Privacy Policy
Effective: 21 April 2026
Who we are
Lucky Hour is operated by Guided Intelligence Pty Ltd (ABN 77 659 307 690), an Australian company. This Privacy Policy describes how we collect, use, store, and disclose personal information in connection with the Lucky Hour website and mobile app, consistent with the Australian Privacy Principles (APP 1–13) under the Privacy Act 1988 (Cth).
What we collect
- Account: email, username, country, age confirmation.
- Play data: button-press timestamps, entries, streaks, referral activity.
- Device: push-notification token, approximate IP address (for abuse prevention and rate-limiting).
- Contact form: name, email, subject, message — retained so we can reply.
- Winner records: if you win, we record your username, country, entry count, prize amount, and the payment method/reference used to disburse the prize.
How we use it
To run the game (track entries, run weekly draws, notify winners, disburse prizes), to prevent fraud and abuse, to comply with legal obligations including sweepstakes record-keeping, and to reply to enquiries. We do not sell your personal information. We do not run third-party advertising trackers on this site. If and when in-app ads are introduced (via AppLovin MAX), we will update this policy and provide an opt-out before any ad SDK is enabled.
Third-party processors
We use the following processors to provide the service. Each receives only the data needed for its function:
- Supabase Inc. (US-East-1) — hosts our database, authentication, and file storage.
- Google LLC (Firebase Cloud Messaging) — delivers push notifications. Only your device token is shared; we do not transmit the content of your activity.
- Vercel Inc. (US) — hosts the luckyhour.com.au website.
- Google LLC (Gmail) — used by the founder to reply to contact-form submissions.
- AppLovin Corporation — will be used in a future release to serve in-app rewarded and interstitial ads. This policy will be updated, and you will be given an opt-out, before any AppLovin SDK is enabled.
Where it lives
Personal information is stored on Supabase (US-East-1) with row-level security enforced per user. Auth sessions are signed JWTs stored as httpOnly cookies. Push tokens are stored only on your profile row and cleared when you sign out or when a token is reported invalid by the push provider. Data is transferred from Australia to the United States for hosting; by using the service you consent to this transfer. We rely on Supabase’s SOC 2 Type II and ISO 27001 controls to protect your data in transit and at rest.
How long we keep it
- Profile & play data — kept while your account is active.
- Winner records — kept permanently as a legal record of each sweepstakes draw (required by Australian trade-promotion rules and US IRS/state equivalents).
- Contact-form messages — kept two (2) years, then deleted.
- Button-press and entry history — kept for the duration of the account plus 90 days for audit purposes.
- Push tokens & IP hashes — rotated continuously; stale tokens cleared on every failed delivery.
On account deletion, personal identifiers (email, username, push token, IP hash) are removed within thirty (30) days. De-identified entry counts and winner records may be retained longer to satisfy compliance.
Your rights
You may request a data export, correction, or account deletion at any time. Email primitiveproductions1@gmail.com or use the contact form. We will action requests within thirty (30) days. If you believe we have breached our obligations under the Australian Privacy Principles, you may lodge a complaint with the Office of the Australian Information Commissioner (oaic.gov.au). If you are a resident of the EEA or UK, you may additionally have rights under the GDPR or UK GDPR (access, rectification, erasure, portability, objection); we honour these requests on the same 30-day timeline.
Children's privacy
Lucky Hour is strictly for users aged 18 and over. We do not knowingly collect personal information from anyone under 18. If you believe a child has submitted data to us, contact us using the details above and we will delete it promptly. Accounts found to belong to minors are terminated and any associated entries are void.
Cookies
Strictly necessary only: session cookie (Supabase auth) and CSRF token. No analytics, advertising, or cross-site tracking cookies are set by Lucky Hour.
Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified via email to the address on file at least seven (7) days before taking effect. The “Effective” date at the top of this page reflects the current version.
Contact
Questions about this Privacy Policy? Email primitiveproductions1@gmail.com or use the contact form. Submissions are routed directly to the founder for a personal reply.