Privacy Policy
Last updated: June 8, 2026
1. Who We Are
Token Tactics ("Platform", "we", "us") is operated by Lumorix Limited (trading as Token Tactics), a company registered in the Republic of Seychelles, company number 245200. We are the data controller for the personal data processed through the Platform available at tokentactics.xyz.
For any privacy-related inquiries, contact us at privacy@tokentactics.xyz.
2. What Data We Collect
We collect the following categories of personal data:
| Category | Data | Purpose |
|---|---|---|
| Account | Email address, password hash | Authentication, account recovery |
| Wallet | EVM wallet address | Blockchain verification, scenario completion |
| Activity | Scenario progress, answers, points | Platform functionality, leaderboard |
| Device | IP address, browser info, timezone | Security (fraud prevention, Sybil protection) |
| OAuth | Google account ID (if Google sign-in used) | Authentication |
| Marketing | Traffic source / campaign label you arrived from (e.g. a UTM tag in the link) | Measure which channels bring users (legitimate interest); also sent to PostHog when analytics consent is given |
We do not collect: real names, phone numbers, physical addresses, payment card details, government IDs, or biometric data. We do not purchase data from third parties.
3. Legal Basis (GDPR Art. 6)
- Consent — You agree to the Terms and this Policy at registration (checkbox).
- Contract — Processing is necessary to provide the Platform services (scenario tracking, points, leaderboard).
- Legitimate interest — Fraud prevention, security monitoring, and service improvement.
4. How We Use Your Data
- Authenticate you and maintain your session
- Track scenario progress and calculate points
- Verify blockchain transactions for scenario completion
- Display your rank on the leaderboard (points only, no personal info shown to others)
- Send transactional emails (verification, password reset, streak reminders)
- Detect and prevent fraudulent activity (multi-account abuse)
- Generate aggregated, anonymized analytics to improve the Platform
5. Data Sharing
We share data only with:
- Resend (email delivery) — receives your email address for transactional emails
- Etherscan / Blockchain APIs — receives your wallet address to verify on-chain transactions (public blockchain data)
- OpenRouter / AI providers — processes your text answers for AI-judged scenario steps (no personal identifiers are sent, only your answer text)
- AppsFlyer — receives anonymized app install and in-app event data to verify scenario completion (device-level attribution, no direct personal identifiers)
- PostHog (product analytics, EU-hosted) — receives anonymized usage events (such as funnel steps) so we can understand how the Platform is used. Analytics are consent-gated (off until you accept the cookie notice); direct identifiers are masked and your user ID is sent only as a one-way hash. Not used for advertising
- Google (if you use Google sign-in) — standard OAuth flow, no additional data shared
We do not sell, rent, or trade your personal data. We do not use your data for advertising. We do not share data with data brokers.
6. Data Security
We implement the following security measures:
- Passwords are hashed using bcrypt (never stored in plaintext)
- Email and wallet addresses are indexed using SHA-256 hashes for lookups
- PII is masked in application logs (email, wallet, IP)
- All connections use HTTPS with HSTS
- Security headers: CSP, COOP, CORP, X-Frame-Options DENY
- Rate limiting on authentication and sensitive endpoints
- JWT-based sessions with automatic invalidation on account ban/deletion
7. Data Retention
- Account data — retained while your account is active
- Device info (IP, browser) — automatically anonymized after 180 days
- Read notifications — automatically deleted after 180 days
- Completed verification requests — automatically deleted after 1 year
- Expired tokens — automatically cleared daily
8. Your Rights (GDPR)
Under applicable data protection laws, you have the right to:
- Access — Export a recent activity snapshot of your account via Profile → "Download My Data" (JSON format, includes profile, scenario progress, recent step answers, recent notifications, and consent records)
- Rectification — Update your wallet address in your profile. For any other correction (including email), contact privacy@tokentactics.xyz
- Erasure — Delete your account via Profile → "Delete Account" (30-day grace period, then permanent anonymization)
- Portability — Export your data in JSON format
- Withdrawal of consent — Delete your account at any time
- Complaint — Contact your local data protection supervisory authority
9. Account Deletion
When you request account deletion, a 30-day grace period begins. During this period, you can cancel by logging in. After 30 days, your data is permanently anonymized:
- Email, wallet address, Telegram data — replaced with anonymous placeholders or nulled
- Password hash — deleted
- Device records, notifications, consent records — permanently deleted
- Scenario progress, points, leaderboard rank — preserved in anonymized form (no PII)
10. Cookies and Local Storage
We use essential cookies required for the Platform to function and, only after you accept the cookie notice, product-analytics storage (PostHog — see below):
- Session cookie (
authjs.session-token) — maintains your login session - Language preference (
NEXT_LOCALE) — stores your selected display language (functional cookie, 1 year)
We also use browser local storage for the following non-cookie data:
- Cookie consent acknowledgment (
cookie-consent-accepted) — remembers that you acknowledged this notice - PostHog product analytics (cookies + local storage, set only after you accept the cookie notice) — measures aggregated, anonymized usage such as funnel steps. EU-hosted; no advertising or cross-site tracking
Third-party services integrated into the Platform (such as WalletConnect for wallet connectivity) may use their own session storage mechanisms as described in their respective privacy policies.
We do not use advertising cookies or cross-site tracking cookies. Product-analytics cookies (PostHog) are set only with your consent and can be declined by not accepting the cookie notice.
11. International Transfers
Your data is stored on servers located in Europe. We do not transfer personal data outside the European Economic Area (EEA) or Switzerland except where necessary for the services described above (e.g., email delivery via Resend, blockchain API queries). Such transfers are subject to appropriate safeguards including standard contractual clauses.
12. Children
The Platform is not intended for individuals under 21 years of age. We do not knowingly collect data from anyone under 21. If we become aware that we have collected data from a person under 21, we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. For significant changes, we will notify you via email or a prominent notice on the Platform.
14. Contact
Lumorix Limited (trading as Token Tactics)
Company number: 245200
House Of Francis, Room 303, Ile Du Port, Mahe, Seychelles
privacy@tokentactics.xyz