Sign inSign up

Privacy Policy

Last updated:

This policy explains how Magpie Raffle Ltd(“Magpie Raffle”, “we”) collects, uses, and protects your personal data. We act as the data controller for the personal data described below.

1. Who we are

Magpie Raffle Ltd, registered in England and Wales, [Companies House number TBC]. Registered office: [TBC]. ICO registration: [TBC]. You can contact us at [legal@magpieraffle.co.uk].

2. What data we collect

We collect the following personal data:

  • At signup: email address, password (hashed), date of birth, display name (optional).
  • At first paid entry: first line of address, city, postcode, and phone number for winner contact and prize delivery.
  • When you enter a competition: the skill question answer you submit (kept for audit), the result of that answer (correct/incorrect), the version of the terms you accepted, and the timestamp.
  • For free postal entries: the name, address, and date of birth you provide on the entry form.
  • Technical data: IP address and user-agent string, captured on entry submission to help detect fraud and to provide audit evidence.
  • Payment data: handled directly by Stripe. We never receive your card number; we receive a Stripe payment intent identifier and the amount paid.

3. Why we use it (lawful basis)

  • Performance of a contract— to administer your account, process your competition entries, run the draw, contact winners, and deliver prizes.
  • Legitimate interests— to prevent fraud and abuse of the competition (multiple accounts, automation, age circumvention), to provide audit evidence of fair operation, and to keep the Site secure.
  • Legal obligation— where retention or disclosure is required by law (for example, tax, anti-money-laundering, or response to a lawful regulator request).
  • Consent— for marketing email, where you explicitly opt in at signup or later. You can withdraw consent at any time without affecting the lawfulness of any prior processing.

4. How long we keep it

We retain personal data tied to a competition entry for six years after the competition closes. This matches the limitation period for contract claims under English law and lets us defend disputes and demonstrate fair operation. After that period, we anonymise the records.

Account-level data we don't need for the six-year window (for example, your phone number) is deleted when you close your account.

5. Account deletion = anonymisation

When you ask us to delete your account, we anonymiserather than hard- delete your records. We clear your display name, email, address, postcode, phone, date of birth, IP address, and user-agent from our database. We retain the underlying entry record — skill answer submitted, ticket numbers, payment intent reference, and terms version accepted — in an anonymised form for the six-year window, to defend disputes and prove the competition ran fairly.

6. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you;
  • Have inaccurate data corrected;
  • Have your account anonymised (the “right to erasure”, as described above);
  • Receive your data in a portable format;
  • Restrict or object to certain processing;
  • Withdraw consent for marketing at any time;
  • Complain to the Information Commissioner's Office (ICO) — ico.org.uk.

To exercise any of these rights, email [legal@magpieraffle.co.uk]. We will respond within 30 days.

7. Who we share data with

We share only what is necessary to run the Site, with carefully selected processors:

  • Stripe— payment processing. Your card details go directly to Stripe; we only see references and amounts. Stripe's privacy policy applies to their handling.
  • Resend— transactional email (confirmation, winner notification, password reset). Resend processes your email address and the contents of the messages we send.
  • Supabase— our database and authentication provider. Supabase hosts our application data on AWS infrastructure inside the European Union.
  • Vercel— web hosting. Vercel handles request routing and may retain access logs containing IP addresses for a short period for operational reasons.

We do not sell your data. We do not share it for advertising purposes.

8. International transfers

Our primary infrastructure is hosted in the European Union (Supabase, Ireland). Some processors (notably Resend) operate in the United States. Transfers outside the UK / EEA rely on the UK's International Data Transfer Agreement, the EU's Standard Contractual Clauses, or an adequacy decision — whichever applies to the specific transfer.

9. Cookies

We use a small set of strictly necessary cookies to keep you signed in and to operate the checkout. See our Cookies Policy for details.

10. Children

The Site is not for anyone under 18. We do not knowingly collect personal data from under-18s. If you believe a child has provided us with personal data, email us and we will delete it.

11. Security

We hash passwords using industry-standard algorithms (handled by Supabase Auth), we hash skill answers in the database so they are not exposed to administrators, and we use TLS in transit. No system is perfect; please use a strong, unique password and report suspected security issues to us.

12. Changes to this policy

We may update this policy from time to time. Material changes will be notified by email or by a notice on the Site.