Privacy Policy
Last updated: [DATE]
1. Data Controller
[COMPANY_NAME]
[ADDRESS]
Email: [EMAIL]
2. Overview
Randomify is a tool for running legally compliant Instagram giveaways. We take the protection of your personal data seriously. This policy explains what data we collect, why, and how long we keep it.
3. Data We Process
| Data | Source | Legal Basis | Retention |
|---|---|---|---|
| Email & password hash | Registration | Art. 6(1)(b) GDPR — contract | Until account deletion |
| Instagram username | Meta API | Art. 6(1)(b) GDPR — contract | Until account deletion |
| Instagram access token | Meta OAuth | Art. 6(1)(b) GDPR — contract | Encrypted at rest; expires per Meta policy |
| Post metadata (ID, caption, thumbnail) | Meta API | Art. 6(1)(b) GDPR — contract | Fetched on demand, not permanently stored |
| Comment usernames & text | Meta API | Art. 6(1)(f) GDPR — legitimate interest | Deleted immediately after the draw |
| Draw results | Generated | Art. 6(1)(b) GDPR — contract | Stored as non-reversible SHA-256 hash only |
4. Data Minimization
- Comments are ephemeral. Participant data is fetched, used for the draw, and then deleted. Only a SHA-256 hash of the participant list is retained for audit purposes.
- No analytics or third-party tracking pixels are used.
- Participant data is never shared with third parties.
- Access tokens are encrypted at rest (AES-256-GCM) and never logged.
5. Recipients & Sub-Processors
- Meta Platforms, Inc. — We use the official Instagram Graph API (v21.0) to fetch posts and comments. Meta acts as a separate controller for the data on their platform.
- Hosting provider — [HOSTING_PROVIDER], located in [EU LOCATION]. Data is stored on servers within the EU.
6. International Data Transfers
When we communicate with the Meta API, data may be processed on Meta servers outside the EU. This transfer is covered by Meta's Standard Contractual Clauses (SCCs) as required by Art. 46 GDPR.
7. Your Rights (GDPR Art. 15–22)
- Access (Art. 15): View all your data in the dashboard.
- Rectification (Art. 16): Profile data comes from Meta — correct it on Instagram directly.
- Erasure (Art. 17): Delete your account at any time. All associated data will be removed.
- Data Portability (Art. 20): Export your giveaway history via the dashboard.
- Objection (Art. 21): You may object to processing at any time by deleting your account.
8. Automated Decision-Making
Randomify uses a cryptographic random number generator (seeded PRNG with Fisher-Yates shuffle) to select giveaway winners. This constitutes automated decision-making. The process is fully transparent: the seed, algorithm, and participant hash are documented in the audit trail.
9. Right to Lodge a Complaint
[RELEVANT STATE DATA PROTECTION AUTHORITY]
10. Cookies & Local Storage
Randomify uses only strictly necessary session cookies for authentication. No marketing or analytics cookies are used.
11. Changes to This Policy
We may update this policy from time to time. The most current version will always be available at this URL. Significant changes will be communicated via email to registered users.