WINIT PRIVACY POLICY
INFORMATION ABOUT ZNL GAMING LIMITED PRIVACY POLICY
ZNL GAMING LIMITED is a digital raffle gaming platform registered under the laws of the Federal Republic of Nigeria. ZNL GAMING LIMITED is committed to safeguarding your privacy by protecting your Personal Data in accordance with the Applicable Data Protection Law. This Privacy Policy sets out how ZNL GAMING LIMITED uses and protects your Personal Data.
References in this policy to “we”, “us”, “platform” or “WinIt” are references to ZNL Gaming Limited. References to “you” in this policy refer to any natural persons who are our Data Subjects (Users/Participants, Prize Winners, Prospective Users, Website Visitors, Vendors/Partners, Employees/Staff, Prospective Employees, Support and Enquiry Contacts, Marketing Recipients, NGO Beneficiaries) and who visit our website or any of our physical offices or interact with any of our controlled information collection links or forms or such other information collection or exchange points, now known or to be developed in the future.
CATEGORIES OF DATA SUBJECTS
Users/Participants:
Individuals who create an account, browse raffles, buy tickets, participate in draws, and potentially win prizes. This is WinIt’s primary data subject class.
Data Collected:
Name
Phone number
Email address
Date of birth
Username
Password
Wallet history
Referral source
Raffle entry history
Cookies
Cookie ID
IP address
Device/browser type
Screen size
Pages visited
Interaction logs and custom event data (e.g. raffle share activity (clicks to share raffle links via WhatsApp, X), draw views, cart actions)
Justification: Required to create an account, verify eligibility (18+), manage entries, personalize user experience, and deliver optimized sessions.
Prize Winners:
A subset of users whose entries are selected in a draw. Their identities must be verified, and additional data (e.g. ID documents, location details, payout details) is collected to fulfil prize delivery.
Data Collected:
Name
Photo ID (for identity verification)
Phone number
Email address
Delivery location
Payment method (e.g. bank or WinIt wallet)
Donation history (to NGO beneficiaries)
Justification: Fulfil regulatory and prize delivery obligations; to prevent fraud.
Prospective Users:
Individuals who browse raffles and initiate a ticket purchase but do not complete basic account creation to enter into a raffle. Limited data (e.g. device info, name and email entered at checkout) may be collected via cookies or marketing forms.
Data Collected:
Cookies
Cookie ID
IP address
Device/browser information
Pages visited
Justification: Support onboarding, retargeting, deliver optimized sessions, and analytics.
Website Visitors:
People who visit WinIt’s website or interact with its digital content. Collected data may include cookies, IP address, device info and interaction logs, without account registration.
Data Collected:
IP address
Device type and OS
Screen size
Cookies
Cookie ID
Browsing behaviour
Crash logs
Coarse location
Justification: To enhance website experience and track engagement.
Vendors/Partners:
Organizations or individuals who provide services to support WinIt’s operations (e.g. payment service providers, logistics partners, promotional collaborators, or NGOs receiving donations).
Data Collected:
Contact name
Email
Service terms
Bank details
Company registration information
Communication logs
Justification: For contracting, payment and compliance.
Employees/Staff:
Individuals hired by ZNL Gaming Limited to develop, manage, or support the WinIt platform. This includes full-time staff, part-time staff, contract staff, support hires and interns.
Data Collected:
Name
Email
Phone number
Employment contract
ID number
Payroll details
System access logs
Emergency contact
Justification: HR and operations purposes.
Prospective Employees:
Individuals undergoing recruitment for roles at ZNL Gaming Limited. Data includes CVs, contact information, and professional background.
Data Collected:
Name
Phone number
Email
CV
Interview notes
References
Justification: Hiring and candidate management.
Support and Enquiry Contacts:
Anyone who contacts WinIt via WhatsApp, email, chat box, phone calls, or social media for support, complaints, or questions. Data collected may include name, contact information, and content of communications.
Data Collected:
Name
Email
Message/call content
Date and time of contact
Device type and OS
Justification: To resolve issues and track interactions.
Marketing Recipients:
Users or site visitors who opt in to receive promotional emails, alerts, or surveys.
Data Collected:
Name
Email address
Ad tracking status
Device ID
Marketing preferences
Interaction with marketing materials
Justification: Consent-based communication and relevance.
NGO Beneficiaries:
Charities or causes listed on the WinIt platform and selected by winners to receive donations. Data collected includes contact details and transaction confirmations.
Data Collected:
Organization name
CAC registration details
Name and email of contact person
Bank/payment details
Justification: Required to fulfil donations and verify legitimacy.
This privacy policy provides information about how WinIt collects and uses your Personal Data, the parties with whom we may share it, and the measures we take to protect your data. It also explains your rights and choices regarding your Personal Data and how you can contact us with questions or concerns about our privacy practices.
This Privacy Policy applies to all personal data collected, stored, or processed through the WinIt Platform, including but not limited to interactions via our website, mobile application, and customer support channels. WinIt does not collect personal data on behalf of third-party clients or operate under external instructions. All data processing carried out by WinIt is done in our capacity as a Data Controller, in accordance with our Terms and Conditions and applicable Data Protection Laws.
Where we collect your Personal Data indirectly – such as from payment processors, social media integrations, or marketing analytics tools – we apply the principles of this Privacy Policy and ensure compliance with the Nigeria Data Protection Act 2023 and related regulations.
This Privacy Policy applies to all services provided through the WinIt platform, including our website, mobile application, and customer support channels (collectively referred to as “Our Services”).
OUR DATA PROCESSING PRINCIPLES
We process your Personal Data in accordance with the following recognized principles of data protection. At ZNL Gaming Limited (WinIt), Personal Data is:
Processed lawfully, fairly, and transparently, ensuring users are informed of what data is collected, how it is used, and their rights.
Collected for specific, explicit, and legitimate purposes, and only further processed in ways that are compatible with such purposes.
Adequate, relevant, and limited to what is necessary for the intended purposes (e.g., identity verification, prize fulfilment, engagement tracking).
Accurate and kept up to date, with mechanisms in place to allow users to access and update their information.
Stored securely, protected against unauthorized access, alteration, destruction, or disclosure, using encryption, access controls, and secure infrastructure.
Retained only for as long as necessary to fulfill legal or operational purposes, after which data is deleted or anonymized.
LEGAL BASES FOR PROCESSING YOUR PERSONAL DATA
WinIt processes your Personal Data in accordance with the Nigeria Data Protection Act 2023 (NDPA), the General Application and Implementation Directive (GAID 2025), and other applicable laws. The lawful bases on which we rely include:
Consent
We may, in certain instances, rely on your explicit consent to process some of your Personal Data for non-essential uses, such as marketing communications or the use of analytics and advertising cookies (e.g. Meta Pixel). Consent means your informed, freely given agreement or confirmation to our collection, processing and use of your data for a specific purpose.
Where we require your consent, your consent may be obtained through visible interactions such as:
Checking a box
Clicking or tapping an “Accept” or “Submit” confirmation button or toggle
Selecting a preference in your account settings
Non-essential cookies and third-party tracking technologies will not be activated unless you provide consent through our cookie banner or your account settings panel.
You may withdraw your consent at any time by contacting us at info@winitnaija.com. Doing so does not affect the lawfulness of any processing carried out prior to the withdrawal. However, if you do not provide consent, or later withdraw your consent, we may be unable to provide certain features of the Platform or include you in specific communications (e.g. personalized raffle alerts or promotions).
Contractual Necessity
We may process your Personal Data where it is necessary to perform our obligations under a contract with you or take steps at your request before entering a contract. This includes:
Creating and managing your account
Facilitating raffle entry and WinIt wallet credits
Selecting winners and delivering prizes
Processing donations to your selected NGO(s)
Legal Obligations
We may process your Personal Data where required to comply with applicable legal or regulatory obligations, including those imposed by Nigerian authorities such as the National Lottery Regulatory Commission (NLRC), the Nigeria Data Protection Commission (NDPC), or tax authorities. For example, we may process data to:
Verify your age and identity
Maintain statutory records
Respond to lawful requests from regulators or enforcement bodies
Legitimate Interests
We may process your Personal Data for the purpose of our legitimate interests or those of third parties – provided those interests are not overridden by your fundamental rights and freedoms. These interests include:
Improving platform functionality and user experience
Detecting and preventing fraud
Analyzing platform engagement and performance
Internal reporting and non-intrusive marketing (where permitted)
Where we rely on legitimate interest, we conduct a Legitimate Interest Assessment (LIA) to ensure your rights are respected and balanced against our purposes.
Vital Interests
In rare cases, we may process your Personal Data to protect your vital interests or those of another person; for example, in a security, health, or safety emergency, where you are unable to provide consent.
CATEGORIES AND TYPES OF PERSONAL DATA COLLECTED
We may collect, use, store, and transfer different types of Personal Data about you, which we have categorized as follows:
Identity Data: This includes full name, date of birth, gender (optional), and government-issued identification (e.g. ID card or passport) for prize winners.
Contact Data: This includes email address, mobile phone number, delivery address (for prize fulfilment), and location (directly provided by you or inferred from IP address).
Account Data: This includes username, password (encrypted), user preferences, account status (Active/Inactive/Suspended/Terminated), profile photo (if provided), and WinIt wallet balance.
Raffle Participation Data: This includes raffles entered, number of tickets bought, WinIt wallet ID, WinIt wallet credit balance, WinIt wallet credit history, selected NGOs, time of entry, and draw results.
Technical Data: This includes IP address, device type, operating system (OS), browser type, session logs, crash reports, screen size, cookies, cookie ID, time zone, and CDN metadata.
Usage and Behavioural Data: This includes pages visited, time spent on raffle pages, clickstream activity, interaction logs, session heatmaps, scrolls, rage clicks, and custom events (e.g. raffle shares, draws entered).
Marketing and Preference Data: This includes marketing opt-in/opt-out status, campaign interactions, ad click history, Google Advertising ID (Android) and Identifier for Advertisers (Apple), referral source, and preferred channels.
Audio/Visual Data: This includes submitted images and/or videos for identity verification or promotional purposes (e.g. winner clips); may include identifiable voice or face of user(s).
Support and Communications Data: This includes messages via WhatsApp, email support logs, chat/call transcripts, timestamps, and complaint history.
Payment Data: This includes payment confirmation metadata (WinIt does not collect card or banking details directly), WinIt wallet ID, WinIt wallet credits.
Social Media Interaction Data: This includes data collected via raffle share widgets or embedded content from platforms such as Instagram, X (formerly known as Twitter), TikTok, including usage data and engagement.
Infrastructure Monitoring Data: This includes data collected by traffic optimization tools such as IP address, country, and page request timing, for performance and security purposes.
HOW WE COLLECT YOUR PERSONAL DATA
We collect Personal Data from and about you through a combination of direct interactions, automated technologies, and third-party sources. This may include:
Directly from you
We collect Personal Data when you:
Create or update your WinIt account
Enter a raffle, use your WinIt wallet credits, or claim a prize
Submit delivery details or select an NGO to donate to
Communicate with us via email, WhatsApp, support forms, support phone calls, or social media
Provide identification documents during prize verification or compliance checks
Participate in promotions, surveys, or referrals
Through Automated Technologies or Interactions
As you use and interact with our platform and communication channels, subject to your consent, we automatically collect data using:
Cookies and similar tracking technologies
Device metadata
Custom event tracking (e.g. page visits, button clicks, cart behaviour, draw views)
Analytics tools
Heatmaps and session replays
This data helps us enhance platform performance, detect anomalies, understand user behaviour patterns, and personalize user experience.
From Third-Party Sources
We may receive Personal Data from:
Payment service providers and processors for transaction validation and fraud checks
Marketing platforms for referral tracking and advertising attribution
Social media integrations if you interact with our raffles via shared links or social media widgets
Email service providers to monitor campaign performance and delivery success
Regulatory bodies or legal authorities, where required for compliance or enforcement
Recruitment Exercises and Job Applications
If you apply for a role at WinIt, we may collect Personal Data to assess your qualifications and suitability for current or future roles. This may include:
Educational and professional background
CV or Portfolio submissions
Employment history and references
Health status or medical fitness, where legally required
Diversity data
Note: Any diversity or equal opportunities data (such as gender, ethnicity, or disability status) is collected on a voluntary basis and only where permitted by applicable law. Submission of such information is not mandatory, and choosing not to provide it will not affect your application or evaluation in any way. Where collected, it is used solely for anonymized reporting and compliance with diversity obligations.
Screening outcomes, including eligibility to work and vocational suitability
By submitting your application, you consent to our collection and processing of this data for the purposes of recruitment assessment, compliance with labour regulations, and lawful diversity monitoring (where applicable).
We may also:
Collect data from third parties, including recruitment agencies, referees, academic institutions, and professional bodies
Disclose data to screening providers, health service providers, diversity analytics firms, or law enforcement
Use anonymized or aggregated recruitment data for internal reporting or research purposes
Without your Personal Data, we may not be able to proceed with your application(s) for employment with us. However, submission of diversity-related information is entirely optional and will not affect the outcome of your application.
Additional sources of collection and context for processing are outlined in the next section: Purpose of Processing: Why and How We May Use Your Personal Data.
PURPOSE OF PROCESSING: WHY AND HOW WE MAY USE YOUR PERSONAL DATA
We use your Personal Data across WinIt’s business functions to support platform operation, regulatory compliance, and user experience. The specific purposes for which we may process your Personal Data include:
Business Function: Account Management
Specific Purpose of Processing: Create and manage user accounts
Source of Data: Direct from user
Categories of Data: Identity Information; Contact Information; WinIt Account Details
Categories of Data Subjects: Users/Participants
Legal Basis: Contractual Necessity
Business Function: Raffle Operations
Specific Purpose of Processing: Process raffle entries and manage wallet activity
Source of Data: Direct from user; Payment processor
Categories of Data: Raffle Participation; Payment
Categories of Data Subjects: Users/Participants
Legal Basis: Contractual Necessity
Business Function: Winner Management
Specific Purpose of Processing: To select, verify and contact winners; to deliver prizes
Source of Data: Direct from user
Categories of Data: Identity Information; Contact Information; Audio/Visual Data; Payment
Categories of Data Subjects: Prize Winners
Legal Basis: Contractual Necessity; Legal Obligation
Business Function: NGO Donation Facilitation
Specific Purpose of Processing: Process and log charitable donations made by prize winners
Source of Data: Direct from user
Categories of Data: Identity Information; Contact Information; Audio/Visual Data; Payment; NGO Selection
Categories of Data Subjects: Prize Winners; NGO Beneficiaries
Legal Basis: Contractual Necessity
Business Function: Marketing & Promotions
Specific Purpose of Processing: Send targeted campaigns and updates to consenting users
Source of Data: Direct from user; Analytics providers
Categories of Data: Contact Information; Marketing Preferences; Ad Click History
Categories of Data Subjects: Marketing Recipients
Legal Basis: Consent; Legitimate Interest
Business Function: Analytics & Optimization
Specific Purpose of Processing: Track platform usage, improve UX, identify drop-offs
Source of Data: Automated; Cookies; Pixels; Analytics tools
Categories of Data: Technical Information; Usage Information; Heatmaps; Cookie ID; Behavioural Information (e.g., rage clicks, session length)
Categories of Data Subjects: Users/Participants, Website Visitors
Legal Basis: Consent (for non-essential cookies); Legitimate Interest
Business Function: Third-Party Analytics & Infrastructure
Specific Purpose of Processing: Share technical and behavioral data with external analytics and hosting tools to monitor performance and improve UX
Source of Data: Automated; Cookies; Pixels; Analytical tools
Categories of Data: Technical Information; Usage Information; Heatmaps; Cookie ID; Behavioural Information (e.g., rage clicks, session length)
Categories of Data Subjects: Users/Participants, Website Visitors
Legal Basis: Consent (for non-essential cookies); Legitimate Interest
Business Function: Customer Support
Specific Purpose of Processing: Respond to questions, complaints, and support tickets
Source of Data: Direct from user
Categories of Data: Contact Information; Communications
Categories of Data Subjects: Users/Participants, Support and Enquiry Contacts
Legal Basis: Contractual Necessity; Legal Obligation
Business Function: Legal & Compliance
Specific Purpose of Processing: Verify age and identity, respond to regulators
Source of Data: Direct from user; Third parties
Categories of Data: Identity Information; Transaction Information
Categories of Data Subjects: Users/Participants, Prize Winners
Legal Basis: Legal Obligation
Business Function: Employment & Hiring
Specific Purpose of Processing: Assess candidates, conduct background checks
Source of Data: Direct from applicant; Referees
Categories of Data: Recruitment; Employment Information; References
Categories of Data Subjects: Prospective Employees
Legal Basis: Consent, Pre-contractual Measures
Business Function: Security & Fraud Detection
Specific Purpose of Processing: Detect abuse, fraud, or policy violations
Source of Data: Platform logs; Analytics tools
Categories of Data: Technical Information; Account Details; Usage Information
Categories of Data Subjects: All data subjects
Legal Basis: Legitimate Interest; Legal Obligation
Business Function: Business Continuity
Specific Purpose of Processing: Backup systems, ensure disaster recovery and platform reliability
Source of Data: Internal systems
Categories of Data: All collected data (as stored)
Categories of Data Subjects: All data subjects
Legal Basis: Legitimate Interest; Legal Obligation
Business Function: Corporate Transactions
Specific Purpose of Processing: Facilitate business sale, merger, acquisition, or partnerships
Source of Data: Internal systems; Prospective partners
Categories of Data: All relevant data related to users or staff
Categories of Data Subjects: All data subjects
Legal Basis: Legitimate Interest; Legal Obligation
Business Function: Research & Anonymization
Specific Purpose of Processing: Create reports and aggregated insights from user behaviour and raffle engagement for internal use or investor updates
Source of Data: Derived from patterns of user data internally
Categories of Data: Anonymized Transactions; Usage Information; Participation Data (e.g. number of raffles entered, average number of tickets bought)
Categories of Data Subjects: Users/Participants
Legal Basis: Legitimate Interest
Additional Purposes and Lawful Flexibility
In addition to the purposes outlined above, we may process your Personal Data for other legitimate business needs that are not incompatible with those listed. These may include protecting the security and integrity of our systems, complying with applicable laws and regulatory requests, preventing fraud or abuse, creating backups for business continuity, or analyzing anonymized datasets for internal research and reporting. Where required, we will provide specific notice at the time of collection or obtain your consent in accordance with applicable law.
SHARING AND DISCLOSURE OF PERSONAL DATA
We do not sell your Personal Data. However, in order to deliver our services, comply with the law, and operate efficiently, we may share your Personal Data with trusted third parties under appropriate legal and contractual safeguards. These include:
Service Providers and Data Processors
We engage external vendors who process data on our behalf (“Data Processors”) to support key business operations. These include:
Payment processors: to process and validate transactions
Email and communications tools (e.g. WhatsApp, email providers): to send messages, alerts, and service updates
Marketing and advertising service providers: to deliver promotional campaigns, manage customer outreach, track ad performance, and personalize content (e.g. Meta Ads, Google Ads, external marketing agencies)
Analytics and tracking tools (Google Analytics, Meta Pixel): to understand user behavior and optimize the platform
Web hosting and CDN providers: to ensure secure, fast delivery of our platform (e.g. traffic distribution, caching, DDoS protection)
Recruitment service providers: to assist in evaluating candidates (when applicable)
All such vendors are bound by confidentiality and data processing agreements and are not permitted to use your data for their own purposes.
NGO Donations (at Prize Winner’s Instruction)
If a raffle winner chooses to donate their winnings to a selected NGO, we may process and transfer the donation directly to the nominated organization. Where the winner consents to be identified, we may share limited information such as:
Name of Prize Winner
Donation amount
This disclosure is optional and only done at the user’s request or with their consent.
Legal and Regulatory Authorities
We may share your Personal Data when required to:
Comply with a lawful request or investigation
Meet obligations imposed by the NLRC, NDPC, tax authorities, or courts
Report suspected fraud or criminal activity
Protect the safety, rights, or property of users or the platform
Corporate Restructuring
In the event of a merger, acquisition, asset sale, or joint venture, your Personal Data may be shared with or transferred to a third party as part of that transaction. We will ensure appropriate confidentiality and data protection obligations are maintained.
With Your Consent
In any situation where we plan to share your Personal Data outside the scope of this Policy, we will first seek your explicit consent.
AUTOMATED DECISION-MAKING AND PROFILING
We use limited automated decision-making and profiling on the WinIt Platform, primarily to enhance your user experience.
Automated Winner Selection: Our raffle draw process is conducted using secure, randomized algorithms. This process does not evaluate personal traits or behaviours and does not significantly affect users' legal rights or status.
Profiling for Personalization: We use profiling techniques to recommend raffles that may be more relevant or appealing to you, based on your interactions and preferences on the Platform. This helps us optimize your experience but does not result in legal or similarly significant effects.
We do not use profiling for automated decisions that:
Produce legal effects concerning you, or
Significantly affect you (e.g., denial of service or eligibility).
If we ever introduce such processing in the future, we will provide you with clear notice, explain your rights, and obtain your consent where required by law.
MARKETING
You may receive marketing communications from WinIt if:
You have provided your explicit consent; or
We rely on a recognized lawful basis for contacting you, such as legitimate interest (in accordance with applicable law).
You have the right to opt out of marketing communications at any time. This can be done by:
Adjusting your preferences in your account settings
Contacting us directly at info@winitnaija.com
We will honour your opt-out request promptly and in accordance with data protection laws.
We do not share your Personal Data with third parties for their own marketing purposes without your express consent.
COOKIES AND TRACKING TECHNOLOGIES
WinIt uses Cookies and similar technologies to distinguish you from other users, personalize your experience, and enhance the performance of our Platform. This section outlines how and why we use Cookies, and your choices regarding their use.
Definition
Cookies are small text files placed on your device (computer, tablet, or mobile) when you visit a website or use a digital service. They collect certain data (IP address, device type, browser settings, session activity, or preferences) in order to remember information about the user and provide functionality or personalized experiences.
Types of Cookies We Use
The following terms help you understand how Cookies behave and how they are used:
Session Cookies: Temporary cookies that are erased once you close your browser. These help keep you logged in or track your activity during a single visit. They do not persist between sessions.
Persistent Cookies: Remain on your device until their expiration date or until you manually delete them. They are used to remember things like login tokens or language preferences and may also be used to track behavior over time.
First-Party Cookies: Set directly by WinIt (the website you are visiting) to support core functionality and remember your settings. These are only accessible to WinIt.
Third-Party Cookies: Set by other companies (e.g. Meta, Google) through embedded content or analytics scripts. These cookies may be used for advertising, tracking, or social media features across different websites. Some browsers now block these by default.
We categorize Cookies used on our Platform as follows:
Strictly Necessary/Essential Cookies
Purpose: Enable essential platform functions such as navigation, secure login, basket checkout, and fraud prevention.
Consent Required: No
Party: First Party
Duration: Session
Functional/Preference Cookies
Purpose: To remember your preferences (e.g. language, raffle categories, prize interests) to personalize your experience.
Consent Required: Yes
Party: First Party
Duration: Persistent
Analytics/Performance Cookies
Purpose: Collect usage data such as page visits, time spent and click patterns to improve the Platform. May use anonymization.
Consent Required: Yes
Party: Third-party (e.g. Google Analytics)
Duration: Session/Persistent
Marketing/Advertising Cookies
Purpose: Track your engagement with ads, measure conversion, and personalize promotions. May share data across sites via advertising networks.
Consent Required: Yes
Party: Third-party (Meta Pixel, Google Ads)
Duration: Persistent
Cookie Consent and Control
Essential Cookies are deployed automatically and do not require consent.
Optional Cookies (e.g. Analytics, Marketing) are only activated with your consent.
You will see a Cookie banner when you first visit our website, allowing you to set your preferences.
Managing or Disabling Cookies
You can manage cookies through:
Your browser settings (to block, delete, restrict or notify you before placing cookies)
Our Cookie Preference Centre available on the Platform
Google's opt-out tool for analytics: http://tools.google.com/dlpage/gaoptout
Note that disabling non-essential Cookies may affect your ability to fully interact with some parts of our Platform, as some features of our website may not function optimally.
Changes to This Policy
Policy History: This Cookie Policy was last updated May 2025.
We may update this Cookies section from time to time to reflect changes in the law, our technology, or our use of cookies. It is your responsibility to regularly check the content of this policy to learn about any changes.
INTERNATIONAL DATA TRANSFERS
In the course of providing our Services, we may need to transfer your Personal Data outside Nigeria. We will only do so under the following lawful bases:
With your explicit consent
Where necessary to perform a contract with you or take pre-contractual steps at your request
Where the transfer is solely for your benefit and obtaining consent is impracticable
To establish, exercise, or defend a legal claim
To protect your vital interests
We take reasonable steps to ensure that all cross-border transfers of Personal Data are conducted in compliance with the Nigeria Data Protection Act 2023 and other applicable data protection laws.
Wherever possible, we transfer data only to jurisdictions that offer an Adequate Level of Data Protection as recognized by the Nigeria Data Protection Commission. Where this is not the case, we implement appropriate safeguards, such as Data Transfer Agreements, Standard Contractual Clauses (SCCs), or other mechanisms approved by law, to protect your data.
We may rely on any lawful data transfer mechanism available under applicable data protection laws to ensure that your Personal Data remains protected in accordance with legal and regulatory standards.
DATA SECURITY
WinIt takes the security of your Personal Data seriously. We implement a combination of technical, organizational, and physical safeguards to protect your data against unauthorized access, alteration, disclosure, misuse, or loss.
We adopt industry best practices to ensure that your data is processed and stored securely, whether in transit or at rest.
Technical Measures
Encryption: We use Transport Layer Security (TLS 1.3) to encrypt the transmission of Personal Data between your device and our servers. Sensitive data at rest, such as payment credentials and passwords, is encrypted using strong cryptographic algorithms.
Firewalls: Our systems are protected by robust firewalls configured to detect and block unauthorized access and monitor for suspicious activity.
Access Controls: Access to Personal Data is strictly role-based and granted only on a need-to-know basis. Strong password policies, regular access reviews, and authentication controls are enforced internally.
Security Patching: We apply software and operating system patches proactively to remediate known vulnerabilities and maintain the security of our systems.
Intrusion Detection and Prevention Systems (IDPS): We use real-time monitoring systems to detect, flag, and respond to potential security threats and suspicious behaviour.
Organizational Measures
Employee Training: All team members receive periodic training on data security, incident reporting, and privacy responsibilities, including phishing prevention and data handling protocols, ensuring our team understands their responsibilities in protecting Personal Data.
Incident Response Plan: We maintain a detailed incident response plan to identify, contain, and mitigate any data breach, including notification procedures aligned with legal requirements.
Security Audits: We conduct regular internal and third-party audits to evaluate the integrity of our systems and the adequacy of our controls.
Data Minimization: We limit data collection and retention to only what is necessary for our specific business purposes. Reviews are conducted periodically to ensure data is not retained longer than needed.
Data Backups and Disaster Recovery: We maintain regular encrypted backups of essential data and operate a disaster recovery plan to ensure business continuity in the event of a system failure or emergency.
Third-Party Risk Management: Before engaging external service providers who may access or process Personal Data, we assess their security posture and require binding contractual obligations that uphold data protection standards.
Access to your Personal Data is restricted to authorized personnel and service providers who are bound by strict confidentiality obligations and are only permitted to process such data under our instructions.
DATA RETENTION
WinIt retains your Personal Data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law, regulation, or legitimate business interest. Once those purposes have been achieved, your data will be securely deleted or anonymized.
Retention Periods
The duration of data retention depends on:
The specific purpose for which the data was collected
The applicable legal, tax, and regulatory requirements (e.g., for prize administration or audit)
The nature of your interaction with WinIt (e.g., active user, prize winner, job applicant)
Where no legal basis or legitimate interest for continued retention exists, we securely delete or anonymize (so that it can no longer be associated with you) your Personal Data in accordance with applicable data protection laws.
You may request the deletion of your data at any time by contacting us at info@winitnaija.com. If we do not have a legal basis for retaining your information, we will delete it as required by the Applicable Data Protection Law. Where we retain your Personal Data, we do so in compliance with limitation periods or retention obligations imposed by the Applicable Data Protection Law.
YOUR RIGHTS AS A DATA SUBJECT AND HOW TO EXERCISE THEM
As a user of the WinIt platform, you have specific rights in relation to your Personal Data under the Nigeria Data Protection Act 2023 and other applicable data protection laws. We are committed to respecting and facilitating the exercise of these rights.
You have the following rights:
Right of Access to your Personal Data
You have the right to request confirmation of whether we process your Personal Data and, where applicable, to receive a copy of that data and relevant details of its use.
To process your request, we may need to collect specific information from you as a security measure to help us confirm your identity and ensure that your Personal Data is not disclosed to any person who has no right to receive it.
You will not be required to pay any fees for us to process your subject access request. However, where processing your request would impose unreasonable cost on us, we may charge a reasonable fee, and we may refuse to comply with your request if you fail to pay it. We try to respond to all legitimate requests within one month.
Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Right to Request Correction of the Personal Data that we hold about you
If your Personal Data is inaccurate or incomplete, you have the right to request that we correct or update it.
Right to Request Deletion or Removal of your Personal Data
You may request that we delete your Personal Data where:
The data is no longer necessary for the purposes for which it was collected
You withdraw your consent to the processing of your Personal Data (where applicable)
You object to the processing and we have no overriding legal basis to retain it
Note, however, that the exceptions to this right are:
Where the Applicable Data Protection Law requires us to retain a historical archive of your Personal Data to fulfil regulatory requirements; or
Where you object to your data being used for marketing purposes and we have retained a set of your Personal Data to ensure we do not inadvertently contact you in future.
We may not always be able to comply with your request for erasure for specific legal reasons. Where we are unable to do so, you will be notified, if applicable, at the time of your request.
Right to Withdraw Consent
If we are processing your data based on consent, you may withdraw that consent at any time. Withdrawing your consent will not affect the lawfulness of any data processed before you withdrew your consent.
Right to Object to Processing of your Personal Data
You may object to our use of your Personal Data for direct marketing or where we rely on legitimate interest, and you believe it infringes on your rights. We will assess and respond in accordance with legal requirements.
In some cases, we may demonstrate that we have compelling legitimate interest or public interest grounds to continue to process your information which override your right to object.
Right to Restrict Processing
You may request that we temporarily suspend processing of your data in certain circumstances (e.g. while we verify its accuracy or consider an objection).
Right to Data Portability
You may request a copy of your Personal Data in a structured, commonly used, and machine-readable format, where the processing is based on consent or contract and carried out by automated means.
Right to Complain
If you believe that we have violated your privacy rights or mishandled your data, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC).
How to Exercise Your Rights
To make a request regarding any of your rights, please contact us at:
Email: info@winitnaija.com
For your security, we may request additional information to verify your identity before acting on your request.
We aim to respond to all requests within 30 days. Where additional time is required, we will inform you of the reason and the expected timeframe for resolution.
You may also lodge a complaint with the Nigeria Data Protection Commission (NDPC) via https://ndpc.gov.ng.
CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will revise the “Last Updated” date of this Policy.
Changes will be posted on all platforms where we display our Privacy Policy. It is your responsibility to review the amended Privacy Policy. This Privacy Policy governs the use of Personal Data by us, unless otherwise agreed through a written contract. The revised version will be effective immediately after publication.
Your continued use of the WinIt Platform after the effective date of any updated Privacy Policy constitutes your acceptance of the revised terms.
THIRD-PARTY LINKS
Our Platform may offer links to third-party websites, plug-ins, or applications for your convenience or in connection with certain features or promotions. Clicking on these links or enabling such connections may allow third parties to collect or share Personal Data about you.
We do not control these third-party websites and are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party sites you visit, especially before submitting any Personal Data.
CHILDREN AND PERSONS WITH LEGAL DISABILITIES
We do not knowingly or intentionally collect Personal Data from individuals under the age of 18 or from persons with legal disabilities. Where required by law, or in exceptional cases, such data may be collected through a parent, legal guardian, or authorized representative.
If you believe that we have mistakenly or unknowingly collected such information, please contact us immediately. We will promptly investigate and take the appropriate steps to restrict, delete, or anonymize the data, as required by applicable law.
CONTACTING US
If you wish to exercise any of the rights set out above or have any questions, requests, or concerns about this Privacy Policy or our data practices, please contact us via:
Email: info@winitnaija.com
Address: No 32 Tunis Street Wuse Zone 6, Abuja, Nigeria
You also have the right to contact the Nigeria Data Protection Commission (NDPC) if you believe your data protection rights have been violated.
GLOSSARY OF TERMS
Adequate Level of Data Protection: A standard of protection for Personal Data that is considered equivalent to, or not less protective than, what is required under applicable Nigerian data protection law. This determination may be made by the Nigeria Data Protection Commission (NDPC) or other competent authority. It ensures that Personal Data transferred to another country will be subject to appropriate safeguards to maintain its confidentiality, integrity, and security.
Anonymization: The irreversible process of transforming Personal Data so that the individual can no longer be identified, directly or indirectly. Anonymized data is no longer considered Personal Data.
Applicable Data Protection Law: Refers to all legislation, regulations, directives, and policies governing the collection, use, storage, transfer, and processing of Personal Data, including the Nigeria Data Protection Act 2023, the General Administrative and Implementation Directive (GAID 2025), and any other applicable laws.
Automated Decision-Making: The use of technology to make decisions without human involvement. In WinIt’s context, this includes randomized winner selection through secure algorithms.
Consent: Freely given, specific, informed, and unambiguous indication by a Data Subject that they agree to the processing of their Personal Data, typically via affirmative action such as ticking a box or clicking “Accept”.
Data Controller: An individual or legal entity that determines the purposes and means of processing Personal Data. In this Privacy Policy, ZNL Gaming Limited (WinIt) is the Controller.
Cookie ID: A unique identifier associated with a cookie, used to distinguish a user or device across browsing sessions or interactions.
Cookies: Small data files stored on a user’s device when visiting a website. Cookies may collect information such as user preferences, device identifiers, and session activity to enhance functionality and user experience.
Data Processor: A third party that processes Personal Data on behalf of the Data Controller, under contract and instruction, such as email providers, analytics platforms, or payment gateways.
Data Subject: The individual to whom Personal Data relates. In the context of WinIt, this includes users, prize winners, applicants, and visitors to the Platform.
Legitimate Interest: A lawful basis for processing Personal Data where the Controller has a genuine and valid reason to process data, provided it does not override the rights and freedoms of the Data Subject.
Personal Data: Any information relating to an identified or identifiable individual (Data Subject), including but not limited to name, email address, phone number, device ID, IP address, wallet history, and photo ID.
Platform: The digital ecosystem operated by WinIt, including its website, mobile applications, backend systems, and third-party integrations used to deliver our services.
Processing: Any operation or set of operations performed on Personal Data, whether by automated or manual means, such as collection, recording, organization, storage, modification, retrieval, use, disclosure, deletion, or destruction.
Profiling: A form of automated processing of Personal Data used to evaluate, analyze, or predict aspects relating to a user’s preferences, interests, or behaviour. WinIt uses limited profiling techniques to personalize user experience and recommend raffles that are likely to be of interest. This profiling does not produce decisions with legal or similarly significant effects and is carried out in accordance with applicable data protection laws.
Third Party: Any individual or organization that is not the Data Subject or the Controller. This may include service providers, marketing platforms, regulatory authorities, or payment processors.
Policy History: This Privacy Policy was last updated May 2025.
Specific Purpose of Processing: Detect abuse, fraud, or policy violations
Source of Data: Platform logs; Analytics tools
Categories of Data: Technical Information; Account Details; Usage Information
Categories of Data Subjects: All data subjects
Legal Basis: Legitimate Interest; Legal Obligation
Business Function: Business Continuity
Specific Purpose of Processing: Backup systems, ensure disaster recovery and platform reliability
Source of Data: Internal systems
Categories of Data: All collected data (as stored)
Categories of Data Subjects: All data subjects
Legal Basis: Legitimate Interest; Legal Obligation
Business Function: Corporate Transactions
Specific Purpose of Processing: Facilitate business sale, merger, acquisition, or partnerships
Source of Data: Internal systems; Prospective partners
Categories of Data: All relevant data related to users or staff
Categories of Data Subjects: All data subjects
Legal Basis: Legitimate Interest; Legal Obligation
Business Function: Research & Anonymization
Specific Purpose of Processing: Create reports and aggregated insights from user behaviour and raffle engagement for internal use or investor updates
Source of Data: Derived from patterns of user data internally
Categories of Data: Anonymized Transactions; Usage Information, Participation Data (e.g. number of raffles entered, average number of tickets bought)
Categories of Data Subjects: Users/Participants
Legal Basis: Legitimate Interest
Additional Purposes and Lawful Flexibility
In addition to the purposes outlined above, we may process your Personal Data for other legitimate business needs that are not incompatible with those listed. These may include protecting the security and integrity of our systems, complying with applicable laws and regulatory requests, preventing fraud or abuse, creating backups for business continuity, or analyzing anonymized datasets for internal research and reporting. Where required, we will provide specific notice at the time of collection or obtain your consent in accordance with applicable law.
SHARING AND DISCLOSURE OF PERSONAL DATA
We do not sell your Personal Data. However, in order to deliver our services, comply with the law, and operate efficiently, we may share your Personal Data with trusted third parties under appropriate legal and contractual safeguards. These include:
Service Providers and Data Processors
We engage external vendors who process data on our behalf (“Data Processors”) to support key business operations. These include:
Payment processors: to process and validate transactions
Email and communications tools (e.g. WhatsApp, email providers): to send messages, alerts, and service updates
Marketing and advertising service providers: to deliver promotional campaigns, manage customer outreach, track ad performance, and personalize content (e.g. Meta Ads, Google Ads, external marketing agencies)
Analytics and tracking tools (Google Analytics, Meta Pixel): to understand user behavior and optimize the platform
Web hosting and CDN providers: to ensure secure, fast delivery of our platform (e.g. traffic distribution, caching, DDoS protection)
Recruitment service providers: to assist in evaluating candidates (when applicable)
All such vendors are bound by confidentiality and data processing agreements and are not permitted to use your data for their own purposes.
NGO Donations (at Prize Winner’s Instruction)
If a raffle winner chooses to donate their winnings to a selected NGO, we may process and transfer the donation directly to the nominated organization. Where the winner consents to be identified, we may share limited information such as:
Name of Prize Winner
Donation amount
This disclosure is optional and only done at the user’s request or with their consent.
Legal and Regulatory Authorities
We may share your Personal Data when required to:
Comply with a lawful request or investigation
Meet obligations imposed by the NLRC, NDPC, tax authorities, or courts
Report suspected fraud or criminal activity
Protect the safety, rights, or property of users or the platform
Corporate Restructuring
In the event of a merger, acquisition, asset sale, or joint venture, your Personal Data may be shared with or transferred to a third party as part of that transaction. We will ensure appropriate confidentiality and data protection obligations are maintained.
With Your Consent
In any situation where we plan to share your Personal Data outside the scope of this Policy, we will first seek your explicit consent.
AUTOMATED DECISION-MAKING AND PROFILING
We use limited automated decision-making and profiling on the WinIt Platform, primarily to enhance your user experience.
Automated Winner Selection: Our raffle draw process is conducted using secure, randomized algorithms. This process does not evaluate personal traits or behaviours and does not significantly affect users' legal rights or status.
Profiling for Personalization: We use profiling techniques to recommend raffles that may be more relevant or appealing to you, based on your interactions and preferences on the Platform. This helps us optimize your experience but does not result in legal or similarly significant effects.
We do not use profiling for automated decisions that:
Produce legal effects concerning you, or
Significantly affect you (e.g., denial of service or eligibility).
If we ever introduce such processing in the future, we will provide you with clear notice, explain your rights, and obtain your consent where required by law.
MARKETING
You may receive marketing communications from WinIt if:
You have provided your explicit consent; or
We rely on a recognized lawful basis for contacting you, such as legitimate interest (in accordance with applicable law).
You have the right to opt out of marketing communications at any time. This can be done by:
Adjusting your preferences in your account settings
Contacting us directly at info@winitnaija.com
We will honour your opt-out request promptly and in accordance with data protection laws.
We do not share your Personal Data with third parties for their own marketing purposes without your express consent.
COOKIES AND TRACKING TECHNOLOGIES
WinIt uses Cookies and similar technologies to distinguish you from other users, personalize your experience, and enhance the performance of our Platform. This section outlines how and why we use Cookies, and your choices regarding their use.
Definition
Cookies are small text files placed on your device (computer, tablet, or mobile) when you visit a website or use a digital service. They collect certain data (IP address, device type, browser settings, session activity, or preferences) and remember information about the user in order to provide functionality or personalized experiences.
Types of Cookies We Use
The following terms help you understand how Cookies behave and how they are used:
Session Cookies: Temporary cookies that are erased once you close your browser. These help keep you logged in or track your activity during a single visit. They do not persist between sessions.
Persistent Cookies: Remain on your device until their expiration date or until you manually delete them. They are used to remember things like login tokens or language preferences and may also be used to track behavior over time.
First-Party Cookies: Set directly by WinIt (the website you are visiting) to support core functionality and remember your settings. These are only accessible to WinIt.
Third-Party Cookies: Set by other companies (e.g. Meta, Google) through embedded content or analytics scripts. These cookies may be used for advertising, tracking, or social media features across different websites. Some browsers now block these by default.
We categorize Cookies used on our Platform as follows:
Strictly Necessary/Essential Cookies
Purpose: Enable essential platform functions such as navigation, secure login, basket checkout, and fraud prevention.
Consent Required: No
Party: First Party
Duration: Session
Functional/Preference Cookies
Purpose: To remember your preferences (e.g. language, raffle categories, prize interests) to personalize your experience.
Consent Required: Yes
Party: First Party
Duration: Persistent
Analytics/Performance Cookies
Purpose: Collect usage data such as page visits, time spent and click patterns to improve the Platform. May use anonymization.
Consent Required: Yes
Party: Third-party (e.g. Google Analytics)
Duration: Session/Persistent
Marketing/Advertising Cookies
Purpose: Track your engagement with ads, measure conversion, and personalize promotions. May share data across sites via advertising networks.
Consent Required: Yes
Party: Third-party (Meta Pixel, Google Ads)
Duration: Persistent
Cookie Consent and Control
Essential Cookies are deployed automatically and do not require consent.
Optional Cookies (e.g. Analytics, Marketing) are only activated with your consent.
You will see a Cookie banner when you first visit our website, allowing you to set your preferences.
Managing or Disabling Cookies
You can manage cookies through:
Your browser settings (to block, delete, restrict or notify you before placing cookies)
Our Cookie Preference Centre available on the Platform
Google's opt-out tool for analytics: http://tools.google.com/dlpage/gaoptout
Note that disabling non-essential Cookies may affect your ability to fully interact with some parts of our Platform, as some features of our website may not function optimally.
Changes to This Policy
Policy History: This Cookie Policy was last updated May 2025.
We may update this Cookies section from time to time to reflect changes in the law, our technology, or our use of cookies. It is your responsibility to regularly check the content of this policy to learn about any changes.
INTERNATIONAL DATA TRANSFERS
In the course of providing our Services, we may need to transfer your Personal Data outside Nigeria. We will only do so under the following lawful bases:
With your explicit consent
Where necessary to perform a contract with you or take pre-contractual steps at your request
Where the transfer is solely for your benefit and obtaining consent is impracticable
To establish, exercise, or defend a legal claim
To protect your vital interests
We take reasonable steps to ensure that all cross-border transfers of Personal Data are conducted in compliance with the Nigeria Data Protection Act 2023 and other applicable data protection laws.
Wherever possible, we transfer data only to jurisdictions that offer an Adequate Level of Data Protection as recognized by the Nigeria Data Protection Commission. Where this is not the case, we implement appropriate safeguards, such as Data Transfer Agreements, Standard Contractual Clauses (SCCs), or other mechanisms approved by law, to protect your data.
We may rely on any lawful data transfer mechanism available under applicable data protection laws to ensure that your Personal Data remains protected in accordance with legal and regulatory standards.
DATA SECURITY
WinIt takes the security of your Personal Data seriously. We implement a combination of technical, organizational, and physical safeguards to protect your data against unauthorized access, alteration, disclosure, misuse, or loss.
We adopt industry best practices to ensure that your data is processed and stored securely, whether in transit or at rest.
Technical Measures
Encryption: We use Transport Layer Security (TLS 1.3) to encrypt the transmission of Personal Data between your device and our servers. Sensitive data at rest, such as payment credentials and passwords, is encrypted using strong cryptographic algorithms.
Firewalls: Our systems are protected by robust firewalls configured to detect and block unauthorized access and monitor for suspicious activity.
Access Controls: Access to Personal Data is strictly role-based and granted only on a need-to-know basis. Strong password policies, regular access reviews, and authentication controls are enforced internally.
Security Patching: We apply software and operating system patches proactively to remediate known vulnerabilities and maintain the security of our systems.
Intrusion Detection and Prevention Systems (IDPS): We use real-time monitoring systems to detect, flag, and respond to potential security threats and suspicious behaviour.
Organizational Measures
Employee Training: All team members receive periodic training on data security, incident reporting, and privacy responsibilities, including phishing prevention and data handling protocols, ensuring our team understands their responsibilities in protecting Personal Data.
Incident Response Plan: We maintain a detailed incident response plan to identify, contain, and mitigate any data breach, including notification procedures aligned with legal requirements.
Security Audits: We conduct regular internal and third-party audits to evaluate the integrity of our systems and the adequacy of our controls.
Data Minimization: We limit data collection and retention to only what is necessary for our specific business purposes. Reviews are conducted periodically to ensure data is not retained longer than needed.
Data Backups and Disaster Recovery: We maintain regular encrypted backups of essential data and operate a disaster recovery plan to ensure business continuity in the event of a system failure or emergency.
Third-Party Risk Management: Before engaging external service providers who may access or process Personal Data, we assess their security posture and require binding contractual obligations that uphold data protection standards.
Access to your Personal Data is restricted to authorized personnel and service providers who are bound by strict confidentiality obligations and are only permitted to process such data under our instructions.
DATA RETENTION
WinIt retains your Personal Data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law, regulation, or legitimate business interest. Once those purposes have been achieved, your data will be securely deleted or anonymized.
Retention Periods
The duration of data retention depends on:
The specific purpose for which the data was collected
The applicable legal, tax, and regulatory requirements (e.g., for prize administration or audit)
The nature of your interaction with WinIt (e.g., active user, prize winner, job applicant)
Where no legal basis or legitimate interest for continued retention exists, we securely delete your Personal Data, or anonymize it so that it can no longer be associated with you, in accordance with applicable data protection laws.
You may request the deletion of your data at any time by contacting us at info@winitnaija.com. If we do not have a legal basis for retaining your information, we will delete it as required by the Applicable Data Protection Law. Where we retain your Personal Data, we do so in compliance with limitation periods or retention obligations imposed by the Applicable Data Protection Law.
YOUR RIGHTS AS A DATA SUBJECT AND HOW TO EXERCISE THEM
As a user of the WinIt platform, you have specific rights in relation to your Personal Data under the Nigeria Data Protection Act 2023 and other applicable data protection laws. We are committed to respecting and facilitating the exercise of these rights.
You have the following rights:
Right of Access to your Personal Data
You have the right to request confirmation of whether we process your Personal Data and, where applicable, to receive a copy of that data and relevant details of its use.
To process your request, we may need to collect specific information from you as a security measure to help us confirm your identity and ensure that your Personal Data is not disclosed to any person who has no right to receive it.
You will not be required to pay any fees for us to process your subject access request. However, we may charge a reasonable fee where processing your request will impose an unreasonable cost on us, or refuse to comply with your request if you fail to do so. We try to respond to all legitimate requests within one month.
Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Right to Request Correction of the Personal Data that we hold about you
If your Personal Data is inaccurate or incomplete, you have the right to request that we correct or update it.
Right to Request Deletion or Removal of your Personal Data
You may request that we delete your Personal Data where:
The data is no longer necessary for the purposes for which it was collected
You withdraw your consent to the processing of your Personal Data (where applicable)
You object to the processing and we have no overriding legal basis to retain it
Note, however, that the exceptions to this right are:
Where the Applicable Data Protection Law requires us to retain a historical archive of your Personal Data to fulfil regulatory requirements; or
Where you object to your data being used for marketing purposes and we have retained a set of your Personal Data to ensure we do not inadvertently contact you in future.
We may not always be able to comply with your request for erasure for specific legal reasons. Where we are unable to do so, you will be notified, if applicable, at the time of your request.
Right to Withdraw Consent
If we are processing your data based on consent, you may withdraw that consent at any time. Withdrawing your consent will not affect the lawfulness of any data processed before you withdrew your consent.
Right to Object to Processing of your Personal Data
You may object to our use of your Personal Data for direct marketing or where we rely on legitimate interest, and you believe it infringes on your rights. We will assess and respond in accordance with legal requirements.
In some cases, we may demonstrate that we have compelling legitimate interest or public interest grounds to continue to process your information which override your right to object.
Right to Restrict Processing
You may request that we temporarily suspend processing of your data in certain circumstances (e.g. while we verify its accuracy or consider an objection).
Right to Data Portability
You may request a copy of your Personal Data in a structured, commonly used, and machine-readable format, where the processing is based on consent or contract and carried out by automated means.
Right to Complain
If you believe that we have violated your privacy rights or mishandled your data, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC).
How to Exercise Your Rights
To make a request regarding any of your rights, please contact us at:
Email: info@winitnaija.com
For your security, we may request additional information to verify your identity before acting on your request.
We aim to respond to all requests within 30 days. Where additional time is required, we will inform you of the reason and the expected timeframe for resolution.
You may also lodge a complaint with the Nigeria Data Protection Commission (NDPC) via https://ndpc.gov.ng
CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will revise the “Last Updated” date of this Policy.
Changes will be posted on all platforms where we display our Privacy Policy. It is your responsibility to review the amended Privacy Policy. This Privacy Policy governs the use of Personal Data by us, unless otherwise agreed through a written contract. The revised version will be effective immediately after publication.
Your continued use of the WinIt Platform after the effective date of any updated Privacy Policy constitutes your acceptance of the revised terms.
THIRD-PARTY LINKS
Our Platform may offer links to third-party websites, plug-ins, or applications for your convenience or in connection with certain features or promotions. Clicking on these links or enabling such connections may allow third parties to collect or share Personal Data about you.
We do not control these third-party websites and are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party sites you visit, especially before submitting any Personal Data.
CHILDREN AND PERSONS WITH LEGAL DISABILITIES
We do not knowingly or intentionally collect Personal Data from individuals under the age of 18 or from persons with legal disabilities. Where required by law, or in exceptional cases, such data may be collected through a parent, legal guardian, or authorized representative.
If you believe that we have mistakenly or unknowingly collected such information, please contact us immediately. We will promptly investigate and take the appropriate steps to restrict, delete, or anonymize the data, as required by applicable law.
CONTACTING US
If you wish to exercise any of the rights set out above or have any questions, requests, or concerns about this Privacy Policy or our data practices, please contact us via:
Email: info@winitnaija.com
Address: No 32 Tunis Street Wuse Zone 6, Abuja, Nigeria
You also have the right to contact the Nigeria Data Protection Commission (NDPC) if you believe your data protection rights have been violated.
GLOSSARY OF TERMS
Adequate Level of Data Protection: A standard of protection for Personal Data that is considered equivalent to, or not less protective than, what is required under applicable Nigerian data protection law. This determination may be made by the Nigeria Data Protection Commission (NDPC) or other competent authority. It ensures that Personal Data transferred to another country will be subject to appropriate safeguards to maintain its confidentiality, integrity, and security.
Anonymization: The irreversible process of transforming Personal Data so that the individual can no longer be identified, directly or indirectly. Anonymized data is no longer considered Personal Data.
Applicable Data Protection Law: Refers to all legislation, regulations, directives, and policies governing the collection, use, storage, transfer, and processing of Personal Data, including the Nigeria Data Protection Act 2023, the General Administrative and Implementation Directive (GAID 2025), and any other applicable laws.
Automated Decision-Making: The use of technology to make decisions without human involvement. In WinIt’s context, this includes randomized winner selection through secure algorithms.
Consent: Freely given, specific, informed, and unambiguous indication by a Data Subject that they agree to the processing of their Personal Data, typically via affirmative action such as ticking a box or clicking “Accept”.
Data Controller: An individual or legal entity that determines the purposes and means of processing Personal Data. In this Privacy Policy, ZNL Gaming Limited (WinIt) is the Controller.
Cookie ID: A unique identifier associated with a cookie, used to distinguish a user or device across browsing sessions or interactions.
Cookies: Small data files stored on a user’s device when visiting a website. Cookies may collect information such as user preferences, device identifiers, and session activity to enhance functionality and user experience.
Data Processor: A third party that processes Personal Data on behalf of the Data Controller, under contract and instruction, such as email providers, analytics platforms, or payment gateways.
Data Subject: The individual to whom Personal Data relates. In the context of WinIt, this includes users, prize winners, applicants, and visitors to the Platform.
Legitimate Interest: A lawful basis for processing Personal Data where the Controller has a genuine and valid reason to process data, provided it does not override the rights and freedoms of the Data Subject.
Personal Data: Any information relating to an identified or identifiable individual (Data Subject), including but not limited to name, email address, phone number, device ID, IP address, wallet history, and photo ID.
Platform: The digital ecosystem operated by WinIt, including its website, mobile applications, backend systems, and third-party integrations used to deliver our services.
Processing: Any operation or set of operations performed on Personal Data, whether by automated or manual means, such as collection, recording, organization, storage, modification, retrieval, use, disclosure, deletion, or destruction.
Profiling: A form of automated processing of Personal Data used to evaluate, analyze, or predict aspects relating to a user’s preferences, interests, or behaviour. WinIt uses limited profiling techniques to personalize user experience and recommend raffles that are likely to be of interest. This profiling does not produce decisions with legal or similarly significant effects and is carried out in accordance with applicable data protection laws.
Third Party: Any individual or organization that is not the Data Subject or the Controller. This may include service providers, marketing platforms, regulatory authorities, or payment processors.
Policy History: This Privacy Policy was last updated May 2025.