Privacy Policy
Version 2.0 — Last updated: April 16, 2026
§ 1 Information We Collect
1.1 Account Information
When you register for a CryptoKartz account, you provide:
- Email address
- Name or display name
- Country of residence
- Password (stored as a bcrypt hash — never in plaintext)
1.2 Meta / Facebook OAuth Data
If you choose to link your Meta (Facebook) account to verify Quest ownership, we collect and store:
- Meta user ID
- Meta profile name
- Email address associated with your Meta account
This data is used solely to verify Meta Quest 3+ device ownership and is never shared with third parties for marketing purposes.
1.3 VR / Biometric Data
Important: CryptoKartz is deployed on Meta Quest 3+ headsets. In the XR (Extended Reality) gaming environment, certain sensor data may be collected to enable gameplay functionality.
The following VR and biometric data may be collected during gameplay sessions:
- Head tracking data — orientation and position of the user's head in 3D space, used to render the XR environment correctly
- Hand controller tracking data — position and orientation of Meta Quest controllers (or hand tracking if enabled), used to map in-game hand and object interactions
- Play session timestamps — start and end times of VR sessions, used for session management and responsible gambling tracking
- Controller input events — button presses and gestures used to resolve in-game skill outcomes
VR biometric data is collected by the CryptoKartz application running on the Meta Quest device and may be transmitted to our servers solely for gameplay integrity, fraud prevention, and analytics purposes. Facial recognition, eye tracking, and brain-computer interface data are not collected.
Data collected from VR sessions is used to:
- Render the XR environment in real time
- Resolve in-game skill outcomes accurately
- Detect anomalous play patterns that may indicate fraud, bot use, or account compromise
- Support responsible gambling features (session time limits, self-exclusion triggers)
VR biometric data is retained for a maximum of 12 months from the date of collection and is not shared with advertisers or unrelated third parties.
1.4 Wallet Data
Our Service generates and stores cryptocurrency wallet addresses (Solana, Bitcoin, Ethereum) on your behalf. Your BIP39 seed phrase is encrypted server-side using AES-256-GCM and is never transmitted to or accessible by CryptoKartz personnel after initial generation.
1.5 Blockchain Data
We may index on-chain transaction data associated with your wallet addresses for display purposes. This data is sourced from public blockchain APIs (Solana RPC, Blockstream, Ethereum RPC) and is not itself personal data.
1.6 IP Addresses & Logs
Server logs may record IP addresses for security purposes including rate limiting and account lockout enforcement. Logs are retained for a maximum of 90 days.
§ 2 How We Use Your Information
We use collected information to:
- Provide and maintain the Service
- Verify Meta Quest device ownership
- Generate, encrypt, and store cryptocurrency wallet credentials
- Process cross-chain swaps via the Jupiter aggregator
- Enforce security measures (rate limiting, account lockout)
- Communicate about your account (transaction confirmations, security alerts)
- Comply with applicable laws and regulations, including geolocation-based jurisdiction enforcement
- Operate responsible gambling tools (session limits, self-exclusion, cooling-off periods)
- Detect and prevent fraud, multi-accounting, and bot activity in XR gameplay
§ 3 Cookies & Tracking
We use minimal cookies for essential authentication and security only:
- Authentication cookie — stores your JWT session token locally
- Analytics beacon — anonymized page-view tracking via Polsia infrastructure
We do not use third-party advertising cookies or cross-site tracking pixels. Do Not Track browser signals are respected.
§ 4 Third-Party Services
4.1 Meta / Facebook (OAuth)
OAuth data is handled by Meta Platforms under the Meta Privacy Policy, available at meta.com, which governs Meta's data practices. We only request the public_profile and email scopes.
4.2 Solana RPC
Wallet balance queries and transaction broadcasts are routed through Solana mainnet RPC endpoints. Transaction data submitted to these services is subject to their respective privacy policies. Solana Labs operates the primary RPC network; your wallet address may be logged by RPC providers.
4.3 Jupiter Aggregator
Cross-chain swaps are executed through Jupiter Aggregator v6. We transmit your Solana wallet address and swap parameters to Jupiter's API to obtain quotes and execute transactions. Review Jupiter's privacy policy at jup.ag.
4.4 Blockstream (Bitcoin RPC)
Bitcoin wallet operations and balance queries are routed through Blockstream's Bitcoin API. Blockstream logs transaction data according to its own privacy policy. Blockstream.info and its API are subject to their respective terms and privacy practices.
4.5 Cloudflare
Our Service is protected by Cloudflare's DDoS mitigation and content delivery network. Cloudflare may log IP addresses, browser fingerprints, and request metadata for security and performance purposes. Cloudflare's privacy policy is available at cloudflare.com/privacy.
4.6 Blockchain Explorers
Transaction hashes may be looked up on block explorers (Solscan, Blockstream, Etherscan). These services index public blockchain data independently and operate under their own privacy policies.
4.7 Late.dev / Late Labs
Social media posting and OAuth integrations for connected platforms (Twitter/X, Instagram, TikTok, LinkedIn) are handled via the Late.dev API. Late.dev's privacy policy governs how data is handled when you connect social accounts.
§ 5 Blockchain Data & Transparency
Critical Notice — On-Chain Data is Public and Immutable: By using CryptoKartz's wallet and swap services, you acknowledge and understand that all blockchain transactions are recorded on public, decentralized ledgers. This means:
- Public by design: Every transaction broadcast to the Solana, Bitcoin, and Ethereum networks is visible to anyone with access to a block explorer (e.g., Solscan, Blockstream, Etherscan). Your wallet address is publicly viewable.
- Immutable: Once confirmed on-chain, transaction records cannot be altered, deleted, or reversed by CryptoKartz, any government, or any other party.
- Your responsibility: You are solely responsible for ensuring the accuracy of destination addresses, the correct blockchain network, and the adequacy of fees before broadcasting any transaction.
- No erasure: Blockchain data that includes your wallet address cannot be "forgotten" or anonymized. Even if CryptoKartz deletes your account data, the on-chain transaction history associated with your wallet address will remain permanently accessible.
- Analytics limitation: CryptoKartz may correlate on-chain activity with user accounts for service operation purposes, but cannot control how blockchain explorers, analytics firms, or other third parties use public ledger data.
Wallet addresses generated by CryptoKartz are derived from your encrypted seed phrase and are therefore linkable to your account under our control. We will not voluntarily share wallet-to-account correlations with third parties except as required by law.
§ 6 Geolocation & Jurisdiction Compliance
To comply with applicable laws regulating cryptocurrency and online gambling, CryptoKartz may collect and process geolocation data in the following ways:
- IP-based country estimation — Your IP address is used to estimate your country of connection. This is a rough indicator only and may not reflect your actual physical location.
- Self-reported country of residence — Your declared country of residence at registration is stored and used for jurisdictional screening.
- Account restriction enforcement — Users connecting from jurisdictions where cryptocurrency gambling services are prohibited may have their accounts restricted or suspended without notice.
Geolocation data is processed and retained solely for the purpose of legal compliance. It is not sold to third parties. Users in restricted jurisdictions will be notified at login if access is limited.
Important: Geo-restrictions can be circumvented using VPNs or proxy services, but doing so violates Section 1.3 of our Terms of Service ("Prohibited Jurisdictions") and may constitute a breach of applicable law. CryptoKartz reserves the right to terminate accounts detected using VPNs or jurisdiction spoofing.
§ 7 Data Retention
Account data is retained for the duration of your account plus 90 days after deletion. Encrypted seed phrases are deleted upon account deletion. VR/biometric play data is retained for a maximum of 12 months. Blockchain transaction history cannot be deleted as it exists on public ledgers.
§ 8 Data Security
We implement:
- bcrypt password hashing with per-user salts
- AES-256-GCM encryption for stored seed phrases
- Rate limiting and account lockout after 5 failed login attempts
- Encrypted HTTPS transport for all API communications
- Cloudflare DDoS and bot protection
- VPN/proxy detection for jurisdiction enforcement
No system is completely immune to breach. While we use industry-standard protections, we cannot guarantee absolute security.
§ 9 Children's Privacy (COPPA)
The Service is not intended for users under the age of 18 (or 21 where legally required). CryptoKartz does not knowingly collect personal data from minors.
In accordance with the Children's Online Privacy Protection Act (COPPA) and similar international frameworks:
- We do not knowingly collect data from users under 18 years of age
- We do not target the Service to children or minors
- We do not use the Service to build user profiles of minors for any purpose
- If we discover that personal data from a minor has been collected without verified parental consent, it will be deleted within 30 days
- Parents or guardians who believe their child's data has been collected may contact us at privacy@cryptokartz.live for immediate deletion
If you are under the minimum age in your jurisdiction, do not create an account or use the Service. Doing so may result in immediate account termination.
§ 10 International Users & GDPR
If you access the Service from outside the United States, you consent to the transfer and processing of your data in the United States in accordance with this policy.
For users in the European Economic Area (EEA) and other jurisdictions recognizing the GDPR, you have the following rights:
- Access (Art. 15 GDPR) — request a copy of the personal data we hold about you
- Correction (Art. 16 GDPR) — request correction of inaccurate data
- Deletion / Right to be Forgotten (Art. 17 GDPR) — request deletion of your account and personal data (subject to legal retention requirements)
- Portability (Art. 20 GDPR) — request your data in a machine-readable format
- Restriction of Processing (Art. 18 GDPR) — request we limit how we use your data
- Objection (Art. 21 GDPR) — object to processing of your data for specific purposes
- Withdraw Consent — where processing is based on consent, withdraw at any time without affecting prior processing
To exercise any of these rights, contact us at privacy@cryptokartz.live. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority if you believe we have violated your rights.
§ 11 Your Rights Under CCPA
If you are a resident of California, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know — You may request disclosure of the categories and specific pieces of personal information collected, the purpose of collection, and whether it has been sold or shared
- Right to Delete — You may request deletion of personal information, subject to certain exceptions
- Right to Correct — You may request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing — CryptoKartz does not sell or share your personal information with third parties for commercial purposes. You may opt out of any future sale by contacting us
- Right to Limit Use of Sensitive Personal Information — We do not use sensitive personal information beyond what is necessary for service operation
- Right to Non-Discrimination — We will not discriminate against you for exercising your privacy rights
Categories of personal information collected in the past 12 months:
- Identifiers (email, Meta user ID, wallet address)
- Internet or electronic activity (IP logs, session data)
- Geolocation data (IP-based country estimation)
- VR/biometric play data (head/hand tracking, session timestamps)
We do not sell or share this data. To exercise your CCPA rights, contact privacy@cryptokartz.live with the subject line "California Privacy Rights Request." We will verify your identity before fulfilling the request.
§ 12 Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Material changes affecting VR/biometric data collection, cryptocurrency data practices, or cross-border data transfers will be communicated via email to registered users. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.
§ 13 Contact
For privacy-related inquiries, including GDPR and CCPA rights requests:
privacy@cryptokartz.live
For general support: support@cryptokartz.live
Disclaimer: This Privacy Policy is provided for informational purposes only and does not constitute legal advice. It has not been reviewed by a licensed attorney. Consult qualified legal counsel for jurisdiction-specific compliance guidance.