Privacy Policy

Last updated: 19 April 2026

This privacy policy explains how VeriDraw collects, uses, and protects your personal data when you use the VeriDraw platform, website, and related services (the “Service”). We are committed to protecting your privacy and handling your data in a transparent manner.

1. Who we are

VeriDraw is a prize draw certification platform operated from the United Kingdom. For the purposes of data protection law, VeriDraw is the data controller for the personal data described in this policy. Our ICO registration number is ZC127560. You can contact us at hello@veridraw.co.uk.

2. Data we collect

Account data (Operators)

When you create an account we collect your email address, organisation name, and password (stored as a salted hash, never in plain text). If you upload an organisation logo, we store that image.

Draw data

When you create and run draws, we store the draw name, prize details, ticket count, draw dates, commitment hash, secret key, Bitcoin block hash, and the calculated winning ticket number(s). This data is necessary to issue and verify certificates.

Certificate data (public)

Certificates are published at permanent public URLs. Certificate data includes the draw name, organisation name, winning ticket number(s), Bitcoin block hash, secret key, and draw date. This data is public by design and necessary for independent verification.

Entrant data

VeriDraw does not collect personal data from entrants. Entrants can view and verify certificates without creating an account, logging in, or providing any personal information. Certificate verification runs entirely in the entrant’s browser.

Usage data

We collect standard server logs (IP address, browser type, pages visited, timestamps) for security, performance monitoring, and abuse prevention. If you opt into analytics cookies, we use Google Analytics to collect anonymised usage data (such as pages visited, session duration, and general geographic region) to help us understand how the Service is used and where it can be improved. IP addresses sent to Google Analytics are anonymised before storage.

3. How we use your data

We use your data to:

  • Provide, maintain, and improve the Service
  • Authenticate your account and manage your subscription
  • Issue and host certificates and commitment pages
  • Generate compliance reports you request
  • Send transactional emails (account confirmation, draw notifications)
  • Respond to support requests
  • Detect, prevent, and address security issues and abuse

4. Legal basis for processing

We process your data on the following legal bases under UK GDPR: performance of a contract (providing the Service you signed up for), legitimate interests (security, fraud prevention, service improvement), and consent (analytics cookies, where applicable).

5. Data sharing

We do not sell your personal data. We may share data with:

  • Infrastructure providers — hosting (Vercel), database (Supabase), email delivery (Resend) — who process data on our behalf under data processing agreements
  • Analytics — Google Analytics, if you have consented to analytics cookies. Google’s privacy policy applies to data processed by Google Analytics
  • Payment processors — Stripe, for subscription billing (Stripe’s own privacy policy applies to payment data)
  • Law enforcement — if required by law, regulation, or valid legal process

Certificate data is public by design. Anyone with the certificate URL can view the draw data it contains.

6. Operators as data controllers

Operators who use VeriDraw to certify draws may process personal data belonging to their own entrants (for example, ticket holder lists) as part of their draw management activities. In this context, the Operator is an independent data controller and is responsible for ensuring their own compliance with UK GDPR and any applicable data protection laws. VeriDraw does not receive or store entrant personal data on behalf of Operators. If you are an Operator and require a Data Processing Agreement, please contact us at hello@veridraw.co.uk.

7. Data retention

Account data is retained for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it by law.

Certificates and draw data are retained indefinitely as they form the permanent public record of a certified draw. This is a core feature of the Service: certificates are designed to be permanent and independently verifiable.

8. Your rights

Under UK GDPR, you have the right to access, correct, delete, or port your personal data, and to object to or restrict certain processing. To exercise any of these rights, email us at hello@veridraw.co.uk.

Please note that certificate data is public and cannot be deleted once issued, as it is necessary for the ongoing verification of draw results. If you have concerns about specific certificate data, contact us and we will work with you to find a resolution.

If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.

9. Data security

We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), encrypted database connections, hashed passwords, and access controls. No system is perfectly secure, and we cannot guarantee absolute security.

10. International transfers

Your data may be processed in countries outside the UK where our infrastructure providers operate. Where this occurs, we ensure appropriate safeguards are in place in accordance with UK data protection law.

11. Cookies

We use cookies as described in our Cookie Policy. Essential cookies are necessary for the Service to function. Analytics cookies are only set with your consent.

12. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us.

13. Changes to this policy

We may update this policy from time to time. We will notify you of material changes by email or through the Service. The date at the top of this page indicates when the policy was last updated.

14. Contact

For any privacy-related questions or requests, contact us at hello@veridraw.co.uk.