Privacy Policy

Thrilla Digital Ltd · Last updated April 2026 · contact@thrilla.online

This Privacy Policy is a legally binding document that governs how Thrilla Digital Ltd collects, uses, shares, and protects your personal data. Please read it carefully before using the THRILLA Platform. If you do not agree with this policy, you must not use the Platform.

1. Who we are and how to contact us

Thrilla Digital Ltd (“THRILLA”, “we”, “our”, “us”) is the data controller responsible for your personal data collected through the THRILLA Platform — including the website, mobile application, APIs, and all associated services (the “Platform”). We are incorporated and registered in England and Wales.

Thrilla Digital Ltd

Address: 150 Meiklehill Road

Email: contact@thrilla.online (subject: “Data Protection Enquiry”)

Platform: thrilla.online

ICO Registration Number: ZC124093

You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at any time at ico.org.uk or 0303 123 1113.

2. Scope of this policy

This Privacy Policy applies to all personal data we collect and process in connection with:

  • Your use of the Platform as a Viewer (a person who watches advertisements and earns Rewards) or as an Advertiser (a brand or person who runs campaigns on the Platform).
  • Your registration on our waitlist or any pre-launch or marketing communication.
  • Your communications with us including support requests, complaints, and formal enquiries.
  • Any commercial data sharing arrangements you have consented to.
  • Your participation in surveys, research, beta programmes, or other optional activities we may run.

This policy should be read alongside our Terms and Conditions. Additional privacy notices may be provided at the point of collecting specific categories of data and should be read together with this policy.

3. Personal data we collect

3.1 Data you provide directly

  • Identity data: full name, date of birth, age confirmation, username, and gender if voluntarily provided.
  • Contact data: email address, phone number if provided, and correspondence address.
  • Account data: login credentials stored in encrypted form, account preferences, notification settings, and platform settings.
  • Financial data: payment method details processed and tokenised by Stripe. We do not store full card numbers, sort codes, account numbers, or CVV codes on our own systems.
  • Identity verification data: government-issued photo identification documents submitted for KYC verification, processed exclusively by Stripe Identity. We receive only the verification outcome.
  • Advertiser data: business name, company registration details, billing information, advertising campaign content, targeting parameters, and budget information.
  • Communications data: the full content of emails, in-platform messages, support tickets, complaint submissions, feedback, and any other communications you send to us.
  • Consent records: records of marketing consents, data sharing consents, and any other consents you have given or withdrawn, including timestamp and consent version.
  • Waitlist data: name and email address provided through our waitlist registration form.

3.2 Data collected automatically

  • Device data: device type, make, model, operating system and version, browser type and version, screen resolution, device language, and device identifiers including advertising IDs.
  • Network data: IP address, approximate geographic location derived from IP address, internet service provider, mobile carrier, and connection type.
  • Usage data: screens and pages visited, features used, advertisements watched, completion rates, time spent on each advertisement, quiz questions presented, answers submitted, quiz response times, in-app navigation flows, session duration, and referring URLs.
  • Device fingerprint data: a pseudonymous identifier generated from the combination of your device hardware characteristics, software configuration, browser attributes, and network properties. This identifier is used exclusively for fraud detection, bot prevention, and Platform security. It is not used for advertising targeting purposes.
  • Behavioural data: interaction patterns including mouse movement trajectories, scroll velocity and depth, click coordinates, tap patterns, keystroke timing dynamics, and gyroscope or accelerometer data on mobile devices. This data is collected exclusively for fraud detection and to verify the authenticity of Verified Views. It is never used for advertising profiling.
  • Transaction data: records of all Rewards earned, Rewards withdrawn, Rewards forfeited, campaign spend, payment processing events, and verification outcomes.
  • Log data: server-side logs recording all Platform interactions including access timestamps, API calls, error events, authentication attempts, and system events.
  • Cookie and tracking data: as described in Section 12.

3.3 Data received from third parties

  • Stripe: payment transaction data, tokenised payment method details, identity verification outcomes, and fraud risk signals generated by Stripe’s own systems.
  • Fraud and identity databases: where we conduct checks against industry fraud databases, we may receive indicators of whether a device, identity, or payment method has been associated with fraudulent activity.
  • Analytics and attribution partners: where you have consented, we may receive data from marketing analytics partners about how you discovered THRILLA.
  • Law enforcement and regulatory authorities: where legally required, we may receive data from authorities in connection with investigations or legal proceedings.
  • Advertisers (limited): Advertisers may provide us with audience segment data for campaign targeting purposes. This data is used solely for delivering relevant advertisements within the Platform and is not combined with your personal profile for any other purpose.

3.4 Special categories of personal data

We do not intentionally collect special category personal data as defined under UK GDPR Article 9, which includes health data, biometric data for identification, genetic data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, or data concerning sexual orientation or sex life. Identity verification documents processed by Stripe Identity may incidentally contain some such data but are processed by Stripe — not stored on our systems. We receive only the verification outcome.

If you believe you have inadvertently provided special category data, contact us at contact@thrilla.online immediately for secure deletion.

3.5 Data we do not collect

We do not collect the full text of any advertisement you watch. We do not collect audio from your device microphone. We do not access your camera except through Stripe Identity’s KYC process where you have explicitly consented. We do not access your device’s contact list, files, or messages.

4. How we use your personal data

The table below sets out every purpose for which we process your personal data, what data is used, the lawful basis we rely on under UK GDPR, and how long we retain it.

| Processing purpose | Categories of personal data | Lawful basis | Retention |
| --- | --- | --- | --- |
| Account creation and management | Identity, contact, account data | Contract | Account life + 6 yrs |
| Delivering ads to Viewers | Account, device, usage data | Contract | 2 yrs after account closure |
| Recording and validating Verified Views | Usage, behavioural, quiz response data | Contract | 2 yrs after account closure |
| Calculating and paying Viewer Rewards | Identity, financial, transaction data | Contract | 7 yrs (HMRC) |
| Processing Advertiser Campaign payments | Advertiser, financial, transaction data | Contract | 7 yrs (HMRC) |
| KYC identity verification before first payout | Identity, verification documents | Legal obligation | Account life + 5 yrs |
| Fraud detection and prevention | Device fingerprint, behavioural, network, usage, transaction data | Legitimate interests | Account life + 24 months |
| Anti-money laundering compliance | Identity, financial, transaction, account data | Legal obligation | 5 yrs post-relationship |
| Sanctions screening | Identity, contact data | Legal obligation | 5 yrs post-relationship |
| Responding to legal / regulatory requests | Any relevant data | Legal obligation | As directed by authority |
| Reporting earnings to HMRC | Identity, financial, transaction data | Legal obligation | 7 yrs |
| Platform security and integrity monitoring | Device, network, log, behavioural data | Legitimate interests | 12 months |
| Investigating complaints and disputes | Any relevant data | Legitimate interests / Legal obligation | 3 yrs post-resolution |
| Service improvement (anonymised only) | Aggregated anonymised usage data only | Legitimate interests | Indefinite (anonymised) |
| Service communications | Contact, account data | Contract | Account life |
| Marketing communications (opted-in only) | Contact data | Consent | Until consent withdrawn |
| Waitlist management | Waitlist data (name, email) | Consent | 12 months from registration |
| Commercial data sharing — aggregate insights | Anonymised, aggregated behavioural data only | Legitimate interests | Indefinite (anonymised) |
| Commercial data sharing — personal data | Identity, contact, usage data (with explicit consent only) | Consent | Until consent withdrawn |
| Terms and Conditions enforcement | Any relevant data | Legitimate interests / Legal obligation | 6 yrs post-incident |

4.1 Legitimate interests assessments

Where we rely on legitimate interests as our lawful basis, we have conducted a legitimate interests assessment (LIA) confirming our interests are not overridden by yours. Our primary legitimate interests are:

  • Fraud detection and prevention: essential to protect the financial integrity of the Platform, the interests of Advertisers paying for genuine views, and the interests of legitimate Viewers. The minimum data necessary is used and processing is proportionate.
  • Platform security: detecting and preventing unauthorised access, abuse, and technical attacks.
  • Commercial data insights: generating anonymised, aggregated market intelligence from Platform activity. No personal data identifiable to an individual is included in insights shared commercially. You have the right to object to this processing — see Section 10.
  • Dispute resolution and enforcement: investigating complaints, resolving disputes, and enforcing our Terms and Conditions.

4.2 Automated decision making and profiling

Our fraud detection systems make automated decisions about Platform activity that may materially affect your Account. These include:

  • Automatic flagging of accounts where unusual activity patterns are detected, resulting in a review hold.
  • Automatic hold on withdrawal requests where fraud risk indicators are present.
  • Automatic voiding of Rewards credits where activity patterns are inconsistent with genuine human viewing behaviour.
  • Automatic account suspension where multiple prohibited activities are detected simultaneously.

These automated decisions are made under UK GDPR Article 22(2)(a) on the basis of contractual necessity — fraud prevention being integral to the Platform’s ability to perform the contract with both Viewers and Advertisers.

You have the right to request a human review of any automated decision that has significantly affected you. Contact contact@thrilla.online with the subject line “Automated Decision Review Request” and full details of the decision. A qualified member of our team will review the decision and provide a written outcome within 14 business days.

We do not carry out behavioural profiling for advertising targeting purposes. Behavioural data is used exclusively for fraud detection as described in Section 3.2.

5. Commercial data sharing and data monetisation

THRILLA may generate revenue from sharing data with third parties. This section explains exactly how, under what conditions, and what rights you have. We are committed to complete transparency about our commercial data practices.

5.1 Anonymised aggregate data — no consent required

We may share or sell aggregated, anonymised insights derived from Platform activity with third parties for commercial purposes. This includes market intelligence such as audience attention patterns, category-level engagement rates, quiz performance benchmarks, and viewability metrics.

This data does not identify you individually. It cannot be reverse-engineered to identify any specific person. No opt-out is required as this is not personal data under UK GDPR. However, we will always be transparent that this activity occurs.

Examples of what this looks like: “Viewers in the 18-34 age bracket spend an average of 28 seconds on supplement advertisements” or “Quiz pass rates on fashion ads exceed 87%.” No individual is identifiable from such insights.

5.2 Personal data sharing — explicit consent required

We will only share your personal data with third parties for commercial purposes if you have given us your explicit, specific, informed, and freely given consent to do so. This means:

  • You will be presented with a clear, standalone consent request — separate from any other consent or terms acceptance — that identifies the specific third party or category of third party, specifies exactly what data will be shared, and explains the purpose.
  • Consent is never bundled with the Terms and Conditions or any other agreement. You cannot be required to consent to personal data sharing as a condition of using the Platform.
  • You can withdraw consent at any time with immediate effect by contacting contact@thrilla.online or through the consent management section of your account settings. Withdrawal of consent does not affect the lawfulness of sharing that took place before withdrawal.
  • We maintain timestamped records of all consents given and withdrawn.

If we wish to share your personal data commercially in the future, you will receive a clear notification in the Platform or by email before any sharing begins, with full details and a simple opt-in mechanism.

5.3 What we never do regardless of consent

The following data sharing practices are prohibited under our internal data ethics policy and will never occur regardless of any commercial arrangement or consent:

  • We will never share your identity verification documents or KYC data with any third party other than Stripe for the purpose of KYC processing.
  • We will never share your financial data, bank details, or payment method information with any third party other than Stripe for the purpose of payment processing.
  • We will never sell data to political organisations, data brokers operating in the surveillance economy, or any entity on a government sanctions list.
  • We will never share data in a way that could be used to target you with content that discriminates on the basis of protected characteristics under the Equality Act 2010.
  • We will never share individual-level data with Advertisers that could identify which specific person watched their advertisement.

6. Payments, earnings, and financial data

All payment processing on the Platform is handled by Stripe, Inc. (“Stripe”), a regulated payment service provider. When you provide payment information on the Platform, that information is transmitted directly to Stripe using industry-standard TLS encryption. We do not store your full card number, bank sort code, account number, or CVV on our own systems.

We receive from Stripe: transaction IDs, payment confirmation status, payment method type (e.g. “Visa ending 4242”), payout status, and fraud risk signals. We use this data to manage your Rewards balance, process withdrawals, and meet our legal compliance obligations.

Identity verification for KYC is conducted by Stripe Identity. You will be required to submit a government-issued photo identification document. This document is transmitted directly to Stripe and processed in accordance with Stripe’s Privacy Policy at stripe.com/gb/privacy. We receive only the verification outcome (verified or not verified). We do not retain a copy of your identification document.

We may be required by law to report earnings data to HMRC under the UK’s Digital Platform Reporting rules and under the Income Tax (Earnings and Pensions) Act 2003. We will report only what is legally required and will not report beyond our statutory obligations.

Tax obligations arising from Rewards are your sole responsibility. THRILLA does not provide tax advice. If you are uncertain about your obligations, consult a qualified tax adviser or visit gov.uk/hmrc.

7. Third parties we share your data with

We share personal data only with the following categories of recipients. All recipients who act as data processors are bound by contractual data processing agreements under UK GDPR Article 28.

Stripe, Inc. (USA)

Payment processing, identity verification, and fraud prevention. Data is transferred to the USA under UK Standard Contractual Clauses as approved by the ICO. Stripe’s privacy policy: stripe.com/gb/privacy.

Cloud infrastructure and hosting providers

Platform hosting, data storage, and content delivery. We use providers operating data centres within the UK and EEA. Specific provider details will be published on our website. All providers are bound by data processing agreements.

Fraud prevention and identity services

Specialist fraud detection and identity verification services may receive device fingerprint data, IP addresses, and behavioural signals for the sole purpose of fraud prevention. These providers are prohibited by contract from using this data for any other purpose.

Analytics and performance monitoring providers

We use technical analytics providers to monitor Platform performance and uptime. These providers receive aggregated, anonymised technical data only. No personal data identifying individual users is shared.

Legal and regulatory authorities

We will share personal data with law enforcement agencies, the National Crime Agency (NCA), HMRC, the Financial Conduct Authority, the ICO, or any other relevant authority where we are legally compelled to do so by a court order, regulatory requirement, or other legal obligation. We may also share data in good faith where necessary to prevent or detect serious crime, protect public safety, or protect the rights of Thrilla Digital Ltd or its users.

Professional advisers

Lawyers, accountants, auditors, and insurers who require access to data in connection with professional services. All are bound by professional duties of confidentiality.

Commercial data sharing partners (personal data — consent only)

Third parties with whom you have explicitly consented for us to share your personal data as described in Section 5.2. You will always be informed of the identity of such parties at the time of providing consent.

Business successors

In the event of a merger, acquisition, sale of assets, or corporate restructuring, your personal data may transfer to the acquiring entity. We will notify you by email before any such transfer and will ensure equivalent data protection obligations are in place.

We do not share your personal data with Advertisers for use outside the Platform. Advertisers receive only aggregated, anonymised campaign performance metrics. They never receive data that identifies individual Viewers.

8. International data transfers

Some of our service providers operate outside the United Kingdom. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place under UK GDPR Chapter V and the UK International Data Transfer Agreement (IDTA) framework.

| Recipient | Location | Transfer mechanism |
| --- | --- | --- |
| Stripe, Inc. | United States | UK Standard Contractual Clauses (UK SCCs) approved by the ICO |
| Cloud infrastructure provider | UK / EEA (primarily) | Adequacy decision / no transfer outside UK-EEA anticipated |
| Fraud prevention services | UK / EEA (primarily) | UK Standard Contractual Clauses where applicable |
| Future commercial data partners | To be disclosed at point of consent | Transfer mechanism disclosed at point of consent |

You may request a copy of the specific transfer safeguards in place for any recipient by contacting contact@thrilla.online.

9. Data retention

We retain personal data only for as long as necessary for the purposes for which it was collected, including to satisfy legal, regulatory, accounting, or reporting requirements. The following retention schedule applies:

| Data category | Retention period | Legal basis for retention |
| --- | --- | --- |
| Account and identity data | Account life + 6 years after closure | Legal/tax obligations, litigation |
| Transaction and earnings records | 7 years from transaction date | HMRC Finance Act 1998 |
| KYC verification records | Account life + 5 years after closure | Anti-money laundering regulations |
| Device fingerprint and behavioural data | Account life + 24 months after closure | Fraud prevention |
| Quiz response and viewing logs | Account life + 2 years after closure | Dispute resolution, fraud detection |
| Communication records | 3 years from date of communication | Complaint handling, disputes |
| Fraud investigation records | 6 years from conclusion of investigation | Legal proceedings, regulatory reporting |
| Marketing consent records | Until consent withdrawn + 3 years | Proof of consent under UK GDPR |
| Commercially shared personal data (consented) | Until consent withdrawn | Consent-based processing |
| Anonymised aggregate data | Indefinite | Anonymised data — not personal data |
| Waitlist data (no account created) | 12 months from registration | Consent-based processing |
| Server and access logs | 12 months from creation | Security and operational purposes |
| Sanctions and AML screening records | 5 years post-relationship end | AML Regulations 2017 |

At the end of each retention period, personal data is securely deleted using industry-standard deletion procedures, or permanently anonymised where deletion is not technically feasible. Anonymised data is not personal data and may be retained indefinitely.

Where data is subject to a legal hold in connection with litigation, regulatory investigation, or law enforcement request, retention may be extended beyond the standard period for the duration of the hold.

10. Your data protection rights

Under UK GDPR you have the following rights. These rights are not absolute and are subject to legal exemptions. We will respond to all valid requests within one calendar month. Where requests are complex or numerous, we may extend this by a further two months and will notify you. All rights requests should be sent to contact@thrilla.online with the subject line “Data Rights Request”.

Right of access (Subject Access Request)

You have the right to receive a copy of all personal data we hold about you, along with information about how we use it, who we share it with, how long we keep it, and the source of the data. We provide this free of charge in a commonly used electronic format within one calendar month.

Right to rectification

You have the right to request correction of inaccurate personal data and completion of incomplete personal data. We will act on valid requests within one month.

Right to erasure (“right to be forgotten”)

You have the right to request deletion of your personal data in certain circumstances including: where the data is no longer necessary for the purpose collected; where you withdraw consent and there is no other lawful basis; where you have successfully objected to processing; or where the data has been unlawfully processed. This right does not apply where retention is required by law, for the establishment or defence of legal claims, or in connection with a fraud investigation.

Right to restriction of processing

You have the right to request restriction of processing while we investigate the accuracy of data you have contested, while we assess a legitimate interests objection, or where processing is unlawful but you prefer restriction to erasure.

Right to data portability

Where we process your personal data by automated means on the basis of contract or consent, you have the right to receive that data in a structured, commonly used, machine-readable format and to have it transmitted directly to another controller where technically feasible.

Right to object

You have the right to object at any time to processing of your personal data based on legitimate interests, including processing for commercial data insights. Where you object, we will cease that processing unless we can demonstrate compelling legitimate grounds that override your interests, or where processing is necessary for legal claims. To object to any specific processing, contact contact@thrilla.online with the subject line “Objection to Processing” and specify the processing you object to.

You have an absolute right to object to processing of your personal data for direct marketing purposes. We will always act on such objections immediately and without condition.

Right to withdraw consent

Where we process your data on the basis of consent — including consent to commercial data sharing — you may withdraw that consent at any time without detriment to your use of the Platform. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. To withdraw consent, contact contact@thrilla.online or use the consent management section in your account settings.

Right not to be subject to solely automated decisions

Where an automated decision has had a significant effect on you, you have the right to obtain human review of that decision, express your views, and contest the outcome. See Section 4.2 for how to exercise this right.

Right to lodge a complaint with the ICO

You have the right to lodge a complaint with the Information Commissioner’s Office at any time. ico.org.uk | 0303 123 1113 | Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. We would appreciate the opportunity to resolve your concern directly first.

11. Security measures

We apply appropriate technical and organisational security measures proportionate to the risk of processing, including:

  • Encryption of all personal data in transit using TLS 1.3 or higher.
  • Encryption of personal data at rest using AES-256 or equivalent industry-standard encryption.
  • Role-based access control with the principle of least privilege applied across all systems.
  • Multi-factor authentication mandatory for all staff and contractor access to systems containing personal data.
  • Regular penetration testing, vulnerability scanning, and security audits by qualified third-party providers.
  • Incident detection and response procedures enabling containment within defined timeframes.
  • Staff training on data protection, information security, and secure development practices.
  • Data minimisation principles applied at the point of collection — we collect only what is necessary.
  • Pseudonymisation applied to analytics and fraud detection data wherever technically feasible.

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the ICO within 72 hours of becoming aware of the breach in accordance with UK GDPR Article 33. Where the breach creates a high risk to your rights and freedoms, we will notify you directly without undue delay in accordance with UK GDPR Article 34, providing: a description of the breach; the categories and approximate numbers of people affected; the likely consequences; and the measures we are taking to address it.

12. Cookies and tracking technologies

12.1 What we use

We use cookies, local storage, session storage, and similar tracking technologies on the Platform. These fall into four categories:

  • Strictly necessary: essential to Platform operation and cannot be disabled. Includes session management cookies, authentication tokens, security tokens, and fraud detection identifiers. No consent is required for these as they are technically necessary.
  • Functional: remember your preferences and settings to improve your experience. Set only with your consent.
  • Analytics: collect anonymised data about Platform usage to help us understand and improve performance. No personal data identifying you individually is collected. Set only with your consent.
  • Commercial and advertising: where you have consented to commercial data sharing under Section 5.2, we may use tracking technologies to facilitate that sharing. These are set only with your explicit separate consent.

12.2 Managing cookies

You can manage non-essential cookies through your browser settings or through the cookie preference centre available on the Platform. Disabling strictly necessary cookies will impair or prevent Platform operation. Withdrawing consent to analytics or commercial cookies does not affect your ability to use the core Platform. Your cookie preferences are stored in your account settings and in a cookie consent record maintained by Thrilla Digital Ltd.

For more information: allaboutcookies.org

13. Children’s privacy

The Platform is strictly for persons aged 18 and over. We do not knowingly collect personal data from anyone under 18. If we discover that personal data has been collected from a person under 18, we will immediately delete it, terminate the associated Account, and forfeit any accumulated balance. If you believe we may have collected data from a person under 18, please contact contact@thrilla.online immediately.

We do not carry out any targeted advertising or profiling directed at persons under 18 and we do not include any content designed to appeal to persons under 18 on the Platform.

14. Third-party links and integrations

The Platform may contain links to third-party websites or integrate with third-party services. This Privacy Policy applies only to Thrilla Digital Ltd’s own processing. We have no control over and accept no responsibility for the privacy practices of any third party. We encourage you to read the privacy policy of any third-party service before providing personal data to it.

15. Changes to this privacy policy

We may update this policy from time to time to reflect changes in our data processing activities, legal requirements, or commercial practices. When we make material changes, including any new commercial data sharing arrangements, we will:

  • Send an email notification to the address registered to your Account at least 14 days before the change takes effect.
  • Display a prominent notice on the Platform.
  • Where required by law, seek fresh consent before any new processing begins.

The version date at the top of this document indicates when it was last updated. Continued use of the Platform after the effective date of any change constitutes your acknowledgement of the updated policy, except where fresh consent is required. If you do not agree with any change, you should cease using the Platform and close your Account before the effective date.

The version history of this Privacy Policy is available on request from contact@thrilla.online.

16. Contact and complaints

For any question, rights request, objection, or complaint relating to this Privacy Policy or our data processing activities:

Thrilla Digital Ltd

Address: 150 Meiklehill Road

Email: contact@thrilla.online (subject: “Data Protection Enquiry”)

Platform: thrilla.online

We will acknowledge all privacy enquiries within 3 business days and provide a substantive response within the timeframes set out in this policy. If you are not satisfied with our response, you have the right to escalate your complaint to the ICO:

Information Commissioner’s Office

Website: ico.org.uk

Telephone: 0303 123 1113

Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

This Privacy Policy was last updated in April 2026 and supersedes all previous versions. Thrilla Digital Ltd is registered in England and Wales.

This policy complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR), and the UK International Data Transfer Agreement framework.

Document version: 2.0 · Classification: Public · Review date: April 2027
