Privacy Policy

RaffleProp Ltd, 36 Minfa Crescent, Karu, Nigeria (RC 9484205) is the Data Controller for all personal data collected through this platform. Our Data Protection Officer can be reached at privacy@raffleprop.com.

We collect the following categories of personal data:

• Identity: full name, date of birth
• Contact: email address, phone number
• Government ID: BVN (encrypted), NIN (encrypted)
• Technical: IP address, device, browser, OS
• Transaction: ticket history, payment references
• Usage: pages visited, campaign interactions

We never collect or store raw card numbers. All card payments are processed directly on Paystack or Flutterwave's PCI-DSS compliant hosted pages.

We use your personal data for the following purposes:

• Process ticket purchases and issue FCCPA §118 receipts
• Verify your identity when you win (BVN + NIN matching)
• Send campaign receipts, draw notifications, and account alerts
• Send marketing communications (with your consent only)
• Comply with AML/KYC obligations under SCUML regulations
• Respond to NDPR data subject requests
• Detect and prevent fraud and multiple accounts
• Report draw results to the FCCPC per FCCPA §124

Under the NDPR 2019, we process your data on the following lawful bases:

• Contract: processing necessary to deliver the ticket purchase and competition service you have entered into
• Legal obligation: KYC/AML verification, FCCPA §118 record-keeping, and FCCPC reporting
• Consent: marketing communications — withdraw at any time via account settings or by emailing privacy@raffleprop.com
• Legitimate interest: fraud prevention and platform security, where our interests do not override your rights

BVN and NIN data are encrypted at rest using AES-256-GCM before storage. Decryption occurs only during KYC verification for winner identity confirmation. These fields are never logged, displayed, or transmitted in plain text. Encryption keys are stored separately from the encrypted data and are rotated periodically.

We share your data only where strictly necessary:

• Escrow bank: winner identity verification only (BVN/NIN matching)
• Payment gateways (Paystack, Flutterwave): transaction processing — they receive only the data required to process payment
• FCCPC: draw results and winner details as required by FCCPA §124
• Property lawyers: winner contact details for Deed of Assignment preparation

We never sell, rent, or trade your personal data to any third party for commercial purposes.

We apply the following technical and organisational security measures:

• All data in transit encrypted via TLS 1.3
• BVN/NIN encrypted at rest with AES-256-GCM
• Regulatory documents stored in WORM (write-once) storage
• Access to personal data restricted on a need-to-know basis
• Admin accounts require two-factor authentication (TOTP)
• No PII written to application logs in plain text
• All data access events recorded in an append-only audit log

Under the Nigeria Data Protection Regulation 2019, you have the following rights:

• Access: request a full export of your data
• Rectification: correct inaccurate or incomplete data
• Erasure: request anonymisation (subject to FCCPA §118 retention for ticket records)
• Withdraw consent: opt out of marketing at any time
• Portability: receive your data in a machine-readable format
• Complaint: lodge a complaint with NITDA

Exercise your rights at the NDPR / Data Rights page or by emailing privacy@raffleprop.com. We respond within 30 days as required by NDPR.

We retain personal data for the following periods:

• Account data (name, email, phone): retained while your account is active, then anonymised within 30 days of a verified deletion request
• BVN/NIN (encrypted): retained only while your account is active; deleted upon account anonymisation
• Ticket and transaction records: retained permanently as required by FCCPA §118 — this legal obligation overrides the NDPR right to erasure for regulatory records
• Financial/audit records: retained for 7 years for tax and audit purposes
• Marketing consent records: retained indefinitely as proof of consent, even after withdrawal

We use only essential session cookies required for authentication and security. We do not use advertising, tracking, or analytics cookies. No third-party scripts (Google Analytics, Meta Pixel, etc.) are loaded without your explicit consent.

RaffleProp is intended for users aged 18 and over. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected data from a minor, please contact us at privacy@raffleprop.com and we will delete it promptly.

We may update this Privacy Policy from time to time. Where changes are material, we will notify registered users by email at least 7 days before the changes take effect. The date at the top of this page always reflects the most recent revision. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

For any privacy-related enquiries or to exercise your data rights, contact our Data Protection Officer at privacy@raffleprop.com.

If you are not satisfied with our response, you have the right to lodge a complaint with NITDA (National Information Technology Development Agency), the NDPR supervisory authority, at nitda.gov.ng.