Privacy Policy
Effective: [Effective Date TBD]
This Privacy Policy describes how [Company Name TBD] ("we", "us", "our") collects, uses, shares, and protects personal data in connection with FundedForecast (the "Service"), available at [final-domain.tbd]. By using the Service you acknowledge the processing described below.
1. Data We Collect
1.1 Account data
- Email address.
- Password — stored only as a bcrypt hash; the plaintext value is never persisted and is not visible to us.
- Username chosen by the user.
1.2 Technical & security data
- IP address — at registration and on referral-click events, the raw IP is hashed with SHA-256 before storage; we do not retain the plaintext IP.
- User-agent string of the browser/device.
- Approximate country, derived from IP geolocation at the time of the event.
- Session JWT issued on login, used to authenticate subsequent requests.
1.3 Affiliate & referral data
- Referral cookie ID set when a user lands via /r/{refCode}, with a lifetime of 60 days, used to attribute first purchases to the referring affiliate.
- Click events: hashed IP, user-agent, country, UTM parameters, and the resolved referral code.
- Crypto wallet address provided by affiliates to receive payouts.
- Conversion linkage between a referral click and the resulting user account and purchase.
1.4 Trading and audit data
- Challenge purchases, including amount, currency, NowPayments transaction reference, and timestamp.
- Trading activity associated with Challenges, including positions taken on Polymarket markets and resulting outcomes.
- Audit log of administrative actions affecting your account (for example, suspension, ban, payout failure, or commission adjustment), retained for accountability.
We do not currently perform identity verification (KYC) at the MVP stage. Database fields exist that may support KYC in the future but are not in active use.
2. How We Use Your Data
- To create and operate your account.
- To process Challenge purchases and grant access to the Service.
- To attribute referrals and calculate, hold, and pay affiliate commissions.
- To detect and prevent fraud, abuse, and multi-accounting, including same-IP correlation between affiliate and referred user.
- To enforce our Terms and respond to legal requests.
- To communicate service-related notices, including security alerts and changes to terms.
- To maintain audit logs of administrative actions for accountability and dispute resolution.
3. Legal Basis for Processing
Where the GDPR or analogous laws apply, we rely on the following legal bases:
- Contract performance — to provide the Service you have requested, including processing purchases and paying commissions.
- Legitimate interests — to protect the Service against fraud, abuse, and unauthorized access; to maintain accurate records; to improve reliability and security.
- Legal obligation — where we are required by law to retain or disclose data.
- Consent — for non-essential cookies or optional communications, where applicable; consent can be withdrawn at any time.
4. Data Sharing
We share personal data only with service providers that help us operate the Service, and only to the extent necessary:
- NowPayments — payment processing for Challenge purchases (cryptocurrency).
- Supabase — managed PostgreSQL database hosting for account, referral, and trading records.
- Vercel — application hosting and edge delivery.
- Upstash Redis — rate limiting and short-lived counters; processes hashed identifiers, not raw account data.
- Polymarket — execution and resolution of prediction-market positions taken within Challenges.
We do not sell personal data. We may disclose data when required by law, to enforce our Terms, or to protect the rights, safety, and property of users and third parties.
5. Cookies
- Referral cookie — stores a referral code for attribution; lifetime 60 days; first-party.
- Session cookie / JWT — keeps you logged in after authentication; first-party; expires per session policy.
- Third-party analytics or advertising cookies — not currently in use. If we add them, this Policy will be updated and, where required, consent will be obtained.
6. Data Retention
The retention periods below are illustrative and pending final legal review. They will be confirmed before public production launch.
- Account data — retained while your account is active and for a defined period thereafter [TBD years] to meet tax, accounting, and dispute-resolution obligations.
- Click and referral data — retained for approximately 90 days for fraud detection and attribution review, then aggregated or deleted.
- Audit log of admin actions — retained indefinitely for accountability, in line with security best practice.
- Payment records — retained as required by applicable financial-record-keeping laws.
7. Your Rights
Depending on your location, you may have the following rights:
- Access — request a copy of personal data we hold about you.
- Rectification — request correction of inaccurate or incomplete data.
- Deletion — request deletion of your data, subject to retention obligations and legitimate interests (e.g. fraud records, audit log).
- Portability — request your data in a structured, commonly used, machine-readable format.
- Objection / Restriction — object to or restrict processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
- Complaint — lodge a complaint with your local data-protection authority.
To exercise any of these rights, write to legal@[domain-tbd]. We may need to verify your identity before responding.
8. International Transfers
The Service relies on global cloud infrastructure (notably Vercel and Supabase). Your data may therefore be processed in countries outside your country of residence, including jurisdictions that may not provide an equivalent level of data protection. Where required, we rely on appropriate safeguards such as standard contractual clauses provided by our service providers.
9. Security
We apply technical and organizational measures appropriate to the risk, including:
- Passwords stored as bcrypt hashes only.
- IP addresses stored as SHA-256 hashes only; raw IPs are not persisted.
- HTTPS for all network traffic.
- Rate limiting on sensitive endpoints to mitigate brute-force and abuse.
- Audit logging of administrative actions.
- Principle of least privilege for internal access to production data.
No system is fully secure. In the event of a personal-data breach likely to result in risk to your rights and freedoms, we will notify you and the relevant authority where required by law.
10. Children
The Service is not intended for and may not be used by anyone under 18. The Affiliate Program is restricted to participants aged 18 or older. If we learn that we have collected personal data from a person under 18, we will delete the data and terminate the account.
11. Changes to this Policy
We may update this Policy from time to time. The effective date at the top of the document indicates when the latest version took effect. Material changes will be communicated through the Service or by email where appropriate.
12. Contact
For privacy questions or to exercise your rights, contact us at legal@[domain-tbd]. Postal address: [Registered Address TBD]. Company: [Company Name TBD], registration [Company Registration Number TBD].