WinnerScript

Privacy Policy

Effective date: 19 April 2026. This policy explains how WinnerScript collects, uses, stores, and protects personal data.

1. Controller and Contact

WinnerScript Platform ("WinnerScript", "we", "us") is the controller of personal data processed through the website and application.

• Contact email: [email protected]
• Data rights requests: use subject line "Data Request"
• Response time: up to 30 days, unless law allows an extension

If you need full contracting or invoicing entity details, request them by email and we will provide them for your case.

2. Scope

This policy applies to data processed when you use our website, application, support channels, and report features. It does not apply to third-party websites linked from our pages.

3. Data We Process

• Account and identity data: email address, authentication identifiers, account status flags.
• Consent records: granted and revoked consent types, timestamps, and related audit metadata.
• Assessment input data: questionnaire answers and session records.
• Derived profile data: instinct scores, element scores, flow analysis, and R.I.F.T. diagnostics.
• Report data: generated report content and report status history.
• Commercial data: checkout events, entitlements, discount usage, and transaction metadata.
• Technical and security data: logs, error telemetry, and anti-abuse signals.
• Support communications: messages sent to our support email.

Questionnaire and profiling data may qualify as special category personal data under GDPR Article 9, depending on context.

4. Purposes and Legal Bases (GDPR)

• Account access and service delivery - Article 6(1)(b) GDPR (contract performance).
• Processing assessment/profile data - Article 6(1)(b) and Article 9(2)(a) GDPR (explicit consent).
• AI report generation - Article 6(1)(b) and Article 9(2)(a) GDPR.
• Payments, invoicing, and accounting - Article 6(1)(b) and Article 6(1)(c) GDPR.
• Security, fraud prevention, and service stability - Article 6(1)(f) GDPR (legitimate interests).
• Optional analytics and optional marketing - Article 6(1)(a) GDPR (consent).

5. AI, Profiling, and Automated Processing

We combine deterministic scoring logic with AI-generated narrative text. AI is used to generate explanatory reports based on your scores and diagnostics. We do not use profiling to make solely automated decisions that produce legal or similarly significant effects.

You can request review and clarification by contacting [email protected].

6. Cookies and Similar Technologies

• Strictly necessary cookies: used for login/session security, CSRF protection, and locale preferences.
• Optional analytics cookies: enabled only after consent where required.
• Consent management: handled through our cookie banner tooling.

You can change cookie preferences at any time through the cookie settings interface on the website.

7. Data Recipients and Processors

We use trusted providers for specific processing operations, including:

• Kinde - authentication and identity tooling.
• Anthropic - AI report generation.
• Stripe - payment processing.
• Google Cloud - infrastructure hosting.
• Cloudflare - CDN and security delivery layer.
• Sentry - error monitoring and diagnostics.

Vendors are engaged under contractual data protection terms and are limited to relevant processing purposes.

8. International Data Transfers

Some providers may process data outside the EEA. When that happens, we use appropriate safeguards required by GDPR, including standard contractual clauses (SCCs) or equivalent lawful transfer mechanisms.

9. Data Retention

• Account and profile data: retained while your account is active, then deleted or anonymized after closure workflows.
• Consent and audit records: retained for accountability and legal defense periods.
• Payment/accounting records: retained for periods required by tax and accounting law.
• Security logs: retained for limited operational and security windows.

Where deletion is requested, we perform deletion workflows and restrict residual processing except where retention is required by law.

10. Your Rights

Subject to GDPR and local law, you can request:

• Access to your data (Article 15 GDPR).
• Rectification of inaccurate data (Article 16 GDPR).
• Erasure of data (Article 17 GDPR).
• Restriction of processing (Article 18 GDPR).
• Data portability (Article 20 GDPR).
• Objection to specific processing (Article 21 GDPR).
• Withdrawal of consent where consent is the legal basis.

You also have the right to file a complaint with your supervisory authority. In Poland, this is the President of the Personal Data Protection Office (UODO): uodo.gov.pl.

11. Security Measures

We apply technical and organizational controls, including encrypted transport (TLS), access controls, logging, and least-privilege operational practices. Security controls evolve with product risk.

12. Minimum Age

WinnerScript is intended for users aged 18 and older. If we learn that we processed data of a minor without valid basis, we will delete it as required by law.

13. Policy Updates

We may update this policy when legal requirements or product behavior changes. Material changes will be communicated through appropriate channels. The "Effective date" at the top indicates the latest version.

Back to Landing