Privacy Notice
This Notice explains how ScirDom handles personal data for the website, platform, accounts, payments, support, draw execution, certificates, Evidence Packs, and verification materials.
Operational privacy notice: effective for current ScirDom use. Last updated: 24 April 2026.
AT A GLANCE
Controller processing
ScirDom acts as controller for website, account, billing, support, security, abuse-prevention, legal, and Platform-integrity processing.
Processor processing
ScirDom usually acts as processor for Participant Data submitted by Clients to execute and verify Draws.
No sale of Participant Data
ScirDom does not sell Participant Data and does not use it to train general-purpose artificial intelligence or machine-learning models.
Contents
1. Scope 2. Data protection roles 3. Personal data we process 4. Sources of personal data 5. Purposes and lawful bases 6. Participant Data 7. Evidence Packs and verification 8. Automated processing 9. Children's and sensitive data 10. Cookies 11. Marketing 12. Sharing and service providers 13. International transfers 14. Security and breaches 15. Retention 16. Rights and complaints 17. Updates to this Notice
1. Scope
This Notice applies to personal data processed by ScirDom in connection with the website, Platform, Client accounts, enquiries, onboarding, support, contracts, billing, payment administration, draw execution, certificates, Evidence Packs, verification materials, security, abuse prevention, and Platform-integrity operations.
ScirDom is a business and organisational platform for verifiable prize-draw infrastructure. It is not intended for personal, household, or child-directed use.
This Notice does not replace a Client's own privacy notice. If you entered a Promotion run by a ScirDom Client, that Client is normally responsible for telling you how it uses your personal data for that Promotion.
This Notice should be read with the Terms of Service, Cookie Policy, and any written contract that applies to the relevant Client account.
2. Data protection roles
ScirDom acts as controller for personal data processed for its own purposes. This includes website operation, account administration, billing, authentication, access control, support, service communications, Platform security, fraud prevention, abuse prevention, legal compliance, legal claims, supplier relationships, business analytics, and service improvement.
ScirDom usually acts as processor for Participant Data submitted by a Client for draw execution and verification. In that context, the Client normally acts as controller, determines the lawful basis, provides privacy information to participants, controls Promotion design, and remains responsible for the legality of the Promotion and Participant List.
Some records connected with a Client Draw may have mixed purposes. Security logs, access logs, support records, billing records, abuse-prevention records, and legal-claims records may contain references to Client users, participants, or draw identifiers. Where ScirDom processes those records for its own security, legal, anti-abuse, service-integrity, or claims purposes, ScirDom acts as controller for that limited processing.
Payment providers, professional advisers, regulators, courts, law-enforcement bodies, and Clients may act as independent controllers where they decide their own purposes and means of processing.
3. Personal data we process
| Category | Examples |
|---|---|
| Account and contact data | Names, business email addresses, telephone numbers, organisation names, account roles, user IDs, login records, and preferences. |
| Organisation and billing data | Billing entity, business address where provided, contract records, payment references, invoices, purchase history, and payment status. |
| Authentication and security data | Login timestamps, IP addresses, browser and device information, authentication events, reset records, security alerts, and audit logs. |
| Client Content | Draw names, Promotion references, draw settings, instructions, uploaded files, Participant Lists, eligibility notes, and support attachments. |
| Participant Data | Participant names, entry references, account references, email addresses, customer IDs, postal addresses, telephone numbers, or other identifiers submitted by a Client. |
| Draw and Evidence Pack data | Submitted Participant Lists, locked participant registers, draw configuration, execution-order registers, entropy references, algorithm versions, timestamps, selected winners, reserve results, manifests, certificates, checksums, and verification metadata. |
| Support, legal, and complaints data | Emails, messages, support requests, privacy requests, complaint records, legal notices, regulator correspondence, and records needed for legal claims. |
Clients should submit only the personal data necessary for the relevant Draw. Where a stable entry reference or pseudonymous identifier is sufficient, Clients should avoid submitting unnecessary names, contact details, or other identifying data.
A hashed, salted, pseudonymised, or tokenised identifier may still be personal data if it can reasonably be linked back to an identifiable individual.
4. Sources of personal data
We may receive personal data directly from you, from a Client or the organisation you represent, from payment providers, from security or authentication providers, from hosting and infrastructure providers, from public sources where relevant to business due diligence, from regulators or advisers, and from automated technical collection through browsers, devices, servers, cookies, and similar technologies.
5. Purposes and lawful bases
Where ScirDom acts as controller, the lawful bases we may rely on include contract, legal obligation, legitimate interests, consent where required, and establishment, exercise, or defence of legal claims where relevant.
| Purpose | Role and lawful basis |
|---|---|
| Operating the website and Platform | Controller for website, account, and operational data. Legitimate interests in operating, securing, and improving the service; contract for account administration; consent where required for non-essential cookies. |
| Executing Client Draws | Usually processor for Participant Data, relying on the Client's lawful basis. Controller for limited security, legal, and integrity records where needed. |
| Producing certificates and Evidence Packs | Usually processor for Client-controlled draw records. Controller for limited records retained for service integrity, auditability, abuse prevention, dispute handling, or legal claims. |
| Billing and payment administration | Controller. Contract, legal obligation for tax/accounting records, and legitimate interests in payment administration and debt management. |
| Security, fraud prevention, and abuse prevention | Controller. Legitimate interests in protecting accounts, the Platform, Clients, participants, ScirDom, and third parties; legal obligation where applicable. |
| Privacy requests, complaints, and legal compliance | Controller for requests made to ScirDom as controller. Processor-assistance role for Client-controlled Participant Data. Legal obligation and legitimate interests in documenting and managing requests. |
Where ScirDom acts as processor for Participant Data, the Client determines the lawful basis. ScirDom does not determine the Client's lawful basis merely by providing the Platform.
6. Participant Data
Clients may submit Participant Data to the Platform so that a Draw can be executed and verified. The Client is normally the controller for that Participant Data and is responsible for lawful basis, transparency, accuracy, minimisation, Promotion legality, participant rights requests, complaints, eligibility disputes, prize fulfilment, and automated-decision-making safeguards where required.
ScirDom processes Participant Data as processor only on the Client's documented instructions, except where ScirDom is legally required to process it or where ScirDom processes limited related records for security, legal, service-integrity, or claims purposes.
ScirDom may reject, quarantine, delete, or require correction of Participant Data where it appears excessive, unlawful, technically unsafe, outside the agreed service scope, or inconsistent with the applicable contract.
7. Evidence Packs and verification
ScirDom is designed to support verifiable draw integrity. Evidence Packs may include personal data if the Client uploads personal data into the Participant List or if identifiers are needed to verify the draw result.
Evidence Packs can include the draw certificate, draw name, Client organisation identifier, timestamps, draw configuration, submitted Participant List, locked execution-order register, winner and reserve identifiers, algorithm version, entropy references, signed manifest, checksums, verification files, and audit metadata.
Evidence Pack downloads are owner-authenticated. Clients decide whether, when, and how to share Evidence Packs with participants, auditors, regulators, courts, advisers, or the public. Clients must not publish personal data from Evidence Packs unless they have a lawful basis and have complied with transparency, minimisation, and fairness requirements.
Public verification on the website currently focuses on entropy validation packages, algorithm materials, and signature checks. It is not a public draw-evidence page for every Client Draw.
After a Draw completes, working participant identity material is purged after successful Evidence Pack generation where possible. Submitted and locked participant registers remain within the Evidence Pack because deleting or altering them may compromise draw verification.
8. Automated processing
The ScirDom Platform uses automated technical processing to execute Draws from a locked Participant List and draw configuration. The draw process is not intended to profile participants or predict personal characteristics; it is intended to select one or more entries from a locked list using the applicable algorithm and entropy material.
For Client-controlled Promotions, the Client decides to run the Draw, sets the Promotion terms, determines the Participant List, chooses the draw configuration, and determines what legal effect the result has. The Client is therefore normally responsible for assessing whether the Draw involves automated decision-making with legal or similarly significant effects for participants.
ScirDom may use automated or semi-automated systems to detect suspicious activity, protect accounts, monitor security events, identify technical anomalies, block abuse, rate-limit requests, or protect Platform integrity. Where an automated security measure materially affects a Client account, the Client may contact ScirDom to request review unless urgent legal, security, or operational reasons prevent immediate review.
9. Children's and sensitive data
The Platform is not directed at children and is not designed for routine processing of special category data, criminal offence data, financial account data, government identifiers, or unnecessary children's data.
Clients must not submit such data unless ScirDom has expressly agreed this in writing, the processing is within the agreed service scope, the Client has identified a lawful basis and safeguards, and appropriate privacy information has been provided.
If a Client Promotion involves children or young people as participants, the Client is responsible for children's data rules, age-appropriate transparency, parental or guardian involvement where required, safeguarding duties, risk assessment, and special care when publishing or sharing winner information.
10. Cookies
ScirDom uses cookies and similar technologies for strictly necessary website and Platform functions, authentication, session management, security, fraud prevention, and remembering preferences. Non-essential cookies and similar technologies are used only where the applicable consent or legal requirements are satisfied.
The Cookie Policy explains that essential cookies remain available for core operation and optional cookies remain off unless the user chooses otherwise. The Cookie Policy is available at /cookies/.
Stripe and PayPal may set cookies or similar technologies during payment flows. Optional analytics or marketing technologies are not enabled by default.
11. Marketing
ScirDom may send service messages needed for Platform operation, account administration, security, support, billing, contract management, or legal notices. These are not optional marketing communications.
ScirDom may send marketing communications to business contacts where lawful. The lawful basis may be consent or legitimate interests, subject to PECR and opt-out rights. You can opt out by contacting [email protected].
Opting out of marketing does not prevent ScirDom from sending service, security, legal, billing, or account-administration messages.
12. Sharing and service providers
ScirDom may share personal data where lawful and necessary with hosting, infrastructure, database, cache, storage, backup, CDN, security, authentication, payment, billing, email, support, monitoring, logging, professional-adviser, regulator, court, law-enforcement, auditor, dispute-resolution, and Client recipients.
Current service-provider categories include hosting/database/cache infrastructure, Cloudflare security/CDN/Turnstile, Stripe, PayPal, email delivery, object storage for entropy intake where configured, backup/storage providers, and professional advisers.
ScirDom does not permit service providers to use personal data for their own independent purposes unless they act as independent controllers and have their own lawful basis.
Where service providers act as processors or sub-processors, ScirDom requires appropriate contractual protections. Where ScirDom acts as processor for Participant Data, sharing is governed by the Data Processing Terms, the Client's documented instructions, and applicable law.
13. International transfers
ScirDom is based in the United Kingdom. Personal data may be accessed from, stored in, or transferred to countries outside the United Kingdom where service providers, sub-processors, support personnel, payment providers, or other recipients are located outside the UK.
Where a restricted transfer occurs, ScirDom will use an appropriate transfer mechanism where required. This may include UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, another lawful Article 46 safeguard, or an applicable exception under Article 49 UK GDPR.
14. Security and breaches
ScirDom uses technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Measures may include access controls, authentication controls, role-based permissions, encryption in transit, stored-data protection where appropriate, logging, monitoring, vulnerability management, backup and recovery controls, supplier due diligence, incident response, audit trails, secure development practices, data minimisation, and retention controls.
No system can be guaranteed to be completely secure. Clients are responsible for strong credentials, protecting account access, managing authorised users, protecting API keys, and promptly notifying ScirDom of suspected unauthorised access.
Where ScirDom identifies a personal data breach affecting data for which it is controller, it will assess the breach and take steps required by data protection law. Where ScirDom identifies a personal data breach affecting Participant Data processed as processor, it will notify the relevant Client in accordance with the Data Processing Terms or written contract.
15. Retention
ScirDom retains personal data only for as long as necessary for the purposes described in this Notice, unless a longer retention period is required or permitted by law. Relevant operational records are normally retained for six years. Retention depends on the data type, processing role, Client instructions, contract requirements, tax and accounting duties, draw-integrity requirements, security needs, limitation periods, complaints, disputes, investigations, and backup cycles.
| Data type | Retention approach |
|---|---|
| Account data | Retained while the account is active and normally for six years afterwards where needed for legal, billing, security, audit, dispute, or service-integrity purposes. |
| Billing, receipt, and payment records | Normally retained for six years for tax, accounting, audit, contract, payment, and legal purposes. |
| Support, privacy, and complaint records | Normally retained for six years where needed to handle the matter, evidence compliance, resolve disputes, improve support, and protect legal rights. |
| Participant working data | Processed for draw execution and purged after successful Evidence Pack generation where possible, subject to Client instructions, Platform configuration, and lawful retention needs. |
| Completed draw records, Evidence Packs, and certificates | Normally retained for six years for verification, audit, dispute handling, legal claims, Client instructions, and Platform integrity. |
| Security logs and backups | Retained according to security, investigation, operational, and backup cycles. Some records may be retained longer where needed for security, fraud prevention, disputes, or legal claims. |
Records may be retained for longer than six years where needed for law, tax, accounting, disputes, fraud prevention, security, regulator correspondence, court proceedings, or verification integrity.
Where deletion is requested, ScirDom may not be able to delete data immediately from backups, archives, or integrity records. Where lawful, such data will be protected, put beyond ordinary use where appropriate, and deleted or overwritten according to the applicable cycle.
Aggregated or anonymised information that no longer identifies an individual may be retained for service improvement, statistics, audit, research, security, or business purposes.
16. Rights and complaints
Where UK data protection law applies, individuals may have rights to be informed, to access personal data, to rectify inaccurate data, to request erasure in certain circumstances, to restrict processing in certain circumstances, to object in certain circumstances, to data portability in certain circumstances, to withdraw consent where processing is based on consent, to safeguards relating to automated decision-making where applicable, and to complain to the ICO.
These rights are not absolute. They may be subject to legal conditions, exemptions, identity verification, competing rights, legal-claims requirements, security requirements, or the role in which ScirDom processes the data.
To make a rights request or data protection complaint to ScirDom, contact [email protected]. ScirDom will acknowledge data protection complaints within 30 days of receipt and will respond without undue delay after making appropriate enquiries.
If a request or complaint concerns Participant Data for which a Client is controller, ScirDom may refer the request to that Client or assist the Client under the Data Processing Terms.
You may complain to the Information Commissioner's Office if you are unhappy with how personal data has been handled. ICO website: https://ico.org.uk/make-a-complaint/. ICO telephone: 0303 123 1113. ICO postal address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
17. Updates to this Notice
ScirDom may update this Notice when the service changes, the operator details change, service providers change, the law changes, or the way personal data is processed changes. The last-updated date at the top shows when this Notice was last materially updated.
Contact and controller
For privacy requests, security reports, or complaints about ScirDom's own processing, contact [email protected].