WinVault

← Back to Portfolio
WinVault

Apr 2026 – Present

A UK prize competition platform designed to sit firmly outside the Gambling Act 2005 (free entry routes on prize draws, genuine skill questions on Q&A comps), with the full compliance stack in place from the start: GDPR, KYC, self-exclusion, geo-restriction, VAT handling, and audited random draws.

Tech Stack

Laravel PHP TailwindCSS React + Inertia.js MySQL Redis Filament Stripe Sanctum

Tags

Web Laravel Compliance

About this project

WinVault started as a clean-sheet attempt to build a UK prize competition site that is unambiguously not gambling, and turned into a full platform with most of the operational machinery already in place. The design brief was to match what Omaze, Rafflehouse, and the UKCC crowd offer at the front of the site, while being stricter than most of them about how the legal and compliance side is handled behind it.

Two competition types at launch: prize draws with a mandatory free postal/online entry route (so there is no "consideration" under the Gambling Act 2005), and skill Q&A competitions where a genuine skill element removes "chance". Everything else that follows from taking that seriously (age gating, winner identity verification, self-exclusion with a 6-month reinstatement minimum, geo-restriction to the UK, a 14-day refund cooling-off window, VAT at 20%, verifiable random draws signed via random.org's API) is wired in from the start rather than bolted on later.

Behind the scenes there's a payment gateway abstraction (Stripe and PayPal for live, a DemoGateway for development), wallet top-ups, a referral programme with UTM attribution, subscriptions with pause/resume, Turnstile bot protection, admin 2FA, Sentry error monitoring, Redis-backed Horizon queues, a Content Security Policy with Vite nonces, webhook idempotency, and a theming system that's config-driven (CSS variables) so branding can swap without touching code. Admin runs on Filament, with a set of runbooks covering the common operational scenarios: drawing winners, handling refunds, responding to GDPR subject access requests, and incident response.

Built solo on Laravel 11, React via Inertia.js, Tailwind, MySQL, and Redis, with a Sanctum-secured API layer and a PWA manifest for installability. Currently in beta at winvault.enhanceify.co.uk with the full test suite green and all planned build phases code-complete; the remaining work is the part that needs real-world connections (Stripe account verification, ICO registration, solicitor sign-off on the T&Cs, production VPS, and the content and branding polish before public launch).

Visit site View code