Annual Privacy Metrics Report
Last updated: March 6, 2026
Reporting Period
This report covers the calendar year January 1, 2025 — December 31, 2025, in compliance with the California Consumer Privacy Act (CCPA/CPRA) regulations requiring annual disclosure of consumer data request metrics, as referenced in Section 14 of our Privacy Policy.
1. Consumer Data Requests Received
The following table summarizes the consumer privacy requests received, fulfilled, and denied during the reporting period:
- Requests to Know (Access): Received: 0 | Fulfilled: 0 | Denied: 0 | Median Response Time: N/A
- Requests to Delete: Received: 12 | Fulfilled: 12 | Denied: 0 | Median Response Time: 4 days
- Requests to Opt-Out (Do Not Sell/Share): Received: 3 (manual) + GPC signals honored automatically | Fulfilled: 3 | Denied: 0 | Median Response Time: 1 day
- Requests to Correct: Received: 0 | Fulfilled: 0 | Denied: 0 | Median Response Time: N/A
No requests were denied during this reporting period. All requests were verified and processed within the statutory timeframes required by applicable law.
2. Global Privacy Control (GPC)
SweepFeed honors the Global Privacy Control (GPC) signal as a valid opt-out request under CCPA/CPRA. GPC-based opt-outs are processed automatically at the browser level and are not included in the manual request counts above. When a GPC signal is detected, all non-essential cookies (analytics and advertising) are automatically blocked, and a persistent opt-out cookie (sf_gpc) is set.
3. Data Processing Activities
During the reporting period, SweepFeed processed personal information for the following purposes:
- Account registration and authentication (passwordless via Google, Apple, Magic Link)
- Sweepstakes feed personalization and AI-powered recommendations
- Subscription billing and payment processing (via Stripe)
- Analytics and product improvement (via PostHog, consent-gated)
- Advertising delivery (via Google AdSense/AdMob, consent-gated)
- DustBunnies rewards program operation
- Email communications (via Mailgun)
- Fraud prevention and platform security (via Arcjet)
4. Risk Assessments
SweepFeed conducted 2 data processing risk assessments during the reporting period, as required by CPRA regulations:
- Assessment 1: AI-powered email parsing for Pro subscribers (SweepFeed Email). Assessed risk of processing email content, safeguards implemented (encryption at rest, automated-only access, 30-day retention post-cancellation), and concluded benefits outweigh risks with existing safeguards.
- Assessment 2: Behavioral interest segmentation for advertising personalization. Assessed risk of profiling, safeguards implemented (consent-gated collection, GPC enforcement, opt-out mechanisms), and concluded benefits outweigh risks with user controls in place.
Summaries of risk assessments are available to the California Privacy Protection Agency upon request.
5. Data Breaches
Zero data breaches were reported or detected during the reporting period. SweepFeed maintains a 72-hour breach notification protocol as described in our Privacy Policy and Data Processing Agreement.
6. Data Retention Updates
No changes were made to data retention schedules or processing purposes during the reporting period. Current retention policies remain as documented in Section 7 of our Privacy Policy.
7. Contact
Consumers may request additional details about this report or exercise their privacy rights by contacting support@sweepfeed.com. For opt-out requests, visit our Do Not Sell or Share My Personal Information page.
Questions about this policy? Reach out at support@sweepfeed.com