Privacy Policy
Last updated: March 14, 2026
1. Information We Collect
SweepFeed is operated by SweepFeed LLC ("we," "us," or "our"), a Wyoming limited liability company. The Service is intended for users in the United States and Canada. Users outside these jurisdictions access the Service at their own initiative and are responsible for compliance with local laws. We collect the following categories of personal information when you use SweepFeed:
1.1 Information You Provide
- Account Information: Name, email address, authentication provider (Google, Apple, or Magic Link), profile photo, and preferences you set during registration. We do not store passwords - authentication is handled securely through third-party providers.
- Payment Information: Billing address and payment method details (processed and stored by Stripe; we do not store full card numbers)
- User-Generated Content: Winner stories, reviews, photos, and community posts you submit
- Communications: Messages you send to our support team or through in-app contact forms
- SweepFeed Email Content: If you use a @sweepfeed.com email address (Pro tier), we collect the content of incoming emails to provide the service, including automated AI analysis to identify winning notifications and promotional offers
1.2 Information Collected Automatically
- Device Information: Device type, operating system, browser type and version, screen resolution, and unique device identifiers
- Usage Data: Pages visited, sweepstakes viewed and clicked, search queries, filter preferences, time spent on pages, and referral sources
- Location Data: Approximate location (city/region level) derived from your IP address
- Log Data: IP address, access times, error logs, and API call records
1.3 Information from Third Parties
- Authentication Providers: If you sign in with Google, Apple, or other social login providers, we receive your name, email, and profile photo as authorized by you
- Analytics Providers: Aggregated and individual usage data from Google Analytics, PostHog, and Firebase Analytics
- Crash Reporting: Device information, app state, and error data via Firebase Crashlytics to diagnose issues
- Advertising: Device identifiers and usage data via Google AdMob (mobile) and Google AdSense (web) to serve relevant ads
- Subscription Management: Purchase and subscription data via RevenueCat to manage your subscription status
2. How We Use Your Information
- To provide, operate, and maintain the Service
- To personalize your sweepstakes feed and recommendations using AI
- To provide the SweepFeed Premium Email service, including automated AI parsing of emails to identify and notify you of wins
- To calculate and assign behavioral interest segments based on your activity
- To process your account registration, payments, and manage your profile
- To operate the DustBunnies rewards program, including leaderboard calculations
- To communicate with you regarding account activity, service updates, and (with your consent) marketing
- To analyze usage patterns and improve the Service
- To detect and prevent fraud, abuse, and security incidents
- To comply with legal obligations
3. CCPA/CPRA Data Categories Disclosure
The following table describes the categories of personal information we have collected in the preceding 12 months, as defined under the California Consumer Privacy Act (CCPA/CPRA):
- A. Identifiers (name, email, device IDs, IP address) - Collected: Yes | Sold: No | Shared: Yes (ad partners) | Business Purpose: Account management, personalization, fraud prevention
- B. Personal Information (Cal. Civ. Code § 1798.80) (name, address, payment info) - Collected: Yes | Sold/Shared: No | Business Purpose: Payment processing
- C. Protected Classification Characteristics (age range) - Collected: Yes (age gate only) | Sold/Shared: No | Business Purpose: Eligibility verification
- D. Commercial Information (subscription history, purchase records) - Collected: Yes | Sold/Shared: No | Business Purpose: Billing, service delivery
- F. Internet/Network Activity (browsing history, search queries, entry patterns) - Collected: Yes | Sold: No (but aggregated, de-identified behavioral data derived from this category is included in Data Intelligence reports; see Section 5.2) | Shared: Yes (ad partners) | Business Purpose: Personalization, analytics, advertising
- G. Geolocation Data (approximate city/region) - Collected: Yes | Sold: No (but aggregated, de-identified geographic data derived from this category is included in Data Intelligence reports; see Section 5.2) | Shared: Yes (ad partners) | Business Purpose: Content localization, advertising
- K. Inferences (interest profiles, behavioral predictions) - Collected: Yes | Sold: No (but aggregated, de-identified inference data derived from this category is included in Data Intelligence reports; see Section 5.2) | Shared: Yes (ad partners) | Business Purpose: Personalization, advertising relevance
To opt out of the sale or sharing of your personal information, visit our Do Not Sell or Share My Personal Information page.
4. Legal Basis for Processing (International Users)
SweepFeed is a U.S.-based service intended for users in the United States and Canada. However, if you access the Service from the European Economic Area (EEA), United Kingdom, or Switzerland, we voluntarily extend the following protections as a matter of best practice. Our legal basis for processing your personal data includes:
- Consent: Where you have given us explicit consent (e.g., marketing emails, non-essential cookies)
- Contract: Where processing is necessary to perform our contract with you (e.g., providing the Service, processing payments)
- Legal Obligation: Where processing is required to comply with applicable law
- Legitimate Interests: Where processing is necessary for our legitimate interests (e.g., fraud prevention, service improvement), provided those interests do not override your fundamental rights and freedoms
5. Information Sharing and Disclosure
We may share your personal information in the following circumstances:
- Service Providers: Third-party vendors who assist in operating the platform (hosting via Firebase/Google Cloud and Vercel, analytics via PostHog, crash reporting via Firebase Crashlytics, advertising via Google AdMob/AdSense, subscription management via RevenueCat, email delivery via Mailgun, SMS and phone services via Twilio, payment processing via Stripe, edge security via Arcjet, caching and rate limiting via Upstash Redis) under contractual obligations to protect your data
- Sweepstakes Sponsors: Only when you explicitly choose to enter a sweepstakes, and only the minimum information required by that sponsor
- Advertising and Marketing Partners: We may share certain personal information - including demographic data, usage activity, interest segments, and device identifiers - with third-party advertising partners to deliver relevant, unintrusive advertising and measure ad performance. We do not sell personally identifiable information. We do sell aggregated, de-identified data reports through our Data Intelligence marketplace (see Section 5.2). You may opt out of having your data included in these reports via our Do Not Sell page
- Data Analytics Partners: We may share aggregated and anonymized usage data with data analytics companies for market research and trend analysis. Individual-level data is not sold or shared for commercial purposes without your explicit consent
- Legal Requirements: When required by law, subpoena, court order, or government regulation, or when we believe disclosure is necessary to protect our rights, safety, or property
- Business Transfers: In connection with a merger, acquisition, bankruptcy, or sale of assets, where user data may be among the transferred assets. We will notify you via email and/or prominent notice on our Service of any change in ownership
5.1 Aggregated and Anonymized Data Sharing
We may share aggregated, de-identified data with business partners, advertisers, and data analytics companies. This data cannot reasonably be used to identify you and includes:
- Category engagement patterns (e.g., which sweepstakes types are trending)
- Entry timing data (e.g., when users are most active by hour/day)
- Prize preference data (e.g., what prize types and values drive the most engagement)
- Geographic engagement distributions (e.g., regional popularity of sweepstakes categories)
- Conversion funnel data (e.g., aggregate view-to-click-to-enter rates by category)
This aggregated data is stripped of all personally identifiable information before sharing. It does not constitute a "sale" or "sharing" of personal information under CCPA/CPRA or other applicable privacy laws because it cannot be linked back to any individual consumer.
5.2 Data Intelligence Reports
We sell aggregated, anonymized data reports through our Data Intelligence marketplace. These reports are one-time purchases by businesses and contain only de-identified, aggregated insights such as category engagement trends, entry timing patterns, prize value distributions, and geographic engagement data. Reports are generated with k-anonymity safeguards (minimum group size of 20) and contain zero personally identifiable information. Users who have exercised their right to opt out of data sales via our Do Not Sell page are excluded from all report data. Data Intelligence reports are priced between $199 and $1,499 per report period.
Because Data Intelligence reports contain only de-identified and aggregated data that cannot reasonably be linked to any individual consumer, they are exempt from the CCPA/CPRA definition of "sale" of personal information (Cal. Civ. Code § 1798.140(v)). Nevertheless, we honor all opt-out requests as described above and disclose this activity for full transparency.
6. Data Security
We implement industry-standard security measures including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls and least-privilege principles
- Regular security audits and vulnerability assessments
- Secure credential management using environment variables and Firebase secrets
- Automated monitoring for suspicious activity
However, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security. In the event of a data breach, we will notify affected users and relevant authorities within 72 hours as required by applicable law.
7. Data Retention
- Active Accounts: We retain your personal information for as long as your account is active or as needed to provide the Service
- Account Deletion: Upon account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law or for legitimate business purposes
- Payment Records: Retained for 7 years for tax and accounting compliance
- Server Logs: Retained for 90 days for security and debugging purposes
- Analytics Data: Anonymized after 26 months
- SweepFeed Email: Deleted within 30 days of Pro subscription cancellation
8. Your Rights
Depending on your jurisdiction, you may have the following rights:
8.1 All Users
- Access, correct, update, or delete your personal information via your account settings
- Opt out of marketing communications at any time (unsubscribe link in every email)
- Request a portable copy of your data in machine-readable format
8.2 California Residents (CCPA/CPRA)
- Right to know what personal information is collected, used, and shared
- Right to delete personal information
- Right to opt out of the sale or sharing of personal information
- Right to non-discrimination for exercising your privacy rights
- Right to correct inaccurate personal information
- Right to limit use and disclosure of sensitive personal information
8.3 EEA/UK Visitors
While SweepFeed is intended for U.S. and Canadian users, we voluntarily extend the following rights to visitors from the EEA/UK as a matter of best practice:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
- Right to withdraw consent at any time
- Right to lodge a complaint with a supervisory authority
To exercise any of these rights, contact us at support@sweepfeed.com. We will respond within 30 days (or as required by applicable law). We may verify your identity before processing certain requests.
9. Children's Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete such information within 5 business days. If you believe a child has provided us with personal data, please contact us immediately at support@sweepfeed.com.
10. International Data Transfers
Your information is processed in the United States. If you are located outside the United States, your information will be transferred to and processed in the United States, which may have data protection laws that differ from those of your country. We take appropriate safeguards to ensure that your personal data remains protected in accordance with this Privacy Policy, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data processing agreements with all service providers
- Encryption and access controls as described in Section 6
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by: (a) sending an email to registered users at least 15 days before the changes take effect; and (b) posting the updated policy on the Service with a revised "Last updated" date. Your continued use of the Service after any changes constitutes acceptance of the revised policy.
12. Contact
For all privacy-related inquiries:
- Privacy Team: support@sweepfeed.com
- General Support: support@sweepfeed.com
- CCPA/Do Not Sell Requests: Do Not Sell or Share My Personal Information
- Data Processing Agreements: View our DPA
13. Risk Assessment (CCPA 2026)
In compliance with the California Privacy Rights Act (CPRA) regulations effective 2026, SweepFeed conducts and documents data processing risk assessments for any processing activity that presents a significant risk to consumers' privacy. These assessments evaluate:
- The categories of personal information processed and the purpose
- Whether the processing involves sensitive personal information
- The risk of harm to consumers from unauthorized access, use, or disclosure
- Safeguards implemented to mitigate identified risks
- Whether the benefits of the processing outweigh the risks to consumer privacy
Risk assessments are conducted before launching new processing activities that involve profiling, selling or sharing personal information, or processing sensitive personal information. Assessments are reviewed annually and updated when processing activities materially change. Summaries of risk assessments are available to the California Privacy Protection Agency upon request.
14. Annual Compliance Reporting (CCPA 2026)
SweepFeed maintains annual privacy compliance reports as required by the CPRA 2026 regulations. These reports include:
- Total number of consumer data requests received, fulfilled, and denied (by type: access, deletion, opt-out, correction)
- Median response time for each request type
- Summary of data processing activities conducted during the reporting period
- Number and summary of risk assessments conducted
- Description of any data breaches and remediation actions taken
- Updates to data retention schedules or processing purposes
Annual compliance reports cover the prior calendar year and are finalized by March 1 of each year. The most recent report is published at our CCPA Annual Metrics page. Consumers may also request a summary by contacting support@sweepfeed.com.
15. Version History
- Version 1.6 (March 14, 2026): Added Data Intelligence reports disclosure (Section 5.2) for CCPA compliance. Updated CCPA data categories table to note aggregated behavioral data included in Data Intelligence reports. Updated advertising partners disclosure.
- Version 1.5 (March 6, 2026): Clarified geographic scope (United States and Canada). Updated GDPR section to reflect voluntary best-practice compliance. Added link to CCPA Annual Metrics page.
- Version 1.4 (February 15, 2026): Updated service provider disclosures to explicitly name all third-party services (Mailgun, Twilio, Arcjet, Upstash, Vercel).
- Version 1.3 (February 15, 2026): Added aggregated data sharing disclosure (Section 5.1), CCPA 2026 risk assessment (Section 13), annual compliance reporting (Section 14), and DPA link. Updated to reflect current compliance requirements.
- Version 1.2 (February 9, 2026): Removed password authentication references - SweepFeed now uses passwordless authentication only (Google Sign-In, Apple Sign-In, and Magic Link).
- Version 1.1 (February 9, 2026): Added detailed CCPA/CPRA data categories table, specified legal bases for GDPR processing, and updated data retention periods.
- Version 1.0 (December 1, 2024): Initial release of the SweepFeed Privacy Policy.
Questions about this policy? Reach out at support@sweepfeed.com