Privacy Policy

1. Introduction

Kismetic (ABN pending registration) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our blockchain-verified raffle platform.

This policy complies with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). By using Kismetic, you consent to the data practices described in this policy.

2. Information We Collect

Account Information:

• Name and email address
• Organisation name (if applicable)
• Password (encrypted and never stored in plain text)
• Account creation date and last login

Draw Participant Data:

• Participant names, email addresses, and other data you upload via CSV files
• Entry counts and allocation details
• This data is provided by you and processed on your behalf to execute draws

Important: Kismetic does not collect participant data directly from individuals. All participant information is uploaded by raffle organisers, who are solely responsible for ensuring that they have obtained appropriate consent from participants for the collection, use, and disclosure of their personal information. Kismetic is a service provider that processes personal information on behalf of raffle organisers, who retain full responsibility for participant data compliance under the Australian Privacy Act 1988.

Technical Information:

• IP address and browser type (for security and authentication)
• Device information and operating system
• Usage data including pages visited and actions taken

3. How We Use Your Information

We use your personal information for the following purposes:

• Service Delivery: To create and manage your account, execute draws, and deliver our core raffle platform services
• Transactional Communications: To send essential service emails including draw confirmations, execution notifications, and account security alerts
• Draw Execution: To process participant data through our blockchain infrastructure and generate cryptographic proofs
• Customer Support: To respond to inquiries and provide technical assistance
• Marketing (Opt-in Only): To send promotional emails about new features or updates, only if you have explicitly opted in
• Security & Fraud Prevention: To protect against unauthorised access, abuse, and fraudulent activity
• Service Improvement: To analyse usage patterns and improve our platform (aggregated, non-identifying data only)

4. Data Storage & Security

Storage Location: All personal data is stored on servers located in Australia via Supabase infrastructure. Draw records are also stored on the Polygon blockchain (a public, immutable ledger).

Blockchain Immutability:Information written to the Polygon blockchain is immutable and cannot be altered or deleted once published. This includes draw-related information containing winners' first names, last initials, and states.

Minimal Personal Information on Blockchain:Kismetic stores only minimal personal information on the blockchain to protect participant privacy while maintaining draw verifiability. When a draw is executed, only the following limited information is written to the Polygon blockchain: winners' first names, last initials (single letter only), and states. This applies to both primary winners and backup winners.

What is NOT Published On-Chain: For privacy protection, the following information is never written to the blockchain: email addresses, full surnames, full addresses, phone numbers, or any other identifying information beyond first name, last initial, and state.

Backup Winner Visibility: While backup winners are stored on-chain, they are not displayed on Kismetic's public winner announcement page unless activated by the raffle organiser. However, backup winner information is technically accessible to anyone who queries the smart contract directly, as all blockchain data is public by design. Raffle organisers are responsible for ensuring that participants have been informed about and have consented to this limited publication of their information on a public blockchain, consistent with section 5 of our Terms of Service.

Wallet Addresses and Transaction Metadata: Kismetic does not require users or raffle participants to provide cryptocurrency wallet addresses. All blockchain interactions, including VRF requests and draw proofs, are executed using Kismetic-operated service wallets. As part of blockchain execution, transaction metadata such as transaction IDs and smart contract interaction details are written to the Polygon blockchain. This information is publicly visible but does not contain any personal information about users or participants.

Security Measures:

• Industry-standard encryption for data in transit (TLS/SSL) and at rest
• Secure authentication with password hashing (bcrypt)
• Regular security audits and penetration testing
• Access controls and role-based permissions
• Monitoring and logging for suspicious activity

Data Breach Notification: In the event of an eligible data breach under the Privacy Act 1988 (Cth), we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches (NDB) Scheme.

While we implement robust security measures, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security but take all reasonable steps to protect your data.

5. Third-Party Services

We use the following trusted third-party services to operate our platform:

• Supabase: Database and authentication (data stored in Australia)
• Chainlink VRF: Verifiable random number generation for draw execution (on-chain only, no personal data shared)
• Zoho Mail: Transactional email delivery
• Polygon Blockchain: Draw execution and verification (public blockchain, pseudonymous)
• Vercel: Website hosting and content delivery

Overseas Disclosure: Some technical processing associated with blockchain operations may involve infrastructure located outside Australia. Chainlink VRF and Polygon blockchain operate on globally distributed networks. By using our service, you consent to the transfer of technical data necessary for on-chain execution to international blockchain nodes. This is required under Australian Privacy Principle 8 (APP 8) for cross-border disclosures. Any personal information involved in these cross-border disclosures is limited to the minimal winner information described in this policy, together with technical metadata necessary to execute and verify draws on-chain.

These third parties have contractual obligations to protect your data and use it only for providing services to Kismetic. We do not sell your personal information to third parties.

6. Marketing Communications

We will only send you marketing emails if you have explicitly opted in to receive them. You can opt out of marketing communications at any time by:

• Clicking the "Unsubscribe" link in any marketing email
• Updating your preferences in your account settings
• Contacting us at support@kismetic.app

Note: You cannot opt out of essential transactional emails (e.g., draw execution confirmations, password reset emails) as these are necessary for service delivery.

7. Your Rights

Under the Australian Privacy Act 1988 (Cth), you have the following rights:

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete personal information
• Deletion: Request deletion of your account and associated personal data (subject to legal retention requirements)
• Portability: Request export of your data in a machine-readable format
• Restriction: Request restriction of processing in certain circumstances
• Complaint: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe we have mishandled your data

To exercise these rights, contact us at support@kismetic.app. We will respond to requests within 30 days.

8. Data Retention

Account Data: Retained for as long as your account remains active. If you delete your account, personal information will be removed within 30 days (except where retention is required by law or technical limitations).

Draw Records: Retained indefinitely to maintain the integrity and verifiability of historical draws. This may include participant data associated with executed draws to the extent necessary to provide verification and auditability for you as the raffle organiser. Draw records are essential for cryptographic proof and cannot be deleted without compromising fairness verification.

Blockchain Data Retention Exception:Immutable on-chain records stored on the Polygon blockchain cannot be altered or deleted, even if you request deletion of personal information. This includes winners' first names, last initials, and states for both primary and backup winners. This is a technical limitation of blockchain technology. Where participant data is stored off-chain (in our database), it will be removed to the extent legally and technically possible upon request. However, data that has been written to the blockchain as part of draw execution (including all winner information) will remain permanently accessible to anyone who queries the blockchain.

9. Cookies & Tracking

We use essential cookies for authentication and session management. These cookies are necessary for the platform to function and cannot be disabled.

We do not use third-party advertising cookies or tracking pixels. We do not track your browsing activity across other websites.

10. Children's Privacy

Kismetic is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will delete it immediately.

11. International Users

Kismetic is designed for Australian users and complies with Australian privacy laws. If you access our service from outside Australia, please be aware that:

• Your data will be transferred to and stored in Australia
• Australian privacy laws will apply to your personal information
• You may have different rights under your local privacy laws

12. Changes to Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will:

• Notify you via email
• Update the "Last Updated" date at the top of this page
• Provide prominent notice on our website

Your continued use of Kismetic after changes are posted constitutes acceptance of the updated Privacy Policy.

13. Contact Us

If you have questions about this Privacy Policy or how we handle your personal information, please contact us:

If you have concerns about how we have handled your personal information and are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.