Privacy Policy

Last updated: 2026-04-16

DRAFT — this document must be reviewed by qualified legal counsel before the platform is opened to the public. The categories below describe the data the current implementation actually collects.

1. Data we collect

  • Account data: email address, display name, hashed password (or Google / Telegram account identifier if you sign in through those providers).
  • Wallet activity: deposits, withdrawals, stakes, payouts, and on-chain transaction hashes.
  • Usage data: login timestamps, IP addresses for rate-limiting and fraud prevention, and request logs retained for up to 90 days.
  • Device data: browser user-agent string for compatibility and security.

2. How we use it

Account and wallet data are used to operate the service (authenticate you, credit deposits, settle markets, pay withdrawals). Usage and device data are used to protect the service from abuse (rate limits, CSRF protection, anomaly detection).

3. Sharing

We do not sell personal data. We share it only with: (a) infrastructure providers (database, email, blockchain nodes) strictly to run the service; (b) law enforcement when compelled by a valid legal request; (c) auditors under confidentiality.

4. Cookies

We use two cookies: one HTTP-only session cookie to keep you signed in, and one CSRF token cookie to protect write actions. We do not use advertising or cross-site tracking cookies.

5. Retention

Account and wallet records are retained for the life of the account and for up to 7 years after closure for accounting and compliance purposes. Request logs are retained up to 90 days. You may request deletion subject to these limits.

6. Your rights

You may: request a copy of your data, correct inaccuracies, close your account, or revoke marketing consent at any time. Residents of the EEA, UK, California and similar jurisdictions have additional statutory rights — we honor all applicable requests.

7. Security

Passwords are hashed with bcrypt. Sessions use HTTP-only cookies with CSRF double-submit protection. Wallet operations run under per-row locks to prevent race conditions. We do not store raw payment card data — deposits are on-chain USDT transfers.

8. Contact

Privacy questions or data-request forms: privacy@goldbat.example.