Privacy Policy

Last updated: April 14, 2026

1. Who We Are

Token Tactics ("Platform", "we", "us") is operated by Lumorix Limited (trading as Token Tactics), a company registered in the Republic of Seychelles, company number 245200. We are the data controller for the personal data processed through the Platform available at tokentactics.xyz.

For any privacy-related inquiries, contact us at privacy@tokentactics.xyz.

2. What Data We Collect

We collect the following categories of personal data:

Category | Data | Purpose
Account | Email address, password hash | Authentication, account recovery
Wallet | EVM wallet address | Blockchain verification, scenario completion
Activity | Scenario progress, answers, points | Platform functionality, leaderboard
Device | IP address, browser info, timezone | Security (fraud prevention, Sybil protection)
OAuth | Google account ID (if Google sign-in used) | Authentication

We do not collect: real names, phone numbers, physical addresses, payment card details, government IDs, or biometric data. We do not purchase data from third parties.

3. Legal Basis (GDPR Art. 6)

  • Consent — You agree to the Terms and this Policy at registration (checkbox).
  • Contract — Processing is necessary to provide the Platform services (scenario tracking, points, leaderboard).
  • Legitimate interest — Fraud prevention, security monitoring, and service improvement.

4. How We Use Your Data

  • Authenticate you and maintain your session
  • Track scenario progress and calculate points
  • Verify blockchain transactions for scenario completion
  • Display your rank on the leaderboard (points only, no personal info shown to others)
  • Send transactional emails (verification, password reset, streak reminders)
  • Detect and prevent fraudulent activity (multi-account abuse)
  • Generate aggregated, anonymized analytics to improve the Platform

5. Data Sharing

We share data only with:

  • Resend (email delivery) — receives your email address for transactional emails
  • Etherscan / Blockchain APIs — receives your wallet address to verify on-chain transactions (public blockchain data)
  • OpenRouter / AI providers — processes your text answers for AI-judged scenario steps (no personal identifiers are sent, only your answer text)
  • AppsFlyer — receives anonymized app install and in-app event data to verify scenario completion (device-level attribution, no direct personal identifiers)
  • Google (if you use Google sign-in) — standard OAuth flow, no additional data shared

We do not sell, rent, or trade your personal data. We do not use your data for advertising. We do not share data with data brokers.

6. Data Security

We implement the following security measures:

  • Passwords are hashed using bcrypt (never stored in plaintext)
  • Email and wallet addresses are indexed using SHA-256 hashes for lookups
  • PII is masked in application logs (email, wallet, IP)
  • All connections use HTTPS with HSTS
  • Security headers: CSP, COOP, CORP, X-Frame-Options DENY
  • Rate limiting on authentication and sensitive endpoints
  • JWT-based sessions with automatic invalidation on account ban/deletion

7. Data Retention

  • Account data — retained while your account is active
  • Device info (IP, browser) — automatically anonymized after 180 days
  • Read notifications — automatically deleted after 180 days
  • Completed verification requests — automatically deleted after 1 year
  • Expired tokens — automatically cleared daily

8. Your Rights (GDPR)

Under applicable data protection laws, you have the right to:

  • Access — Export a recent activity snapshot of your account via Profile → "Download My Data" (JSON format, includes profile, scenario progress, recent step answers, recent notifications, and consent records)
  • Rectification — Update your wallet address in your profile. For any other correction (including email), contact privacy@tokentactics.xyz
  • Erasure — Delete your account via Profile → "Delete Account" (30-day grace period, then permanent anonymization)
  • Portability — Export your data in JSON format
  • Withdrawal of consent — Delete your account at any time
  • Complaint — Contact your local data protection supervisory authority

9. Account Deletion

When you request account deletion, a 30-day grace period begins. During this period, you can cancel by logging in. After 30 days, your data is permanently anonymized:

  • Email, wallet address, Telegram data — replaced with anonymous placeholders or nulled
  • Password hash — deleted
  • Device records, notifications, consent records — permanently deleted
  • Scenario progress, points, leaderboard rank — preserved in anonymized form (no PII)

10. Cookies and Local Storage

We use only essential cookies required for the Platform to function:

  • Session cookie (authjs.session-token) — maintains your login session
  • Language preference (NEXT_LOCALE) — stores your selected display language (functional cookie, 1 year)

We also use browser local storage for the following non-cookie data:

  • Cookie consent acknowledgment (cookie-consent-accepted) — remembers that you acknowledged this notice

Third-party services integrated into the Platform (such as WalletConnect for wallet connectivity) may use their own session storage mechanisms as described in their respective privacy policies.

We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

11. International Transfers

Your data is stored on servers located in Europe. We do not transfer personal data outside the European Economic Area (EEA) or Switzerland except where necessary for the services described above (e.g., email delivery via Resend, blockchain API queries). Such transfers are subject to appropriate safeguards including standard contractual clauses.

12. Children

The Platform is not intended for individuals under 21 years of age. We do not knowingly collect data from anyone under 21. If we become aware that we have collected data from a person under 21, we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. For significant changes, we will notify you via email or a prominent notice on the Platform.

14. Contact

Lumorix Limited (trading as Token Tactics)
Company number: 245200
House Of Francis, Room 303, Ile Du Port, Mahe, Seychelles
privacy@tokentactics.xyz