Privacy Policy
Raflia – Contest & giveaway platform
(Last updated: July 6, 2026)
1. Who we are and our role
This Privacy Policy explains how VeroMotion s.r.o., a company registered in the Czech Republic under registration number 27170730, with its registered address at Karla Engliše 3208/5, Prague 5, 150 00, Czech Republic (“VeroMotion”, “we”, “us”, or “our”), collects and processes personal data when you use the Raflia platform at raflia.com and related websites and applications (the “Service”).
Raflia is a platform for running contests, giveaways, raffles, and similar promotions, with verifiable draw results.
We act in two different roles depending on the data:
- As Data Controller — for the data we collect for our own purposes to operate the Service: organizer account registration, billing, authentication, security and fraud prevention, draw integrity, and analytics. This policy covers that role.
- As Data Processor — when a contest organizer (“Customer”) collects entries and participant data through the Service to run their promotion, we process that data on the organizer’s behalf and on their instructions. For that data, the organizer is the Data Controller and their own privacy notice applies. The terms are set out in our Data Processing Addendum (DPA).
One important overlap: to keep draws fair and prevent fraud, we process some participant-derived data (for example, protected identifier values and technical data) for our own integrity and fraud-prevention purposes. For that specific processing we act as Controller, on the legal basis described in Sections 3 and 9.
2. What data we collect
2.1 Data organizers provide
- Account data: name, email address, company name, contact name, address, phone number (if provided).
- Billing data: subscription plan, invoicing details, VAT number (if applicable). Payment card details are processed directly by our payment provider and are not stored on our servers.
- Support communications: messages you send us by email or through the Service.
- Profile and preferences: language, time zone, notification settings, and other preferences you configure.
2.2 Participant and entry data
When someone enters a contest run on Raflia, we process the entry data the organizer chooses to collect. Depending on the organizer’s setup this may include:
- A participant identifier: name, email address, phone number, social handle, or another identifier the organizer uses.
- Entry details and any form fields the organizer adds.
- Technical data recorded with the entry (see 2.3).
For most of this data we act as Processor for the organizer (Section 1). Winners, and where the organizer enables it entries, may appear on a public results page. The organizer chooses how much information is shown, from full details down to fully hidden (see Section 9). Because that is the organizer’s choice, the organizer is responsible for having a lawful basis for it and for informing participants; we act on their instructions and provide privacy-protective options and defaults. By default, the public page shows the winners and aggregate information about the draw (such as the total number of entries and an anonymized breakdown of entry counts using non-identifying labels), not a list of participants. Publishing an identifiable list of entrants is an option the organizer must turn on.
2.3 Data we collect automatically
- Technical data: IP address, browser type and version, operating system, device type.
- Usage data: pages visited, features used, time and date of access, referring URL.
- Authentication and security logs: login timestamps, session identifiers, failed login attempts, and a limited history of the IP addresses used to sign in.
- Fraud-prevention data: the IP address and browser recorded at registration; technical signals used to detect account abuse and draw manipulation. See Section 9.
- Operational logs: system logs that may reference entries or user actions, processed for security, audit, and Service integrity.
2.4 Data from third parties
- Payment provider: transaction confirmation and billing status from Stripe.
- Workspace invitations: if an organizer invites you to their workspace, we receive your email address from the inviting organizer.
3. How we use your data
| Purpose | Legal basis (GDPR Article 6) |
|---|---|
| Providing and operating the Service | Performance of contract (Art. 6(1)(b)) |
| Managing your account and authentication | Performance of contract (Art. 6(1)(b)) |
| Processing payments and billing | Performance of contract (Art. 6(1)(b)) |
| Sending transactional emails (notifications, invitations, password resets) | Performance of contract (Art. 6(1)(b)) |
| Responding to support requests | Performance of contract (Art. 6(1)(b)) |
| Security, fraud prevention, and draw integrity (see Section 9) | Legitimate interest (Art. 6(1)(f)) |
| Maintaining audit and security logs | Legitimate interest (Art. 6(1)(f)) |
| Monitoring Service performance and fixing errors | Legitimate interest (Art. 6(1)(f)) |
| Analyzing usage to improve the Service | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal and regulatory obligations (e.g. accounting) | Legal obligation (Art. 6(1)(c)) |
| Sending product updates and service announcements | Legitimate interest (Art. 6(1)(f)) |
We do not make automated decisions that produce legal or similarly significant effects about you. Fraud and abuse signals are reviewed by a person before any action is taken (see Section 9).
We do not sell your personal data, and we do not place advertising trackers or third-party marketing pixels on participants.
4. Cookies and similar technologies
4.1 What cookies are
Cookies are small text files placed on your device when you visit a website. We use cookies and similar technologies to operate the Service, keep it secure, and understand how it is used.
4.2 Cookies we use
| Type | Purpose | Legal basis |
|---|---|---|
| Strictly necessary | Authentication, session management, security (e.g. session cookies, CSRF tokens) | Not required (exempt under the ePrivacy Directive / Act No. 127/2005 Coll. §89(3)) |
| Functional | Remembering your preferences (language, settings) | Consent |
| Security (anti-bot) | Protecting sign-up and forms from bots and automated abuse (CAPTCHA) | Legitimate interest — we use a privacy-preserving CAPTCHA that avoids storing identifiers on your device where possible |
| Analytics | Understanding how the Service is used | Self-hosted, cookieless analytics — no consent needed under normal use |
We do not currently store fraud-prevention identifiers on your device. If we introduce device-based fraud checks in the future, we will update this policy and apply the correct legal basis before doing so.
4.3 Third-party cookies
The following third-party services may set cookies or receive your IP address:
- CAPTCHA / anti-bot provider — used to protect sign-up and forms from automated abuse; the provider may receive your IP address and limited technical data.
- Cookie consent tool — used to manage your cookie preferences.
Fonts are served from our own infrastructure (self-hosted or via our content delivery network), so no third-party font provider receives your data. The current providers are listed at https://raflia.com/subprocessors.
4.4 Managing cookies
When you first visit the Service, you can accept or decline non-essential cookies. You can change your choice at any time through the cookie settings link in the Service footer, or through your browser settings. Disabling strictly necessary cookies may stop the Service working properly.
5. Who we share your data with
We share personal data only as needed to run the Service:
- Sub-processors — service providers who process data on our behalf (hosting, storage, content delivery, payments, email, error monitoring). The full list is at https://raflia.com/subprocessors.
- Payment provider — Stripe processes your payment data directly under its own privacy policy.
- Other workspace members — your name and email are visible to other members of workspaces you belong to, where needed to run shared contests.
- Legal authorities — we may disclose data where required by law, court order, or regulator, or to protect the rights, safety, or property of VeroMotion, our users, or the public.
We do not share your data with advertisers or data brokers.
6. International transfers
Your data is primarily stored within the European Union. Where a sub-processor is located outside the EEA, we rely on appropriate safeguards, including EU adequacy decisions, the EU-US Data Privacy Framework, or Standard Contractual Clauses. Sub-processor locations are listed at https://raflia.com/subprocessors.
7. How long we keep your data
| Data type | Retention period |
|---|---|
| Organizer account data | For the life of your account. Deleted within 30 days of account deletion, except where a longer period is stated below or required by law. |
| Billing and invoicing data | Up to 10 years after the end of the contractual relationship (Czech accounting and tax law). |
| Registration IP and browser | Up to 24 months. |
| Sign-in IP history | 12 months (rolling). |
| Fraud and integrity signals | Up to 12 months. Notes on a confirmed abuse case are kept while needed to enforce or defend the related decision. |
| Minimal fraud record after deletion | A one-way keyed hash of your email plus your account’s creation date, deletion date, and country, kept for up to 24 months after deletion, solely to detect a banned organizer re-registering (see Section 9). |
| Participant / entry data — live period | Kept in the live system for an active period after the contest ends: 12 months on paid plans, 3 months on free accounts. During this period the organizer has full access to their project data. Organizers can request an extension for their account (for example, for audit or grant records), on their own basis as controller. |
| Participant / entry data — archived | After the live period, the project is archived: entries are removed from the live database and stored as an encrypted archive file in secure storage, not accessible through the app and not searchable. The archive is kept for 5 years by default, extendable to a maximum of 10 years per account where the organizer has an audit or legal reason, then deleted. Erasure requests are honored against archived data. |
| Draw verification record | The project’s basic details (name, dates, winners, prizes) and the sealed cryptographic proof remain as a permanent public verification record (see Section 9). Full participant entries are not part of this record. |
| Support communications | For the life of your account, plus up to 12 months. |
| Analytics | Cookieless. IP and browser recorded with a contest entry are kept up to 12 months, then removed. |
8. Your rights
Under the GDPR and applicable data-protection laws, you have the right to access, rectification, erasure, restriction, data portability, objection (to processing based on legitimate interest), and to withdraw consent where processing is based on consent.
Two limits apply specifically to keeping draws fair, both explained in Section 9:
- A minimal fraud record survives account deletion. When you delete your account, we erase your data except for the minimal record described in Section 9, which we keep for a limited time to prevent a banned organizer from simply re-registering. We rely on Article 17(3) GDPR for this and delete the record when it is no longer needed.
- Public draw records are redacted rather than fully erased. A completed draw is a permanent, tamper-evident record that other people relied on. If you ask us to erase your data from one, we remove your details from the public page and from search, but we keep a sealed cryptographic token that proves the draw was not altered. That token is not publicly reversible to your identity.
For any other processing based on legitimate interest, if you object we will stop unless we have compelling grounds that override your interests (for example, an active fraud investigation), and we will explain our decision.
To exercise your rights, contact us at info@raflia.com. We respond within 30 days; if we need longer, we will tell you why. You may also lodge a complaint with a supervisory authority. The authority for VeroMotion is:
Office for Personal Data Protection (ÚOOÚ), Pplk. Sochora 27, 170 00 Prague 7, Czech Republic — https://www.uoou.cz
You may also complain to the supervisory authority where you live.
9. Fair draws and fraud prevention
Raflia’s purpose is to run prize draws people can trust. To protect the integrity of draws and prevent fraud and abuse, we process some personal data specifically for security and anti-cheating purposes. Our legal basis is our legitimate interest (Article 6(1)(f) GDPR) in preventing fraud and keeping the platform trustworthy — an interest EU law expressly recognizes (Recital 47 GDPR).
What we process for this purpose:
- Sign-up and sign-in records — the IP address and browser used when an organizer registers, and a limited recent history of sign-in IP addresses. Kept as stated in Section 7.
- A minimal record kept after account deletion — if an account is closed or banned, we keep a minimal, protected record: a one-way keyed hash of the email address, plus the account’s creation date, deletion date, and country. This is used only to recognize whether a previously banned organizer is trying to register again. It is kept for up to 24 months and reviewed by a person — never an automated block — before anything happens.
- Cross-account integrity checks — we compare protected identifiers and technical signals across accounts to detect coordinated abuse, such as one operator running many accounts. These checks support human review; we do not make automated decisions with legal or similarly significant effects.
Public verification records. When a draw is completed, its result is published and permanently archived as a public verification record, so anyone can confirm the draw was fair. By default this shows the winners, aggregate figures (such as the total number of entries and an anonymized breakdown of entry counts using non-identifying labels), and a sealed cryptographic proof. An identifiable list of participants is shown only if the organizer chooses to publish it, at the visibility level they select. Participants can privately confirm their own entry through a self-check, without their details being made public. Erasure requests against these records are handled as described in Section 8.
Your rights here. You can object to this processing (Article 21 GDPR). Where we can, we will stop; but we may continue where we have compelling grounds to prevent fraud or to establish, exercise, or defend legal claims (Article 17(3) GDPR), keeping only the minimum data needed and deleting it when it is no longer required.
10. Children
The Service is not intended for individuals under 18. We do not knowingly collect personal data from children. If we learn we have, we will delete it promptly. Contest organizers are responsible for the eligibility rules of their own promotions.
11. Changes to this policy
We may update this policy from time to time. If we make material changes, we will notify account holders by email at least 30 days before the changes take effect. The “Last updated” date shows when it was last revised.
12. Contact
VeroMotion s.r.o., Karla Engliše 3208/5, Prague 5, 150 00, Czech Republic
Email: info@raflia.com · Web: https://raflia.com