+1 240-619-6976

How to Build a Secure Lottery Result Notification System on Firebase

Court

A practical guide for state lotteries and regulated gaming organizations that want to send personalized winning-number push notifications… without issuing a new RFP, without storing personal identity data, and without modifying the core gaming engine.

What This System Does

This system is a Draw Result Push Notification Engine for state lottery mobile apps.

It runs automatically at scheduled draw times, compares official winning numbers against saved player selections (digital playslips), and sends personalized push notifications to individual devices.

That’s it.

Explicit scope:

  • It does not validate tickets
  • It does not process payments
  • It does not modify the gaming engine
  • It does not require storing names, emails, or account data
  • It does not require AI in production

It stores selected numbers tied to a push token, checks results at draw time, and sends informational notifications.

That bounded scope makes it easier to explain to compliance and security teams.

What Problem This Solves

Most lottery apps send generic notifications:

  • “Jackpot is $450M.”
  • “Play now.”

But players care about one thing:

Did I win?

Right now, most apps require users to manually check results.

This system creates a habit loop:

Draw → Automatic Notification → App Open → Repeat

And it does it using minimal data and infrastructure you can control internally.

Architecture: How It’s Set Up

Hosting

The mobile app remains unchanged in structure.
This system acts as a lightweight backend layer built on Firebase.

There is no public-facing dashboard required for the basic implementation.

Data (Firestore)

Firestore stores digital playslip entries tied to a device’s push token.

You only need the push token to send a personalized message.

You do not need:

  • Name
  • Email
  • Phone number
  • Account ID

A typical structure:

Collection: devices/{pushToken}/entries/{entryId}

Each entry document contains:

  • gameId (ex: powerball)
  • drawDateTime
  • numbers (array)
  • bonusNumber (if applicable)
  • createdAt
  • notificationPreference (wins_only or all_results)

The push token acts as the delivery address.

No identity layer required.

Workloads (Cloud Functions 2nd Gen)

Cloud Functions handle:

  • Scheduled draw checks
  • Matching logic
  • Push notification delivery

Cloud Scheduler triggers functions at official draw times.

Example:

  • Powerball → Monday, Wednesday, Saturday
  • Pick 3 → Daily

At run time, the function:

  1. Pulls official winning numbers from your approved source
  2. Queries Firestore for entries matching that game + draw time
  3. Runs match logic
  4. Sends push notifications via Firebase Cloud Messaging

2nd gen functions provide better timeout and scaling controls, especially when querying larger datasets.

Push Delivery (Firebase Cloud Messaging)

When the app installs and enables notifications, it receives a push token.

The app stores that token in Firestore.

That token is the only identifier required to send a personalized notification.

If the token changes, the app updates it.

The push token = the delivery endpoint.

Two Deployment Modes

Mode 1: With iLottery / Account Data

If your gaming provider exposes:

  • Numbers played
  • Draw participation
  • Ticket metadata

You can associate those entries with push tokens directly.

No need for a digital playslip layer. But certainly could be fun for acquisition if users can make digital playslips without needing to be logged in.

The function simply checks account entries against results.

Mode 2: Digital Playslip Layer (Vendor-Agnostic)

If you do not receive number-level data then use the digital playslip inside your app.

Users enter numbers exactly like a paper slip:

  • Select game
  • Select draw
  • Enter numbers
  • Optional multiplier

These entries are saved to Firestore.

At draw time, the system compares those saved entries to official results and sends pushes.

You are not validating tickets.

You are providing informational notifications.

This works even if you do not control the core gaming system.

Notification Logic

Each entry includes a notification preference:

  • wins_only
  • all_results

The function respects that preference.

Example messages:

Win:

“You matched 3 numbers in Pick 3. Open the app to see details.”

No win:

“Powerball results are in. No win this time — next draw Wednesday.”

This prevents notification fatigue and improves opt-in retention.

Security Posture

Data Minimization

Only store:

  • Push token
  • Numbers selected
  • Draw metadata

No personal identity data required.

Firestore Rules

  • Default deny
  • Client can write entries tied to its own push token
  • Clients cannot read other devices’ entries
  • Only backend functions can query across entries

Secret Management

If pulling official results via API:

  • Store API credentials in Google Secret Manager
  • Never store keys in Firestore or client code

Push credentials are handled by Firebase infrastructure.

Auditability

Log:

  • Scheduled job execution
  • Number of entries processed
  • Push delivery success/failure rates

For regulated environments, being able to answer:

  • When did the function run?
  • How many entries were processed?
  • Were notifications sent successfully?

…is essential.

Analytics and Measurement

Firebase Analytics tracks:

  • Push opt-in rate
  • Push open rate
  • Open rate by game
  • Retention lift among users who save playslips
  • Drop-off after consecutive losses

This gives you quantifiable proof of engagement impact.

Optional AI Layer (Not Required)

AI is not necessary for baseline functionality.

If added later, it can:

  • Predict churn risk after multiple losses
  • Optimize notification timing
  • Personalize message tone
  • Recommend reminders

AI should be additive, not foundational.

Email Behavior (Optional Extension)

Some states may also:

  • Send summary emails for wins
  • Email links to result details

Email links should require authentication and should not expose sensitive information publicly.

Push-first remains the most direct channel.

Why This Approach Works in Regulated Environments

This design keeps risk low:

  • No modification to gaming engine
  • No financial processing
  • No identity expansion
  • No production AI dependency
  • Role-based backend access
  • Minimal stored data

Scope is clearly bounded:

Save entries → Check results → Send push.

That clarity makes security review and compliance approval significantly easier.

The Bigger Pattern

This is not just about notifications.

It’s about building small internal SaaS layers inside a state lottery app.

Instead of issuing another RFP, you:

  • Build narrowly scoped tools
  • Keep data minimal
  • Automate predictable workflows
  • Iterate quickly

The same pattern can apply to:

  • Jackpot alerts by behavior
  • Responsible gaming reminders
  • Game-specific engagement loops
  • Retention experiments

If you can build this system, you’ve proven your team can ship modern engagement infrastructure without waiting a year.

And that’s where real modernization begins.

P.S. If you are already sending personalized emails for winning notifications then all you need is the push token and can send the same as a notification to users.