Operator: Simply Raffle | Contact: [email protected]
Effective Date: February 28, 2026 | Last Updated: February 28, 2026
1. Who We Are
Simply Raffle is a web-based raffle administration platform developed and operated by Simply Raffle. We provide software to schools, parent-teacher groups (PTGs/PTAs), nonprofits, community organizations, and other groups for the purpose of managing fundraiser raffles.
Contact: [email protected]. We respond within 5 business days.
2. What Data We Collect
We collect only the minimum data necessary to administer a raffle on behalf of the Organization:
| Data | Why We Collect It |
|---|---|
| Participant first and last name | To identify raffle participants and record draw results |
| Grade level (school/educational orgs only) | To organize participants within the raffle |
| Email address (participant or parent/guardian) | To deliver magic-link portal access and draw result notifications |
| Raffle ticket allocation counts | To calculate weighted draw probability and maintain participation records |
| Administrator login credentials | To authenticate organization staff (stored as a one-way bcrypt hash — never readable) |
| Magic-link access tokens | To provide time-limited, password-free access to the participant portal |
We do not collect: payment information, social security numbers, government ID numbers, dates of birth, home addresses, phone numbers, health information, or disciplinary records.
3. How We Use This Data
Participant data is used only for administering the Organization's fundraiser raffle — displaying ticket allocations, calculating draw results, sending magic-link access emails, and allowing Organization administrators to manage participant records. We do not use your data for any commercial purpose.
4. What We Do Not Do
- ❌ We do not sell participant data — ever, to anyone, for any reason.
- ❌ We do not rent or trade participant data.
- ❌ We do not use participant data for advertising or marketing.
- ❌ We do not build behavioral profiles of participants or their families.
- ❌ We do not share data with third parties for any commercial purpose.
- ❌ We do not retain data indefinitely — participant data is deleted on a defined schedule.
5. Who Can Access Your Data
| Who | What they can see |
|---|---|
| Organization administrators | All participant data for their raffle |
| Participants / parents / guardians | Only their own family's ticket allocation and draw results |
| Developer (operator) | Access for system maintenance and security purposes only |
| Railway, Inc. (infrastructure) | Encrypted database storage only — see Section 8 |
6. Data Retention
- Active raffle season: Participant records are retained while the current raffle season is active.
- End of season: All participant PII is deleted within 30 days of the end of each raffle season, or upon Organization request, whichever comes first.
- Organization termination: All participant data is deleted within 30 days of a data export being provided to the Organization.
- Backups: Subject to the same deletion schedules — participant PII is not retained in backups beyond applicable deletion deadlines.
To request earlier deletion, contact us at [email protected] or ask your Organization's administrator.
7. Security
- Encryption in transit: All data is encrypted using HTTPS (TLS).
- Encryption at rest: Database hosted on Railway (Google Cloud), which provides encryption at rest by default.
- Password security: Administrator passwords stored using bcrypt hashing — never stored in readable form.
- Magic-link tokens: Time-limited (expire within 14 days) and single-use.
- Access controls: Role-based access enforced at the API level — participants see only their own records.
To report a security vulnerability, email [email protected].
8. Third-Party Subprocessors
We use one third-party infrastructure provider:
Railway, Inc.
- Role: Cloud hosting and PostgreSQL database hosting
- Privacy Policy: railway.com/legal/privacy
- Data location: United States
We do not use advertising networks, analytics platforms, or social media trackers.
9. Children's Privacy (COPPA)
For Organizations that serve participants under the age of 13 (including schools and PTGs), we operate under the school consent pathway established by the FTC's COPPA Rule (16 C.F.R. Part 312). Where the Organization is a school, the school provides authorization on behalf of parents and guardians for the collection of participant information solely for the fundraising purpose described in this policy. Where the Organization is not a school, the Organization represents that it has obtained verifiable parental consent before submitting any participant under 13. We do not collect personal information from individuals under 13 for any commercial purpose.
10. Your Rights
Participants and their families may request access to, correction of, or deletion of their data at any time.
The Organization may request a full data export, deletion of all participant data, or an audit of our data handling practices at any time.
To exercise these rights, email [email protected]. We respond within 10 business days and fulfill verified requests within 30 days.
11. Data Breach Notification
In the event of a breach involving California residents' personal information, we will notify the Organization within 48 hours and notify affected individuals within 30 calendar days of discovery, consistent with California Civil Code § 1798.82 (as amended by SB 446, effective January 1, 2026).
12. Updates to This Policy
We will notify the Organization at least 30 days before making any material changes to this policy and obtain written consent before implementing such changes.