PoolDefy — Privacy Policy

Effective date: 27 April 2026 · Last updated: 27 April 2026 · Version 1.0

This Privacy Policy explains how PoolDefy (“we,” “us,” “the Platform”) collects, uses, shares, and protects personal information about users of the Platform at pooldefy.com and our related services (collectively, the “Services”). It applies to information we collect when you use the Services, whether or not you are logged in.

Information we collect
How we use information
Legal bases for processing (EEA / UK)
When we share information
Public blockchain data
Cookies & similar technologies
How long we keep information
Security
Your rights
California residents (CCPA / CPRA)
EEA / UK residents (GDPR)
Legal capacity
International transfers
Third-party links
Changes to this Policy
Contact

1. Information we collect

1.1 Information you provide

Account information. Email address, username, display name, password (hashed), and any optional profile fields (avatar, bio).
Verification information. Where required to process withdrawals or comply with anti-fraud / sanctions rules: government-issued identification, proof of address, date of birth, and source-of-funds documentation.
Communications. Messages you send to support, comments, chat messages, and content you post on the Platform.
Payment-related information. Wallet addresses you use to deposit or withdraw, transaction hashes, and saved-address labels you create.
Two-factor / security credentials. TOTP secrets, recovery codes, security questions, and trusted-device tokens.

1.2 Information collected automatically

Device & technical data. IP address, user-agent string, device type and operating system, screen size, language, and approximate location derived from IP.
Browser fingerprint. A hash derived from non-PII signals (canvas, WebGL, font set, plugin set, time zone) used to detect duplicate accounts and ban evasion.
Activity data. Pages and contests you view, picks you submit, entries you make, deposits / withdrawals you initiate, comments you post, watchlist items, follow / unfollow actions, and timestamps for each.
Performance & logs. Server logs, error reports, and websocket session metadata used for troubleshooting and platform reliability.

1.3 Information from third parties

Sports data providers. We receive event schedules, fixtures, and live results from independent sports-data providers (e.g. Sportmonks for football, NBA's CDN for basketball). This data does not identify you.
Identity-verification vendors. Where verification is required, we may receive verification results from KYC / AML vendors (typically a pass / fail status plus the document image you provided).
Sign-in providers. If you choose Google sign-in, we receive your verified email, name, and profile image from Google.
Sanctions & risk databases. We may screen wallet addresses, IPs, and identity data against industry-standard sanctions and risk-flag lists.

2. How we use information

Purpose	Categories used
Operate the Services. Authenticate you, run contests, settle results, process deposits / withdrawals, render leaderboards.	Account information, activity data, payment-related information.
Anti-fraud, anti-collusion, anti-money-laundering. Detect multi-accounting, pick collusion, sanctions matches, and suspicious withdrawal patterns.	IP, fingerprint, wallet addresses, activity data, verification information.
Customer support. Respond to questions, investigate disputes, refund or void where appropriate.	Account information, communications, activity data.
Communications. Transactional notifications (deposits confirmed, payouts settled, position changes), security alerts, and (with your consent or where permitted) product news.	Email, account preferences.
Product analytics & reliability. Diagnose bugs, measure feature adoption, improve the Platform.	Aggregated activity data, device & technical data.
Legal compliance. Tax reporting where required, sanctions screening, responding to lawful requests from regulators or law enforcement.	Account information, verification information, activity data.

3. Legal bases for processing (EEA / UK residents)

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

Contract performance — to provide the Services you've signed up for (operating contests, paying out winnings, processing deposits / withdrawals).
Legitimate interests — running anti-fraud and anti-collusion controls, preventing platform abuse, ensuring service reliability and security, and recovering misallocated funds.
Legal obligation — sanctions screening, AML / CTF compliance, tax reporting, responding to lawful requests.
Consent — non-essential cookies, marketing emails, certain optional data uses you can opt out of at any time.

We share personal information only as follows:

Service providers and infrastructure. Hosting (Vercel, Railway), database (PostgreSQL on Railway), email delivery, analytics, fraud-detection, and KYC vendors. These vendors process information on our behalf under contractual data-protection terms.
Sports-integrity bodies and regulators. Where we are required by law, by sports-integrity rules, or in response to lawful requests from law-enforcement or regulatory authorities.
Other users. Limited information for the social and competitive parts of the Platform — your username, avatar, public profile, comments, leaderboard placements, and contest entries are visible to other users by design.
Corporate transactions. In connection with a merger, acquisition, financing, reorganisation, or sale of assets, subject to confidentiality protections and applicable law.
Protection of rights and safety. Where we believe in good faith that disclosure is necessary to protect the rights, property, or safety of PoolDefy, our users, or the public.

We do not sell or rent your personal information to advertisers or data brokers.

5. Public blockchain data

Deposits and withdrawals occur on public blockchains (currently Polygon for USDC). Information you transmit on chain — including your wallet address, transaction hash, amounts, and timestamps — is permanently and publicly viewable and is not under our control. Any third party can correlate on-chain activity associated with your wallet, including activity outside the Platform.

Inside the Platform we keep your wallet activity tied to your account so we can credit deposits and process withdrawals. We do not publish your account-to-wallet linkage outside the Platform except as described in Section 4.

6. Cookies & similar technologies

We use cookies and similar storage technologies for the following purposes:

Strictly necessary. Authentication, session management, security, fraud prevention. These cannot be disabled without breaking the Service.
Functional. Theme preferences, balance-hidden state, dismissed welcome banners, cached contest feed.
Analytics. Aggregated usage analytics to improve the product. You may decline these via your browser controls.

We do not currently use third-party advertising cookies. If we adopt them in future, we will update this Policy and provide a clear opt-in mechanism where required.

7. How long we keep information

Active account data — for as long as your account exists.
Financial / transaction records — retained for the period required by tax, AML, and accounting laws (typically 5–7 years after the last transaction).
Verification records — retained for the period required by AML / KYC rules in the operating jurisdiction.
Server & security logs — retained for up to 90 days for routine logs, longer for incidents under investigation.
Closed accounts — we retain a minimal record (account ID, closure reason, retention triggers) to honour deletion / re-registration prevention obligations and to defend legal claims.

8. Security

We implement administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit, hashed passwords, role-based access controls, audit logs, two-factor step-up for sensitive admin actions, and multisig / segregation patterns for treasury wallets. No system is perfectly secure; if you have reason to believe your account has been compromised, contact us immediately at support@pooldefy.com.

9. Your rights

Subject to applicable law, you have the right to:

Access the personal information we hold about you and request a copy.
Correct inaccurate or incomplete information.
Delete your information, subject to retention obligations described in Section 7.
Restrict or object to certain processing.
Port your information to another service in a structured, machine-readable format.
Withdraw consent for any processing that relies on it.
Lodge a complaint with a supervisory authority where one applies.

To exercise any of these rights, email support@pooldefy.com. We will respond within the time frame required by applicable law (typically 30 days).

10. California residents (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

Right to know the categories and specific pieces of personal information we have collected, the sources, the purposes for collection, and the categories of recipients.
Right to delete personal information we have collected, subject to legal exceptions.
Right to correct inaccurate personal information.
Right to opt out of sale or sharing. We do not sell or share personal information for cross-context behavioural advertising.
Right to limit use of sensitive personal information. We use sensitive PII (e.g. ID-verification documents) only for the disclosed compliance purposes.
Right to non-discrimination for exercising any of these rights.

To exercise these rights, email support@pooldefy.com. We may need to verify your identity before responding.

11. EEA / UK residents (GDPR / UK GDPR)

If you are in the European Economic Area or the United Kingdom, the legal bases for our processing are described in Section 3, and the rights described in Section 9 apply to you in the form set out in the GDPR / UK GDPR. You have the right to lodge a complaint with your national supervisory authority. The data controller is the entity operating PoolDefy.

12. Legal capacity

The Services are intended only for individuals with the legal capacity to enter into contracts in their jurisdiction of residence. We do not knowingly collect personal information from any individual lacking that capacity. If you become aware that information has been provided to us by an individual without legal capacity, contact support@pooldefy.com and we will remove it.

13. International transfers

We operate globally and may transfer personal information to countries other than the one in which you reside. Where we transfer information out of the EEA or UK, we use appropriate safeguards (e.g. EU Standard Contractual Clauses) to provide a level of protection equivalent to your home jurisdiction.

14. Third-party links

The Platform may link to third-party websites and services (e.g. blockchain explorers, sports-integrity bodies, social media). Their privacy practices are not covered by this Policy — review their policies before interacting.

15. Changes to this Policy

We may update this Policy from time to time. Material changes will be communicated via email or in-Platform notice at least 14 days before they take effect. The effective date at the top of this Policy reflects the most recent revision.

16. Contact

Questions, requests to exercise your rights, or complaints? Email support@pooldefy.com.

Contents