What is a receipt code in VoteAlly?

A receipt code is a unique 12-character code generated when a voter submits their ballot. It is created from the ballot ID using a secure process on VoteAlly's server. The code is shown to voters on the confirmation screen after they submit their vote, allowing them to verify their ballot was recorded.

How do voters verify their vote using a receipt code?

Administrators can export a Ballot Audit CSV from the Reports tab. This file lists every ballot ID, receipt code, timestamp, and question title. Voters search the published list for their receipt code to confirm their ballot was included in the final tally.

Do receipt codes survive PII purging?

Yes. Receipt codes are stored with the ballot data, which is completely separate from voter personal information. When personal data is removed, voter names, emails, and phone numbers are deleted, but all ballot data including receipt codes remains intact.

Voter Receipts and Ballot Verification

Give your voters confidence that their ballot was counted. Receipt codes provide tamper-proof verification without revealing how anyone voted.

What is a Receipt Code?

A receipt code is a unique 12-character code generated when a voter submits their ballot. It is created on VoteAlly's server by combining the ballot's unique ID with a secret key that only the server knows. This process uses bank-level security to ensure the code is tamper-proof.

The resulting code (e.g., A7F3B9C2E1D4) serves as a fingerprint for that specific ballot. It is unique, always produces the same result for the same ballot, and cannot be reversed to reveal the ballot contents.

Each receipt code is guaranteed to be unique. No two ballots can share the same code.

How Voters See Their Receipt

After a voter clicks "Submit Vote," the server records the encrypted ballot and generates the receipt code. The voter then sees a Vote Confirmed screen that displays their unique receipt code.

Voters should save this code for their records. It is the only way for them to independently verify their ballot later. The code is shown once on the confirmation screen and is not stored anywhere the voter can retrieve it afterward.

Tip: Remind your voters to write down or screenshot their receipt code immediately after voting. You can include this reminder in your invitation emails or pre-meeting communications.

How Receipts Preserve Anonymity

VoteAlly uses a strict separation between voter identity and ballot content. The receipt code is derived from the ballot ID only, not from the voter's identity or their vote choices.

Ballot data is stored completely separately from voter information. The ballot itself has no connection to who cast it. Voter participation (who voted on which question) is tracked in a different place entirely. This separation means there is no way to trace a receipt code back to a voter's identity, or to connect a voter to their specific ballot.

Additional protections reinforce this separation:

Timestamp rounding: Ballot timestamps are rounded down to the nearest hour, so there is no way to match a voter's login time to a specific ballot.
Encrypted ballot contents: The actual vote choices are protected with bank-level encryption. The original selection is never stored in readable form.
Secure tallying: Vote counts use scrambled candidate identifiers, so the database never sees which candidate received which votes in plain text.

Exporting the Ballot Audit CSV

Administrators can download a Ballot Audit CSV that lists every ballot recorded for a session. This file is designed for transparency: you can publish it so voters can verify their ballots were counted.

Navigate to the Reports tab

Open the voting session in your admin dashboard and go to the Reports tab.

Click "Export Ballot Audit"

This downloads a CSV file containing every ballot in the session.

Review the CSV columns

The file includes: BallotID, ReceiptCode, Timestamp, QuestionID, and QuestionTitle. It does not include voter names, emails, or vote choices.

Publish or share the receipt code list

Share the ReceiptCode column with your membership. Voters can search the list for their code to confirm their ballot was included in the final tally.

Important: The export action is logged in the audit trail. The log records who exported the file, when, and how many ballot records were included.

How a Voter Verifies Their Ballot

Once you publish the Ballot Audit CSV (or the ReceiptCode column from it), any voter can verify their ballot independently:

The voter locates the receipt code they saved after voting.
They search the published list for their code (e.g., using Ctrl+F in a spreadsheet or text file).
If the code appears, their ballot is confirmed as part of the official tally.
If the code does not appear, they should contact the administrator for investigation.

Key point: The published list only contains receipt codes and question titles. It does not reveal who cast which ballot or what choices were made. This makes it safe to share publicly.

Receipts Survive PII Purging

VoteAlly automatically purges voter Personally Identifiable Information (PII) after a configurable retention period (90 days by default). When this happens, voter names, emails, phone numbers, and candidate photos are permanently removed.

Receipt codes are not affected by personal data removal. They are stored with the ballot data, which is completely separate from voter information. Because ballots have no connection to who cast them, ballots and their receipt codes are kept permanently as part of the audit trail.

Removed by PII Purge

Voter names and emails
Phone numbers and member IDs
Access codes and magic link tokens
Candidate photos (from cloud storage)

Preserved After Purge

All ballot records and receipt codes
Encrypted vote choices
Candidate names (public record)
Vote weights and participation counts

Frequently Asked Questions

Can a receipt code reveal how someone voted?

No. The receipt code is generated using a one-way process that cannot be reversed. It proves that a specific ballot exists in the system, but it cannot be used to reveal the vote choices. Ballot contents are protected separately with bank-level encryption.

Can two voters receive the same receipt code?

No. Each ballot generates a unique receipt code, and the system enforces uniqueness to prevent duplicates. Every receipt code maps to exactly one ballot.

Can a voter forge a receipt code?

No. Receipt codes are generated on VoteAlly's server using a secret key that is never shared with anyone outside the system. Without access to this secret, it is practically impossible to produce a valid receipt code.

What happens to receipt codes after PII is purged?

Receipt codes remain intact. They are stored with the ballot data, which is completely separate from voter personal information. The purge process removes voter names, emails, and phone numbers, but all ballot data is kept permanently as part of the audit trail.

Does the Ballot Audit CSV contain voter names or vote choices?

No. The Ballot Audit CSV contains only the BallotID, ReceiptCode, Timestamp, QuestionID, and QuestionTitle. It is designed to be safe for public distribution.

What should a voter do if their receipt code is missing from the published list?

They should contact the administrator. A missing receipt code could indicate that the voter did not see the "Vote Confirmed" screen (meaning their submission did not complete) or that there was a technical issue. The admin can check the audit trail for details.

Last updated: April 2, 2026