Privacy Policy

Last updated: 4 July 2026

  • GDPR Compliant: Full EU data protection
  • Your Data Rights: Access, edit, or delete
  • Transparent: Clear data practices

1. Introduction

MC2 NB Energy Limited trading as TrustDraw, a company registered in Ireland ("we", "us", or "our"), is committed to protecting your privacy and personal data.

This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our website, services, and API (collectively, the "Service"). This policy applies to all users of TrustDraw.

We comply with the General Data Protection Regulation (GDPR), the Irish Data Protection Act 2018, and other applicable data protection laws. As a data controller, we determine how and why your personal data is processed.

Contact for Data Protection Inquiries: info@trustdraw.com

2. Personal Data We Collect

We collect different types of personal data depending on how you interact with our Service:

2.1 Account and Identity Data

  • Name: Your full name
  • Email Address: Used for account access, verification, and communication
  • Password: Stored in hashed (encrypted) form only
  • Two-Factor Authentication Data: If enabled, encrypted 2FA secret and recovery codes

2.2 Business Profile Data (Optional)

If you create a public profile, we collect:

  • Business name and description
  • Industry category (e.g., charity, retail, gaming)
  • Company location
  • Social media links (Facebook, Twitter, Instagram, website)
  • Profile banner image URL
  • Verification badge status (admin-approved only)

Note: Public profile data is visible to other TrustDraw users and may be displayed on public audit pages.

2.3 Subscription and Usage Data

  • Subscription tier (Free, Starter, Pro, Enterprise)
  • Number of draws used in current billing period
  • Plan limits and quotas
  • Billing period start and end dates
  • Payment information: Processed and stored by Paddle (our payment processor) – we do not store credit card details

2.4 Draw and Technical Data

  • Draw parameters: Range, number of winners, title, description
  • Draw results: Random numbers generated, blockchain transaction hashes
  • Blockchain data: VRF seed, transaction hash, block number, contract address
  • Draw metadata: Timestamps, execution time, draw type (demo/test/live)
  • Draw location: City and country derived from IP address for transparency purposes
  • Public visibility settings: Whether draws are public or private

2.5 Technical and Usage Data

  • IP address: Collected for security, fraud prevention, and geolocation
  • Browser information: User agent, browser type and version
  • Device information: Operating system, device type
  • Session data: Login times, last activity timestamps
  • API usage: API tokens, webhook URLs, integration settings
  • Log data: Error logs, security events (stored temporarily)

2.6 Communication Data

  • Messages sent through our contact form
  • Email correspondence with our support team
  • Feedback and survey responses

3. How We Collect Your Data

  • Directly from you: When you register, update your profile, create draws, or contact us
  • Automatically: Through cookies, server logs, and analytics when you use our Service
  • From third parties: IP geolocation services (ipapi.co) to determine your approximate location
  • From blockchain networks: Public blockchain data from Polygon and Base networks

4. Legal Basis for Processing (GDPR)

Under GDPR, we must have a legal basis to process your personal data. We rely on the following:

  • Contract Performance (GDPR Art. 6(1)(b)): Processing necessary to provide our Service, including account management, draw execution, and blockchain recording
  • Legitimate Interests (GDPR Art. 6(1)(f)): Fraud prevention, security monitoring, service improvement, and business analytics – balanced against your privacy rights
  • Consent (GDPR Art. 6(1)(a)): For optional features like public profiles, marketing communications, or non-essential cookies (when implemented)
  • Legal Obligation (GDPR Art. 6(1)(c)): Compliance with tax laws, financial regulations, and law enforcement requests

5. How We Use Your Personal Data

We use your personal data for the following purposes:

  • Service Delivery: Provide random number generation, blockchain recording, and audit functionality
  • Account Management: Create and maintain your account, authenticate logins, enable password resets
  • Billing and Payments: Process subscriptions, calculate usage, apply pricing tiers
  • Communication: Send service updates, security alerts, billing notices, and respond to inquiries
  • Security and Fraud Prevention: Detect unauthorized access, prevent abuse, investigate violations
  • Compliance: Meet legal obligations, respond to legal requests, enforce our Terms
  • Service Improvement: Analyze usage patterns, diagnose technical issues, develop new features
  • Transparency and Auditability: Display draw location and metadata to enhance trust and verifiability

We do not: Sell your personal data, use it for advertising targeting, or share it for marketing purposes without your consent.

6. Data Sharing and Third-Party Processors

We share your personal data with trusted third-party service providers who assist us in operating our Service. All processors are contractually bound to protect your data and use it only for specified purposes.

Third-Party Processors:

  • Paddle.com Market Limited (UK): Payment processing, subscription management, VAT/tax compliance. Paddle acts as our Merchant of Record and processes billing information according to their Privacy Policy.
  • Chainlink Labs: Verifiable Random Function (VRF) for cryptographic randomness. No personal data is shared; only draw parameters.
  • Polygon and Base Networks: Public blockchain networks where draw results are recorded. Draw data recorded on-chain is permanently public and immutable.
  • ipapi.co: IP geolocation service to determine city and country for draw transparency. Your IP address is sent to their service and processed according to their privacy policy.
  • Cloud Hosting Provider: Infrastructure hosting (e.g., AWS, DigitalOcean) for servers and databases. Data stored in encrypted form when at rest.
  • Email Service Provider: For transactional emails (password resets, notifications). Your email address and name may be processed by our email provider.

Public Blockchain Data:

Important: Draw results, blockchain transaction hashes, and associated metadata are permanently recorded on public blockchains (Polygon, Base). This data cannot be deleted or modified once recorded. By using our Service, you acknowledge that draw data you mark as "public" will be accessible to anyone with blockchain access.

Other Disclosures:

We may disclose your personal data:

  • To comply with legal obligations, court orders, or law enforcement requests
  • To protect our rights, property, or safety, or that of our users or the public
  • In connection with a business transfer, merger, or acquisition (with advance notice)

7. International Data Transfers

TrustDraw is based in Ireland (EU). However, some of our service providers may process data outside the European Economic Area (EEA), including in the United States.

When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions recognizing equivalent data protection standards
  • Other legally approved transfer mechanisms under GDPR

Paddle (UK-based) and blockchain networks operate internationally. By using the Service, you consent to these international data transfers under the safeguards described.

8. Data Retention

We retain your personal data only as long as necessary for the purposes described in this Privacy Policy or as required by law.

  • Account data: Retained while your account is active and for up to 12 months after account deletion (for legal and accounting purposes)
  • Demo draws: Automatically deleted after 24 hours
  • Live draws: Retained indefinitely in our database; blockchain data is permanent
  • Session and log data: Retained for 90 days, then automatically deleted
  • Billing records: Retained for 7 years to comply with tax and accounting regulations
  • Communication records: Retained for up to 3 years for customer service purposes

Note on blockchain data: Data recorded on public blockchains (Polygon, Base) is immutable and cannot be deleted. This is a fundamental characteristic of blockchain technology.

9. Cookies and Tracking Technologies

We use cookies and similar technologies to operate our Service and enhance your experience.

Essential Cookies (Strictly Necessary):

  • laravel_session: Session management and authentication (expires after 2 hours of inactivity)
  • XSRF-TOKEN: Security protection against cross-site request forgery attacks
  • remember_token: "Remember me" functionality for persistent logins (if enabled)

These cookies are essential for the Service to function and cannot be disabled.

Analytics and Marketing Cookies: We do not currently use analytics or marketing cookies. If we introduce them in the future, we will request your consent and provide the option to opt out.

Managing Cookies: You can control cookie settings through your browser. However, disabling essential cookies will prevent you from using key features of the Service.

10. Your Data Protection Rights (GDPR)

Under GDPR, you have the following rights regarding your personal data:

  • Right of Access (Art. 15): Request a copy of the personal data we hold about you
  • Right to Rectification (Art. 16): Correct inaccurate or incomplete personal data (you can update most data through your account settings)
  • Right to Erasure / "Right to be Forgotten" (Art. 17): Request deletion of your personal data (subject to legal retention requirements and blockchain immutability)
  • Right to Restriction of Processing (Art. 18): Limit how we use your data in certain circumstances
  • Right to Data Portability (Art. 20): Receive your data in a machine-readable format and transfer it to another service
  • Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing
  • Right to Withdraw Consent (Art. 7): Withdraw consent at any time where processing is based on consent
  • Right to Lodge a Complaint: File a complaint with the Irish Data Protection Commission (DPC) or your local supervisory authority

Exercising Your Rights: To exercise any of these rights, contact us at info@trustdraw.com. We will respond within 30 days of your request.

Identity Verification: To protect your privacy, we may request proof of identity before fulfilling data subject requests.

11. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

  • Encryption of data in transit (HTTPS/TLS) and at rest
  • Secure password hashing using industry-standard algorithms
  • Two-factor authentication (2FA) available for account security
  • Regular security audits and vulnerability assessments
  • Access controls and authentication for staff accessing systems
  • Secure API token management
  • Monitoring and logging of security events

Data Breach Notification: In the event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR.

While we take security seriously, no method of transmission or storage is 100% secure. You are responsible for keeping your account credentials confidential.

12. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately at info@trustdraw.com, and we will delete it promptly.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Service features.

Material changes will be communicated via email or prominent notice on our website at least 30 days before taking effect. We encourage you to review this Privacy Policy periodically.

Continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.

14. Supervisory Authority

As we are based in Ireland, our lead supervisory authority is the Irish Data Protection Commission (DPC):

Data Protection Commission

21 Fitzwilliam Square South

Dublin 2, D02 RD28, Ireland

Website: www.dataprotection.ie

Phone: +353 (0)761 104 800

If you are located in another EU/EEA country, you also have the right to lodge a complaint with your local supervisory authority.

15. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your personal data, please contact us:

MC2 NB Energy Limited trading as TrustDraw

Data Protection Inquiries: info@trustdraw.com

Website: trustdraw.com

We will respond to your inquiry within 30 days as required by GDPR.

© 2026 MC2 NB Energy Limited t/a TrustDraw. All rights reserved.