Trust & security
Sorteo runs school lotteries, which means it handles children’s data and decisions families have to live with. This page says plainly what we store, what we never ask for, what’s public, and why the security model starts from an unusual idea: you shouldn’t have to trust us.
Built so you don’t have to trust us
Sorteo’s core claim isn’t "trust us." It’s that nobody has to. Every draw locks its entries with a cryptographic commitment before the draw, takes its randomness from drand (a public randomness beacon run by independent organizations), and publishes a transcript anyone can replay: families, board members, auditors, or the press. If we tampered with a result, the transcript wouldn’t check out.
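The commit-then-beacon draw described above, as an added example rather than Sorteo's own code: the entries, beacon round and randomness value are constructed, and the HMAC-based ordering is one reasonable way to derive lottery numbers, not necessarily the one Sorteo uses.

```python
import hashlib
import hmac
import json

# Constructed sample entries holding only the transcript fields the page lists
# (entry code, grade, ranked schools, priority tier): no names or birthdates.
ENTRIES = [
    {"code": "K7Q2M", "grade": "K", "schools": ["North", "South"], "tier": 1},
    {"code": "B3ZX8", "grade": "K", "schools": ["South"], "tier": 2},
    {"code": "R9TL4", "grade": "K", "schools": ["North"], "tier": 2},
]
# Constructed stand-in for a drand round's 32-byte randomness. In a real draw the
# round number is fixed when the commitment is published and the value is read
# from the beacon only after that round has been emitted.
BEACON_ROUND = 4242424
BEACON_RANDOMNESS = "3f" * 32

def canonical(obj):
    """Stable byte encoding so every verifier hashes exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def commit(entries):
    """Commitment to the locked entry list, published before the beacon round."""
    return hashlib.sha256(canonical(entries)).hexdigest()

def draw_seed(commitment, beacon_randomness):
    """Seed binds the commitment and the beacon value; neither side alone fixes it."""
    return hashlib.sha256(bytes.fromhex(commitment) + bytes.fromhex(beacon_randomness)).digest()

def order_entries(entries, seed):
    """Deterministic lottery order: each code gets an HMAC-derived lottery number."""
    key = lambda e: hmac.new(seed, e["code"].encode(), "sha256").hexdigest()
    return [e["code"] for e in sorted(entries, key=key)]

def run_draw(entries, beacon_round, beacon_randomness):
    """Produce the public transcript: everything a verifier needs, nothing identifying."""
    c = commit(entries)
    return {"commitment": c, "beacon_round": beacon_round,
            "beacon_randomness": beacon_randomness, "entries": entries,
            "order": order_entries(entries, draw_seed(c, beacon_randomness))}

def verify(transcript):
    """Replay the draw from the transcript alone; any edit to entries or order fails."""
    c = commit(transcript["entries"])
    if not hmac.compare_digest(c, transcript["commitment"]):
        return False
    seed = draw_seed(c, transcript["beacon_randomness"])
    return order_entries(transcript["entries"], seed) == transcript["order"]
```

The replay only proves anything if the commitment was visible before the chosen beacon round was emitted, so a verifier should check that publication timestamp as well as the hashes.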
What we store
The minimum needed to run an enrollment: the student’s first and last name, birthdate, requested grade, ranked schools, the household’s email (and mailing address where the district collects it), and any priority claims with their supporting detail (for example, the enrolled sibling’s name). Nothing else. We don’t collect data for advertising, and we never sell anyone’s data.
What families never give us: a password
Families apply through a short public form. No account, no password. They get a receipt with a private entry code that lets them find their result. That means there is no pile of parent credentials for us to lose: the risk surface simply isn’t there.
What’s public is anonymous by design
Public results pages show entry codes, never names. The published transcript contains exactly what’s needed to verify the draw (entry code, grade, ranked schools, and priority tiers) and nothing that identifies a child: no names, no birthdates, no contact details.
Your data stays yours
Districts can export their entries to CSV at any time. Your data is never hostage. And deleting a workspace is real deletion: it removes the district and all of its data, not a "deactivated" flag.
Who processes data
A short, honest list of the services Sorteo runs on:
Vercel: application hosting
MongoDB: database
Clerk: identity for district administrators only (families have no accounts)
Resend: transactional email delivery
Anthropic: machine translation of district-authored content (never family PII)
drand: a public randomness beacon; it receives no data at all, it only publishes random values
Where we stand on FERPA
Sorteo is built to support districts’ obligations under FERPA: minimal collection, access scoped to your own district’s administrators, real deletion, identifiable data kept off public pages, and no secondary use of data. If your district needs a data-processing agreement, write to us.
Cookies
One functional cookie, remembering your language preference. No ad trackers, no third-party pixels. That’s why there’s no cookie banner squatting over this page.