Section 01

Our Approach to Data Protection

We are committed to handling personal data responsibly, securely, and transparently — processing only what is necessary for the platform to function.

Data Processing Purposes
  • Recording Draw Outcomes
    Draw results, winner identifiers, and timestamps are recorded to generate verifiable, certified records.
  • Generating Certificates
    Draw data is used to produce tamper-evident certificates of completion for each adjudicated draw.
  • Enabling Public Verification
    Limited draw outcome data is made accessible via the public verification page so results can be independently confirmed.
  • Supporting Account Access & Platform Functionality
    Account data is processed to authenticate users and maintain platform security and session management.
We do not sell personal data. Data processed on this platform is not shared for commercial, advertising, or third-party profiling purposes.
Section 02

Types of Data Processed

Depending on how the platform is used, the following categories of data may be processed.

Account Information
Name
Email address
Organisation details
Draw Information
Draw name
Prize description
Entry count
Winner and reserve winner identifiers
Uploaded Entry Data
Entrant names (where provided by organiser)
Ticket or reference numbers
Country (if included)
Technical Data
Login timestamps
IP addresses (for security monitoring)
System activity logs
Section 03

Lawful Basis for Processing

All processing of personal data on this platform is conducted under one of the following recognised lawful bases.

Processing Bases
Contractual Necessity
To Provide the Adjudication Service
Processing is necessary to fulfil the service agreement with organising entities — including recording draw outcomes, issuing certificates, and enabling verification.
Legitimate Interest
Platform Security & Integrity
Technical data such as login timestamps and IP addresses is processed to maintain security, detect anomalies, and ensure the platform operates reliably.
Legal Obligation
Where Required by Law
Data may be retained or disclosed where required by applicable law or a lawful authority, in accordance with legal obligations.
Organisations using the platform are responsible for ensuring they have lawful authority to upload and process entrant data on participants' behalf.
Section 04

Public vs Private Data

A clear boundary separates what is publicly accessible from what remains strictly private.

Publicly Displayed (Verification Page)
  • Draw name
  • Organisation name
  • Completion timestamp (UTC)
  • Winner and reserve winner status
  • Certificate ID
Never Publicly Displayed
  • Full entry lists
  • Personal contact details
  • Uploaded CSV or entry files
  • Internal administrative notes
  • Account or authentication data
Sensitive personal data is not exposed via public verification. The verification page confirms the draw outcome only — it does not reveal participant lists or contact information.
Section 05

Data Retention

Different categories of data are held for different reasons. Retention periods reflect operational and legal requirements.

Draw Records
Retained for verification and audit purposes. These records support the public verification function and any legitimate dispute review processes.
Uploaded Entry Files
May be retained for a limited period necessary to support dispute review and maintain record integrity. Not retained beyond operational necessity.
Account Data
Retained while an account is active and for a reasonable period thereafter, in accordance with legal requirements and platform policy.
Technical Logs
System activity and security logs are retained for a limited period for platform security, anomaly detection, and operational purposes.
Section 06

Security Safeguards

We implement reasonable and appropriate technical and organisational measures to protect personal data from unauthorised access, alteration, or disclosure.

Encrypted Transmission
All data transmitted between users and the platform uses HTTPS/TLS encryption. No plaintext transmission.
Role-based Access Controls
Users are granted access only to the data their role requires. Cross-organisation data access is prevented.
Restricted Administrative Access
Backend systems are accessible only to authorised personnel. Admin access is logged and monitored.
Activity Logging
Key system events and administrative actions are logged internally to support accountability and review.
Infrastructure Monitoring
Platform infrastructure is continuously monitored for availability, performance, and security anomalies.
Ongoing Security Review
Security controls and data handling procedures are reviewed regularly. Updates are applied as required.
No system can guarantee absolute security. We take reasonable and appropriate measures to protect stored and transmitted data and respond promptly to identified vulnerabilities. See our Security Overview for full details.
Section 07

Organiser Responsibilities

Organisations using this platform act as data controllers for participant data. Specific obligations rest with them, not with CertifiedDraw.

Organiser Obligations
  • Lawful Collection of Entrant Data
    Organisations must have a lawful basis for collecting participant data before uploading it to the platform.
  • Providing Privacy Notices to Participants
    Entrants must be informed of how their data will be used, including that it will be processed by an adjudication service.
  • Local Data Protection Compliance
    Organisations are responsible for ensuring their use of the platform complies with applicable data protection laws in their jurisdiction.
  • Managing Participant Rights Requests
    Requests from participants to access, correct, or delete their data should be directed to — and handled by — the organising entity in the first instance.
We act as a service provider for adjudication and record generation. Organisations act as the data controller for participant data submitted to the platform.
Section 08

International Access

The platform may be accessed globally. Cross-border data considerations are the responsibility of the organising entity.

The platform may be accessed by organisations and participants in multiple jurisdictions. We do not restrict access by geography.

Organisations are responsible for ensuring that their use of the platform complies with applicable cross-border data transfer laws — including any requirements that apply when participant data originates in or is transferred across jurisdictions with specific data protection regulations (such as the European Economic Area, the United Kingdom, or other regulated regions).

We do not provide legal advice on cross-border transfer requirements. Organisations with questions should seek guidance from a qualified legal professional in their jurisdiction.
Section 09

Individual Rights

Depending on jurisdiction, individuals may have data protection rights. The correct route for exercising them depends on the data involved.

Right of Access
You may have the right to request access to personal data held about you. For entrant data, direct requests to the organising entity first.
Right to Correction
Inaccurate personal data may be corrected. Contact the organising entity for entrant data; contact us for account data held directly.
Deletion Requests
Where legally permissible, you may request deletion of your data. Note: draw records may need to be retained for audit and verification purposes.
Right to Object
Where processing is based on legitimate interest, you may have the right to object. The applicability of this right depends on your jurisdiction.
Requests relating to entrant data should first be directed to the organising entity, as they act as the data controller for participant information submitted to the platform.
Section 10

Updates to This Policy

This page may be updated to reflect changes in law, security practices, or platform functionality.

We may update this page periodically to reflect changes in applicable data protection law, our security practices, or how the platform processes data.

Material updates will be reflected with a revised effective date, shown in the sidebar. Continued use of the platform following a material update constitutes acknowledgement of the revised policy.

Our Commitment
Data protection supports integrity.
Integrity supports trust.