Privacy Policy
This Privacy Policy explains how draw.name ("draw.name", "we", "us", or "our") collects, uses, stores, and protects information when you use our website at https://www.draw.name and the services available through it (the "Service").
draw.name is operated from Australia. If you have questions about this policy or about your information, please contact us at hi@draw.name.
We have built draw.name to need as little information from you as possible. There are no user accounts, and we do not require an email address to use the Service.
1. Information we collect
1.1 Information you provide
When you create or take part in a draw, you may provide:
- Names of the people in your group.
- An optional group name.
- Optional exclusion rules (the names of people who should not be matched together).
- Optional wishlist items, including a title, an optional link, and an optional note.
If you contact us through our in-app feedback form or by email, we will receive whatever you choose to send, including your email address and the contents of your message.
1.2 Information generated by the Service
When you use draw.name, the Service generates and stores:
- A unique draw identifier that forms part of your draw's link.
- A claim token for each participant — a long, random value used to recognise your browser as the owner of a particular name in a draw, so you can return later and see your match. The token is stored in a secure, signed cookie on your device and in our database.
- Match results once your group draws names, including a timestamp recording when each participant first viewed their match.
1.3 Information collected automatically
When you visit draw.name, our infrastructure providers and we automatically receive certain technical information, including:
- The country your request comes from.
- The page or endpoint you accessed, the response status, and the time it took to respond.
- Standard request metadata such as the request method, a request identifier, and a Cloudflare trace identifier.
We do not store your IP address in our application logs or in our database. It is processed by Cloudflare for routing and security purposes.
We do not log the contents of requests you send to the Service (for example, the names you type into a draw).
2. How we use your information
We use the information described above to:
- Provide the Service — that is, to create draws, perform matches, store wishlists, recognise returning participants, and let you and your group access your draw via its link.
- Operate, secure, and improve the Service, including diagnosing errors, preventing abuse, and understanding which features are used.
- Comply with our legal obligations and respond to lawful requests.
- Communicate with you if you contact us for support.
We do not use your information for advertising. We do not sell or rent your information to anyone. We do not share your information with data brokers.
3. Legal bases (for users in the EU, UK, and similar jurisdictions)
If you are in the European Union, the United Kingdom, or another jurisdiction with similar data protection laws, our legal bases for processing your information are:
- Performance of a contract — to provide the Service you have asked us to provide (for example, running your draw).
- Legitimate interests — to keep the Service secure, prevent abuse, fix errors, and understand aggregate usage. We have considered these interests against your rights and freedoms and believe our processing is proportionate, given the limited and non-sensitive nature of the data involved.
- Consent — where consent is required by law for a particular activity (for example, certain analytics cookies in some jurisdictions). Where you have given consent, you may withdraw it at any time.
- Legal obligation — where we are required to process information by applicable law.
4. Third parties we use to run the Service
We rely on a small number of third-party providers ("sub-processors") to operate draw.name. We have chosen them to keep the data they receive to a minimum.
| Provider | Details |
|---|---|
| Cloudflare | Edge network, request routing, and DDoS protection. All requests pass through Cloudflare, which sees your IP address and request metadata. Processes globally. |
| Google Cloud Platform | Application hosting and log storage. Our backend runs on Google Cloud Run. Application logs (without IP addresses or request bodies) are stored in Google Cloud Logging. Processes in the United States. |
| PostHog | Product analytics. Receives anonymous, aggregated event data about how the Service is used (for example, "a draw was created"). Processes in the United States. |
| Sentry | Error monitoring and in-app feedback. Receives technical error reports with personal data scrubbed (no email, IP, username, or precise location). If you use the in-app feedback form, Sentry also receives the email and message you provide. Processes in the European Union and the United States. |
We may change sub-processors over time. We will update this list when that happens.
5. Cookies and on-device storage
draw.name uses a small number of cookies and on-device storage items.
- Claim cookie — a secure, signed cookie set by us when you claim a name in a draw. It contains a random token that lets your browser return to your match. It does not contain your name or any other personal detail. It expires after 60 weeks. This is a strictly necessary cookie; the Service cannot work without it.
- Analytics session storage — our analytics provider (PostHog) stores a short-lived session identifier in your browser's session storage. It is automatically deleted when you close the tab. It does not identify you and is not shared across browsers or devices.
We do not use advertising cookies, tracking pixels from third-party advertisers, or social media trackers.
6. International transfers
draw.name is operated from Australia. Your information may be transferred to and processed in other countries — including the United States, the European Union, and globally via Cloudflare's edge network (see Section 4). Where transfers occur, we rely on the safeguards our providers have in place, such as the European Commission's Standard Contractual Clauses and equivalent frameworks.
7. How long we keep your information
We keep your information only for as long as necessary.
- Draw and participant data is permanently deleted 60 weeks after the draw was created.
- Server logs (request metadata, country codes, error events) are retained for 30 days in Google Cloud Logging and then deleted automatically.
- Database backups taken for disaster recovery purposes are retained for up to 3 months and are then overwritten in the normal course of operations.
- Analytics events in PostHog are retained according to PostHog's retention settings for our plan.
- Error reports in Sentry are retained according to Sentry's default retention period (typically 90 days).
8. Information about children
draw.name is intended for use by people aged 13 and over. We do not knowingly collect information from children under 13. The Service has no age verification. If you are a parent or guardian and you believe a child under 13 has provided information through the Service, please contact us at hi@draw.name and we will take reasonable steps to delete it.
If you are under the age of digital consent in your country, please use the Service only with the involvement of a parent or guardian.
9. Your rights
Depending on where you live, you may have rights in relation to your information. These can include the right to:
- Access the information we hold about you.
- Correct information that is inaccurate.
- Delete your information.
- Object to or restrict certain processing.
- Withdraw consent where we are relying on it.
- Receive a copy of your information in a portable format.
- Lodge a complaint with a data protection authority.
You can clear our cookies and on-device storage at any time using your browser settings.
To make a request, please contact us at hi@draw.name. We may need to ask you for information to verify your request. Because we do not collect identifying information by default, there are situations where we will not be able to locate or verify your information; in those cases we will explain why.
If you are in Australia, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
If you are in the European Union, you can lodge a complaint with your local data protection authority.
If you are in the United Kingdom, you can lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
10. Affiliate links
Wishlist items can include links to retailers. Some of those links may be affiliate links. If you click an affiliate link and make a purchase, we may receive a small commission from the retailer at no extra cost to you.
We do not share your personal information with affiliate networks or retailers. When you click a link, your browser is sent to the retailer's website in the normal way, and the retailer may set its own cookies and apply its own privacy practices, which we do not control.
11. Security
We take reasonable steps to protect your information, including:
- Encrypting all traffic to and from the Service using HTTPS.
- Storing claim tokens in signed, HTTP-only, secure cookies.
- Validating and limiting the size of all data you submit.
- Restricting access to our infrastructure to a small number of authorised people.
- Regularly updating our software and dependencies.
No method of transmitting or storing information over the internet is completely secure. While we work hard to protect your information, we cannot guarantee absolute security.
12. Changes to this policy
We may update this Privacy Policy from time to time, for example to reflect changes in our Service, our providers, or applicable law. When we do, we will update the "Effective date" at the top of this page. If the changes are significant, we will take reasonable steps to make them more visible — for example, by posting a notice on the Service.
13. Contact
If you have any questions about this Privacy Policy or about how we handle your information, please contact us at: