Privacy Policy

Your data, plainly treated.

What we collect, why we collect it, what we do with it, and how to ask us to stop. Written in plain English because it ought to be.

Back to home

The Golden Passport Ltd is the data controller for the personal information you share with us when you visit this website or enter one of our prize draws. We take data protection seriously. This policy sets out exactly what we do with your information under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

The short version We collect only the information we need to run the draw and contact you if you win. We don't sell your data. We don't share it with anyone other than the providers we need to use to take payment and send email. You can ask to see, correct, or delete your data at any time by emailing ollie@thegoldenpassport.co.uk.

  1. Who we are

    The data controller is The Golden Passport Ltd, a company registered in England and Wales with company number 17173453. Registered office: Newcastle upon Tyne.

    For any question about your personal data or about this policy, contact ollie@thegoldenpassport.co.uk.

  2. What we collect

    We collect only what we need.

    When you enter a draw (paid)

    • Your name;
    • Your email address;
    • A billing address (as required by our payment processor);
    • Transaction data (amount, date, entry count) - not card numbers, which we never see;
    • Your marketing preferences if you've opted in.

    When you enter a draw (free postal)

    • The name, postal address, date of birth, and email address you include on the entry;
    • The fact that you have entered that specific draw.

    When you visit the website

    • A small set of technical data automatically generated by your browser (IP address, browser type, pages visited). See the Cookie Policy for detail.

    If you win

    • Identity documents (passport or driving licence) and proof of UK residency (utility bill or equivalent) for eligibility verification. We confirm the check and delete the documents within 30 days unless we are legally required to retain them for longer.

  3. Why we use it (legal basis)

    Under UK GDPR, we must have a lawful basis to use your personal data. Here is the basis for each purpose:

    Purpose Legal basis
    Running the draw (processing your entry, notifying you if you win, issuing the prize) Performance of a contract (Article 6(1)(b) UK GDPR)
    Identity and eligibility verification of the winner Legal obligation and performance of a contract (Article 6(1)(b) and (c))
    Preventing fraud and abuse of the draw Legitimate interests (Article 6(1)(f)) - running a fair draw
    Sending you marketing emails about future draws Consent (Article 6(1)(a)) or soft opt-in for existing paid entrants under PECR Regulation 22(3)
    Accounting, tax, and regulatory record-keeping Legal obligation (Article 6(1)(c))
    Publishing winner's first name and town Legitimate interests - promoting a genuinely awarded prize, which is required by the CAP Code

  4. Who we share your data with

    We share personal data only with trusted service providers who help us run the draw. Each of them is bound by a written data-processing agreement that requires them to handle your data at least as carefully as we would.

    Data processors we rely on

    • Payment processor - for taking and refunding paid entries. We use a UK or EU-based processor. Processor to be confirmed before launch.
    • Email provider - for sending transactional confirmations and marketing emails (if you've opted in). Provider to be confirmed before launch.
    • Hosting provider - for operating this website. We use Netlify, a provider with data-processing terms in place.
    • a premier luxury travel concierge - if you are the winner, we share your name and contact details with a premier luxury travel concierge so they can deliver the prize.

    We may also share your data where we are legally required to - for example, with HMRC for tax purposes, with the Information Commissioner's Office if requested, or with a court under a lawful order.

    We do not sell your data, full stop. We do not share it with advertisers, list brokers, or any party not listed above.

  5. How long we keep it

    Data type Retention period
    Entrant records (name, email, entries) 3 years after the close of the relevant draw, then deleted or anonymised
    Winner records (including proof of ID) ID documents deleted within 30 days of verification. Core winner record kept for 7 years for tax and accounting purposes.
    Payment records 7 years from the end of the relevant tax year (HMRC requirement)
    Marketing preferences (opt-ins and opt-outs) Until you withdraw consent, or 3 years of inactivity, whichever comes first
    Postal entries (physical) Destroyed securely within 60 days of the relevant draw
    Website technical data See the Cookie Policy

  6. Your rights

    Under UK GDPR, you have the right to:

    • Access - ask for a copy of the personal data we hold about you;
    • Rectification - ask us to correct any inaccurate or incomplete data;
    • Erasure - ask us to delete your data (with some exceptions where we have a legal obligation to keep it);
    • Restriction - ask us to temporarily stop using your data while a concern is investigated;
    • Portability - ask us to provide your data to you or another provider in a portable format;
    • Objection - object to processing based on legitimate interests, including direct marketing;
    • Withdrawal of consent - where we rely on consent, you can withdraw it at any time.

    To exercise any of these rights, email ollie@thegoldenpassport.co.uk. We aim to respond within 30 days, and we do not charge a fee for reasonable requests.

    If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO), the UK's data protection regulator, at ico.org.uk or by calling their helpline on 0303 123 1113.

  7. Marketing

    We may send you occasional marketing emails about upcoming draws, winner stories, and charity updates. We will only do this if:

    • You have explicitly opted in at sign-up or at a later point; or
    • You have previously entered a paid draw (the PECR "soft opt-in"), and we are contacting you about very similar products (namely, future Golden Passport draws).

    Every marketing email includes a one-click unsubscribe link. You can also email us to opt out at any time.

  8. Children

    This service is not intended for anyone under the age of 18. We do not knowingly collect personal data from anyone under 18. If we become aware that we have done so, we will delete the data promptly.

  9. International transfers

    Where possible, your personal data stays in the UK or EU. If any of our service providers transfer your data outside the UK or EU (for example, if our email provider routes data through a US data centre), we rely on either (a) an adequacy decision by the UK government, or (b) Standard Contractual Clauses approved by the ICO, together with any further safeguards required to ensure your data receives equivalent protection.

  10. Security

    We take reasonable technical and organisational measures to protect your personal data from accidental loss, unauthorised access, disclosure, or alteration. That includes encrypted connections (HTTPS) across the site, restricted access to entrant records, and secure destruction of physical postal entries.

    No system is entirely secure. In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where the risk is high, will contact affected individuals directly.

  11. Changes to this policy

    We may update this policy from time to time. Material changes will be clearly marked, and where we have your contact details, we will notify you directly. The "last updated" date below always reflects the current version.

Last updated · April 2026 · Pending final legal review before Draw One opens