Privacy Policy
Privacy Policy — Rafflery.io
Effective Date: 01 January 2026 Last updated: 11 December 2025
1. The Short Version
Rafflery collects personal data to operate its platform. We use it to run the Service, keep it secure, and make it better. We don’t sell it. We don’t share it with third parties except where that’s necessary to deliver what we’ve described here.
The longer version follows — and it’s worth reading, because this platform involves two different types of people (those who build campaigns and those who enter them), and what we do with data depends on which you are.
2. Who This Covers
Campaign Organisers are individuals, agencies, project teams, or companies that register for a Rafflery account and use it to build and run campaigns.
Campaign Participants are people who enter a campaign published through Rafflery — by submitting an email address or logging in via Facebook.
The data we collect and the reasons we collect it differ between these two groups. Both are addressed here.
3. What We Collect
From Campaign Organisers
When you register and use Rafflery as an organiser, here’s what we have on you:
Your name, email address, company or project name, and account password — which is hashed and never stored as plain text. Billing information, though the actual payment details are handled by our payment processor; we only see transaction records and the last four digits. All the campaign content and settings you create: prize descriptions, entry action configurations, rules, deadlines. Standard usage data — log files, session info, browser type, operating system, IP address. Any messages you send our support team. And OAuth tokens for connected email platforms, stored encrypted. We never see your third-party passwords.
From Campaign Participants
When someone enters a campaign through Rafflery:
Their email address, or Facebook profile ID and public name if they entered via Facebook Login. Entry data — which actions were completed, timestamps, total entry count. Technical data: IP address, browser type, device, referral source. If they used a referral link, we record the referring participant ID so bonus entries credit correctly. And where social actions are verified via API, we store a record of that verification.
We don’t collect financial information, government ID, precise geolocation, or sensitive personal data from participants.
4. Why We Use It
For Campaign Organisers
We use account and billing data to run your subscription and the platform features you’ve paid for. Usage data helps us identify bugs, understand which features are working, and improve things over time. Security and fraud monitoring is a legitimate interest — the platform needs to be protected from abuse. If you’ve opted into marketing communications from us, we’ll send those with your consent and you can unsubscribe any time.
For Campaign Participants
Your entry data is used to record, verify, and process your participation in a campaign. Fraud detection and deduplication protect the integrity of draws. Entry confirmation emails let you know you’re in and how to earn more entries. And your data flows to the Campaign Organiser who created the campaign — that’s the whole point of the platform.
A note that matters: once your data reaches a Campaign Organiser, they become the data controller for it. What they do with your email address — including how they market to you after the campaign — is governed by their own privacy policy, not ours. Rafflery is not responsible for how Campaign Organisers use data once it’s in their systems. You should look at the campaign organiser’s privacy policy before entering any campaign.
5. Who We Share Data With
We don’t sell data, full stop.
Entrant Data goes to Campaign Organisers — that’s the core function of the Service. We share data with service providers who help us operate: hosting infrastructure, payment processing, email delivery, analytics, fraud detection. All of them are under contract and restricted to using data only as instructed by us. A list of current sub-processors is available on request at [email protected].
Verifying social entry actions involves querying third-party APIs. That may require passing a social handle or user ID to confirm an action was completed. It’s used for verification only.
Beyond that, we’d disclose data if required by law, a court order, or a lawful request from an authority — or where we have genuine grounds to believe disclosure is needed to prevent fraud or protect someone’s safety.
If Rafflery is ever acquired or merges with another entity, data would transfer as part of that transaction. We’d give notice before anything like that happened.
6. How Long We Keep It
| Data | Retention |
|---|---|
| Organiser account data | Duration of account + 24 months after closure |
| Billing and transaction records | 7 years |
| Campaign content and settings | 24 months after campaign end |
| Entrant Data | 12 months after campaign end |
| Support communications | 24 months from last message |
| Usage and analytics logs | 12 months |
| Fraud detection records | 36 months |
When data hits its retention limit, it gets deleted or anonymised through our scheduled hygiene processes. Deletion requests outside those schedules are handled as described in our Data Deletion Policy.
7. Security
We use TLS encryption in transit and encryption at rest, hashed and salted passwords, role-based access controls, and regular security reviews. No system is completely immune — but we take this seriously and have incident response procedures in place.
If we ever experience a breach that’s likely to affect your rights and freedoms, we’ll notify you and the relevant supervisory authority within 72 hours of becoming aware, as required under GDPR.
8. Your Rights
Depending on where you are, you have rights over your personal data. For EU and UK residents, those rights are substantial under GDPR. For California residents, CCPA applies. Other jurisdictions have their own frameworks.
In general, you can request access to data we hold about you, ask us to correct inaccurate information, request deletion, ask us to stop or limit certain processing, or request a portable copy of your data. Where we process data based on consent, you can withdraw that consent at any time.
Send requests to [email protected]. We’ll respond within 30 days and may ask you to verify your identity first.
If you’re a Campaign Participant and the data you’re asking about is held by a Campaign Organiser rather than us directly, we’ll redirect your request to them where possible.
9. International Transfers
Rafflery may transfer personal data outside the EEA. When we do, we use Standard Contractual Clauses approved by the European Commission, adequacy decisions, UK IDTAs, or other recognised mechanisms. We don’t transfer data outside the EEA without appropriate safeguards in place.
10. Minors
Rafflery is not for people under 16. We don’t knowingly collect data from minors. Campaign Organisers whose campaigns might reach younger audiences are responsible for implementing their own age verification and consent mechanisms. If we discover we’ve collected data from someone under 16 without appropriate consent, we’ll delete it.
11. Contact
Privacy queries: [email protected] Legal queries: [email protected]
© 2025 Rafflery.io · All rights reserved Legal Center: Terms of Service · Privacy Policy · Data Deletion Policy · GDPR Statement · Cookie Policy · [email protected]
