Privacy Policy
Last updated: [EFFECTIVE_DATE]
This Privacy Policy describes how [ENTITY], a BVI Foundation Company organized under the laws of the British Virgin Islands (“SportsPerp,” “we,” “us,” or “our”), collects, uses, discloses, and protects information when you access or use the SportsPerp web interface at https://app.sportsperp.xyz, the SportsPerp documentation site at https://docs.sportsperp.xyz, our public APIs at https://api.sportsperp.xyz, the SDK, and any other site, application, or service we operate (collectively, the “Frontend”).
This Policy supplements, and is incorporated into, our Terms of Use. Capitalized terms not defined here have the meanings given in the Terms of Use.
Please read this Policy carefully. By accessing or using the Frontend you confirm that you have read and understood it. If you do not agree with any part of this Policy, do not access or use the Frontend.
1. About this Policy and the on-chain protocol
SportsPerp consists of three distinct surfaces, and this Policy applies to only one of them:
- The Frontend that we host, which is governed by this Policy.
- The On-chain Program, which is permissionless, deterministic, and operates on the Solana blockchain. We do not control the blockchain and do not separately “collect” the data that you and others publish to it by transacting.
- Third-party interfaces that interact with the same on-chain Program, which we do not control and to which this Policy does not apply.
Information that you publish to the Solana blockchain — including wallet addresses, transaction signatures, position state, and on-chain events — is public by design, permanent, and outside our control. We cannot edit, delete, or rectify on-chain records. Where this Policy refers to “personal data,” “personal information,” or similar, it refers only to data we process through the Frontend.
2. Controller
For the purposes of the EU/UK General Data Protection Regulation, the equivalent legislation in your jurisdiction, and any other applicable data-protection law, the controller of personal data processed through the Frontend is:
[ENTITY]
[ENTITY_REGISTERED_ADDRESS]
Privacy contact: privacy@sportsperp.xyz
If you are in the European Union, the European Economic Area, the United Kingdom, or another jurisdiction that requires it, you may contact our local representative or data-protection officer at the same address.
3. Categories of information we collect
We aim to collect the minimum data necessary to operate the Frontend. The categories below describe what we may collect; not every category applies to every visitor.
3.1 Information you provide voluntarily
We collect information you choose to provide, including when you:
- contact us by email or through a community channel (Telegram, Discord, etc.): the contents of your message, the channel handle, and any contact details you include;
- respond to a survey, application, or bug-bounty submission: the responses and any supporting material you share;
- submit feedback about the Frontend, the Program, or the documentation.
We do not require, and do not intentionally collect, government-issued identification, full legal name, residential address, date of birth, payment-card details, banking information, or other formal know-your-customer (“KYC”) data through the Frontend.
3.2 Wallet and on-chain interaction data
When you connect a self-custodial wallet to the Frontend, we process:
- your public wallet address (a public Solana key — not, by itself, a direct identifier of any natural person);
- the public state associated with that wallet that we read from the blockchain (positions, collateral, transaction history) in order to display it back to you; and
- the unsigned-transaction payloads we construct for you to sign.
We do not receive your private key, seed phrase, or signing material at any point. All signatures occur in your wallet, on your device.
Some jurisdictions, including parts of the European Union and the United Kingdom, treat a wallet address that can be linked to a natural person as personal data. To the extent that is true in your jurisdiction, we process your wallet address as personal data and you have the rights described in Section 9.
3.3 Technical and device data
When you access the Frontend, our servers and our infrastructure providers automatically collect technical data, including:
- IP address (in most cases truncated, hashed, or short-retention only — see Section 7);
- approximate geographic location derived from IP (country/region level, used for restricted-jurisdiction enforcement);
- browser type and version, operating system, and device type;
- the page or API endpoint requested, HTTP referrer, request timestamp, response status code, and User-Agent;
- a session identifier or other short-lived technical identifier to enable the Frontend to function.
3.4 Usage and analytics data
We may collect aggregated, statistical, and event-level usage data such as:
- pages viewed, components interacted with, and feature usage;
- error events, latency, and other operational telemetry;
- approximate referral source and campaign attribution where you arrive via a tracked link.
Where we use analytics or telemetry providers, we do so under the cookie and tracking framework described in Section 8.
3.5 Cookies and similar technologies
We use cookies, local-storage entries, and similar technologies to operate the Frontend, to remember preferences, and to measure usage. See Section 8 for the categories and how to manage them.
4. How we use information
We use the information we collect for the following purposes:
| Purpose | Examples | Legal basis (EU/UK GDPR) |
|---|---|---|
| Operate the Frontend | Routing requests, signing flows, displaying positions, serving APIs and websocket feeds, providing the documentation. | Necessary for the performance of our contract with you (Art. 6(1)(b)). |
| Compliance and restricted-jurisdiction enforcement | Geo-blocking, sanctions/wallet screening, responding to legal orders. | Compliance with a legal obligation (Art. 6(1)(c)); our legitimate interests in protecting the Frontend and complying with applicable law (Art. 6(1)(f)). |
| Security, fraud prevention, abuse mitigation | Detecting attacks, rate-limiting, blocking Sybil and incentive abuse, investigating exploits. | Legitimate interests (Art. 6(1)(f)); compliance with legal obligations (Art. 6(1)(c)). |
| Service improvement and analytics | Diagnosing bugs, measuring performance and feature usage, improving UX. | Legitimate interests (Art. 6(1)(f)); your consent where required (Art. 6(1)(a)). |
| Communications | Responding to your messages, sending operational notices, providing community support. | Performance of contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)). |
| Marketing (limited) | Announcing protocol updates or events via our official channels (no targeted advertising). | Your consent (Art. 6(1)(a)); legitimate interests (Art. 6(1)(f)). |
| Establish, exercise, or defend legal claims | Responding to disputes, regulatory inquiries, and litigation. | Legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)). |
We do not sell your personal information, we do not use it for cross-context behavioral advertising, and we do not subject you to automated decision-making producing legal or similarly significant effects on you.
5. How we obtain information
We obtain information:
- Directly from you, when you provide it in messages, submissions, or by interacting with the Frontend;
- Automatically, through technical interactions between your device and our infrastructure (logs, cookies, telemetry); and
- From the Solana blockchain, when we read public on-chain state in order to render it in the Frontend.
We do not currently purchase personal data from data brokers.
6. Sharing and disclosure
We share personal information only as set out below, and we do not sell personal information.
6.1 Service providers (“sub-processors”)
We share personal information with third parties that provide infrastructure or operational services on our behalf, including, by category:
| Category | Function | Examples |
|---|---|---|
| Hosting and edge | Serving the Frontend and the documentation site | Vercel |
| Backend infrastructure | Running off-chain services that compute and serve the OBV index and candle data | Hetzner |
| RPC and blockchain access | Submitting and reading Solana transactions and account state | Helius |
| Match data | Sourcing the underlying football statistics that feed the OBV index | StatsBomb |
| Wallet integration | Standard wallet adapters that connect your wallet to the Frontend | Phantom, Solflare, Backpack |
| Community channels (if you contact us through them) | Hosting community communication | Telegram, Discord |
| Operational alerting | Internal alerts about system health (used to protect users) | Telegram, email |
These service providers process personal information only on our documented instructions and are bound by appropriate confidentiality and data-protection obligations. The current list of categories above is illustrative and may change as our infrastructure evolves; the categories of recipients will continue to reflect this Policy.
6.2 Legal, regulatory, and safety
We may disclose personal information where we reasonably believe disclosure is necessary to:
- comply with a court order, subpoena, regulator’s request, or other legal process;
- enforce the Terms of Use or our Restricted Persons policy;
- protect the rights, property, safety, or security of the SportsPerp Parties, our users, or any third party;
- investigate or prevent fraud, exploitation, abuse, security incidents, or other illegal activity.
6.3 Corporate transactions
If we are involved in a merger, acquisition, financing, asset sale, restructuring, insolvency, or other corporate transaction, personal information may be transferred to the counterparty or successor entity, subject to commercially reasonable confidentiality protections and to the continued application of this Policy (or a successor policy that is materially no less protective).
6.4 With your consent
We may share personal information with other parties where you have given us specific, informed consent to do so.
6.5 Aggregated or de-identified data
For any lawful purpose and without restriction, we may share aggregated, anonymized, or de-identified information that does not reasonably identify any individual.
7. Retention
We retain personal information only for as long as needed to fulfil the purposes described in this Policy, including any reasonable period required to comply with our legal, regulatory, accounting, or reporting obligations, to enforce our agreements, or to resolve disputes. As guidance:
- Server access logs — typically up to 90 days, then aggregated or deleted.
- Analytics events — typically up to 14 months in identifiable or pseudonymous form, then aggregated.
- Support and community correspondence — for the duration of the relationship plus a reasonable period thereafter for record-keeping.
- Compliance and sanctions screening records — for the period required by applicable law (which can be several years).
- On-chain data — permanent and outside our control (see Section 1 and Section 9.5).
When personal information is no longer needed, we delete, anonymize, or aggregate it.
8. Cookies and similar technologies
8.1 Categories we use
We use the following categories of cookies and similar technologies on the Frontend:
| Category | Purpose | Required? |
|---|---|---|
| Strictly necessary | Operate the Frontend, route requests, remember your wallet connection state, enforce security and rate limits. | Always on; cannot be refused without disabling the Frontend. |
| Functional | Remember preferences such as selected market, chart timeframe, recently visited markets, and theme. | Optional. |
| Analytics / performance | Measure how the Frontend is used and how it performs, so we can improve it. | Optional; we ask for consent where required by law. |
We do not use advertising or cross-site tracking cookies. We do not participate in any cross-context behavioral advertising network.
8.2 Managing cookies
You can control cookies through your browser settings (clearing, blocking, or limiting them) or, where we present a consent banner, through the choices in that banner. Disabling strictly-necessary cookies may make parts of the Frontend non-functional.
8.3 “Do Not Track” signals
Because there is no industry-standard definition for “Do Not Track” signals, we currently do not respond to them. We will revisit this position if and when a generally accepted standard emerges.
9. Your rights
Subject to applicable law and to the limits explained in Section 9.5, you have the following rights with respect to personal information we hold about you:
| Right | What it means |
|---|---|
| Access | Obtain confirmation of whether we process your personal data and, if so, a copy. |
| Rectification | Have inaccurate or incomplete personal data corrected. |
| Erasure | Ask us to delete personal data we no longer have a lawful basis to keep. |
| Restriction | Ask us to restrict processing while a request is being verified or while we have an overriding legitimate ground to keep it. |
| Objection | Object to processing based on our legitimate interests, including for analytics. |
| Portability | Receive your personal data in a structured, commonly used, machine-readable format, where the processing is based on consent or contract and carried out by automated means. |
| Withdraw consent | Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of processing before the withdrawal. |
| Lodge a complaint | Lodge a complaint with the data-protection authority in your jurisdiction. We would, of course, appreciate the chance to address your concern first — contact privacy@sportsperp.xyz. |
9.1 How to exercise your rights
Email us at privacy@sportsperp.xyz with a clear description of the right you wish to exercise. We may need to verify your identity, including by asking you to sign a message from the wallet address to which the request relates. We will respond within the period required by applicable law (typically one month under the GDPR, extendable in certain circumstances).
9.2 California residents (CCPA / CPRA)
If you are a California resident, you have the right to know what personal information we collect, the right to delete and correct it, the right to opt out of sale or sharing for cross-context behavioral advertising (which we do not engage in), the right to limit the use of sensitive personal information, and the right not to be discriminated against for exercising these rights. We do not knowingly sell or share personal information of California residents. To exercise these rights, contact privacy@sportsperp.xyz.
9.3 Brazil (LGPD), Canada (PIPEDA), and other regimes
Where the LGPD, PIPEDA, or other applicable privacy law grants you rights analogous to those listed above, those rights are also available to you. Contact privacy@sportsperp.xyz and we will treat your request in accordance with the applicable law.
9.4 Authorized agents
You may designate an authorized agent to make a request on your behalf. We may require proof that you have authorized the agent to act for you and may verify your identity directly.
9.5 Limits on your rights with respect to on-chain data
The Solana blockchain is a public, distributed network. Once a transaction is confirmed, the associated data — including wallet addresses, transaction signatures, amounts, and timestamps — is permanent and replicated across nodes that we do not control. We cannot:
- erase, modify, or anonymize on-chain data;
- prevent others from reading on-chain data; or
- compel third-party block-explorers, indexers, or other observers to remove it.
To the extent your right to erasure, rectification, or restriction is incompatible with this technical reality, we are unable to fulfil the request as it relates to on-chain data. We can, however, delete or anonymize personal information held in our off-chain systems where the applicable law and our retention obligations allow.
10. International transfers
We are established in the British Virgin Islands, and our service providers operate infrastructure across multiple countries, including in the European Economic Area, the United Kingdom, the United States, and elsewhere. When we transfer personal information across borders, we put in place appropriate safeguards required by applicable law, including, where relevant, Standard Contractual Clauses approved by the European Commission, the United Kingdom International Data Transfer Addendum, or another lawful transfer mechanism. You can request a copy of the safeguards applicable to a given transfer by contacting privacy@sportsperp.xyz.
11. Security
We implement administrative, technical, and physical safeguards reasonably designed to protect personal information against unauthorized access, alteration, disclosure, loss, or destruction. These include access controls, encryption in transit, segregation of secrets and signing material, logging and monitoring, and routine reviews of our infrastructure.
No system is perfectly secure. We cannot guarantee the absolute security of personal information, and you transmit it to us at your own risk. You are solely responsible for the security of your wallet, your seed phrase, your private keys, and the device on which you sign transactions. We will never ask for, and you should never share, your seed phrase or private key with us.
If we become aware of a security incident affecting personal information that triggers a notification obligation under applicable law, we will notify the affected users and the relevant authorities within the timeframes required by that law.
12. Children
The Frontend is not directed to, and is not intended for use by, individuals under 18 years of age (or, where higher, the age of majority in their jurisdiction). We do not knowingly collect personal information from anyone under that age. If you believe we may have collected personal information from a child, contact privacy@sportsperp.xyz and we will take appropriate steps to delete it.
13. Third-party sites and integrations
The Frontend may link to, embed, or integrate with third-party sites and services that we do not control. This Policy does not apply to those third parties; their information practices are governed by their own privacy policies, which we encourage you to review. We are not responsible for the content or practices of any third party.
14. Changes to this Policy
We may update this Policy from time to time. When we make material changes, we will revise the “Last updated” date at the top of this page and, where reasonably practicable, post a notice in the Frontend and on the Official Links channels at least thirty (30) days before the change takes effect. Your continued use of the Frontend after the effective date of an update constitutes your acceptance of the updated Policy.
15. Contact
For any question about this Policy, or to exercise any of the rights described in Section 9, contact:
Privacy contact: privacy@sportsperp.xyz
Postal address: [ENTITY_REGISTERED_ADDRESS]