Fairness, Transparency & Security
Online competitions rely entirely on trust. We built this system because we believe every entrant deserves to know that their entry is real, their tickets are protected, and every draw is genuinely fair — not just because we say so, but because every step is recorded and verifiable.
When you enter a competition, you’re putting your trust in us. We take that seriously. From payments, to random ticket allocation, to ticket confirmation, to drawing winners, every stage produces a complete, tamper-proof record that nobody can alter. If a result is ever questioned, the answer is always there. Fairness isn’t just a promise — it’s something we’ve built into every part of how Win A Bundle works.
Site Security & Secure Payments
All pages on the Win A Bundle website are served over HTTPS, secured by an SSL certificate issued by Let’s Encrypt. This means all data passing between your browser and our website is encrypted in transit at all times — not just at checkout.
We do not store any card or payment details on our systems. All payment data is handled entirely by our payment providers — Cashflows, TrustPayments, and PayPal — each of whom operate secure, PCI DSS compliant payment infrastructure. PCI DSS (Payment Card Industry Data Security Standard) is the globally recognised security standard for organisations that handle card payments, ensuring that your payment details are processed and stored to the highest level of security.
Your Tickets Are Protected From the Moment You Enter
When you complete your entry, your ticket numbers are automatically assigned and sent to you by email. Every ticket is also visible in your account at any time.
Within minutes of your order being placed, your ticket confirmation is automatically cryptographically timestamped by an independent third party — FreeTSA.org — using their own private key. This creates a permanent external record proving that your specific tickets existed at that exact date and time.
This record exists entirely outside our systems. It cannot be altered, backdated, or deleted by anyone — including us. If your entry was ever called into question, this timestamp is independently verifiable proof that your tickets were issued exactly as confirmed.
You can verify your own token at any time directly through your account. We can also verify it on your behalf if you ever need support.
Every Draw Has a Full Audit Trail
Every competition generates a complete, multi-layered record that together forms an unbreakable audit trail. These records cover:
- Order records — every entry placed, linked to your account
- Ticket allocation logs — which ticket numbers were issued, to whom, and when
- Entry timestamps — the exact date and time each entry was placed
- Cryptographic verification tokens — independently timestamped proof of every ticket issued
- Payment processor confirmations — independently recorded by Cashflows, TrustPayments, or PayPal
- Email confirmation logs — permanently archived on both our internal systems and with Amazon SES
- Draw logs — a full record of how the winning ticket was selected
Whether an entry is placed online or by post, every order flows through the same system. Postal entries are created manually by a member of staff, but once entered, they follow exactly the same process — tickets are assigned automatically, a cryptographic verification token is generated, and a confirmation email is dispatched and archived. Postal entries are only accepted and entered into the system prior to the competition closing. Once the competition locks, no further entries of any kind can be added. The audit trail is identical regardless of how the entry was placed.
Our internal systems hold the primary records. Because we also hold external verification at every critical point — cryptographic timestamps via FreeTSA, payment records via Cashflows, TrustPayments, or PayPal, and email archives via Amazon SES — no single system failure or dispute can undermine the integrity of the trail.
If a draw ever needed to be independently reviewed, every step can be verified.
Confirmation Emails & Email Archives
Confirmation emails are sent automatically at the point of entry and permanently archived on both our internal systems and with Amazon SES.
Once recorded, these logs cannot be edited or amended by anyone. They capture:
- The exact email sent
- The ticket numbers issued
- The time and date the email was delivered
In the event of any dispute, these records are used for verification purposes alongside the cryptographic entry tokens. They are not accessible externally.
Payment Processing
All payments are processed by one of three fully regulated payment providers — Cashflows, TrustPayments, or PayPal — depending on the method used at checkout.
Cashflows – Cashflows Europe Limited is authorised and regulated by the Financial Conduct Authority (register reference 900006) under the Electronic Money Regulations 2011 for the issuing of electronic money and the provision of payment services. Cashflows is a principal member of Mastercard® and Visa®, and holds licence agreements with American Express®, Discover®, UnionPay International®, and JCB®. Registered in England and Wales, company number 05428358.
TrustPayments – Trust Payments Ltd and TrustUK Payments Ltd are authorised and regulated by the Financial Conduct Authority under the Payment Services Regulations 2017 (register reference 932557) for the provision of payment services. Registered in England and Wales, company numbers 11976895 and 12283499 respectively. Trust Payments (Malta) Limited is authorised and regulated by the Malta Financial Services Authority for the provision of payment services.
PayPal – PayPal is one of the world’s most recognised and regulated payment platforms, authorised as an electronic money institution across multiple jurisdictions including the UK and EU.
Every transaction — regardless of provider — generates an independent record held entirely outside our systems, confirming the payment amount, reference, and timestamp. This forms part of the permanent audit trail for every competition.
How Winners Are Chosen
Every valid ticket has an equal chance of being selected. Depending on the competition, draws are conducted either live or automatically.
Live Draws
Live draws are conducted using ANGIE — our dedicated electronic raffle draw machine, the Thomas Spin Electronic Raffle & Tote Machine, supplied by Thomas & Anca.
ANGIE is a purpose-built, robust metal random number selector capable of generating numbers across a range of up to 999,999. For each live draw:
- The start and finish ticket numbers for the competition are entered into the device
- ANGIE randomly selects a number within that range
- The selected number is matched against the entrant list to identify the winner
All live draws are broadcast in real time on Facebook and YouTube. Every completed draw is permanently archived, unedited, on our YouTube channel, meaning any previous draw can be watched back at any time. This gives our community full visibility of every result, exactly as it happened.
In circumstances where ANGIE is unavailable, draws are conducted using the Google Random Number Generator as a backup. The same process applies — a number is selected within the range of valid ticket numbers and matched against the entrant list to identify the winner. All draws conducted using the Google Random Number Generator are conducted live and archived in the same way.
Automated Draws
Automated draws follow a precise, documented process:
1. The competition locks – At the scheduled end date and time — or when the final ticket sells out, if sold-out closing is enabled — the competition is automatically locked. No further entries are accepted.
2. The eligible ticket pool is built -The system collects every valid ticket associated with the competition. Each individual ticket represents one entry.
3. Random selection – PHP’s array_rand() function selects the winning ticket ID from the eligible pool. This uses PHP’s built-in Mersenne Twister random number generator, a widely trusted algorithm used across millions of applications worldwide. Every eligible ticket has an equal and independent probability of selection.
4. The winner is recorded – For each winning ticket, the system:
- Creates a winner order record in WooCommerce
- Logs the win against the winning ticket and customer account
5. Notifications are dispatched – Winner and non-winner notification emails are sent automatically once the draw completes.
Instant Wins
Some competitions include instant-win prizes alongside an end draw. Before a competition opens, instant win prizes are attached to specific ticket numbers, which are visible on the competition page so entrants can see exactly which tickets carry a prize before they enter.
When an entry is made, a ticket number is assigned using PHP’s array_rand() function and PHP’s built-in Mersenne Twister random number generator — a widely trusted algorithm used across millions of applications worldwide. Every entry has an equal and independent probability of being assigned any available ticket number. If the assigned ticket number carries an instant win prize, the prize is triggered automatically.
The winner is notified immediately by email, the prize details are displayed on the entry confirmation page, and a record of the win is permanently visible in their account. Where the prize is a discount or store credit, a unique coupon code is generated and issued specifically to the winner, locked to their email address and valid for a single use.
As with every other part of the system, each instant win is logged as part of the full audit trail for that competition.
Draw Results
The results of every competition are published after each draw completes. Winners are notified directly by email, and results are made publicly available on our Winners page so that anyone can verify the outcome.
Refunds
If an order is refunded for any reason, the refund is recorded and timestamped by the relevant payment processor — Cashflows, TrustPayments, or PayPal — creating an independent record of the amount, the time, and the payment reference.
When a refund is issued, the associated tickets are immediately recorded as refunded, removed from the entrant list, and returned to the pool of available tickets.
This ensures the audit trail remains complete end-to-end, from entry through to any payment or refund event, and that every active ticket in the draw is valid and accounted for.
Fair Play
We take the integrity of our competitions seriously. If we ever identify suspicious activity or behaviour contrary to the spirit of a competition, we reserve the right to remove affected entries and issue a full refund — always before the draw takes place, so only valid entries are included in the final draw.
Any such action is logged as part of the audit trail for that competition.
Verifying Your Own Entry
You don’t have to take our word for it. Every entrant has access to independent proof of their tickets:
- Your account — all tickets are visible in your account dashboard at any time
- Your confirmation email — issued immediately after entry, confirming your ticket numbers
- Your verification token — a cryptographic receipt automatically timestamped by FreeTSA.org, independently proving your tickets existed at the exact moment they were issued
You can verify your token yourself at any time, or contact us and we’ll verify it with you.
We take an active approach to fairness. Our systems are continually monitored and reviewed, and we are always looking for ways to strengthen the protections we put in place for our entrants.
Every entry protected. Every draw recorded. Every result verifiable. That’s the standard we hold ourselves to, every single time.
Questions
If you’d like to know more about how our competitions work, we’re happy to help. Get in touch with our team any time by emailing info@winabundle.co.uk.
