# Privacy Policy This Privacy Policy explains how we collect, use, share, store, and protect your personal data / personal information, and how you may exercise your related rights. If you do not agree to this Privacy Policy, please stop using the Services. By using the Services, you acknowledge that you have read and understood this Privacy Policy. ## 1. Scope and Important Notices **Data Controller:** * Company Name: \[Please insert full company name] * Registered Address: \[Please insert registered address] * Registration Number: \[Please insert company registration number] * Contact Email: \[Please insert company registration number] **Scope:** This Privacy Policy applies to our processing of personal data when you access or use our Services. **Exclusions – Third Parties:** This Privacy Policy does not apply to third-party websites, wallets, payment providers (e.g., Visa, Google Pay, PayPal), logistics/fulfillment providers, social media platforms, or other third parties. Such parties process your information independently and in accordance with their own privacy policies. **Public Nature of Blockchain:** Information related to blockchain networks (such as wallet addresses, transaction hashes, transfer records, smart contract interactions, and similar data) may be public, searchable, and immutable (i.e., it cannot be altered or deleted). We do not control how blockchain networks process such information, and we are not able to modify or remove on-chain data. ## 2. Information We Collect We collect information that is necessary for the specific features you use, which mainly includes: ### 2.1 Information You Provide Voluntarily * **Account Information:** email address, username/nickname, and profile photo/avatar. * **Customer Support and Communications:** the content of support tickets you submit, chat records, email correspondence, screenshots, and any attachments. * **Redemption / Delivery Information (Physical Redemption):** recipient name, phone number, delivery address, postal code, and country/region. Where customs clearance is required, we may collect information necessary for customs clearance. * **Creator / Partner Information (Onboarding / Incubation):** when you apply to onboard or sign incubation/cooperation documents, we may collect contact person details, team/company information, settlement/payout-related information, and required qualification materials, subject to the applicable agreement. ### 2.2 Information We Collect Automatically * **Device and Log Information:** device model, operating system, browser type, language, IP address, time zone, access time, page views and click/interactions records, crash logs, and performance data. * **Anti-Fraud and Security Signals:** login behavior, indicators of abnormal activity, and device/network characteristics required for risk detection (used for account takeover prevention, fraud prevention, anti-cheat measures, and maintaining orderly marketplace operations). ### 2.3 Transaction, Payment, and On-Chain Related Information * **Order and Transaction Information:** purchase/mint/listing/sale records, price, quantity, order status, and platform fees and royalties (as displayed on the relevant pages). * **Payment-Related Information:** payment method type, payment status, and transaction identifiers and result information returned by payment service providers. In most cases, we do not store your full card number; your card information is generally processed by the payment provider in accordance with its compliance requirements. * **On-Chain Data:** wallet addresses, transaction hashes, smart contract addresses, tokenId, on-chain events, and similar data (which may be obtained from blockchain nodes, indexing services, or blockchain explorers). ## 3. Purposes and Legal Bases for Processing We process your personal data for the following purposes: | Purpose | Legal Basis (GDPR where applicable) | | ---------------------------------------- | ----------------------------------------------------------------- | | Account management and authentication | Performance of a contract (Art.6(1)(b)) | | Order processing, payment, delivery | Performance of a contract (Art.6(1)(b)) | | Customer support and dispute resolution | Performance of a contract / Legitimate interest (Art.6(1)(b)/(f)) | | Platform improvement, analytics | Legitimate interest (Art.6(1)(f)) | | Marketing communications (with consent) | Consent (Art.6(1)(a)) | | Legal compliance and regulatory response | Legal obligation (Art.6(1)(c)) | ## 4. How We Share Your Information We may share your information with: * **Service providers:** cloud hosting, payment processors, logistics/fulfillment, email/SMS, customer support tools, security/analytics providers — who process data on our behalf under data processing agreements. * **Blockchain networks:** on-chain transactions are publicly visible; we cannot control third-party access to on-chain data. * **Regulatory and law enforcement:** where required by applicable law, court order, or where necessary to detect/prevent fraud, protect safety, or respond to regulatory inquiries. * **Business transfers:** in connection with a merger, acquisition, or asset sale, your data may be transferred to the acquirer. We do not sell your personal data. ## 5. Data Retention We retain your personal data for as long as is necessary for the purposes for which it was collected, including to fulfill legal, accounting, and regulatory obligations. When your data is no longer necessary, we will securely delete or anonymize it, subject to applicable laws requiring longer retention (e.g., financial recordkeeping, AML obligations, and tax laws). ## 6. Cross-Border Data Transfers Your personal data may be transferred to and processed in jurisdictions outside your country of residence. We will ensure that appropriate safeguards are in place: * For transfers from the EU/EEA: We rely on the European Commission's Standard Contractual Clauses (SCCs) as adopted under Decision 2021/914, or, where applicable, adequacy decisions under Article 45 GDPR. * For transfers from Southeast Asia: We comply with the cross-border data transfer requirements under applicable local data protection laws, including: * Singapore (PDPA): ensuring the recipient provides a comparable standard of data protection. * Thailand (PDPA): ensuring adequate protection or obtaining your consent. * Malaysia (PDPA): transfers only to jurisdictions approved by the Minister or with your consent and contractual safeguards. * Philippines (DPA): ensuring adequate protection under NPC guidance. * Indonesia (PDP Law): ensuring adequate protection in the receiving country. * Vietnam: complying with applicable data localization and cross-border transfer requirements. You may contact us (see Section 15) to obtain further details about the safeguards in place. ## 7. How We Protect Your Information We implement reasonable technical and organizational measures to protect your personal data, including encryption in transit (TLS/SSL), access controls, regular security reviews, and incident response procedures. No system is perfectly secure. While we strive to protect your data, we cannot guarantee absolute security. ## 8. Data Breach Notification In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will: * Notify the competent supervisory authority within the timeframe required by applicable law (e.g., 72 hours under GDPR Article 33; 3 calendar days under Singapore PDPC; within the timeline required by the Philippine NPC, Indonesian regulations, or other applicable law). * Where the breach is likely to result in a high risk to you, notify affected individuals without undue delay, providing a description of the breach, likely consequences, and measures taken. ## 9. Cookies and Tracking Technologies For information about how we use cookies, web beacons, and similar technologies, please refer to our Cookie Policy. ## 10. Children's Privacy The Services are not directed at children under the age of 18 (or the applicable age of majority). We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly. ## 11. Your Rights Depending on your jurisdiction, you may have the following rights regarding your personal data: * Right of Access — request a copy of the personal data we hold about you. * Right to Rectification — request correction of inaccurate or incomplete data. * Right to Erasure — request deletion of your data (subject to legal retention obligations). * Right to Restriction — request that we limit the processing of your data in certain circumstances. * Right to Data Portability — receive your data in a structured, commonly used, machine-readable format (e.g., JSON or CSV) and transmit it to another controller. * Right to Object — object to processing based on legitimate interests or for direct marketing. * Right to Withdraw Consent — where processing is based on consent, withdraw it at any time without affecting prior processing. * Right Not to Be Subject to Automated Decision-Making — see Section 11A below. To exercise these rights, please contact us at: \[Please insert company registration number] We will respond to your request within the timeframe required by applicable law (e.g., one month under GDPR, 30 days under Singapore PDPA). We may need to verify your identity before processing your request. ## 11A. Automated Decision-Making Our platform uses automated systems for fraud detection, risk assessment, and anti-abuse measures. These systems may make decisions that affect your access to certain features or services (e.g., transaction restrictions, account freezing, or order cancellation). Where such automated processing produces legal effects or significantly affects you, you have the right to: * request human review of the decision; * express your point of view; and * contest the decision. To exercise these rights, please contact us at the email address above. ## 12. Do Not Track We currently do not respond to "Do Not Track" browser signals. Our tracking practices are described in our Cookie Policy. ## 13. Changes to This Privacy Policy We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our platform and/or by sending a notification. The "Last Updated" date at the top of this page indicates when the latest revision was made. ## 14. Region-Specific Provisions ### 14A. Additional Provisions for Users in the EU/EEA If you are located in the European Union or European Economic Area, the following additional provisions apply: **EU Representative (GDPR Art.27).** As we are established outside the EU/EEA, we have appointed the following entity as our representative in the EU in accordance with Article 27 GDPR: * Representative Name: \[Please insert EU Representative Name, e.g., a third-party service provider] * Address: \[Please insert EU Representative Address] * Email: \[Please insert EU Representative Email] **Data Protection Officer (DPO).** * DPO Name: \[Please insert DPO Name] * DPO Email: \[Please insert DPO Email] **Data Protection Impact Assessment (DPIA).** We have conducted Data Protection Impact Assessments for high-risk processing activities (including financial transactions, on-chain data processing, and automated risk-control systems) in accordance with GDPR Article 35. DPIAs are reviewed and updated regularly. **Legal Basis for Processing.** See Section 3 above for the specific legal bases for each processing purpose. **Supervisory Authority.** You have the right to lodge a complaint with a data protection supervisory authority in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement. ### 14B. Additional Provisions for Users in Southeast Asia If you are located in Southeast Asia, the following additional provisions apply depending on your country of residence: **Singapore (PDPA 2012):** * We have designated a Data Protection Officer (DPO) responsible for overseeing our compliance with the PDPA. Contact: \[Please insert DPO Name] * In the event of a notifiable data breach, we will notify the PDPC and affected individuals in accordance with the PDPA. * We will cease using data and allow you to withdraw consent in accordance with Section 16 of the PDPA. **Thailand (PDPA 2019):** * Processing of your personal data is based on your consent, contractual necessity, or other lawful bases under Section 24 of the PDPA. * You may exercise your rights under Sections 30–36 of the PDPA by contacting us. **Indonesia (PDP Law 2022):** * Your personal data is processed in accordance with the Indonesian Personal Data Protection Law. * You may request access, rectification, deletion, and portability of your personal data. * In the event of a data breach, we will notify you and the relevant authority within 72 hours. **Malaysia (PDPA 2010):** * Your personal data will not be transferred outside Malaysia without adequate safeguards or your consent, in accordance with Section 129 of the PDPA. * You may exercise your right of access and correction under the PDPA. **Philippines (DPA 2012):** * We process data in compliance with the Data Privacy Act of 2012 and the rules issued by the National Privacy Commission (NPC). * In the event of a personal data breach, we will notify the NPC and affected individuals within 72 hours. **Vietnam:** * We comply with applicable Vietnamese data protection regulations, including Decree 13/2023/ND-CP on Personal Data Protection. * Where data localization requirements apply, we will ensure compliance. ## 15. Contact Us If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us via: * Email: \[Please insert support Email] * Privacy-Specific Requests: \[Please insert support Email] * Mailing Address: \[Please insert registered/office address] For EU/EEA users, you may also contact our EU Representative (see Section 14A above). *Last Updated: \[Please insert date, e.g., March 2026]*