Data Processing Addendum


(Last updated: April 28, 2026)

1. Introduction and scope

1.1. This Data Processing Addendum (“DPA”) forms part of the Terms and Conditions (“Agreement”) between VeroMotion s.r.o., a company registered in the Czech Republic under registration number 27170730, with its registered address at Karla Engliše 3208/5, Prague 5, 150 00, Czech Republic (“VeroMotion”, “Processor”) and the Customer (the “Controller”) for the RandomPicker platform (the “Service”).

1.2. This DPA applies to the processing of Personal Data by VeroMotion on behalf of the Customer in connection with the provision of the Service. It does not apply to Personal Data that VeroMotion processes as a Data Controller for its own operational purposes (such as account management, billing, and direct communication with the Customer), which is described in our Privacy Policy.

1.3. This DPA is incorporated into the Agreement by reference and takes effect when the Customer accepts the Agreement. No separate signature is required.

1.4. In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.

2. Definitions

Terms not defined in this DPA have the meanings given in the Agreement. In addition:

“Data Protection Laws” means the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and any other applicable data protection or privacy legislation.

“Personal Data”, “Data Controller”, “Data Processor”, “Data Subject”, “processing”, and “Personal Data breach” have the meanings given in the GDPR.

“Standard Contractual Clauses” (“SCCs”) means the standard contractual clauses for the transfer of personal data to third countries, as set out in the Annex to Commission Implementing Decision (EU) 2021/914.

“Sub-processor” means a third party engaged by VeroMotion to process Personal Data on behalf of the Customer.

“Drawing” means any random selection, raffle, sweepstake, lottery, or winner-selection activity conducted by the Customer through the Service.

“Entry” means a record submitted to a Drawing by or on behalf of a Participant, including any Personal Data contained in that record.

“Participant” means a natural person whose Personal Data is included in an Entry.

3. Roles of the parties

3.1. The Customer acts as the Data Controller and VeroMotion acts as the Data Processor with respect to Personal Data uploaded to or processed through the Service by the Customer or its authorized users.

3.2. Where the Customer itself acts as a Data Processor on behalf of a third party (for example, when running a Drawing on behalf of a client), VeroMotion acts as a Sub-processor. The Customer warrants that it has obtained all necessary authorizations from the relevant Data Controller to engage VeroMotion as a Sub-processor.

3.3. VeroMotion acts as an independent Data Controller for Personal Data it processes for its own purposes, such as Customer account management, billing, security, fraud prevention, and service improvement. Such processing is described in our Privacy Policy and is not subject to this DPA.

4. Processing instructions

4.1. VeroMotion shall process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law. The Agreement, this DPA, and the Customer’s use of the Service through its standard configuration options constitute the Customer’s initial instructions. Additional instructions may be agreed in writing.

4.2. VeroMotion shall inform the Customer if, in its opinion, an instruction infringes Data Protection Laws. VeroMotion is not obligated to independently assess the legality of the Customer’s instructions.

4.3. The details of processing (subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects) are described in Annex A.

5. Customer obligations

5.1. The Customer is responsible for:

(a) ensuring it has a lawful basis under Data Protection Laws for processing Personal Data and for any instructions given to VeroMotion;

(b) providing all required notices to, and obtaining all necessary consents from, Participants before submitting their Personal Data to the Service;

(c) the accuracy, quality, and legality of Personal Data provided to the Service, including Entries;

(d) ensuring that any Drawing conducted via the Service complies with applicable laws (including those relating to lotteries, raffles, gambling, sweepstakes, and promotional contests);

(e) configuring the Service appropriately for its use case, including decisions about public versus private result publication, retention settings, and Participant communications;

(f) complying with all applicable Data Protection Laws in connection with its use of the Service.

6. Confidentiality

6.1. VeroMotion shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7. Security measures

7.1. VeroMotion shall implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks to Data Subjects.

7.2. A description of the key security measures is set out in Annex B. VeroMotion may update these measures from time to time, provided that the overall level of security is not materially reduced.

8. Personal Data breach notification

8.1. VeroMotion shall notify the Customer without undue delay after becoming aware of a Personal Data breach affecting Personal Data processed under this DPA, to enable the Customer to comply with its own notification obligations under applicable Data Protection Laws.

8.2. The notification shall include reasonable details about the nature of the breach to the extent known at the time of notification, including the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.

8.3. VeroMotion’s obligation to notify does not constitute an acknowledgment of fault or liability.

9. Sub-processors

9.1. The Customer provides general written authorization for VeroMotion to engage Sub-processors to assist in providing the Service. The current list of Sub-processors is available at https://www.randompicker.com/subprocessors/.

9.2. VeroMotion shall notify the Customer of any intended changes to its Sub-processors at least 30 days in advance by email to the address associated with the Customer’s Account, or by another reasonable means of notification.

9.3. The Customer may object to a new Sub-processor by notifying VeroMotion in writing within 30 days of receiving the notification, on reasonable data protection grounds. Following an objection, VeroMotion shall use commercially reasonable efforts to provide an alternative arrangement that addresses the Customer’s concerns. If VeroMotion cannot reasonably accommodate the objection, the Customer may terminate the affected part of the Service upon written notice. Previously accrued rights and obligations survive such termination.

9.4. VeroMotion shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA.

10. International transfers

10.1. Personal Data is primarily stored within the European Union.

10.2. Where VeroMotion transfers Personal Data to a Sub-processor located outside the European Economic Area (“EEA”), VeroMotion shall ensure that the transfer is protected by appropriate safeguards in accordance with GDPR Chapter V, including:

(a) an EU adequacy decision covering the recipient country;

(b) the EU-US Data Privacy Framework (where applicable); or

(c) Standard Contractual Clauses (Module Two: Controller to Processor, or Module Three: Processor to Sub-processor, as applicable).

10.3. Where Standard Contractual Clauses apply, the information in Annex A and Annex B of this DPA shall serve as the annexes to the SCCs. VeroMotion is deemed the “data importer” and the Customer the “data exporter.”

11. Data Subject rights

11.1. VeroMotion shall, to the extent technically feasible, assist the Customer in responding to requests from Data Subjects exercising their rights under applicable Data Protection Laws (including access, rectification, erasure, portability, restriction, and objection).

11.2. The Service provides self-service features that allow the Customer to access, correct, export, and delete Personal Data, including individual Entries and entire Drawing records. The Customer shall use these features as the primary means of responding to Data Subject requests.

11.3. If the Customer is unable to fulfill a Data Subject request through the Service, the Customer may contact VeroMotion at dataprotection@randompicker.com for additional assistance.

11.4. If a Data Subject request is made directly to VeroMotion concerning a Drawing run by a Customer, VeroMotion shall promptly inform the Customer and direct the Data Subject to contact the Customer.

12. Audit

12.1. VeroMotion shall make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and applicable Data Protection Laws, and shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.

12.2. To minimise disruption and protect the confidentiality of other customers’ data, audits and inspections are subject to the following reasonable conditions: (a) no more than once per calendar year, except where required by applicable law or following a Personal Data breach; (b) at least 30 days’ written notice; (c) conducted during normal business hours; (d) auditors bound by appropriate confidentiality obligations; and (e) the Customer bears its own audit costs.

12.3. VeroMotion may satisfy its obligations under this Section 12 by responding to the Customer’s reasonable written questions or industry-standard security questionnaires, where this provides sufficient assurance of compliance.

13. Data retention and deletion

13.1. VeroMotion shall process Personal Data for the duration of the Agreement and as necessary to provide the Service.

13.2. Specific retention periods applicable to Personal Data are:

(a) User records (Lists): deleted 30 days after Account closure;

(b) Subscriber records (Drawing data, Entries): retained for 12 months in active form, then archived (soft delete) for up to 5 years, then hard deleted;

(c) System logs: retained for up to 5 years for security, audit, and verification purposes, including fraud prevention, dispute resolution, and the establishment, exercise, or defence of legal claims. Longer retention reflects RandomPicker’s role as a verification platform: system logs serve as a proof-of-selection audit trail that Customers and their participants may rely on years after a Drawing has been concluded.

13.3. Upon termination or expiration of the Agreement, the Customer may request an export of its data through the Service’s standard export functionality. After the periods set out in Section 13.2, VeroMotion shall delete Personal Data from its systems, except where retention is required by applicable law.

13.4. VeroMotion may retain Personal Data in backup systems for a reasonable period following deletion from production systems. Such backup data shall remain subject to this DPA until permanently deleted in accordance with VeroMotion’s backup rotation schedule.

13.5. Where the Customer has published a public record page (drawing certificate) for a Drawing, that page may remain publicly accessible for as long as the Customer’s Account is active and the Customer has not deleted the record. The Customer is responsible for managing the visibility and lifecycle of such public records.

14. Liability

14.1. The liability of each party under this DPA is subject to the limitations and exclusions set out in the Agreement.

14.2. Nothing in this DPA or the Agreement excludes or limits liability where such exclusion or limitation is not permitted under applicable Data Protection Laws, including liability arising under Article 82 GDPR.

15. Governing law

15.1. This DPA is governed by the laws of the Czech Republic, consistent with the governing law provisions of the Agreement.

15.2. Where Standard Contractual Clauses apply, the SCCs shall be governed by the law of the EU Member State in which the data exporter is established, or if the data exporter is not established in the EU, by Czech law.

16. Term and termination

16.1. This DPA takes effect when the Customer accepts the Agreement and terminates automatically upon termination or expiration of the Agreement.

16.2. Obligations relating to confidentiality, data deletion, and ongoing data protection survive termination of this DPA.


Annex A — Processing details

A.1. List of parties

| | Data Exporter (Controller) | Data Importer (Processor) |
|---|---|---|
| Entity | The Customer, as identified in the Account | VeroMotion s.r.o. |
| Address | As provided during Account registration | Karla Engliše 3208/5, Prague 5, 150 00, Czech Republic |
| Contact | Email address associated with the Account | dataprotection@randompicker.com |
| Role | Data Controller (or Data Processor, where applicable) | Data Processor (or Sub-processor, where applicable) |

A.2. Description of processing

| | Details |
|---|---|
| Subject matter | Processing of Personal Data in connection with the provision of the RandomPicker online drawing and winner-selection platform |
| Duration | For the term of the Agreement, plus any applicable data retention period (see Section 13) |
| Nature of processing | Storage, retrieval, organization, random selection, display, transmission, certificate generation, and deletion of Drawing data and associated Entries; optional features include weighted entries, registration form widgets, public record publication, and import from third-party sources (such as Instagram) |
| Purpose | To provide the Service as described in the Agreement, including conducting random Drawings, selecting winners, generating verification certificates, and supporting Customer-Participant communications where enabled |
| Frequency | Continuous, for the duration of the Agreement |

A.3. Categories of Data Subjects

  • The Customer’s employees, staff, and authorized account users
  • Participants whose Personal Data is included in Entries submitted to a Drawing
  • Winners selected through a Drawing
  • Visitors to public record pages (drawing certificates) published by the Customer

A.4. Types of Personal Data

Depending on the configuration of each Drawing and the Entries submitted by the Customer, Personal Data processed may include:

  • Identity data: names, usernames, social media handles
  • Contact data: email addresses, phone numbers, postal addresses (where included by the Customer in Entries)
  • Authentication data: email addresses and basic profile information used to access the Service (including via Google or Facebook OAuth login)
  • Technical data: IP addresses, browser type, access timestamps, activity logs
  • Entry content: any Personal Data contained within Entries submitted to the Service, the extent of which is determined by the Customer (this may include custom fields, ticket numbers, weights, or other Customer-defined attributes)
  • Billing data: name, email, billing address, and payment-related identifiers (processed for VeroMotion’s own controller purposes — see Section 3.3)

A.5. Sensitive data

VeroMotion does not require or request special categories of Personal Data (as defined in GDPR Article 9). If such data is present in Entries submitted by the Customer, the Customer is solely responsible for ensuring a lawful basis and appropriate safeguards under GDPR Article 9.

A.6. Retention

Personal Data is retained in accordance with Section 13 of this DPA. The Customer can export or delete data at any time through the Service. Following Account closure, retention follows the schedule in Section 13.2.


Annex B — Technical and organizational measures

VeroMotion implements and maintains the following categories of security measures. These measures may be updated from time to time to reflect changes in technology and best practices, provided the overall level of protection is not materially reduced.

B.1. Access control

  • Role-based access control for all system components
  • Unique user accounts with strong password requirements
  • OAuth-based authentication via Google and Facebook (where chosen by the Customer)
  • Automatic session expiry after a period of inactivity
  • Principle of least privilege for internal access to Personal Data

B.2. Data encryption

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of data at rest where supported by the underlying infrastructure
  • Encrypted database connections

B.3. Infrastructure security

  • Hosting primarily within European Union data centers
  • Network firewalls
  • Regular security updates and patch management
  • Self-hosted analytics (Matomo) on EU infrastructure — no third-party analytics data sharing
  • Self-hosted email delivery (Sendy) on EU infrastructure for transactional and notification emails

B.4. Data separation

  • Application-level access control ensures that Customers can only access data within their own Account
  • Authorization checks on every data access operation

B.5. Backup and recovery

  • Regular automated backups of databases and stored files
  • Backups stored in encrypted form in a separate storage location within the EU
  • Periodic backup restoration testing

B.6. Logging and monitoring

  • Audit logging of access to Personal Data
  • Monitoring of system availability and performance
  • Alerting for security-relevant events

B.7. Personnel measures

  • Confidentiality obligations for all personnel and contractors with access to Personal Data
  • Access to production systems limited to authorized personnel only

Annex C — Sub-processor list

The current list of Sub-processors authorized to process Personal Data on behalf of the Customer is maintained at https://www.randompicker.com/subprocessors/.

This list may be updated in accordance with Section 9 of this DPA. The Customer will be notified of any additions or changes at least 30 days in advance.


Contact

For questions about this DPA or data protection matters:

VeroMotion s.r.o.
Karla Engliše 3208/5
Prague 5, 150 00
Czech Republic

Email: dataprotection@randompicker.com
Web: https://www.randompicker.com