Privacy Policy.
This Privacy Policy describes how Around The Hoop Holdings, LLC collects, uses, and protects information about you when you use Win in Range. It applies to the website, our emails, and your account.
Who we are
Win in Range is a service operated by Around The Hoop Holdings, LLC, a Massachusetts limited liability company located at 888 Worcester St, Suite 130, Wellesley, MA 02482 (“we,” “us,” “our,” or “Sponsor”). For purposes of applicable U.S. state privacy laws, we act as the “controller” or “business” with respect to personal information collected through the Win in Range website, emails, and related services (collectively, the “Service”).
This Privacy Policy explains what personal information we collect, how we use it, who we share it with, how long we keep it, how we protect it, and the rights you have. It applies to anyone who interacts with the Service, whether you connect a continuous glucose monitor, submit a free entry form, or simply visit the website.
What we collect
We collect only the information needed to operate the Service. The categories are:
| Category | What it includes | When we collect it |
|---|---|---|
| Account | Email address, account creation date, time zone, email preferences | When you sign up |
| CGM data (Method A players only) | Estimated glucose values (raw readings, ~288 per day, 5-minute cadence) from Dexcom; sensor session metadata; Dexcom account identifier (all read-only) | Once per day, after you authorize Dexcom |
| Free entry (Method B players only) | Full legal name, mailing address, date of birth, eligibility attestation | When you submit a free entry form |
| Winner verification | Government-issued ID, taxpayer identification number (W-9), signed Affidavit of Eligibility | Only if you win a drawing |
| Communications | Email replies, support tickets, contact form submissions | When you email us |
| Technical / device | Browser type, operating system, IP address, page views (limited; see Section 11) | When you visit the website |
What we do not collect: We do not ask for and do not store medical history, medication lists, insulin doses, food logs, A1c results, doctor information, insurance details, social-graph data, or any health information beyond what Dexcom provides via the API.
Your CGM data, specifically
If you choose to play Method A (the CGM-based entry path), you authorize Win in Range to access a limited set of data from your Dexcom account through the Dexcom Developer API. The connection is read-only. We cannot write data to your Dexcom account, modify your sensor, change settings, or affect your medical care in any way.
The specific data we receive is limited to:
- Estimated Glucose Values (EGVs) — the stream of glucose readings produced by your sensor, generated approximately every five minutes (about 288 readings per day). Each reading includes the glucose value in mg/dL, a timestamp, and a status flag.
- Sensor session metadata — start time, end time, and whether a sensor was active during the day, used to determine whether a day's data is countable for entry purposes
- Dexcom account identifier — a unique ID assigned by Dexcom that we use to associate API responses with your Win in Range account
- OAuth refresh token — the credential that lets us pull your daily readings going forward, without you having to log in to Dexcom again
What we never receive from Dexcom, even though it exists in their system:
- Calibration history, sensor errors, or technical alerts
- Food, exercise, insulin, or note entries logged in Dexcom apps
- Any information about your healthcare providers or sharers
What we compute and store from your readings:
From the raw glucose readings, we compute and store only daily aggregate values:
- Your daily Time-in-Range (TIR) — % of readings between 70-180 mg/dL
- Your daily Time Below Range — % of readings below 70 mg/dL (split into Low 54-69 and Very Low <54)
- Your daily Time Above Range — % of readings above 180 mg/dL (split into High 181-250 and Very High >250)
- Your daily sensor-active percentage — what fraction of the day a sensor was actively reading
- Your baseline — the median daily TIR from up to 60 days of data prior to your enrollment, used as the threshold you beat to earn entries; may be periodically recalibrated as described in the Official Rules
- Your weekly entries earned — the count of days in a Sweepstakes Period on which your daily TIR exceeded your baseline, plus any Perfect Week bonus
Raw readings are retained briefly and then discarded. We hold the raw glucose readings only long enough to compute the daily aggregates above (typically less than 48 hours), then we delete them. Long-term, we store only the daily summaries, not the original 5-minute readings.
The daily aggregates are visible to you in the daily and Monday emails. They are not shared with anyone else.
How we use it
We use the personal information described in Section 2 only for the following purposes:
- Operating the Service: calculating your baseline, awarding entries, running weekly drawings, selecting winners
- Communicating with you: sending the daily and Monday emails you've subscribed to, responding to support requests, notifying you if you win
- Verifying winners: confirming eligibility, processing tax forms, delivering prizes
- Complying with law: tax reporting (1099-MISC for prize winners), responding to lawful requests, defending legal claims
- Improving the Service: debugging issues, analyzing aggregate usage to make the product better — never using individual health data for any analytics
- Security: detecting and preventing fraud, abuse, or unauthorized access
What we do not do with your data:
- We do not generate behavioral profiles, ad-targeting segments, or “consumer health inferences” from your data
- We do not use your data to train artificial intelligence models, machine learning systems, or any third-party platform
- We do not analyze your CGM data to derive non-TIR insights (e.g., we don't try to infer when you eat, sleep, or take insulin)
- We do not enrich your data with information from data brokers or third parties
- We do not engage in “targeted advertising,” “sale of personal information,” or “sharing for cross-context behavioral advertising” as those terms are defined under U.S. state privacy laws
Who we share with
We share personal information only with the following categories of recipients, only for the purposes described, and only to the extent reasonably necessary:
| Recipient | What they receive | Why |
|---|---|---|
| Email service provider | Email address, name, email engagement metadata | To deliver our daily and weekly emails to your inbox |
| Hosting & database providers | All data we store, encrypted at rest | To run the website and store account data securely |
| Payment processor | Name, mailing address, taxpayer ID, prize amount (winners only) | To pay prizes and issue 1099-MISC tax forms |
| Customer support tools | Email and any contents of messages you send us | To respond to your questions and support requests |
| Tax authorities | 1099-MISC information for prize winners only | Required by federal and state tax law |
| Sponsors of the Sweepstakes | Aggregate counts only (e.g., total players in a given week, top 10 states by player count, total entries earned across the player base) | To verify they're paying for a real audience |
We do not share your individual CGM data, glucose-derived metrics, baseline, daily TIR, entry counts, or any health information with any third party for any commercial purpose, ever. Sponsors do not receive your name, your individual data, or any data that could identify you. The only exception to this commitment is if we are legally compelled to disclose information by a valid subpoena, court order, or other lawful process — in which case we will, where lawful, give you advance notice and limit the disclosure to what is required.
All vendors above are bound by written agreements requiring them to use your data only for the purposes we direct, to maintain reasonable security, and to delete or return your data upon termination of our relationship. We do not allow vendors to use your data for their own marketing or to sell it onward.
Business transfers: If Around The Hoop Holdings, LLC is acquired, merges with another company, or sells substantially all of its assets, your data may be transferred to the acquirer subject to this Privacy Policy. We will notify players in advance of any such transfer that materially affects how your data is used, and give you a meaningful opportunity to delete your account first.
How long we keep it
We retain personal information only for as long as reasonably necessary to operate the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. Specifically:
| Data type | Retention period |
|---|---|
| Account information | Active while your account is open. Deleted within 30 days of account deletion. |
| Daily TIR & entries | Active while your account is open. Deleted within 30 days of account deletion. |
| Free entry submissions | 90 days after the relevant Sweepstakes Period closes, then deleted. |
| Winner verification records | Retained 7 years after prize award, as required for IRS recordkeeping. |
| Email logs (delivery, bounces) | 12 months from the date of the email. |
| Web server logs | 30 days, unless retained longer for security investigation. |
| Support correspondence | 3 years from your last interaction, then deleted. |
If you delete your account, we will revoke our Dexcom API authorization within 24 hours, and your account, baseline, entry history, and email subscription will be deleted from our active systems within 30 days. Backup copies are overwritten on a rolling 90-day cycle. Records we are legally required to retain (such as tax records for prize winners) are kept for the period required by law, then deleted.
How we protect it
We maintain a written information security program (WISP) and apply administrative, technical, and physical safeguards designed to protect your information. These include:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest using industry-standard methods
- Access controls limiting employee and contractor access to data on a need-to-know basis
- Regular review of access logs and security configurations
- Vendor due diligence and contractual safeguards with all service providers
- Multi-factor authentication for all administrative accounts
- Documented incident-response procedures, tested periodically
That said, no method of transmission or storage is perfectly secure. We cannot guarantee absolute security, and we encourage you to use a strong, unique password and to notify us immediately at security@wininrange.com if you suspect your account has been compromised.
If we learn of a security incident affecting your personal information, we will notify you in accordance with applicable law — including, where applicable, the FTC Health Breach Notification Rule (16 CFR Part 318). See Section 13 for details on how the FTC rule applies.
Your rights
Regardless of where you live, every Win in Range player has the following rights:
- Access: View the data we have about you. The settings page shows your account, baseline, and entry history. To export a complete copy as a CSV, use the “Download my data” link in your account settings.
- Correction: Update inaccurate information. Most fields are directly editable in your settings. For anything else, email us.
- Deletion: Delete your account and erase your data. Use the “Delete my account” link in your settings, or email privacy@wininrange.com. We act on deletion requests within 30 days; backups are overwritten on a 90-day cycle.
- Disconnection: Revoke our access to your Dexcom data at any time, either through your Win in Range settings or directly in your Dexcom account. Disconnection takes effect within 24 hours.
- Email opt-out: Unsubscribe from emails using the link in any email's footer, or change preferences in your account settings.
- Portability: Receive a copy of your data in a portable, machine-readable format. The “Download my data” link delivers a CSV file.
To exercise any of these rights, use your account settings or email privacy@wininrange.com. We will respond within 30 days. We may need to verify your identity before acting on a request — typically by sending a confirmation link to the email address on your account.
We will not retaliate against you for exercising any of these rights. We will not require you to give up rights, change your prize odds, or pay anything as a condition of exercising them.
State-specific rights
Depending on where you live, you may have additional rights under your state's privacy laws. We provide all of the rights listed in Section 8 to every Win in Range player nationwide, but the following state-specific notes may also apply.
California (CCPA / CPRA). California residents have the rights to: (a) know what personal information we collect, use, disclose, and sell or share; (b) delete personal information; (c) correct inaccurate personal information; (d) opt out of the sale or sharing of personal information; and (e) limit the use of “sensitive personal information.” We do not sell or share your personal information for cross-context behavioral advertising. Your TIR data is sensitive personal information; we use it only for the purposes described in Section 4. To exercise your rights, email privacy@wininrange.com with the subject line “California Privacy Request.”
Washington (My Health My Data Act). Washington residents have specific rights regarding “consumer health data.” We have determined that, with respect to Washington residents, your CGM-derived TIR is “consumer health data” under the MHMDA. We collect and use this data only with your affirmative consent (which you provide by connecting Dexcom), only for the purposes you authorize, and we apply the MHMDA's restrictions on geofencing, data sale, and downstream sharing. To exercise your MHMDA rights — including the right to confirm what consumer health data we hold, withdraw consent, and request deletion — email privacy@wininrange.com with the subject line “Washington MHMDA Request.”
Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and other comprehensive privacy law states. Residents of these states have rights similar to those described in Section 8, including access, deletion, correction, portability, and opt-out of targeted advertising and sale of personal information. We honor these rights nationwide regardless of residence.
Appeals. If we deny a privacy request you've submitted, you have the right to appeal. To appeal, reply to our denial email, and we will review the appeal within 60 days. If you remain dissatisfied, you may complain to your state attorney general.
Authorized agents. You may designate an authorized agent to make a privacy request on your behalf. We will require reasonable verification of the agent's authority and your identity before acting on the request.
Email & marketing
By creating a Win in Range account, you agree to receive emails about the Service, which is the entire product. The default email schedule is one daily email and one Monday winner email per week, for a maximum of six emails per week.
Every email includes an unsubscribe link in the footer, as required by the federal CAN-SPAM Act. You can also adjust email preferences from your account settings. Unsubscribing from marketing or daily emails will not prevent you from receiving transactional or legally required emails (e.g., a winner notification, a security alert, or a notice that this Privacy Policy has changed).
We do not sell or share your email address with other companies. We do not use your email address for advertising on other platforms. We do not run sponsored emails from third-party brands; the only senders you will see are Win in Range itself.
Cookies & tracking
The Win in Range website uses a small number of strictly necessary first-party cookies to keep you logged in, remember your preferences, and protect against fraud and abuse. We use a privacy-respecting analytics tool to count page views in aggregate; this tool does not set cookies, does not track individual users across sessions, and does not use IP addresses or other identifiers to build profiles.
We do not use:
- Google Analytics, Adobe Analytics, or similar comprehensive analytics platforms
- Facebook Pixel, TikTok Pixel, LinkedIn Insight Tag, or other social-media tracking
- Advertising networks, retargeting cookies, or programmatic ad infrastructure
- Session recording, heatmap, or behavioral analytics tools
- Cross-domain or cross-app tracking SDKs
Because we do not engage in cross-context behavioral advertising or sale of personal information, the “Do Not Track” and “Global Privacy Control” signals do not change our practices, but we honor any opt-out requests you submit through our settings page or by email.
Children's privacy
The Service is intended for adults 18 years of age or older (or the age of majority in your state, whichever is greater). We do not knowingly collect personal information from children under 13 (or 16 in some states), and the eligibility requirements in the Official Rules prohibit minors from participating in the Sweepstakes.
If we learn that we have inadvertently collected personal information from a child, we will delete that information promptly. If you believe a minor has provided us with personal information, please email privacy@wininrange.com immediately.
HIPAA & breach notification
Win in Range is not a HIPAA-covered entity and is not a “business associate” of any HIPAA-covered entity. The data we receive from Dexcom via API is not “protected health information” (PHI) in our hands under federal HIPAA regulations.
However, the federal FTC Health Breach Notification Rule (16 CFR Part 318) may apply to Win in Range as a “vendor of personal health records” because we collect identifiable health information from a consumer (you) and a non-HIPAA source (the Dexcom API). If we experience a breach of unsecured personally identifiable health information, we will notify affected players, the FTC, and where required, prominent media outlets, within the timelines specified by the rule (generally within 60 days of discovery).
This is in addition to any state breach-notification laws that may apply, including those of California, Massachusetts, Washington, and other states where players reside.
Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will:
- Update the “Last updated” date at the bottom of the page
- Post the updated policy at wininrange.com/privacy
- For material changes — including any change that expands the categories of data we collect, the purposes for which we use it, or the third parties with whom we share it — notify you by email at least 30 days before the change takes effect, and where required by law, obtain your affirmative consent before applying the change to your data
If you don't agree to a material change, you can delete your account before the change takes effect, and we will treat your existing data under the prior policy through the deletion process.
Contact us
For privacy questions, requests to exercise your rights, or any other privacy-related concern, contact us at:
Email: privacy@wininrange.com
Mail: Win in Range — Privacy
Around The Hoop Holdings, LLC
888 Worcester St, Suite 130, Wellesley, MA 02482
We aim to respond to all privacy emails within 5 business days, and to formal rights requests within 30 days as required by law.
Policy controller: Around The Hoop Holdings, LLC, Wellesley, Massachusetts.