Privacy Policy

Version: 1.2 – effective

Effective date: 3 May 2026

Data Controller

Raffle Shop Ltd is the data controller responsible for determining how personal data is processed for users of the platform.
Raffle Shop Ltd determines the purposes and means of processing personal data in connection with the platform.
For all privacy-related enquiries, contact: gdpr@theraffle.shop

Scope

This Privacy Policy explains how the platform collects, uses, stores, and shares personal data when you create an account, enter prize competitions, submit free postal entries, or otherwise use the service in the United Kingdom.

Data Collected

  • Account data: name, email, phone number, address, and account settings.
  • ID verification data: identity documents, biometric data (such as facial images), date of birth, and verification outcomes.
  • Technical data: IP address, device identifiers, browser information, operating system, and session metadata.
  • Payment identifiers: transaction tokens, PSP references, bank account identifiers, and payment outcomes.
  • Competition-entry data: entries submitted, timestamps, and results.
  • Postal entries: information you provide by post and scanned images for verification, audit, and integrity checks.
  • Marketing measurement data (only with your consent): hashed email, name, phone number and date of birth, your IP address, browser type, pages you visit, Meta and TikTok click identifiers, and purchase information (amount, currency, items).

Why Data Is Collected

  • Fraud prevention, abuse detection, and security monitoring.
  • Eligibility checks, including age and residency verification.
  • Identity verification and compliance screening.
  • Prize fulfilment, including contacting winners and arranging delivery.
  • Compliance with UK law, including record-keeping and responding to lawful requests.
  • Platform security, service integrity, auditing, and incident response.
  • Accounting and financial record-keeping.
  • Measuring the effectiveness of our advertising on third-party platforms and reaching similar audiences, where you have given consent.

Lawful Bases for Processing

We process personal data under the following lawful bases under the UK GDPR:
Contract
To create and manage user accounts, process entries, operate competitions, and fulfil prizes.
Legitimate Interests
To protect the platform from fraud, prevent abuse, enforce account rules, maintain security, and ensure the integrity of competitions. These interests are balanced against user rights.
Legal Obligation
To comply with UK law, including accounting, record-keeping, fraud prevention, identity verification, sanctions screening, and responding to lawful requests.
Special Category Data
Where identity verification involves biometric data, such processing is carried out strictly for fraud prevention, identity verification, and compliance purposes in accordance with Article 9(2)(g) UK GDPR and applicable UK law.
Consent
For optional analytics cookies, advertising measurement technologies, and the sharing of hashed personal data with advertising partners such as Meta. Consent can be withdrawn at any time via the Cookie Preferences link in the site footer.

Automated Processing

Certain security, fraud-prevention, and compliance checks may involve automated processing. Users are not subject to decisions producing legal effects solely by automated means without appropriate safeguards.

Data Retention

Personal data is retained only for as long as necessary to fulfil the purposes described, meet legal obligations, resolve disputes, and enforce rights.
  • Identity verification data is retained only as required to evidence verification decisions and compliance.
  • Transactional and accounting records are retained for the minimum statutory period required under UK law.
  • Postal entry records are retained for audit and integrity purposes for a defined operational period.

Data Sharing

  • Payment processors: to process payments and payouts.
  • Identity verification providers: to confirm age, identity, and address.
  • Delivery and courier services: only for prize winners.
  • Law enforcement or competent authorities: where required by law.
  • Advertising partners (only with your consent): Meta Platforms Ireland Limited and Meta Platforms Inc., and TikTok Information Technologies UK Limited and ByteDance Ltd, for measuring the effectiveness of our advertising and reaching similar audiences.
All processors are required to handle personal data securely and only for instructed purposes.

Publicly Visible Information

Certain personal data is publicly visible on the platform by default when you create an account:
  • Your display name (first name and last initial).
  • Your profile picture, if uploaded.
  • Your activity on the platform.
If you win a Competition, your display name and profile are displayed on the Competition page and verification page, and may appear in platform features such as winner listings.
This public display is necessary for the transparent operation of Competitions and is processed under our legitimate interest in maintaining trust and integrity on the platform.

User Rights

  • Access: request a copy of your personal data.
  • Correction: request correction of inaccurate or incomplete data.
  • Erasure: request deletion of your data, subject to lawful exceptions.
  • Restriction or objection: where permitted by law.
  • Portability: where applicable.
  • Complaints: lodge a complaint with the Information Commissioner’s Office (ICO).
Requests may be refused, limited, or delayed where permitted by law, including where necessary to prevent fraud, detect abuse, enforce platform rules, protect other users, or comply with legal or regulatory obligations.
This includes circumstances where multiple accounts, shared bank accounts, or other indicators of misuse or fraud are identified.

Cookies and Tracking

  • Essential cookies: required for platform operation and security.
  • Anonymous analytics: we collect anonymous, aggregated website usage data including pages visited, referrer URLs, browser type, and country. This data does not identify individual visitors, does not use cookies, and IP addresses are not stored.
  • Advertising measurement (optional, opt-in only): if you consent via our cookie banner, we place the Meta Pixel and TikTok Pixel on your browser and send hashed event data to Meta (including Facebook and Instagram) via the Meta Conversions API and to TikTok via the TikTok Events API. This allows us to measure the performance of our advertising, attribute conversions, and build audiences of similar users. The data shared is described in the Data Collected section above. Meta and TikTok each act as independent controllers for the processing they perform on their own systems and transfer data to the United States under the UK International Data Transfer Agreement and Standard Contractual Clauses.
  • Consent controls are available at any time via the Cookie Preferences link in the site footer and may be withdrawn without affecting access to the service. Withdrawing consent stops all future data sharing with Meta.

Security

  • Encryption is used for data in transit.
  • Access to personal data is restricted to authorised personnel and processors.
  • Appropriate technical and organisational measures are in place.
No system is completely secure. Users are responsible for protecting their credentials and devices.

Children

The platform is intended for users aged 18 and over. We do not knowingly collect data from children.

Data Processors

  • Hosting and infrastructure providers – application hosting, databases, caching, CDN, security, and object storage.
  • Transactional email providers – account, transactional, and notification emails.
  • Card payment processors – card payment processing and merchant settlement.
  • Open banking providers – payment initiation services.
  • Identity verification providers – identity verification and AML screening.
  • Analytics providers – privacy-focused, cookieless website analytics.
  • Advertising measurement providers – advertising measurement and conversion tracking via pixels and server-side events. Applies only where consent has been given.
International transfers are protected using appropriate safeguards, including the UK International Data Transfer Agreement and Standard Contractual Clauses where required.

Changes to This Policy

We may update this Privacy Policy from time to time. Continued use of the platform constitutes acceptance of the updated policy.

Contact

Data Protection
gdpr@theraffle.shop
Raffle Shop Ltd
86-90 Paul Street
London, EC2A 4NE
United Kingdom