Skip to main content

Regulatory compliance for competitions

Competition regulations vary by market, prize type, and promoter. Use this page as operational guidance for draw-based competitions in Spaaza, and confirm the final competition rules, oversight process, privacy handling, and record-retention obligations with the promoter's legal or compliance advisers before launch.

What Spaaza records

In a draw-based competition, customers receive entries during a defined competition period. The period is set by the campaign group and the active dates of the competition wallet and contributing campaigns. Eligible actions can include transactions, signups, profile actions, or any other campaign qualification that contributes entries into the competition wallet.

The campaign group, competition wallet, and contributing campaigns describe the configuration of the competition in Spaaza. Together, they define the competition period, entry wallet, routes to entry, and entry amounts used for the draw.

Eligibility is controlled by the campaign configuration. For example, contributing campaigns can restrict entry earning by product, store, channel, audience, date range, transaction value, or other campaign rules. Each qualifying action contributes the configured number of entries into the competition wallet. A customer can usually earn more than one entry when they qualify more than once, unless the competition rules and campaign configuration deliberately limit that behaviour.

Customer-facing messages, receipts, app screens, or Embed Elements can show that entries were earned, but the authoritative record for the draw is the entry data stored by Spaaza.

Eligibility and exclusions

The competition rules should define who may participate before the competition begins. Excluded groups often include promoter staff, store employees, cashiers, agencies, suppliers, or other parties who should not be eligible for prizes.

Where possible, exclusion lists should be prepared before the winner population is frozen. If a complete employee or cashier list is not available, anomaly detection or outlier review can help identify entries that need investigation. Detection alone should not automatically disqualify a participant. Any exclusion should be supported by documented evidence, meaningful human review, and the process described in the competition rules.

Before a draw is performed, the promoter should confirm:

  • the competition rules and eligibility criteria;
  • the campaign group, wallet, and contributing campaign configuration;
  • the eligible-entry period;
  • the exclusion list;
  • the number of winners and backup winners;
  • the oversight or approval process required for the draw.

How the draw works

At draw time, Spaaza uses the eligible entries recorded in the competition wallet for the selected competition period. The entries can be understood as a numbered bar. If three qualifying actions created 2, 1, and 1 entries, the draw population contains four positions:

Entry 1  Entry 1  Entry 2  Entry 3

Each entry occupies one position. A customer who earned multiple entries can appear multiple times in the draw population, which gives them the weighted chance described by the competition rules.

For each winner required, the draw process selects a random position from the eligible-entry population, looks up the entry and customer for that position, and checks whether the customer is excluded or has already been selected. Spaaza uses a cryptographically secure random number generator implemented by the built-in crypto/rand package of Go v1.26. If the customer cannot be selected, that selection is skipped and another position is drawn. If the customer can be selected, the entry and customer are recorded in the winner list and the customer is added to the excluded set for the rest of that draw.

Backup winners are used when a confirmed winner cannot be validated, contacted, or awarded according to the competition rules. When backup winners are configured, they should be drawn and retained as alternates using the same eligibility and exclusion principles.

Draw integrity and audit artefacts

The draw should only be performed after the entry population, exclusion set, and relevant campaign configuration have been reconciled. The final draw should be treated as a controlled event: once the winner population has been frozen and the draw has run, the draw should not be repeated unless the promoter follows a documented incident process.

Spaaza provides the following standard draw artefacts:

  • a file with the winners and backup winners;
  • the draw process log file.

These draw artefacts are stored securely in Spaaza for three years. They cannot be edited or deleted once the files have been created by the automated draw process.

The following additional records are useful for audit and regulatory review:

  • the competition configuration, as described by the campaign group, competition wallet, and contributing campaigns;
  • the final eligible-entry set;
  • the draw configuration, including winner and backup counts;
  • the exclusion set used for the draw;
  • the competition wallet report and contributing campaign reports;
  • the competition terms, eligibility rules, approval records, and any required oversight documents.

For regulated draws, agree the audit pack before the competition starts. Depending on the promoter's requirements, this may include timestamps, software or configuration identifiers, generated values, selected candidates, skipped candidates, final determinations, or hashes of frozen datasets.

The promoter should keep the downloaded winner file together with the competition terms and other records required by the applicable competition rules.

Privacy and retention

Competition draws use personal information because entries must be tied back to customers and transactions or other qualifying actions. Personal information should be processed only for defined competition purposes, with appropriate access controls, security controls, retention periods, and deletion or de-identification processes when records are no longer lawfully required.

Spaaza handles and retains customer data for competitions in line with the privacy and data-protection legislation that applies in the relevant markets, such as GDPR in the EU, POPIA in South Africa, and comparable local privacy laws. The applicable processor obligations, retention periods, security controls, transfer safeguards, and deletion or de-identification requirements are typically also covered in the data processing agreement between Spaaza and the promoter or retailer.

Independent oversight

Some competitions require independent oversight or certification. Where required by the competition rules or local regulations, an independent accountant, registered auditor, attorney, advocate, or other approved reviewer can be given appropriate access to Spaaza Console or exported draw artefacts so they can review the competition data and draw records.

Agree the oversight model before the competition starts. The reviewer should know which records will be available, when the entry population will be frozen, how the draw will be performed, and how winner files and process logs will be shared.