DrawTrust
Start your first drawing

Privacy Policy

Last updated: April 28, 2026

1. Who we are and our role

DrawTrust is a verification platform for drawings, giveaways, and prize selections, operated from Lebanon. We provide infrastructure that allows organizers to register a participant pool and allows participants to independently confirm their inclusion in the pool that was actually used.

DrawTrust acts as the data controller for account-holder information (organizers and verifiers who hold an account with us). For participant-pool data that an organizer uploads, pastes, or sources through a connected account, DrawTrust acts only as a processor on the organizer's instructions; the organizer is the controller of that data and is responsible for the lawful basis on which it is collected and for any notices owed to participants. This policy covers data we handle in either capacity.

2. Data we may collect

Categories of data we may collect or process include but are not limited to:

  • Account data. Your name, email address, a hashed version of your password, account identifier, and locale preference. If you sign in with Google, we receive your name and email from Google's identity service.
  • Authentication data. Email-verification codes, login event timestamps and methods, session token versions, and password-reset requests.
  • Drawing data. Drawing titles, sources (post links, spreadsheets), source references, closing dates, prize group configurations, pool hashes, winner identifiers, and visibility settings.
  • Participant identifiers. Identifiers an organizer registers as a participant pool — for example names, usernames, email addresses, serial codes, or comments fetched from a connected platform — together with normalized forms used for matching.
  • Social connections. Encrypted OAuth access and refresh tokens for Google, Meta (Instagram, Facebook), and X, granted scopes, expiration metadata, the external account identifier, and display name. We do not store your social platform password.
  • Public content. For post-link drawings, comments and metadata fetched from the linked public platform under that platform's public-data terms (for example via the YouTube Data API or Meta Graph API).
  • Operational metadata. IP address, user agent, request identifiers, timestamps, error and audit logs, and administrative notes — used for security, rate limiting, debugging, fraud detection, and integrity of the verification record.

3. How we may use your data

We may use the categories of data described above to:

  • Provide, operate, maintain, secure, and improve the DrawTrust platform.
  • Authenticate users, secure accounts, and verify identity for sensitive operations.
  • Register participant pools, conduct winner selections, generate verification artifacts, and serve participant-side verification queries.
  • Communicate with you about your account, drawings, security, and changes to the service.
  • Detect, investigate, and prevent abuse, fraud, security incidents, and violations of our Terms of Service.
  • Conduct internal analytics, research, debugging, and product development, including by creating and using anonymized or aggregated data without restriction.
  • Comply with legal obligations, respond to lawful requests from authorities, and assert or defend legal claims.
  • Plan and conduct corporate transactions, including any merger, acquisition, restructuring, financing, or sale of assets.
  • Any other purpose disclosed at the time of collection or with your consent.

4. Lawful bases for processing

Where Lebanese Law No. 81/2018 on Electronic Transactions and Personal Data, the EU General Data Protection Regulation (GDPR), or other applicable data-protection law applies, we rely on the following lawful bases:

  • Contract performance. Processing necessary to provide the DrawTrust service you signed up for (Art. 6(1)(b) GDPR).
  • Legitimate interest. Security, fraud prevention, integrity of the verification record, internal analytics and product development, defense of legal claims, and operating our business — balanced against your interests and rights (Art. 6(1)(f) GDPR).
  • Consent. Where we ask for explicit permission, for example connecting a social account or opting into optional features (Art. 6(1)(a) GDPR). You may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Legal obligation. Where processing is necessary to comply with a law that applies to us (Art. 6(1)(c) GDPR).

5. Organizer responsibilities — controller status for participant data

When you register a drawing as an organizer you act as the data controller for any participant identifiers and related data you upload, paste, or source through a connected social account. You represent and warrant that you have a lawful basis under applicable law to collect that data and to disclose it to DrawTrust as a processor; that you have provided participants with any notices required by law; and that the drawing is lawful in every jurisdiction in which participants reside.

You agree to defend, indemnify, and hold DrawTrust harmless against claims arising from the participant data you provide or the conduct of the drawing, on the terms set out in our Terms of Service.

6. Sharing and sub-processors

We may share data with service providers and sub-processors that help us operate the platform, including but not limited to email-delivery providers, hosting and infrastructure providers, OAuth identity providers (Google, Meta, X), and the public APIs of platforms we ingest content from (for example YouTube). These providers process data only on our instructions and under appropriate confidentiality and security commitments.

We may disclose data to courts, regulators, law-enforcement agencies, or other authorities where we believe in good faith that disclosure is required by law or necessary to protect our rights, safety, or property, or those of our users or the public.

Business transfers: in the event of a merger, acquisition, restructuring, financing, sale of assets, or insolvency, your data may be transferred as part of that transaction, subject to the surviving entity continuing to honor the commitments in this policy.

7. International transfers

DrawTrust is operated from Lebanon, and your data may be processed and stored in Lebanon and in other jurisdictions where our service providers operate. Where personal data of users in the European Economic Area is transferred outside the EEA to a country without an adequacy decision, we rely on appropriate safeguards including the European Commission's Standard Contractual Clauses. By using the service you acknowledge that data may be transferred to jurisdictions whose data-protection standards may differ from those of your home jurisdiction.

8. Retention

We retain account data for as long as your account is active, plus a reasonable post-closure period for legal, security, accounting, audit, and dispute-resolution purposes.

Pool hashes, participant identifiers in pools that have been drawn, winner records, and other verification artifacts are retained indefinitely. Indefinite retention is necessary to honor the core promise of the service: any participant must be able to return at any future time and verify their inclusion in the pool that was actually used. This is a legitimate interest and a contractual expectation participants relied on at the time of the drawing.

Anonymized or aggregated data that no longer identifies an individual may be retained without time limit. Backups follow standard rotation schedules. Any retention period may be extended by legal hold, regulatory request, or pending litigation.

9. Security

We implement reasonable technical and organizational measures appropriate to the risks of the processing, including bcrypt password hashing, AES-256-GCM encryption of OAuth tokens at rest, TLS for connections in transit, versioned key rotation, encrypted prize-image storage, audit logging, and rate limiting.

No system or transmission over the internet is perfectly secure, and we cannot guarantee absolute security. You acknowledge that you provide your data at your own risk. To the maximum extent permitted by applicable law, DrawTrust disclaims liability for unauthorized access to, or loss, alteration, or breach of, your data, except where caused by our gross negligence or willful misconduct.

10. Your rights

Depending on the law that applies to you, you may have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Request erasure of your data ("right to be forgotten"), subject to the retention exceptions described above.
  • Restrict or object to certain processing.
  • Data portability — receive your data in a structured, commonly used format.
  • Withdraw consent at any time, without affecting prior processing.
  • Lodge a complaint with the competent data-protection authority — for users in Lebanon, the Ministry of Economy and Trade under Law No. 81/2018; for users in the EEA, your national supervisory authority.

To exercise any of these rights, contact us in writing at the address below. To protect your data we will verify your identity before acting on a request. We will respond within thirty days; for complex or numerous requests we may extend this by up to sixty additional days and will notify you. We may decline or charge a reasonable fee for requests that are manifestly unfounded, repetitive, or excessive. Erasure does not extend to verification artifacts whose retention is necessary for the integrity of a drawing that participants relied on, to the extent permitted by applicable law.

11. Cookies and similar technologies

DrawTrust currently does not use tracking cookies or third-party analytics. We use browser local storage to persist your authentication token for session continuity. The Google Identity Services script may set its own cookies as described in Google's privacy policy.

We may introduce analytics, measurement, or other cookie-based technologies in the future, in which case we will update this policy. We do not honor "Do Not Track" browser signals, because no consensus standard exists for how to interpret them.

12. Children

The service is intended for users aged 18 or older (or the age of majority in your jurisdiction, whichever is greater). We do not knowingly collect data from minors. If we learn that we have collected data from a minor, we will delete it. If you believe a minor has provided us with personal data, contact us at the address below.

13. Third-party services

We integrate with third-party services including but not limited to:

  • Google Identity Services. For Google sign-in. Subject to Google's Privacy Policy at policies.google.com/privacy.
  • YouTube Data API. To fetch publicly available comments and metadata for post-link drawings.
  • Meta Graph API. To fetch comments and metadata from connected Instagram and Facebook accounts.
  • X (Twitter) API. To fetch comments and metadata from connected X accounts.

Your use of those third-party platforms remains subject to their own terms and privacy policies. We do not sell your personal data to any third party.

14. Changes to this policy

We may update this policy from time to time. For material changes we will post the updated policy on this page with a new "Last updated" date and provide reasonable in-app notice. Immaterial changes — clarifications, formatting, or contact updates — may take effect immediately on posting. Updates required for legal or regulatory compliance take effect immediately. Your continued use of DrawTrust after the effective date constitutes acceptance of the revised policy.

15. Contact

For privacy-related inquiries, including to exercise the rights described above, contact us at:

[email protected]