PoolDefy — Privacy Policy

Effective date: 4 May 2026 · Last updated: 4 May 2026 · Version 2.0

This Privacy Policy explains how PoolDefy (“we,” “us,” “the Platform”) collects, uses, shares, and protects personal information about users of the Platform at pooldefy.com and our related services (collectively, the “Services”). It applies to information we collect when you use the Services, whether or not you are logged in.

PoolDefy operates as a free-to-play promotional sweepstakes platform offering a Gold Coin (amusement) currency and a Promo Coin (sweepstakes) currency. The Promo Coin component triggers identity-verification and tax-reporting obligations on prize redemption. This Policy describes how we handle the data needed to operate that model, including identity documents, residential address, and payout-method information.

Information we collect
- Google account data (Google Sign-In)
How we use information
Legal bases for processing (EEA / UK)
When we share information
Public blockchain data
Cookies & similar technologies
Location & jurisdiction enforcement
How long we keep information
Security
Your rights
California residents (CCPA / CPRA)
Other U.S. state privacy rights
EEA / UK residents (GDPR)
Age & legal capacity
International transfers
Third-party links
Changes to this Policy
Contact

1. Information we collect

1.1 Information you provide

Account information. Email address, username, display name, password (hashed), and any optional profile fields (avatar, bio).
Eligibility & redemption verification. When you request a Promo Coin redemption (or where we have a reasonable basis to re-verify): full legal name, residential address, date of birth, government-issued photographic identification, proof-of-address documentation, and tax-reporting information (for example, a Form W-9 for U.S. residents reaching the IRS reporting threshold).
Communications. Messages you send to support, comments, chat messages, content you post on the Platform, and AMOE submissions you mail to us (Section 9 of the Terms of Use).
Purchase & redemption-related information. The USDC source-of-funds details for Gold Coin package purchases, the wallet addresses you nominate for redemption payouts, transaction hashes, and saved-address labels you create.
Two-factor / security credentials. TOTP secrets, recovery codes, security questions, and trusted-device tokens.

1.2 Information collected automatically

Device & technical data. IP address, user-agent string, device type and operating system, screen size, language, and approximate location derived from IP. Used both for service delivery and for enforcement of the ineligible-jurisdiction list (Section 7).
Browser fingerprint. A hash derived from non-PII signals (canvas, WebGL, font set, plugin set, time zone) used to detect duplicate accounts and ban evasion.
Activity data. Pages and contests you view, picks you submit, entries you make in either currency, Gold Coin package purchases, daily-reward claims, redemption requests, comments you post, watchlist items, follow / unfollow actions, and timestamps for each.
Performance & logs. Server logs, error reports, and websocket session metadata used for troubleshooting and platform reliability.

1.3 Information from third parties

Sports data providers. We receive event schedules, fixtures, and live results from independent sports-data providers (e.g. Sportmonks for football, NBA's CDN for basketball, ESPN for college sports). This data does not identify you.
Identity-verification vendors. When you request redemption, we may receive verification results from KYC / AML vendors (typically a pass / fail status, a confidence score, the document image you provided, and any sanctions / PEP / adverse-media flags).
Sanctions & risk databases. We may screen wallet addresses, IPs, and identity data against industry-standard sanctions and risk-flag lists.

1.4 Google account data (Google Sign-In)

If you choose to sign in with Google, PoolDefy uses Google's OAuth 2.0 / OpenID Connect flow. The disclosure below is provided to comply with the Google API Services User Data Policy, including the Limited Use requirements.

Data we access. We request only the standard sign-in scopes:

openid — to receive a Google-issued ID token that proves you control the Google account.
email — your primary Google email address and its verification status.
profile — your name and profile picture (received but not stored — see below).

We do not request, access, or use any other Google user data. We never request access to Gmail, Drive, Contacts, Calendar, photos, location, or any other Google service.

How we use the data. Solely to authenticate you to the PoolDefy platform — that is, to:

Create a PoolDefy account on first sign-in, or look up your existing account on subsequent sign-ins;
Verify the email address you signed in with so you don't have to confirm it separately;
Link your Google account to a single PoolDefy account so future Google sign-ins return you to the same profile.

We do not use Google account data for advertising, profiling, training machine-learning models, or any purpose other than authentication.

What we store. From the data Google returns we persist only:

Your email address (the same one stored for password-only signups);
The Google-issued stable user identifier (the sub claim) so we can recognise you on return.

We do not store the name or profile picture returned by the profile scope. We do not store Google access tokens or refresh tokens.

Sharing. Google account data is never sold, transferred, or shared with third parties. It is used only on PoolDefy's own backend for the authentication purpose described above. The data is processed on our infrastructure (currently Railway / Vercel — see Section 15 on international transfers).

Retention. Google account data we store is retained for the lifetime of your PoolDefy account. When you delete your PoolDefy account (Section 8), we delete the linked Google identifier and email along with the rest of your profile, subject to the regulatory retention windows described in that section.

Your control. You can disconnect Google sign-in from your PoolDefy account at any time by signing out and switching to password authentication, or by revoking PoolDefy's access from your Google Account at myaccount.google.com/permissions. Revoking access from Google does not delete your PoolDefy account; to delete the account itself, follow the instructions in Section 10.

Limited Use confirmation. PoolDefy's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

2. How we use information

Purpose	Categories used
Operate the Services. Authenticate you, run contests, settle results, process Gold Coin package purchases, credit Promo Coin grants, render leaderboards.	Account information, activity data, purchase & redemption-related information.
Sweepstakes prize redemption. Verify your identity and eligibility, calculate the prize amount, prepare tax-reporting forms where applicable, and broadcast the redemption transfer.	Account information, eligibility & redemption verification information, redemption-related information.
Anti-fraud, anti-collusion, anti-money-laundering. Detect multi-accounting, pick collusion, sanctions matches, AMOE abuse, and suspicious purchase / redemption patterns.	IP, fingerprint, wallet addresses, activity data, eligibility verification information.
Ineligible-jurisdiction enforcement. Block contest entries and redemptions for residents of, or persons physically located in, ineligible jurisdictions.	IP and approximate location, residential address (during verification).
Customer support. Respond to questions, investigate disputes, void or adjust where appropriate.	Account information, communications, activity data.
Communications. Transactional notifications (purchase confirmed, redemption status, contest settled, position changes), security alerts, and (with your consent or where permitted) product news.	Email, account preferences.
Product analytics & reliability. Diagnose bugs, measure feature adoption, improve the Platform.	Aggregated activity data, device & technical data.
Legal compliance. Tax reporting where required, sanctions screening, sweepstakes compliance, responding to lawful requests from regulators or law enforcement.	Account information, eligibility verification information, activity data.

3. Legal bases for processing (EEA / UK residents)

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

Contract performance — to provide the Services you've signed up for (operating contests, processing purchases, processing redemptions).
Legitimate interests — running anti-fraud and anti-collusion controls, preventing AMOE and bonus abuse, ensuring service reliability and security, and enforcing the ineligible-jurisdiction list.
Legal obligation — sanctions screening, AML / CTF compliance, sweepstakes-prize tax reporting, responding to lawful requests.
Consent — non-essential cookies, marketing emails, certain optional data uses you can opt out of at any time.

We share personal information only as follows:

Service providers and infrastructure. Hosting (Vercel, Railway), database (PostgreSQL on Railway), email delivery, analytics, fraud-detection, identity-verification (KYC / AML) vendors, and sweepstakes-administration vendors. These vendors process information on our behalf under contractual data-protection terms.
Tax authorities. Where prize totals require statutory reporting (for example, IRS Form 1099-MISC for U.S. residents reaching the annual threshold), we file the required forms and provide a copy to you.
Sweepstakes administrators & bond providers. Where required by state sweepstakes-registration rules, we may share anonymised contest-winner statistics with state regulators or with bond providers retained for the operation.
Sports-integrity bodies and regulators. Where we are required by law, by sports-integrity rules, or in response to lawful requests from law-enforcement or regulatory authorities.
Other users. Limited information for the social and competitive parts of the Platform — your username, avatar, public profile, comments, leaderboard placements, and contest entries are visible to other users by design.
Corporate transactions. In connection with a merger, acquisition, financing, reorganisation, or sale of assets, subject to confidentiality protections and applicable law.
Protection of rights and safety. Where we believe in good faith that disclosure is necessary to protect the rights, property, or safety of PoolDefy, our users, or the public.

We do not sell or rent your personal information to advertisers or data brokers, and we do not share personal information for cross-context behavioural advertising.

5. Public blockchain data

Gold Coin package purchases funded with USDC, and Promo Coin redemption payouts, occur on public blockchains (currently Polygon for USDC). Information you transmit on chain — including the wallet addresses involved, transaction hashes, amounts, and timestamps — is permanently and publicly viewable and is not under our control. Any third party can correlate on-chain activity associated with your wallet, including activity outside the Platform.

Inside the Platform we keep your wallet activity tied to your account so we can credit purchases and process redemptions. We do not publish your account-to-wallet linkage outside the Platform except as described in Section 4.

6. Cookies & similar technologies

We use cookies and similar storage technologies for the following purposes:

Strictly necessary. Authentication, session management, security, fraud prevention, and ineligible-jurisdiction enforcement. These cannot be disabled without breaking the Service.
Functional. Theme preferences, balance-hidden state, currency-toggle state, dismissed welcome banners, cached contest feed.
Analytics. Aggregated usage analytics to improve the product. You may decline these via your browser controls.

We do not currently use third-party advertising cookies. If we adopt them in future, we will update this Policy and provide a clear opt-in mechanism where required.

7. Location & jurisdiction enforcement

Because Promo Coin sweepstakes contests and redemptions are unavailable in certain jurisdictions (Section 4 of the Terms of Use), we determine an approximate location for every session using:

The IP address of the connection;
Where you have completed identity verification, the residential address on file;
The country / state attribute of any payment instrument you use.

We do not collect precise GPS-level location. We may block access to the Promo Coin portion of the Services from sessions whose approximate location resolves to an ineligible jurisdiction; the Gold Coin portion may remain accessible at our discretion. Attempts to obscure your location through VPNs, proxies, or false residence statements are a Terms violation and may result in account suspension.

8. How long we keep information

Active account data — for as long as your account exists.
Purchase & redemption records — retained for the period required by tax, AML, sweepstakes, and accounting laws (typically 5–7 years after the last transaction).
Identity-verification records — retained for the period required by AML / KYC / sweepstakes rules in the operating jurisdiction (typically 5 years after the last redemption).
AMOE postal records — retained for 12 months after the grant is credited, in case of an audit or dispute.
Server & security logs — retained for up to 90 days for routine logs, longer for incidents under investigation.
Closed accounts — we retain a minimal record (account ID, closure reason, retention triggers) to honour deletion / re-registration prevention obligations and to defend legal claims.

9. Security

We implement administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit, hashed passwords, role-based access controls, audit logs, two-factor step-up for sensitive admin actions, and segregation patterns for treasury and redemption wallets. No system is perfectly secure; if you have reason to believe your account has been compromised, contact us immediately at support@pooldefy.com.

10. Your rights

Subject to applicable law, you have the right to:

Access the personal information we hold about you and request a copy.
Correct inaccurate or incomplete information.
Delete your information, subject to retention obligations described in Section 8.
Restrict or object to certain processing.
Port your information to another service in a structured, machine-readable format.
Withdraw consent for any processing that relies on it.
Lodge a complaint with a supervisory authority where one applies.

To exercise any of these rights, email support@pooldefy.com. We will respond within the time frame required by applicable law (typically 30–45 days).

11. California residents (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

Right to know the categories and specific pieces of personal information we have collected, the sources, the purposes for collection, and the categories of recipients.
Right to delete personal information we have collected, subject to legal exceptions.
Right to correct inaccurate personal information.
Right to opt out of sale or sharing. We do not sell or share personal information for cross-context behavioural advertising.
Right to limit use of sensitive personal information. Sensitive PII (e.g. ID-verification documents, government identifiers, exact location, financial information) is used only for the disclosed compliance and redemption purposes.
Right to non-discrimination for exercising any of these rights.

To exercise these rights, email support@pooldefy.com. We may need to verify your identity before responding.

12. Other U.S. state privacy rights

Residents of Colorado, Connecticut, Utah, Virginia, Texas, Oregon, New Hampshire, Delaware, and other U.S. states with comprehensive consumer-privacy statutes have rights similar to those described in Section 11, subject to each state's specific framework. Those rights generally include access, correction, deletion, portability, and the right to opt out of targeted advertising, sale, and certain types of profiling. To exercise these rights, email support@pooldefy.com; we will route your request to the appropriate workflow for your state.

13. EEA / UK residents (GDPR / UK GDPR)

If you are in the European Economic Area or the United Kingdom, the legal bases for our processing are described in Section 3, and the rights described in Section 10 apply to you in the form set out in the GDPR / UK GDPR. You have the right to lodge a complaint with your national supervisory authority. The data controller is the entity operating PoolDefy.

14. Age & legal capacity

The Services are intended only for individuals aged 18 or older (or the age of majority in your jurisdiction of residence if higher), and only for individuals with the legal capacity to enter into contracts and to participate in promotional sweepstakes in their jurisdiction of residence. We do not knowingly collect personal information from any individual under 18. If you become aware that information has been provided to us by an individual under 18, contact support@pooldefy.com and we will remove it.

15. International transfers

We operate globally and may transfer personal information to countries other than the one in which you reside. Where we transfer information out of the EEA or UK, we use appropriate safeguards (e.g. EU Standard Contractual Clauses) to provide a level of protection equivalent to your home jurisdiction.

16. Third-party links

The Platform may link to third-party websites and services (e.g. blockchain explorers, sports-integrity bodies, identity-verification vendor portals, social media). Their privacy practices are not covered by this Policy — review their policies before interacting.

17. Changes to this Policy

We may update this Policy from time to time. Material changes will be communicated via email or in-Platform notice at least 14 days before they take effect. The effective date at the top of this Policy reflects the most recent revision.

18. Contact

Questions, requests to exercise your rights, or complaints? Email support@pooldefy.com.

Contents