Privacy Policy
This Privacy Policy describes how TypeBag ("we", "us") collects, uses, and shares personal data in connection with the Service at typebag.com.
1. Controller
The data controller is TypeBag SRL, registered in Romania. Contact: [email protected].
2. Data We Collect
Account and authentication
- Email address (via Privy authentication).
- Privy user identifier.
- Solana embedded-wallet address (public, on-chain).
- Optional display name you set yourself.
Gameplay
- Keystrokes during duels: each keypress, its position in the passage, the timestamp relative to game start, and whether it was correct. This data is required for fair-play enforcement.
- Match results, ratings, and aggregate stats.
- Browser fingerprint signals (user-agent, timezone, screen profile) used for sybil-detection.
Financial
- USDC deposit and withdrawal transactions, including blockchain signatures, source/destination addresses, and amounts.
- On-platform balance and audit-log of every change.
Technical
- IP address, country, and approximate region (from Cloudflare headers).
- Device, browser, and OS information.
- Server logs (request IDs, errors, latency, basic access logs).
3. Why We Process This Data
- Contract performance: running matches, settling pots, processing withdrawals.
- Legal obligation: sanctions screening, anti-money-laundering, regulator requests, tax reporting.
- Legitimate interest: anti-cheat enforcement, fraud detection, service security, basic analytics, debugging.
- Consent: any optional analytics or marketing where consent is required by law (see "Cookies" below).
4. Who We Share It With
- Privy — authentication and embedded-wallet provider. Receives email, social login data, and wallet metadata.
- Helius / QuickNode — Solana RPC providers. Receive on-chain transaction broadcast data and the platform wallet address.
- Hetzner Online GmbH — hosting provider for our servers and database.
- Cloudflare — CDN, DNS, and DDoS protection. Receives IP addresses and request metadata.
- Sentry (if enabled) — error monitoring. Receives stack traces and request IDs (PII redacted at the logger boundary).
- Discord — operational alerting. Receives non-personal incident metadata.
- Law-enforcement and regulators — when required by valid legal process.
We do not sell personal data and we do not share it with advertisers.
5. International Transfers
Some of our processors are based outside the European Economic Area. We rely on Standard Contractual Clauses, adequacy decisions, or other safeguards permitted by the GDPR for these transfers.
6. Retention
- Account records: for as long as the account is open, plus seven (7) years after closure for AML and tax compliance.
- Keystroke and game data: twelve (12) months from the date of the match, then aggregated and the raw rows deleted.
- Server logs: thirty (30) days, except for security incidents.
- On-chain data: blockchain records are immutable and outside our control.
7. Your Rights (GDPR)
If you are in the European Economic Area, the United Kingdom, or another jurisdiction with comparable data-protection rules, you have the right to access, rectify, erase, restrict, or object to processing of your personal data, the right to data portability, and the right to lodge a complaint with a supervisory authority. Send requests to [email protected]. We will respond within thirty (30) days.
Some data we are obliged to retain (e.g., AML records, sanctions screening results) cannot be erased on request. We will explain any such restriction in our response.
8. Cookies
We use a small number of strictly-necessary cookies for authentication and session management. We do not use third-party advertising cookies. If we add optional analytics, we will request consent first.
9. Children
The Service is not intended for, or directed at, anyone under 18. We do not knowingly collect personal data from minors.
10. Changes
We may update this Privacy Policy from time to time. The "Effective" date at the top reflects the latest version. Material changes will be communicated via email or in-app notice.