/browser metadata
• IP address (used for fraud detection and geo-restriction enforcement)
• Leaderboard position and points tally
• Email open and click data (where transactional emails are sent)

2.3 Automatically Collected Data

• Device information: operating system, browser type and version, screen resolution
• Network information: IP address, approximate geolocation (country/city level)
• Usage data: pages visited, clicks, session duration, referring URL, exit URL
• Cookies and similar tracking technologies (see our Cookie Policy)

3. Legal Bases for Processing (GDPR)

Where GDPR or UK GDPR applies, we process personal data under the following legal bases:

• Contract performance (Art. 6(1)(b)): processing necessary to deliver the Service to account holders and to fulfil transactional obligations
• Legitimate interests (Art. 6(1)(f)): security and fraud prevention, platform analytics and improvement, direct marketing to existing customers (with opt-out available), network monitoring
• Legal obligation (Art. 6(1)(c)): complying with tax, financial reporting, and law enforcement requirements
• Consent (Art. 6(1)(a)): marketing communications to prospects; non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing.

4. How We Use Personal Data

• Provide, operate, and improve the Service
• Process payments and manage subscription billing
• Authenticate users and maintain account security
• Send transactional emails (receipts, password resets, account alerts)
• Send product updates, newsletters, and marketing communications (where consented or under legitimate interests, with opt-out)
• Enforce our Terms of Service and detect fraudulent activity
• Conduct internal analytics, A/B testing, and product research
• Respond to support requests and legal inquiries
• Comply with legal and regulatory obligations

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data. We share data only as follows:

• Service providers (sub-processors): carefully vetted third parties who process data on our behalf under written data processing agreements, including cloud infrastructure providers, email delivery services (transactional and marketing), payment processor (Stripe, Inc.), error monitoring and analytics tools, and customer support platforms
• Campaign Operators: participant data collected through an Operator's campaign is accessible to that Operator as data controller
• Legal and regulatory authorities: where required by applicable law, court order, or lawful government request
• Business transfers: in connection with a merger, acquisition, restructuring, or sale of assets, subject to the acquirer assuming equivalent data protection obligations
• Professional advisers: lawyers, auditors, and insurers under confidentiality obligations where necessary

6. International Data Transfers

Your data may be transferred to, and processed in, countries outside your jurisdiction, including outside the European Economic Area (EEA) or UK. Where such transfers occur, we ensure appropriate safeguards are in place including: EU Standard Contractual Clauses (SCCs) approved by the European Commission; the UK International Data Transfer Agreement (IDTA); or transfers to countries with an EU/UK adequacy decision. You may request a copy of relevant transfer mechanisms by contacting us.

7. Data Retention

• Account data: retained for the duration of your account plus 30 days after account closure (or longer if required by law)
• Billing records: retained for 7 years for tax and accounting compliance
• Campaign participant data: retained per the Operator's instructions; default retention is 24 months from campaign end unless the Operator instructs otherwise
• Support communications: retained for 3 years
• Server logs: retained for 90 days for security monitoring
• Anonymised/aggregated analytics: retained indefinitely (no personal data)

8. Your Rights

Subject to applicable law, you have the following rights regarding your personal data:

• Right of access: obtain a copy of the personal data we hold about you
• Right to rectification: correct inaccurate or incomplete data
• Right to erasure ("right to be forgotten"): request deletion of your data in certain circumstances
• Right to restriction: limit how we process your data in certain circumstances
• Right to data portability: receive your data in a structured, machine-readable format
• Right to object: object to processing based on legitimate interests or for direct marketing purposes
• Rights related to automated decision-making: not to be subject to solely automated decisions that produce significant legal effects
• Right to withdraw consent: where processing is based on consent, withdraw it at any time

To exercise any of these rights, email privacy@viraloo.org. We will respond within 30 days (extendable by a further 60 days for complex requests with notice). Identity verification may be required. If you are a campaign participant, you should contact the Operator directly as they are the data controller for your participant data.

You also have the right to lodge a complaint with your local supervisory authority (e.g., the UK ICO, or the relevant EU Data Protection Authority).

9. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or alteration, including:

• TLS 1.2+ encryption for all data in transit
• AES-256 encryption for sensitive data at rest
• Bcrypt password hashing (minimum cost factor 10)
• Role-based access controls and principle of least privilege
• Regular security assessments and dependency audits
• Multi-factor authentication available for all accounts
• Intrusion detection and anomaly monitoring

In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, as required by applicable law.

10. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without verifiable parental consent, we will delete it promptly. If you believe we hold personal data relating to a child, contact privacy@viraloo.org immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email (to the address associated with your account) or a prominent notice within the platform, at least 14 days before the changes take effect. The "Last updated" date at the top of this page will always reflect the most recent revision.