Privacy Policy

Last updated: 17 April 2026

1. Who We Are

Rafli, Inc. ("Rafli", "we", "us") is the data controller for personal information collected through the Rafli platform. Contact: privacy@rafli.win.

2. What We Collect

  • Account data: name, email, avatar, authentication identifiers.
  • Checkout data: paid entry purchases, payment method identifiers (no card numbers — Stripe holds those), promo codes, entry counts.
  • Winner identity verification (KYC): government ID, date of birth, address — collected only when you win a prize that triggers verification.
  • On-chain identity commitment: a one-way SHA-256 hash of your account plus raffle ID, written to IPFS. The hash cannot be reversed to identify you.
  • Device & usage data: IP address, browser, pages viewed, clicks — collected via our analytics provider and only with your consent (see Cookies below).

3. Lawful Basis (GDPR Art. 6)

  • Performance of contract — processing purchase, entry, prize-fulfillment, and support requests.
  • Legal obligation — tax reporting, AML/KYC, records retention.
  • Legitimate interest — fraud prevention, security logs, service improvement.
  • Consent — marketing emails and non-essential analytics cookies. You can withdraw consent at any time.

4. Your Rights

Subject to local law (GDPR, UK GDPR, CCPA, LGPD), you have the right to:

  • access the personal data we hold about you;
  • request correction or deletion;
  • restrict or object to processing;
  • portability — receive your data in a machine-readable format;
  • withdraw consent for marketing or analytics without affecting past processing;
  • lodge a complaint with your local data protection authority.

Submit requests to privacy@rafli.win. We respond within 30 days.

5. Cookies & Analytics

The first time you visit Rafli, you will see a cookie consent banner. Essential cookies (authentication, session, mode preference) are required to run the service and are set without consent. Analytics and marketing cookies are set only after you accept.

We use Mixpanel for product analytics. Mixpanel receives page views, clicks, and a hashed user identifier — never raw personal data from form fields. You can reject analytics cookies at any time by clearing browser storage or revoking consent on request.

6. Sharing

We share data only with: (a) infrastructure and payment processors who run Rafli (Stripe, Vercel, Sentry, Mixpanel); (b) raffle hosts to enable prize fulfillment to winners; (c) government agencies where legally compelled. We do not sell personal data.

7. Retention

Entry records, draw manifests, VRF proofs, winner KYC, and tax forms are retained for 7 years — the longest applicable statutory minimum. Account profile data is purged 30 days after account deletion. Identity commitments on IPFS are not deletable by design (they are the public verification signal) but contain no personal data by construction.

8. International Transfers

Rafli is operated from the United States. If you access the Platform from the EEA, UK, Switzerland, or another region with data-transfer restrictions, your data is transferred under Standard Contractual Clauses (EU 2021/914) or their UK addendum equivalent.

9. Children

Rafli is not intended for users under 18 and we do not knowingly collect data from them. If you believe a child has provided data, contact privacy@rafli.win and we will delete it.

10. Changes

Material changes to this policy are surfaced in-app at least 14 days before taking effect. See Terms for the full agreement.