Privacy Policy
1. Data We Collect
Account data: username, email address, password hash (argon2id). Optionally: linked social accounts (Discord ID, Telegram chat ID, X handle, Google profile), passkey credentials, wallet addresses.
Trade data: offer details, trade history, escrow addresses, USDC transaction hashes, PRL deposit data.
Technical data: IP address, browser user-agent, timestamps, geoip-derived country/city (via local database — no external API calls).
2. How We Use Your Data
To operate the trading platform, verify wallet ownership, detect fraud, enforce the moderation system, send transactional emails (trade confirmations, password resets), and comply with legal obligations. We never sell your data.
3. Email Tracking
Transactional emails may contain a tracking pixel and rewritten links to measure delivery and engagement. We use this data internally to improve deliverability only.
4. Cookies & Local Storage
We use localStorage (not cookies) to persist: your auth token, your theme preference. No third-party cookies. No advertising trackers.
5. Data Retention
- Account data: retained while your account is active + 30 days after deletion request.
- Trade data: retained indefinitely (blockchain transactions are permanent).
- Activity logs: retained for 90 days, then archived.
- TOS acceptance records: retained indefinitely (legal requirement).
6. Data Sharing
We do not share personal data with third parties except: (a) when required by law; (b) SMTP relay providers for email delivery (email address only, transactional); (c) blockchain networks (wallet addresses are public by nature).
7. Your Rights
You can: access your data, export your data (contact support), request deletion (account closure — trade history is retained per section 5), withdraw consent for optional processing. For EU residents: GDPR applies. Contact us for a data processing agreement.
8. Security
Passwords: argon2id hashing. Escrow keys: AES-256-GCM at rest. JWTs: HS256, revocable via token versioning. All connections: HTTPS. Wallet private keys never leave the user's browser (Schnorr signing happens client-side).
9. Contact
Data protection inquiries: Discord.