1. Introduction
Welcome to PolyWager.io ("PolyWager," "we," "us," or "our"). PolyWager is a premium cryptocurrency gaming platform operated by PolyWager Entertainment Ltd., a company registered and licensed under applicable gaming regulations. We are committed to protecting and respecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act of 2018 ("CCPA"), the California Privacy Rights Act ("CPRA"), and all other applicable data protection legislation worldwide.
This Privacy Policy explains what personal data we collect, how we process it, the legal bases for that processing, with whom we share it, and the rights you have regarding your information. It applies to all users of the PolyWager platform, including our website at polywager.io, our mobile applications, application programming interfaces (APIs), and any other services or products we offer (collectively, the "Services").
By creating an account or otherwise using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, please do not use our Services.
For the purposes of applicable data protection legislation, the data controller is:
PolyWager Entertainment Ltd.
Registered Address: Available upon request
Email: privacy@polywager.io
Data Protection Officer: dpo@polywager.io
2. Information We Collect
We collect information that you provide directly to us, information that is generated automatically when you use our Services, and information we obtain from third-party sources. The categories of personal data we collect include:
2.1 Account Registration Data
When you create an account, we collect information necessary to establish and manage your account:
- Email address (used for account verification, login, and communications)
- Username (your chosen public display name on the platform)
- Password (stored exclusively as a cryptographic hash; we never store plaintext passwords)
- Date of birth (to verify you meet the minimum age requirement)
- Country of residence (to determine regulatory requirements and service availability)
- Preferred language and currency settings
- Referral information (if you were referred by another user or marketing campaign)
2.2 Identity Verification (KYC) Data
To comply with anti-money laundering ("AML") regulations, counter-terrorism financing ("CTF") requirements, and responsible gaming obligations, we collect identity verification documents. Depending on your jurisdiction and activity level, these may include:
- Government-issued photo identification (passport, national identity card, or driver's license)
- Proof of address documents (utility bills, bank statements, or official correspondence dated within three months)
- Selfie or live photo for biometric comparison against submitted identification documents
- Source of funds documentation (bank statements, payslips, or tax returns) for enhanced due diligence where required
- Politically Exposed Person (PEP) screening results and sanctions list checks
KYC verification is conducted by our authorized third-party verification providers. You will be informed prior to the collection of any biometric data, and such data is processed strictly for identity verification purposes.
2.3 Financial and Transaction Data
When you deposit, withdraw, or otherwise transact on our platform, we collect:
- Cryptocurrency wallet addresses used for deposits and withdrawals
- Transaction hashes and blockchain network identifiers
- Deposit and withdrawal amounts, timestamps, and status records
- Transaction history including all credits, debits, and balance changes
- Payment method metadata (we do not store private keys or seed phrases)
- Fiat currency transaction details where applicable, including payment processor references
2.4 Gaming and Usage Data
To operate our games, ensure fairness, and comply with regulatory requirements, we collect:
- Complete game history including bets placed, outcomes, multipliers, and game-specific parameters
- Betting patterns, frequency, session duration, and wagering volume
- Provably fair verification seeds (server seed hashes, client seeds, and nonces)
- In-game preferences, settings, and feature usage
- Bonus and promotional offer usage, redemption records, and wagering progress
- Responsible gaming tool usage (deposit limits, loss limits, self-exclusion periods)
- Session data including login times, session duration, and activity timestamps
- Chat messages and interactions in public game rooms
2.5 Technical and Device Data
When you access our Services, we automatically collect technical information about your device and connection:
- IP address (used for geolocation, fraud prevention, and regulatory compliance)
- Device type, model, operating system, and version
- Browser type, version, language settings, and installed plugins
- Device identifiers and browser fingerprint data (for fraud detection and session management)
- Screen resolution, color depth, and timezone settings
- Referring URLs, pages visited, click patterns, and navigation paths within the platform
- Network connection type and Internet Service Provider (ISP) information
- Cookie identifiers and local storage data (see Section 9 for details)
2.6 Communications Data
When you communicate with us or use our communication features, we collect:
- Support ticket content, attachments, and correspondence history
- Live chat transcripts with customer support representatives
- Email communications sent to or received from PolyWager
- In-platform chat messages in public game rooms and community channels
- Feedback, survey responses, and review submissions
- Any information you voluntarily provide in communications with our team
3. How We Use Your Information
We process your personal data for the following specific and lawful purposes:
3.1 Account Management and Service Delivery
- Creating, maintaining, and administering your user account
- Authenticating your identity and managing access to your account
- Processing deposits, withdrawals, and other financial transactions
- Providing, operating, and improving our gaming products and services
- Personalizing your experience based on your preferences and usage patterns
- Delivering customer support and responding to your inquiries
3.2 Game Operation and Fairness
- Operating provably fair game mechanics and maintaining game integrity
- Recording and verifying game outcomes, bets, and payouts
- Generating and managing cryptographic seeds for provably fair verification
- Monitoring for and preventing cheating, collusion, or game manipulation
- Administering bonuses, promotions, VIP programs, and rewards
3.3 Fraud Prevention and Security
- Detecting, investigating, and preventing fraudulent, unauthorized, or illegal activities
- Implementing multi-account detection and prevention measures
- Monitoring for suspicious transaction patterns and potential money laundering
- Performing blockchain analytics to identify high-risk wallets and transactions
- Protecting the security, integrity, and availability of our platform and infrastructure
- Conducting regular security assessments and penetration testing
3.4 Legal and Regulatory Compliance
- Fulfilling Know Your Customer (KYC) and identity verification requirements
- Complying with Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) regulations
- Meeting licensing requirements, regulatory reporting obligations, and audit demands
- Responding to lawful requests from law enforcement, regulatory authorities, and courts
- Implementing responsible gaming measures including self-exclusion, deposit limits, and activity monitoring
- Maintaining records as required by applicable gaming and financial regulations
3.5 Analytics and Platform Improvement
- Analyzing platform usage, performance metrics, and user behavior trends
- Conducting A/B testing and evaluating new features and product improvements
- Generating aggregated, anonymized statistical reports for business planning
- Monitoring system performance, uptime, and infrastructure health
- Identifying and resolving technical issues, bugs, and performance bottlenecks
3.6 Marketing and Communications
- Sending promotional offers, bonuses, and platform updates only with your explicit opt-in consent
- Delivering transactional communications (account verification, security alerts, withdrawal confirmations)
- Providing service-related announcements about policy changes, maintenance, and material updates
- Personalizing marketing content based on your preferences and activity (with consent)
- Facilitating referral programs and affiliate marketing where applicable
You may withdraw your consent to marketing communications at any time by clicking the "unsubscribe" link in any marketing email, adjusting your notification preferences in your account settings, or contacting us at privacy@polywager.io.
4. Legal Basis for Processing (GDPR)
Under the General Data Protection Regulation, we must have a valid legal basis for each processing activity involving your personal data. The legal bases upon which we rely are:
4.1 Performance of a Contract (Article 6(1)(b) GDPR)
Processing your data is necessary to perform our contractual obligations to you under our Terms of Service. This includes creating and managing your account, processing transactions, operating games, paying out winnings, and providing customer support.
4.2 Legal Obligation (Article 6(1)(c) GDPR)
We are legally required to process certain data to comply with applicable laws and regulations. This includes KYC and identity verification, AML and CTF monitoring, responsible gaming obligations, tax reporting, regulatory record-keeping, and responding to lawful requests from authorities.
4.3 Legitimate Interests (Article 6(1)(f) GDPR)
We process certain data where it is necessary for our legitimate business interests, provided those interests are not overridden by your fundamental rights and freedoms. Our legitimate interests include:
- Fraud prevention, platform security, and the protection of our users and business
- Analytics, research, and product improvement to enhance user experience
- Enforcing our Terms of Service and preventing platform abuse
- Ensuring network and information security
- Internal administrative purposes and business operations
You have the right to object to processing based on legitimate interests. We will honor such requests unless we can demonstrate compelling legitimate grounds for processing that override your rights, or the processing is necessary for the establishment, exercise, or defense of legal claims.
4.4 Consent (Article 6(1)(a) GDPR)
For certain processing activities, we rely on your freely given, specific, informed, and unambiguous consent. This applies to marketing communications and promotional offers, the use of non-essential cookies and tracking technologies, and the processing of special category data where applicable. You may withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
5. Data Sharing & Third Parties
We do not sell, rent, or trade your personal data to third parties for their own marketing purposes. We share your information only in the following circumstances and with the following categories of recipients:
5.1 Service Providers and Processors
- Payment and Cryptocurrency Processors: To facilitate deposits, withdrawals, and financial transactions. These providers process transaction data, wallet addresses, and amounts under strict data processing agreements.
- KYC and Identity Verification Providers: To conduct identity verification, document authentication, biometric comparison, PEP screening, and sanctions list checks as required by law.
- Blockchain Analytics Providers: To perform transaction monitoring, risk scoring of wallet addresses, and detection of connections to illicit activity in compliance with AML regulations.
- Cloud Hosting and Infrastructure Providers: To host, maintain, and secure our platform, databases, and associated infrastructure. Data is stored in secure, enterprise-grade data centers.
- Customer Support Tools: To manage support tickets, live chat, and communication channels.
- Analytics and Monitoring Services: To analyze platform usage, measure performance, and improve our Services using aggregated and, where necessary, pseudonymized data.
- Email and Communication Services: To send transactional and, where consented to, promotional communications.
All service providers are contractually bound by data processing agreements that require them to process your data only on our documented instructions, maintain appropriate security measures, and comply with applicable data protection laws.
5.2 Legal and Regulatory Disclosures
We may disclose your personal data when we are legally required or permitted to do so, including:
- In response to valid court orders, subpoenas, warrants, or other lawful requests from governmental or judicial authorities
- To comply with regulatory obligations imposed by gaming commissions, financial regulators, or data protection authorities
- When necessary to protect the rights, property, safety, or security of PolyWager, our users, or the public
- To our professional advisors (lawyers, auditors, accountants) who are subject to professional confidentiality obligations
5.3 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred to the acquiring entity. We will provide notice before your data is transferred and becomes subject to a different privacy policy.
5.4 With Your Consent
We may share your information with third parties when you have given us your explicit consent to do so for a specific purpose.
We Never Sell Your Data
PolyWager does not sell, lease, or rent your personal information to any third party for their own commercial purposes. This commitment applies regardless of whether you are a current or former user.
6. International Data Transfers
As a global platform, your personal data may be transferred to and processed in countries other than the country in which you reside. These countries may have data protection laws that differ from those in your jurisdiction.
When we transfer your personal data outside of the European Economic Area (EEA), the United Kingdom, or Switzerland, we ensure that appropriate safeguards are in place to protect your data in accordance with applicable data protection laws. These safeguards include:
- Adequacy Decisions: Transferring data to countries that the European Commission or the UK Secretary of State has determined provide an adequate level of data protection.
- Standard Contractual Clauses (SCCs): Using the European Commission's approved Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) to contractually require recipients to protect your data to European standards.
- Supplementary Measures: Implementing additional technical and organizational measures where necessary, such as encryption in transit and at rest, pseudonymization, and access controls.
- Binding Corporate Rules: Where applicable, relying on approved Binding Corporate Rules for intra-group data transfers.
You may request a copy of the safeguards we have in place for international data transfers by contacting our Data Protection Officer at dpo@polywager.io.
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, regulatory, accounting, or reporting requirements. The specific retention periods depend on the category of data and the purpose of processing:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account Data | Duration of account + 5 years | Regulatory requirements, legal claims |
| Transaction Records | 7 years from transaction date | AML regulations, financial record-keeping |
| KYC / Identity Documents | 5 years after account closure | AML/CTF legal obligations |
| Gaming History | Duration of account + 5 years | Gaming license requirements, dispute resolution |
| Usage & Technical Data | 2 years from collection | Analytics, security, fraud prevention |
| Communications Data | 3 years from last interaction | Customer support, dispute resolution |
| Marketing Consent Records | Duration of consent + 3 years | Proof of consent compliance |
| Cookie & Tracking Data | Up to 13 months (or per cookie) | ePrivacy compliance |
At the end of the applicable retention period, personal data is securely deleted or irreversibly anonymized. Where data is retained in anonymized form for statistical purposes, it is no longer considered personal data and may be retained indefinitely.
In certain circumstances, retention periods may be extended where required by ongoing legal proceedings, regulatory investigations, or audits. We will inform you of such extensions where lawfully permitted to do so.
8. Your Rights
Depending on your jurisdiction, you have specific rights regarding your personal data. We are committed to honoring these rights and facilitating their exercise.
8.1 Rights Under the GDPR (EEA, UK, and Switzerland Residents)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the GDPR (and the UK GDPR):
- Right of Access (Article 15): You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data together with information about the processing (a "Subject Access Request").
- Right to Rectification (Article 16): You have the right to request correction of inaccurate personal data and to have incomplete data completed.
- Right to Erasure (Article 17): You have the right to request deletion of your personal data where there is no compelling reason for its continued processing. This right is subject to certain exceptions, including legal obligations and the defense of legal claims.
- Right to Restriction of Processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.
- Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as JSON or CSV) and to transmit that data to another controller.
- Right to Object (Article 21): You have the right to object to processing based on legitimate interests or direct marketing at any time. Where you object to direct marketing, we will cease such processing immediately.
- Right Related to Automated Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects. Where automated decisions are made, you have the right to obtain human intervention, express your point of view, and contest the decision.
8.2 Rights Under the CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act and the California Privacy Rights Act:
- Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which that information was collected, the business or commercial purposes for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions (such as where the data is necessary to complete a transaction, comply with a legal obligation, or detect security incidents).
- Right to Correct: You have the right to request correction of inaccurate personal information we hold about you.
- Right to Opt-Out of Sale or Sharing: You have the right to opt out of the sale or sharing of your personal information. PolyWager does not sell personal information. We do not share personal information for cross-context behavioral advertising purposes.
- Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of your sensitive personal information to purposes necessary for providing the Services.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights. You will not receive different pricing, quality, or level of service as a result of exercising your rights.
8.3 How to Exercise Your Rights
To exercise any of the rights described above, you may:
- Email our Data Protection Officer at dpo@polywager.io
- Send a written request to privacy@polywager.io
- Use the privacy rights request form available in your account settings
- Contact our customer support team via live chat or support ticket
We will verify your identity before processing any request to protect against unauthorized access to your data. We will respond to your request within 30 days (GDPR) or 45 days (CCPA), with the possibility of extension where necessary. If we are unable to fulfill your request due to a legal exception, we will provide a clear explanation.
If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority (for EEA/UK residents) or with the California Attorney General (for California residents).
9. Cookies & Tracking Technologies
We use cookies and similar tracking technologies to operate, secure, and improve our Services. A cookie is a small text file that is stored on your device when you visit our platform.
9.1 Essential Cookies (Strictly Necessary)
These cookies are necessary for the platform to function and cannot be disabled. They are used for:
- User authentication and session management (keeping you logged in)
- Security features including CSRF protection and fraud detection
- Load balancing and server routing
- Remembering your cookie consent preferences
9.2 Analytics Cookies
With your consent, we use analytics cookies to understand how users interact with our platform. These cookies help us:
- Measure page views, session duration, and user navigation patterns
- Identify popular features and pages, and areas for improvement
- Track platform performance metrics and error rates
- Generate aggregated usage statistics (individual users are not identified)
9.3 Preference Cookies
These cookies remember your choices and settings to provide a more personalized experience:
- Language and currency preferences
- Display settings (theme, layout preferences)
- Game preferences and recently played games
- Notification preferences
9.4 Managing Your Cookie Preferences
You can manage your cookie preferences through the following methods:
- Our cookie consent banner displayed on your first visit allows you to accept or decline non-essential cookies
- You can update your preferences at any time through the cookie settings link in the footer of our website
- Most web browsers allow you to control cookies through their settings (note: disabling essential cookies may impair platform functionality)
- You can opt out of specific analytics services (for example, Google Analytics) through their respective opt-out mechanisms
For more detailed information about the specific cookies we use and their purposes, please refer to our Cookie Policy, accessible from the footer of our website.
10. Children's Privacy
Our Services are strictly intended for individuals who are at least eighteen (18) years of age, or the legal age for gambling in their jurisdiction, whichever is greater. We do not knowingly collect, solicit, or process personal information from anyone under the age of 18.
In compliance with the Children's Online Privacy Protection Act (COPPA), the GDPR's provisions on children's data (Article 8), and the UK Age Appropriate Design Code, we implement the following measures:
- Mandatory date of birth verification during account registration
- Age verification as part of our KYC process, including document-based verification
- Immediate account termination and data deletion upon discovering an underage user
- Proactive monitoring for indicators of underage usage
If you believe that we have inadvertently collected personal data from a person under the age of 18, please contact us immediately at privacy@polywager.io, and we will take prompt steps to delete such information and terminate the associated account.
11. Security Measures
We implement comprehensive technical and organizational security measures designed to protect your personal data against unauthorized access, alteration, disclosure, destruction, or accidental loss. Our security program includes:
11.1 Technical Safeguards
- Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. Sensitive fields (such as KYC documents) are encrypted at the application layer with dedicated encryption keys.
- Two-Factor Authentication (2FA): We offer and encourage the use of two-factor authentication (TOTP and WebAuthn/FIDO2) for account access. 2FA is mandatory for high-value withdrawals and account settings changes.
- Password Security: Passwords are hashed using bcrypt with a high work factor. We enforce minimum password complexity requirements and check passwords against known breach databases.
- Network Security: Our infrastructure is protected by enterprise-grade firewalls, intrusion detection and prevention systems (IDS/IPS), DDoS mitigation, and continuous network monitoring.
- Secure Development Practices: We follow secure software development lifecycle (SDLC) practices, including code review, static analysis, dependency scanning, and regular penetration testing by independent third-party security firms.
11.2 Organizational Safeguards
- Access Controls: Access to personal data is restricted to authorized personnel on a strict need-to-know basis, enforced through role-based access control (RBAC) and least privilege principles.
- Employee Training: All staff receive mandatory data protection and security awareness training upon hiring and on a recurring annual basis.
- Vendor Security: Third-party service providers undergo security assessments before onboarding and are subject to ongoing compliance monitoring.
- Regular Audits: We conduct regular internal and external security audits, vulnerability assessments, and compliance reviews.
- Incident Response Plan: We maintain a documented incident response plan that is regularly tested and updated to ensure rapid detection, containment, and resolution of security incidents.
While we implement rigorous security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents in accordance with our Data Breach Notification procedures outlined in Section 12.
12. Data Breach Notification
In the event of a personal data breach, we have established procedures to comply with our notification obligations under the GDPR, CCPA, and other applicable laws:
12.1 Supervisory Authority Notification
Where a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR. Where notification is not possible within 72 hours, we will provide a reasoned justification for the delay.
12.2 User Notification
Where a personal data breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay. Notification will include:
- A clear description of the nature of the breach
- The categories and approximate number of data subjects and records affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate potential adverse effects
- Contact details of our Data Protection Officer for further information
12.3 Notification Methods
We will notify affected users via email to the address registered on their account. If direct communication is not feasible, we will issue a public notice on our website. For California residents, we will also comply with the breach notification requirements under California Civil Code Section 1798.82.
12.4 Breach Documentation
In accordance with Article 33(5) of the GDPR, we maintain a comprehensive record of all personal data breaches, including the facts surrounding the breach, its effects, and the remedial actions taken. These records are available for inspection by supervisory authorities upon request.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational purposes. When we make changes, we will:
- Update the "Effective Date" and "Last Updated" date at the top of this policy
- Notify you of material changes via email to the address associated with your account at least 30 days before the changes take effect
- Display a prominent notice on our platform informing you of the updated policy
- Where required by law, obtain your renewed consent before processing your data under the updated terms
- Maintain an archive of previous versions of this policy, available upon request
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Your continued use of the Services after the effective date of a revised policy constitutes your acceptance of the updated terms. If you do not agree with the changes, you should discontinue use of the Services and contact us to close your account.
14. Contact & Data Protection Officer
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please do not hesitate to contact us:
General Privacy Inquiries
Email: privacy@polywager.io
Response time: Within 5 business days
Data Protection Officer
Email: dpo@polywager.io
Response time: Within 3 business days
14.1 Data Protection Officer
PolyWager has appointed a Data Protection Officer (DPO) to oversee our data protection strategy and ensure compliance with applicable privacy laws. You may contact the DPO directly at dpo@polywager.io for any matters related to the processing of your personal data, the exercise of your data protection rights, or concerns about our data practices.
14.2 Supervisory Authority
If you are located in the European Economic Area or the United Kingdom and believe that our processing of your personal data infringes upon your rights under the GDPR, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities can be found at https://edpb.europa.eu/about-edpb/about-edpb/members_en. For UK residents, the relevant authority is the Information Commissioner's Office (ICO) at https://ico.org.uk.
14.3 California Attorney General
California residents may also contact the California Attorney General for information about their privacy rights under the CCPA/CPRA at https://oag.ca.gov/privacy.
We are committed to resolving any complaints or disputes about our data practices. Before filing a complaint with a supervisory authority, we encourage you to contact us directly so that we may have the opportunity to address your concerns. We will work diligently to resolve any issue in a fair and timely manner.
This Privacy Policy is effective as of February 24, 2026. PolyWager Entertainment Ltd. reserves all rights not expressly granted herein. This policy constitutes the entire agreement between you and PolyWager regarding our data processing practices and supersedes all prior representations, understandings, or agreements relating to the same subject matter.