Privacy Policy · Lottra

TL;DR. We collect what we need to run a fair sweepstakes — your Telegram identity, gameplay data, and (only at payout) ID details. We don't sell your data. We store identity documents encrypted, and you can request deletion at any time.

1. Who is the data controller

Lottra ("Lottra", "we", "us") is the data controller for personal data processed in connection with your use of the Lottra Telegram Mini App ("Service"). For privacy questions, contact privacy@lottra.app.

2. Data we collect

From Telegram

When you open Lottra via the Telegram Mini App, the Telegram client provides us a signed payload ("initData") which includes your Telegram user ID, first name, optional last name, optional username, optional language code, and optional profile photo URL. We verify the signature against the Telegram bot secret to confirm authenticity. We do not receive your phone number, contacts, or message history from Telegram.

From your gameplay

Tap, energy, daily-login, and quest activity.
Currency balances and transaction history (Gold Coins, Sweep Stars).
Raffle entries and outcomes.
Telegram Stars purchase events (we receive the transaction ID and amount; we do not receive your payment card or bank details).
Approximate country code derived from your network connection (used for legal eligibility).
Referral relationships (who referred you).

For identity verification (KYC) and payouts

Only collected when you initiate verification or request a payout:

Full legal name.
Date of birth.
Country of residence.
Government-issued ID type and number.
Mobile money phone number and network (or other payout details).
(From Day 12 onward) optional photographs of identity documents and a selfie for biometric matching.

Technical / device data

IP address (used to derive country code and detect fraud; not displayed to other users).
User-agent string and basic Telegram WebApp environment fields.
Server logs of API requests (request path, status, and timing) for security and debugging.

3. How we use your data

To run the game — track your balance, energy, raffle entries, daily streak, and quest progress.
To pay prizes — verify your identity, validate eligibility, and disburse cash via your chosen mobile money provider.
To prevent fraud and cheating — detect bots, multi-accounting, prohibited geographies, and other abuse.
To comply with law — anti-money-laundering, sanctions screening, and sweepstakes regulation.
To communicate — send transactional messages via the Telegram bot (winner notifications, KYC outcomes, payout confirmations). You can mute the bot at any time in Telegram.
To improve the service — aggregate analytics on which features are used, error monitoring, and performance.

4. Legal bases for processing

Where the GDPR or analogous laws apply, we rely on:

Contract — to deliver the Service you signed up for.
Legal obligation — KYC and AML record-keeping.
Legitimate interest — fraud prevention, service security, and improving the product.
Consent — for any processing that requires it (we will ask explicitly).

5. Who we share data with

We don't sell your personal data. We share limited data with the following categories of processors, each bound by data-processing agreements:

Supabase — primary database and storage (PostgreSQL, encrypted at rest).
Telegram — Mini App platform and bot delivery (we send notifications via the Telegram Bot API).
Upstash — Redis for rate limiting and ephemeral state.
Vercel — application hosting and edge networking.
Mobile money providers — to disburse payouts (we share only the data needed to complete a transfer: name, mobile number, amount).
Identity verification partners — where applicable, for document and biometric checks.
Sentry (or equivalent) — error monitoring (we strip PII from error reports).
Authorities — when required by law, court order, or to investigate fraud.

6. International transfers

Some of our processors are located outside your country. Where the GDPR or analogous laws apply, we rely on Standard Contractual Clauses or equivalent safeguards for international transfers.

7. Retention

Account and gameplay data — kept while your account is active and for up to 7 years thereafter (sweepstakes record-keeping requirements).
Identity documents — kept for the regulatory minimum and deleted promptly after.
Server logs — typically 30–90 days.
Marketing data — until you unsubscribe.

8. Security

All connections use HTTPS/TLS.
The database is encrypted at rest. Identity documents and KYC fields are encrypted with column-level encryption.
JWT-signed sessions, with cryptographic verification of every Telegram initData payload.
Rate limiting and bot detection on hot endpoints.
Access to production data is restricted to a small, audited set of staff.

No system is perfect; if we ever experience a data breach affecting you, we will notify you in line with applicable law (typically within 72 hours).

9. Your rights

Subject to applicable law, you have the right to:

Access — request a copy of the personal data we hold on you.
Correct — fix inaccurate data (most fields are editable in-app).
Delete — close your account and request deletion. We may retain limited data to comply with legal obligations (e.g., AML records).
Restrict / object — to certain types of processing.
Data portability — receive your data in a machine-readable format.
Withdraw consent — where consent is the legal basis.
Lodge a complaint — with your local data-protection authority.

To exercise any of these rights, email privacy@lottra.app from the email associated with your account, or message @LottraSupportBot. We aim to respond within 30 days.

10. Children

Lottra is strictly for users 18+ (or the legal age of majority in your jurisdiction). We do not knowingly collect data from minors. If you believe a minor has registered, contact us and we will remove the account.

11. Cookies and tracking

Lottra runs as a Telegram Mini App and stores a small JWT session token in browser cookie storage to keep you logged in. We do not use third-party advertising trackers. Aggregate analytics may be enabled in the future and will be disclosed here before activation.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced in-app and via the Telegram bot at least 14 days before taking effect.

13. Contact

Privacy questions: privacy@lottra.app. General support: support@lottra.app or @LottraSupportBot.