Privacy Policy

Last updated: 21 April 2026 · Governed by the NDPR 2019

1. Data Controller2. Data We Collect3. How We Use Your Data4. Legal Basis for Processing5. BVN & NIN Encryption6. Data Sharing7. International Data Transfers8. Security Measures9. Data Breach Notification10. Your NDPR Rights11. Data Retention12. Cookies13. Children's Privacy14. Changes to This Policy15. Contact & Complaints

1. Data Controller

RaffleProp Ltd, 36 Minfa Crescent, Karu, Nasarawa, Nigeria (RC9484205) is the Data Controller for all personal data collected through this platform. Our Data Protection Officer can be reached at privacy@raffleprop.com.

2. Data We Collect

We collect the following categories of personal data:

  • Identity: full name, date of birth
  • Contact: email address, phone number
  • Government ID: BVN (encrypted), NIN (encrypted)
  • Technical: IP address, device, browser, OS
  • Transaction: ticket history, payment references
  • Usage: pages visited, campaign interactions

We never collect or store raw card numbers. All card payments are processed directly on Paystack or Flutterwave's PCI-DSS compliant hosted pages.

3. How We Use Your Data

We use your personal data for the following purposes:

  • Process ticket purchases and issue FCCPA §118 receipts
  • Verify your identity when you win (BVN + NIN matching)
  • Send campaign receipts, draw notifications, and account alerts
  • Send marketing communications (with your consent only)
  • Comply with AML/KYC obligations under SCUML regulations
  • Respond to NDPR data subject requests
  • Detect and prevent fraud and multiple accounts
  • Report draw results to the FCCPC per FCCPA §124

4. Legal Basis for Processing

Under the NDPR 2019, we process your data on the following lawful bases:

Contract

Processing necessary to deliver the ticket purchase and competition service you have entered into.

Legal Obligation

KYC/AML verification, FCCPA §118 record-keeping, and FCCPC reporting.

Consent

Marketing communications only — withdraw at any time via account settings or by emailing privacy@raffleprop.com.

Legitimate Interest

Fraud prevention and platform security, where our interests do not override your fundamental rights.

5. BVN & NIN Encryption

BVN and NIN data are encrypted at rest using AES-256-GCM before storage. Decryption occurs only during KYC verification for winner identity confirmation. These fields are never logged, displayed, or transmitted in plain text. Encryption keys are stored separately from the encrypted data and are rotated periodically.

6. Data Sharing

We share your data only where strictly necessary:

Escrow bank
Winner identity verification only (BVN/NIN matching).
Identity verification provider (Dojah)
Your BVN/NIN and name are checked against official records to verify your identity at KYC. They receive only the data required for that verification.
Payment gateways (Paystack, Flutterwave)
Transaction processing — they receive only the minimum data required to process payment.
FCCPC
Draw results and winner details as required by FCCPA §124.
Property lawyers
Winner contact details for Deed of Assignment preparation.
Cloud infrastructure providers
Hosting and storage services used to operate the platform. See Section 7 for details on international transfers.

We never sell, rent, or trade your personal data to any third party for commercial purposes.

7. International Data Transfers

Some of our service providers — including Paystack, Flutterwave, and our cloud infrastructure provider — may process personal data outside of Nigeria. Where such transfers occur, we ensure that appropriate safeguards are in place in accordance with NDPR Article 43, including:

  • Contractual data processing agreements requiring the recipient to apply data protection standards equivalent to the NDPR
  • Transfers only to processors who are certified or regulated under recognised data protection frameworks
  • Transfers of the minimum data necessary for the specific processing purpose

Raw BVN and NIN data are never transmitted internationally. These fields are decrypted only within our Nigerian-hosted infrastructure during winner verification.

8. Security Measures

We apply the following technical and organisational security measures:

  • All data in transit encrypted via TLS 1.3
  • BVN/NIN encrypted at rest with AES-256-GCM
  • Regulatory documents stored in WORM (write-once) storage
  • Access to personal data restricted on a need-to-know basis
  • Admin accounts require two-factor authentication (TOTP)
  • No PII written to application logs in plain text
  • All data access events recorded in an append-only audit log

9. Data Breach Notification

In the event of a personal data breach that is likely to result in risk to the rights and freedoms of affected individuals, RaffleProp will:

Regulatory Authority (NITDA)Within 72 hours
Notify the National Information Technology Development Agency (NITDA) of the breach, as required by NDPR Article 40.
Affected UsersWithout undue delay
Notify affected data subjects where the breach is likely to result in high risk to their rights and freedoms.
Internal Breach RegisterAll breaches
Document all breaches — including those not meeting the notification threshold — in our internal breach register.
What breach notifications to you will include
  • The nature of the breach
  • The categories of data affected
  • The likely consequences
  • The steps we are taking to address it

To report a suspected breach, email privacy@raffleprop.com immediately.

10. Your NDPR Rights

Under the Nigeria Data Protection Regulation 2019, you have the following rights:

Access
Request a full export of your personal data.
Rectification
Correct inaccurate or incomplete data we hold.
Erasure
Request anonymisation — subject to FCCPA §118 retention for ticket records.
Withdraw Consent
Opt out of marketing at any time via account settings.
Portability
Receive your data in a machine-readable format.
Object
Object to processing carried out under legitimate interest.
Complaint
Lodge a complaint with NITDA, the NDPR supervisory authority.

Exercise your rights at the NDPR / Data Rights page or by emailing privacy@raffleprop.com. We respond within 30 days as required by NDPR.

11. Data Retention

We retain personal data for the following periods:

Account data
name, email, phone
Active account lifetime, then anonymised within 30 days of a verified deletion request
BVN / NIN
AES-256-GCM encrypted
Active account lifetime only — deleted on account anonymisation
Ticket & transaction records
FCCPA §118
Retained permanently — legal obligation overrides NDPR erasure right for regulatory records
Financial & audit records
tax & audit
7 years
Marketing consent records
proof of consent
Indefinitely, even after consent is withdrawn

12. Cookies

We use only essential session cookies required for authentication and security. We do not use advertising, tracking, or analytics cookies. No third-party scripts (Google Analytics, Meta Pixel, etc.) are loaded without your explicit consent.

13. Children's Privacy

RaffleProp is intended for users aged 18 and over. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected data from a minor, please contact us at privacy@raffleprop.com and we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify registered users by email at least 7 days before the changes take effect. The date at the top of this page always reflects the most recent revision. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

15. Contact & Complaints

For any privacy-related enquiries or to exercise your data rights, contact our Data Protection Officer at privacy@raffleprop.com.

If you are not satisfied with our response, you have the right to lodge a complaint with NITDA (National Information Technology Development Agency), the NDPR supervisory authority, at nitda.gov.ng.

Terms & ConditionsNDPR / Data RightsRegulatory ComplianceContact Us