CertifiedDraw Ltd is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data Controller
CertifiedDraw Ltd is the data controller for personal data processed through the Platform. If you have questions about this policy or our data practices, please use our Contact form or see section 12 below.
2. Data We Collect
We collect the following categories of personal data:
Account & Registration Data
- Name and email address
- Organisation name (optional)
- Password (stored as a cryptographic hash — never in plain text)
- Billing information (processed by our payment provider; we do not store full card details)
Draw & Usage Data
- Draw parameters and entrant lists uploaded by account holders
- Draw outcomes and certificate records
- Platform usage logs (page visits, feature interactions)
- IP address and device/browser information
Communications Data
- Messages sent via our contact form
- Support correspondence
Entrant lists you upload for draws may contain personal data belonging to third parties. You are the data controller for that entrant data; CertifiedDraw acts as data processor. See our Data Protection page for details.
3. How We Use Your Data
We use personal data for the following purposes:
- Service delivery: Account management, draw processing, certificate generation, and public verification
- Billing & payments: Processing subscriptions and per-draw purchases
- Communications: Responding to support and contact enquiries
- Platform improvement: Analysing usage patterns to improve features and performance (aggregated or anonymised where possible)
- Legal compliance: Maintaining records to meet our regulatory obligations
- Security: Detecting and preventing fraud, abuse, and security incidents
4. Legal Basis for Processing
We rely on the following legal bases under UK GDPR:
| Processing Activity | Legal Basis |
|---|---|
| Account registration & service delivery | Contractual necessity (Art. 6(1)(b)) |
| Billing & payment processing | Contractual necessity (Art. 6(1)(b)) |
| Platform analytics & improvement | Legitimate interests (Art. 6(1)(f)) |
| Legal compliance & record-keeping | Legal obligation (Art. 6(1)(c)) |
| Marketing communications (if opted-in) | Consent (Art. 6(1)(a)) |
6. Data Retention
We retain personal data for as long as necessary to fulfil the purposes described in this policy:
- Account data: For the duration of your account plus 2 years after closure
- Draw & certificate records: Minimum 5 years from draw date (for audit and verification purposes)
- Billing records: 7 years (UK tax law requirements)
- Support correspondence: 3 years
After retention periods expire, data is securely deleted or anonymised.
7. Your Rights
Under UK GDPR you have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate data
- Right to erasure: Request deletion of your data (subject to legal retention obligations)
- Right to restrict processing: Request we limit how we use your data in certain circumstances
- Right to data portability: Receive your data in a structured, machine-readable format
- Right to object: Object to processing based on legitimate interests
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, please contact us via our Contact form. We will respond within 30 days. If you are dissatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
8. Security
We implement technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS) and at rest
- Cryptographic hashing for passwords
- Access controls and least-privilege principles
- Regular security assessments
See our Security overview for further details.
9. International Transfers
Where personal data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, such as UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs) as approved by the ICO.
11. Policy Changes
We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice on the Platform. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the Platform after changes take effect constitutes acceptance of the revised policy.
12. Contact
For privacy enquiries, data subject access requests, or complaints: