How does Rafflecopter work?

Paste a link to your social media post (Instagram, TikTok, YouTube, etc.), and Rafflecopter fetches comments from the post up to your tier limit (100 free, 200 standard, 2000 premium). Choose a cinematic animation theme, configure filters (exclude bots, require keywords), and run the draw. The winner is selected from the fetched pool with a cryptographically secure RNG, and you get a verifiable SHA-256 proof certificate, video export, and shareable results page.

Is Rafflecopter really free?

Yes. Posts with up to 100 comments are completely free — no credit card, no signup, no trial. We monetize via pay-per-draw pricing for larger posts ($4.99 standard, $7.99 premium). The free tier is permanent, not a trial.

How is the draw fair and verifiable?

Every draw uses a cryptographically secure random number generator (CSPRNG) seeded from crypto.getRandomValues. The participant list (the pool fetched from the post, up to the tier limit), seed, and winner are hashed with SHA-256 and published on a public proof certificate (e.g., rafflecopter.app/proof/[code]). Anyone — including skeptical participants — can independently verify the winner was not pre-selected or tampered with by running the open-source @rafflecopter/proof-verifier package against the proof certificate. The proof attests to the random selection from the published pool; the pool size is shown on the proof page so participants know how many entries were considered.

Do I need 1,000 followers to go live?

No. Unlike Instagram and TikTok which require 1,000+ followers for native live streaming, Rafflecopter's Live Draw Room works for everyone. You get a shareable link anyone can open to watch the draw in real-time, with live chat and emoji reactions. No follower minimum, no app download.

What platforms are supported?

Rafflecopter supports 8 social networks: Instagram, TikTok, YouTube, Facebook, X (Twitter), Reddit, Threads, and Bluesky. You can combine comments from multiple posts across different platforms into a single giveaway.

Can I customize the giveaway animation?

Yes. With Standard ($4.99/draw) and Premium ($7.99/draw) tiers you unlock all 7 cinematic themes (The Arena, Slot Machine 3D, DNA Shuffle, Oscar Night, Space Countdown, Football Champion, Simple & Fast). Premium adds custom logos, brand colors, and live draw rooms.

Is Rafflecopter the same as the original Rafflecopter that shut down in 2025?

Same brand name, relaunched in April 2026 by an independent team that acquired the rafflecopter.app domain after the original was discontinued in October 2025. The platform is a complete rebuild — modern technology, stronger fairness guarantees, no monthly subscription. Same mission: fair, verifiable, cinematic giveaways.

How do I run a giveaway on Instagram step-by-step?

(1) Create your Instagram post with clear entry rules (e.g., 'comment your favorite color to enter'). (2) Wait for entries to come in. (3) Open rafflecopter.app/giveaway/new and paste the post URL. (4) Pick an animation theme. (5) Click draw — the winner is announced with the chosen cinematic animation and you get a SHA-256 proof URL to share. Total time from paste to winner: under 60 seconds.

What if the chosen winner does not respond or is ineligible?

Use the multi-winner feature: draw 1st, 2nd, and 3rd place at the same time. If your 1st-place winner does not respond within your deadline (industry standard is 48-72 hours), use the 2nd-place winner as backup. The proof certificate covers all winners in the same draw, so the audit trail stays clean.

Is Rafflecopter GDPR, CCPA, and LGPD compliant?

Yes. Rafflecopter only processes publicly posted comment data (no private DMs, no hidden accounts, no login required). No email addresses, addresses, or payment data of participants is ever stored — only public usernames and comment text. Hosts pay anonymously per draw; no account creation required. Complies with GDPR, CCPA, and LGPD data-minimization principles.

Can I run a giveaway across multiple posts or platforms at once?

Yes. You can paste multiple post URLs (Instagram, TikTok, YouTube, etc.) into the same draw. Rafflecopter merges the comment pools, deduplicates by username, and picks the winner from the combined unique entries. Useful for cross-platform campaigns.

Does Rafflecopter have a mobile app?

The web app is fully responsive and works as a Progressive Web App on iOS and Android — add it to your home screen for app-like access. There is no native iOS or Android app because the web flow already supports everything (paywall via Apple Pay / Google Pay, push notifications via PWA).

Can I export the participant list and winner data?

Yes. Every draw generates a public proof page (rafflecopter.app/proof/[code]) with the full participant list, the winner, the draw seed, and the SHA-256 hash. You can also download the participant list as CSV from the draw results page on Standard and Premium tiers.

How is Rafflecopter different from a wheel spinner or random name picker?

Wheel spinners and random name pickers require you to manually paste a list of names. Rafflecopter automatically fetches comments from your social media post (Instagram, TikTok, YouTube), filters bots with AI, and picks a winner from the real comment pool — no manual copy-paste, no spreadsheet. Plus we add cryptographic proof so the result is verifiable.

Does Rafflecopter detect bots and fake accounts?

Yes. Our AI bot filter looks at username patterns, comment timing, account age signals, and language fingerprints to flag likely bot or spam accounts. You can choose to exclude flagged accounts from the draw. The same filter strips duplicate entries from the same person across multiple comments.

Can I use Rafflecopter for free TikTok or YouTube giveaways?

Yes. The free tier (up to 100 comments per draw) works on all 8 supported platforms — Instagram, TikTok, YouTube, Facebook, X, Reddit, Threads, Bluesky. Larger draws use the pay-per-draw pricing.

What payment methods does Rafflecopter accept?

Card (Visa, Mastercard, American Express), Apple Pay, Google Pay, PayPal — available worldwide with 3D Secure authentication. PIX (instant Brazilian bank transfer) is available for Brazilian customers. Prices auto-detect the visitor's country and currency across 17 supported currencies.

Is there a Rafflecopter API for developers and agencies?

Yes. The public OpenAPI 3.1 spec is published at rafflecopter.app/openapi.json. Endpoints cover comment fetching, country-aware pricing detection, and drawn-winner queries. Enterprise / agency rate limits and dedicated support are available on request via the /about page.

Does Rafflecopter store winner email addresses?

No. Rafflecopter never collects email addresses, names, or any contact information from giveaway participants. Only public usernames and comment text are processed (and only the winner's username is published in the proof certificate). Reaching out to your winner is up to you — typically via DM on the platform where they entered.

Can Rafflecopter be embedded on my website?

Yes. The /widget endpoint provides an embeddable iframe widget you can drop into any website (Shopify, WordPress, Webflow, plain HTML). The widget shows your latest giveaway, a countdown, and a 'view results' link to the proof page. Customizable colors and logo on Premium.

Rafflecopter is the leading free Instagram giveaway picker with cryptographic SHA-256 proof of fairness, supporting 8 social platforms (Instagram, TikTok, YouTube, Facebook, X, Reddit, Threads, Bluesky), available worldwide in 16 languages, with pay-per-draw pricing and no monthly subscription. Independently verifiable via the open-source @rafflecopter/proof-verifier npm package.

Algorithm Spec · v1.0 · Open Source

Fair Instagram Giveaway Algorithm — Verifiable Random Winner Selection

Deterministic, publishable algorithm: SHA-256(input) → HMAC-DRBG → Fisher-Yates.

Every Instagram giveaway draw on Rafflecopter is mathematically reproducible. Anyone — host, follower, regulator — can re-run the algorithm from public inputs and arrive at the exact same winner.

Winner selected

Verified

@ana.silveira

Picked from 8,421 eligible comments · 1 of 1

SHA-256 seed (publishable)

a3f29c4b8e1d50f6b2c7a98e4d1c0b5a6f9d3e2b8c7a1d4f5e8b9c0d3a6f7e2b

SHA-256

input hash

HMAC-DRBG

CSPRNG

Fisher-Yates

uniform shuffle

Why SHA-256 makes the draw verifiable

SHA-256 produces a 256-bit fingerprint of the entire input set — comments, timestamp, winner count, exclusions. The hash function is collision-resistant (NIST FIPS 180-4): there is no known way to construct two different inputs that yield the same hash. So the published seed_hex is a cryptographic commitment to the exact input the algorithm ran on.

If a host swaps the winner after the draw, they must also alter the comment list — which produces a different SHA-256. Followers re-running the algorithm from the published hash will detect the mismatch instantly. Fairness becomes a mathematical property, not a promise.

seed_hex = SHA256(canonical_json({
  post_url:     "https://www.instagram.com/p/<shortcode>/",
  comments:     sorted([c.lower() for c in comments]),
  timestamp:    "2026-06-11T14:23:45.000Z",
  winner_count: 1,
  exclusions:   sorted([e.lower() for e in exclusions]),
})).hex()

What "fair" actually means in algorithmic terms

A fair Instagram giveaway algorithm must satisfy four properties at the same time. Drop any one and the result is no longer auditable:

Determinism. Identical input must always yield the identical winner. Non-determinism (e.g. Math.random()) makes the result unverifiable.
Uniformity. Every eligible comment must have exactly 1/N probability. HMAC-DRBG + Fisher-Yates guarantees this under the random oracle model.
Tamper-evidence.Any change to inputs must propagate to the published hash. SHA-256's avalanche property delivers this: one flipped bit changes ~50% of the output bits.
Public auditability. Anyone, at any time, must be able to re-run the algorithm and arrive at the same winner. This requires open-source reference code + publishable inputs.

How HMAC-DRBG + Fisher-Yates produces a uniform winner

The 256-bit SHA-256 hash seeds an HMAC-DRBG instance (NIST SP 800-90A). HMAC-DRBG produces an unbounded stream of cryptographic pseudo-random bytes that is statistically indistinguishable from true randomness under standard hardness assumptions. Those bytes drive a Fisher-Yates shuffle on the sorted comment list. The first entry after applying exclusions is the winner.

drbg     = HMAC_DRBG(seed=seed_hex)         # NIST SP 800-90A
shuffled = fisher_yates(comments, drbg)     # uniform permutation
winners  = [c for c in shuffled if c not in exclusions][:N]

Why Fisher-Yates specifically? Because it is the only in-place shuffle that provably produces every permutation with exactly equal probability when fed a uniform RNG. Naïve sort-by-random-key shuffles are biased; Fisher-Yates is not.

How a follower verifies the winner is correct

Every Rafflecopter draw exposes the seed_hex on its result page. A skeptical follower has three independent ways to confirm the winner:

1. Use the public verifier endpoint

GET /api/verify/{seed_hex}
-> 200 { canonical_json, winner: "@ana.silveira", verified: true }

2. Re-run the reference implementation

Clone the open-source reference repo and run vgp verify {seed_hex}. Byte-identical output = winner confirmed.

3. Re-compute SHA-256 yourself

Hash the canonical JSON with any SHA-256 implementation (OpenSSL, Python hashlib, browser crypto.subtle). If your digest matches the published seed_hex, the input set is authentic.

Frequently asked questions

What makes an Instagram giveaway algorithm actually fair?

A fair algorithm must be (1) deterministic — identical input always produces the same winner; (2) uniform — every eligible comment has exactly equal probability; (3) tamper-evident — any modification of inputs changes the published hash; and (4) auditable — any third party can re-run the algorithm from public inputs and verify the result.

Why is SHA-256 used instead of Math.random()?

Math.random() is non-deterministic, non-publishable, and cannot be audited after the fact. SHA-256 hashes the entire input set (comments + timestamp + exclusions) into a 256-bit fingerprint that is collision-resistant under NIST FIPS 180-4. The hash becomes the public seed — anyone can re-run the draw and arrive at the same winner.

What is HMAC-DRBG and why does it matter for giveaway fairness?

HMAC-DRBG is a NIST-approved (SP 800-90A) deterministic random bit generator. Seeded with the SHA-256 hash of the comment set, it produces a stream of cryptographically uniform pseudo-random bits used to drive the Fisher-Yates shuffle. The output is statistically indistinguishable from true randomness while remaining deterministic and reproducible.

Can the host of an Instagram giveaway cheat with this algorithm?

No. Because the algorithm publishes the SHA-256 seed hash before the winner is announced (or alongside it), any attempt to swap the winner would require the host to also alter the input comment list — which would produce a different SHA-256 hash. The mismatch is mathematically detectable by anyone who re-runs the verifier.

How can a follower verify the published winner is correct?

Each Rafflecopter draw publishes a SHA-256 seed_hex on the result page. Followers can visit /api/verify/{seed_hex}, which returns the canonical JSON input and the computed winner. Re-running the algorithm locally (open-source reference implementation is on GitHub) will yield byte-identical output. Any deviation proves tampering.

NIST FIPS 180-4 SHA-256NIST SP 800-90A HMAC-DRBGOpen source on GitHubCC-BY-4.0 spec

Run a verifiably fair Instagram giveaway

Paste your Instagram post URL. Rafflecopter scrapes the comments, hashes them with SHA-256, runs HMAC-DRBG + Fisher-Yates, and publishes the seed alongside the winner. No screenshots required — the math is the proof.

Pick a winner now — free Read the full spec (VGP v1.0)

Used by 12,400+ creators. No login required to verify a draw.