Your data, explained.

One100s is operated by [ONE100S OPERATING ENTITY], a company registered in the United Arab Emirates, with a correspondence office at Block B, Johar Town, Lahore, Pakistan (referred to as “we”, “us”, or “One100s” in this policy).

This Privacy Policy explains what personal information we collect when you use https://www.one100s.com (the “Service”), why we collect it, how we use it, who we share it with, and the rights you have over it. It applies to everyone who visits the site, creates an account, votes, submits a list or item, or uses our payout system.

We collect the minimum we need to make voting work, keep accounts safe, pay you when you earn, and improve the Service. The categories below are exhaustive — if it isn’t listed here, we don’t collect it.

Account information

When you sign up — by email/password or by Google sign-in — we store your display name, email address, a hashed password (never the plaintext) or your linked Google account ID, and a unique account identifier. If you set an avatar, we store the image URL.

Voting, submission & comment data

Every vote, list submission, item submission, and comment you create is associated with your account and timestamped. This is the data that powers ranking and earning — it is core to how the Service works.

Wallet, points & payout data

We track points earned, points spent, payout requests, and payout method (e.g. PayPal address, bank-routing details). When you request a payout above our threshold, we collect identity-verification (KYC) data — typically a government-issued ID, a selfie, and proof of address — through our verification subprocessor. We retain only what we are legally required to keep for tax and anti-fraud purposes.

Technical & usage data

Our servers automatically receive your IP address, user-agent string, request paths, response codes, and timing data. We use these for security (rate-limiting, fraud detection), billing (counting requests for paid tools), and aggregate analytics. We do not build advertising profiles.

Cookies & similar storage

See § 04 Cookies & similar tech for the full list and purpose of every cookie we set.

Communications

If you email us at marketing@fepy.ae, we keep a copy of the message and your reply chain for support and recordkeeping.

What we do NOT collect: tracking pixels for advertisers, fingerprinting libraries, third-party social trackers, microphone or camera input, location beyond country-level IP geolocation, or anything from people who never visit the site.

Under data-protection regimes that require a stated legal basis (GDPR, UK GDPR, similar UAE PDP frameworks), we rely on the following:

• Performance of a contract — to deliver the core Service (your account, your votes, your submissions, your wallet) under our Terms of Service.
• Legitimate interests— to keep the Service secure, prevent fraud and abuse, run aggregate analytics, and improve features. We balance our interests against your rights and only act where it’s reasonable.
• Legal obligation — for tax, KYC, anti-money- laundering, and lawful requests from authorities.
• Consent — for non-essential cookies, marketing emails (if any), and any newly-introduced processing that goes beyond the above. You can withdraw consent at any time.

We use a small number of cookies — only what the Service needs to function. We do not use third-party advertising or cross-site tracking cookies.

• __Host-authjs.csrf-token / __Secure-authjs.callback-url — Auth.js sign-in security tokens. Required for sign-in to work. HttpOnly, Secure, SameSite=Lax. Session-scoped.
• authjs.session-token — your signed session, set after you sign in. HttpOnly, Secure. Expires when you sign out or when the session expires.
• NEXT_LOCALE — remembers your language preference. No personal data.
• earn_cta_dismissed— remembers that you dismissed the “earn while you vote” banner so we don’t keep showing it. 30-day TTL. No personal data.

You can clear these at any time from your browser. Clearing sign-in cookies will sign you out.

We do not sell your personal information. We share it only with service providers who help us run One100s, only for the limited purposes listed below, and only under written agreements that require them to protect it.

• Vercel — application hosting and the global CDN. Receives request metadata (IP, user-agent, path) for the duration of your visit.
• Database hosting(e.g. DigitalOcean Managed Postgres or equivalent) — stores accounts, votes, submissions, wallet ledger.
• Object storage (DigitalOcean Spaces / compatible S3) — stores avatars, list cover images, KYC documents (encrypted at rest).
• Google Sign-In— when you choose “Continue with Google,” Google authenticates you and shares your email and name with us. Their handling is governed by Google’s privacy policy.
• Email delivery (transactional email provider) — sends sign-up verification, password reset, and submission- status emails. Sees your email address and the message body.
• Payout / KYC providers— when you request a payout above our threshold, the verification subprocessor processes your ID and the payout rail (e.g. PayPal, bank) processes the transfer.
• Analytics — privacy-preserving, aggregate-only. We do not run client-side trackers that build cross-site profiles.
• Authorities — when compelled by valid legal process, or to protect the rights, property, or safety of One100s, our users, or the public.

We will keep this list current. The most up-to-date version of our subprocessor list is always on this page.

One100s operates globally. Some of our subprocessors store or process data outside the country where you live — for example, in the European Union, United States, or other regions where our providers maintain infrastructure. Where required (e.g. EEA ↔ third-country transfers), we rely on standard contractual clauses or equivalent safeguards.

If you have specific requirements about where your data sits, email us — we’ll tell you exactly where it lives.

• Account & profile data: for as long as your account is active, plus 30 days after deletion (to handle accidental deletes and abuse-investigation tail).
• Votes, comments, submissions:retained as long as the underlying list/item exists, even if you later delete your account, in anonymized form (your username replaced with “[deleted]”).
• Wallet ledger: retained for at least 7 years to comply with financial recordkeeping obligations.
• KYC documents: retained only for the legal minimum required by anti-money-laundering rules in our jurisdiction, then securely deleted.
• Server logs: 30 days for security, then aggregated.

Depending on where you live, you have some or all of the following rights:

• Access — ask for a copy of the personal data we hold about you.
• Correction— fix anything that’s wrong. Most profile fields you can edit yourself in your account settings.
• Deletion— close your account and have your personal data deleted, subject to retention rules in § 07. Public contributions (votes, submissions, comments) remain attributed to “[deleted]”.
• Portability — export your account data and your contributions in a machine-readable format.
• Object / restrict — object to processing based on legitimate interests, or ask us to restrict it.
• Withdraw consent — for anything we process on consent.
• Lodge a complaint— with your local data- protection authority. We’d appreciate the chance to fix it first.

To exercise any of these, email marketing@fepy.ae. We reply within 30 days. We may need to verify your identity before we act on a request, especially deletion or export.

One100s is not for children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has created an account, email us at marketing@fepy.ae and we will delete the account and the data we hold.

Payouts require KYC verification, which requires being 18 or older.

We protect your data with industry-standard measures:

• HTTPS everywhere, with HSTS and modern TLS.
• Passwords are hashed with bcrypt — we never see the plaintext.
• Database backups are encrypted at rest.
• Sign-in cookies are HttpOnly, Secure, and SameSite=Lax to defend against XSS and CSRF.
• Admin access requires re-verification on every page load — a stale JWT can’t escalate.
• KYC documents live in a separate, encrypted bucket with restricted access.

No system is bulletproof. If we detect a breach that affects you, we will notify you and the relevant regulator within the legally required timeframe.

When we change this policy, we update the “Last updated” date at the top of the page. For material changes — anything that affects what we collect, how we use it, or who we share it with — we will notify registered users by email and post a banner on the site for at least 14 days.

Continuing to use the Service after a change means you accept the updated policy. If you don’t agree, close your account.

For privacy questions, data-subject requests, or to report a concern:

• Email: marketing@fepy.ae
• Postal: [ONE100S OPERATING ENTITY], Block B, Johar Town, Lahore, Pakistan

We aim to respond within 5 business days for general questions and within 30 days for formal data-subject requests.