Solvay Bicarbonato — A prize competition platform built to Italian law

Brief

Solvay is one of the world’s largest chemical groups and the producer of the bicarbonato brand that has been on Italian kitchen shelves for generations. The brief was a consumer promotion tied to their bicarbonate product line: packages carried a scratch panel concealing a unique code. Consumers could enter the code online, and winners were required to upload their purchase receipt to claim a prize.

The platform had to handle the full lifecycle — code validation, entry management, the draw, prize assignment, and receipt verification — and do so within the constraints of Italian prize competition law, which is specific, documented, and enforced.

The constraints

Italian manifestazioni a premi operate under a defined regulatory framework. A competition of this kind must be registered with the competent ministry, the complete regulations must be filed in advance, and the promoter must post a fideiussione — a surety bond covering the declared prize pool — before the first entry is accepted. The draw mechanism must be verifiable. The audit trail must be complete.

These are not optional requirements. A promotion that fails to meet them can be halted by the authorities, and any prizes awarded under a non-compliant mechanism are legally questionable. The platform was not a marketing tool with legal considerations on the side — it was a legal instrument first, and a user interface second.

Beyond the regulatory layer, the technical constraints were their own. Scratch codes on physical packaging create a specific class of problem: the code space must be large enough that codes cannot be guessed, the validation logic must prevent the same code from being entered twice, and the system must remain resistant to automated entry attempts. Receipt upload adds a verification step that is legally required as proof of purchase, and it must be stored correctly for the duration of the promotion and any subsequent audit period.

The promotion ran for several months. When the draw closed and the last prize was assigned, the obligation did not end — Italian prize competition law requires that entry records, receipt documentation, and draw data be retained and kept available for audit for five years. The platform had to be correct while active and secure long after it went quiet.

Approach

The platform was built in custom PHP with no reliance on off-the-shelf competition or CMS frameworks. The regulatory requirements were precise enough that a general-purpose tool would have required more adaptation than building cleanly from scratch.

Code validation was the first layer to harden. Each scratch code was single-use, bound to a generated key space with sufficient entropy to make brute-force attempts impractical at any realistic scale. Entry attempts beyond normal human rate were rate-limited and logged. Every entry — valid, invalid, or duplicate — was recorded with timestamp and origin data, producing an audit trail that could be interrogated in the event of a dispute.

The draw mechanism was designed to be reproducible: given the same input state, the same output could be verified. This matters not for the user experience but for the legal record — a draw that cannot be independently verified is not a valid draw under Italian competition law.

Receipt upload was treated as a document management problem as much as a user interface one. Uploaded files were validated for format and legibility at submission, stored securely, and associated with the entry record in a way that linked them unambiguously to the specific purchase and draw outcome. The storage and retention of these documents was built to satisfy a five-year retention obligation — not the duration of the promotion, but the period during which the records must remain intact and retrievable for regulatory audit.

The fideiussione and MISE registration were handled by the agency and the client’s legal team. Our responsibility was to ensure the platform reflected exactly what had been declared: the same mechanics, the same prize pool structure, the same entry conditions. Any divergence between the filed regulations and the live platform would have constituted a compliance failure regardless of intent.

What we delivered

• A custom PHP platform managing the full competition lifecycle: code validation, entry processing, draw, prize assignment, and receipt verification
• Single-use code validation with rate limiting and full entry logging
• A verifiable draw mechanism producing a reproducible audit record
• Receipt upload with format validation, secure storage, and document-to-entry association
• An administration interface for monitoring entries, managing prize status, and producing the records required for regulatory compliance
• Secure data retention architecture for entry records, receipts, and draw documentation across the five-year post-competition audit window

Outcome

Several thousand participants entered over the course of the promotion. The platform ran without a single data breach, regulatory violation, or draw dispute. No entry was incorrectly validated. No prize was misassigned. The receipt archive was complete and accessible throughout.

The promotion concluded as filed. The fideiussione was released without claim. The client had no legal exposure from the platform’s operation at any point.

What we took away

Prize competition platforms are not technically complex in the conventional sense. The logic is not novel, the data volumes are manageable, and there are no particularly interesting algorithmic problems to solve. The challenge is a different kind: correctness under legal obligation, maintained over time, with no tolerance for drift between what was promised and what was delivered.

The absence of problems is the outcome. We are content with that.