GDPR Compliance Statement

Effective Date: 01 January
Last Updated: 20 May 2026

1. Our Position on GDPR

Rafflery operates under the General Data Protection Regulation (EU) 2016/679 and, where it applies, the UK GDPR. This isn’t a box-ticking exercise. Rafflery processes personal data on behalf of Campaign Organisers who may themselves serve EU-based audiences, and we take the responsibilities that come with that seriously.

This document explains our role under GDPR, how we’ve structured our compliance, and what it means practically for anyone using the platform.


2. How GDPR Applies to Rafflery — Two Distinct Roles

The distinction between data controller and data processor matters here, because Rafflery operates as both — depending on whose data is being processed.

As a data controller: Rafflery controls the personal data of Campaign Organisers. When you create an account, use the platform, contact support, or receive service communications from us, we’re the controller — we determine why and how that data is processed.

As a data processor: When Campaign Organisers run campaigns and participants enter them, Rafflery processes Entrant Data on behalf of the organiser, who is the data controller in that relationship. We act strictly on the organiser’s instructions (as expressed through their campaign configuration) and for defined purposes: recording entries, verifying actions, deduplication, and fraud detection.

The practical implication of this split: Campaign Organisers are legally responsible for the data they collect from participants. That includes having a lawful basis for collection, giving participants adequate notice through their own privacy policy and campaign terms, and ensuring their downstream use of that data complies with GDPR. Rafflery’s role is to process it accurately and securely on their behalf — nothing more.


3. Data Processing Agreements

Campaign Organisers who need a formal Data Processing Agreement (DPA) for their own GDPR compliance can request one. Our standard DPA covers all the required ground: the scope of processing activities, data categories, instruction-based processing limits, confidentiality and security obligations, sub-processor disclosure, data subject rights assistance, breach notification, and provisions for data return or deletion at contract end.

Request a DPA at: [email protected]


4. Lawful Basis for Processing

Processing Activity | Lawful Basis
Account management and service delivery | Art. 6(1)(b) — Contract performance
Billing and payments | Art. 6(1)(b) — Contract performance
Platform security and fraud prevention | Art. 6(1)(f) — Legitimate interests
Platform analytics and improvement | Art. 6(1)(f) — Legitimate interests
Email marketing (opt-in only) | Art. 6(1)(a) — Consent
Processing campaign entries on behalf of organisers | Art. 6(1)(f) — Legitimate interests
Legal obligations | Art. 6(1)(c) — Legal obligation

Where we rely on legitimate interests, we’ve conducted legitimate interest assessments confirming the processing is necessary and proportionate and doesn’t override individuals’ rights. Those assessments are documented and available to regulators on request.


5. Data Subject Rights

If you want to exercise any right under GDPR, send a request to [email protected]. We’ll respond within 30 days and may need to verify your identity first.

Right | How to use it
Access (Art. 15) | Email [email protected]
Rectification (Art. 16) | Update in account settings or email us
Erasure (Art. 17) | See Data Deletion Policy
Restriction (Art. 18) | Email [email protected]
Portability (Art. 20) | Request from account settings or email us
Object (Art. 21) | Email [email protected]
Withdraw consent | Use unsubscribe link or email us

If you’re a Campaign Participant and the data in question was collected by and passed to a Campaign Organiser, we’ll redirect your request to them where we’re able to.


6. International Transfers

Any transfer of personal data outside the EEA is done under an appropriate mechanism: Standard Contractual Clauses (SCCs, European Commission Decision 2021/914), EC adequacy decisions, or UK International Data Transfer Agreements (IDTAs) for UK transfers. We don’t move data across borders without a compliant basis.


7. Sub-Processors

We use a small number of carefully vetted sub-processors to deliver the Service. All are under data processing agreements. If we add or replace a material sub-processor, we’ll give Campaign Organisers advance notice. Full list available on request: [email protected].


8. Privacy by Design

GDPR Article 25 requires data protection to be built in rather than bolted on. In practice, that means we collect only what’s necessary for each processing purpose, privacy settings are on by default, personal data is pseudonymised or encrypted where appropriate, new features go through privacy impact assessments before launch, and access to personal data within our team is limited strictly to those who need it.


9. Breach Response

If we detect a personal data breach, we assess risk within 24 hours. Where a breach is likely to create a risk to individuals’ rights and freedoms, we notify the supervisory authority within 72 hours of discovery — the GDPR hard deadline. Where the risk to individuals is high, we also notify affected people directly, without undue delay. Every breach, whether reported or not, is documented in our internal breach register.


10. Supervisory Authority

Rafflery’s lead supervisory authority will be disclosed separately on our Legal pages once formally registered. In the meantime, data subjects have the right to lodge a complaint with any competent data protection supervisory authority in their country of residence or place of work — you do not need to contact Rafflery’s authority specifically to exercise that right.

Campaign Organisers are additionally responsible for identifying the relevant supervisory authority for their own data processing activities, which may differ from Rafflery’s depending on where their business is established and where their participants are located.


11. Contact

GDPR enquiries: [email protected]

© 2025 Rafflery.io · All rights reserved