Plain answers for the people who ask hard questions — school administrators, parish councils, IT reviewers, and anyone who's been burned by “free” platforms. Everything below is verifiable in our Terms & Privacy.
Every page and form on every domain uses TLS encryption. No HTTP fallback. Modern ciphers only.
Stripe is PCI-DSS Level 1 certified and handles all payment data end-to-end. We can't leak what we don't have.
Each draw records the seed, timestamp, who initiated, which entries qualified, and the winner. Downloadable for the board, the diocese, or your state filing.
Default (auto-delete): event data kept for event date + 45 days, then deleted; backups overwritten 30 days after that. Retain mode (opt-in): data persists until you delete it or close your account — for orgs with long-term record-keeping needs. Inactive Community accounts: reminder, grace period, then permanent deletion regardless of mode. Request deletion any time.
All application data is hosted in the United States. Paid events run on Railway (us-east). Community (free) events run on SimplyRaffle-operated infrastructure in San Francisco, California, fronted by Cloudflare Tunnel. Both within the US. If you need cloud-hosted Community infrastructure specifically, ask before provisioning. EU residents: see our terms for the DPF / SCC transfer framework.
Participant email addresses are used solely for raffle communications — invitations, reminders, draw results. No newsletters, no promos, no follow-up sequences.
California residents have the right to know what personal information we collect, request deletion, and opt out of the sale of personal data — though we never sell personal data. We respond within 45 days as required by law. Email [email protected] to exercise these rights.
EU residents have the right to access, rectify, or erase personal data, and to object to or restrict processing. SimplyRaffle is operated from the United States — data is transferred to and processed in the US. Data Processing Agreements (DPA) are available on request for institutional buyers (school districts, parish councils, EU-based organizations). Email [email protected] to request one.
SimplyRaffle is designed for use by adult event organizers. Participant fields ask for name and email — not age, school grade, or anything that identifies a child. When a raffle involves participants under 13 (typical of school events), the organizing adult is responsible for obtaining verifiable parental consent before submitting any child's information. If we learn that we have inadvertently collected personal information from a child under 13, we will promptly delete it. Email [email protected] if you believe we hold such data.
Each is bound by its own terms and privacy policy. We share the minimum data each needs to do its job.
Always engaged (every event)
Receives organizer name, email, billing details for paid-tier checkout and Community SetupIntent. Stores all card data. We never see it.
Stripe privacy →Receives organizer + participant email addresses to deliver raffle invitations, Magic Link entries, and draw results.
Resend privacy →Serves the marketing site, terminates TLS, runs the signup Worker, fronts tenant traffic via Tunnel. Receives IP addresses and HTTP metadata.
Cloudflare privacy →Stores prize images and organization logos for paid-tier tenants. Per-tenant key prefix; AES-256 at rest.
Cloudflare DPA →Hosting (depends on plan)
Hosts the raffle application backend for paid-tier events. Per-tenant Postgres. DPF certified.
Railway privacy →Operator-managed infrastructure at the San Francisco facility, fronted by Cloudflare Tunnel. Per-tenant Docker container with its own PostgreSQL. Data stays within the United States. Paid-tier tenants who specifically require this infrastructure may opt in at signup.
Ask about your event →AI subprocessors (only when you use the feature)
✨ Generate from photo: prize image → Gemini 2.5 Flash → 1–2 sentence description. Per-event caps: 20 (Community) / 500 (paid). ✨ Magic Setup Wizard: your event description → Gemini Pro/Flash → recommended preset + extracted config. No participant data sent. Not used for model training. DPF certified.
Google Cloud DPA →Magic Import: uploaded CSV / text / image → Claude Sonnet → structured participant list. Per-tenant cap: 100 lifetime. Magic Setup Wizard (fallback): when Google's Gemini is unavailable, Claude Sonnet 4.6 takes over — receives your event description, returns the recommended preset. No participant data sent. Not used for model training.
Anthropic commercial terms →SimplyRaffle is the drawing tool, not the payment processor. You pay us a one-time fee per event (or per year for repeat orgs) and that's the entire transaction. We don't take a percentage of your raffle. We don't show donor tip prompts at checkout. We don't add platform fees to ticket prices. If your supporters pay you $5 for a ticket, you receive $5.
However your organization already collects money — cash in a lockbox, check in the offering plate, Venmo, Zelle, Stripe Checkout, a card reader at the table, a Square terminal — that's how you keep collecting it. SimplyRaffle never touches the money, never sees the money, and isn't in the payment flow at all. You enter buyers into the drawing (via Magic Import, manual entry, or our walk-up Ticket Table in Kiosk Mode) and we run the drawing. Two separate operations.
Diocese IT, school district business manager, parish council finance review, corporate vendor security review, EU DPO — if you have a checklist to run and need a DPA, subprocessor list, or written answers to a security questionnaire, email Jason directly. Most replies same business day; complex requests within 3 business days.
Email [email protected] →Full legal text: Terms & Privacy