Privacy Policy

1. Data Controller Identity and Contact

The data controller responsible for the processing of your personal data is:

As MindMetrics International S.R.L is incorporated in Costa Rica, your data is processed under Costa Rican law (Law No. 8968 -- Protection of Persons Against the Processing of Their Personal Data) as the primary framework for processing carried out under our incorporation. For data subjects located in the European Economic Area (EEA) or the United Kingdom, who may access the Platform under our declaration-gated access model, the EU General Data Protection Regulation (GDPR) and/or the UK GDPR apply to the processing of your personal data, and we comply with those frameworks as described in this document.

2. Scope of This Policy

This Policy applies to all personal data we collect when you:

• Visit or use predictarena.io and any associated pages or APIs
• Create an Account or sign in
• Use any Platform feature (Agent setup, pool allocations, deposits, withdrawals)
• Contact us by email
• Complete compliance declarations
• Purchase the World Cup Pass

This Policy does not apply to third-party services you access via links from the Platform. Those services have their own privacy policies.

3. Personal Data We Collect

3.1 Account and Identity Data

• Email address (provided directly or via Google OAuth)
• Display name (chosen by you or imported from Google profile)
• Profile avatar URL (from Google profile, if using Google sign-in)
• Account creation date and timestamp
• Authentication provider (Google OAuth or email/password)
• IP address at registration, login, and significant account actions
• Country of access (derived from IP address, used for geo-blocking enforcement only)

3.2 Compliance and Declaration Data

• Full text of each compliance declaration completed
• IP address at the time of each declaration
• Precise UTC timestamp of each declaration
• Cumulative deposit level at time of enhanced declaration trigger
• KYC verification status (pass/fail/pending -- full identity documents processed by a specialist identity verification provider only)

3.3 Platform Activity Data

• Agent configuration: preset type, allocation amount setting, live additions enabled/disabled, creation date
• Pool allocation records: pool ID, outcome allocated, amount, timestamp, result, payout amount
• Settlement history: credits, refunds, payout amounts, and timestamps
• Correct prediction count and Agent selection history (used for Agent status, rankings, and personalization)
• Leaderboard ranking and earnings history
• Free trial activation date and expiry
• Subscription status (trial, wc_pass, expired) and pass expiry date

3.4 Financial Transaction Data

• USDC deposit addresses generated for your Account
• Blockchain transaction hashes for deposits
• Deposit amounts and timestamps
• Withdrawal wallet addresses provided by you
• Withdrawal amounts, timestamps, and blockchain transaction hashes
• Cumulative deposit total (used for KYC threshold tracking)
• Transaction reference number and payment status

3.5 Technical and Device Data

• Browser type, version, and rendering engine
• Operating system type and version
• Device type (desktop, mobile, tablet)
• HTTP request headers (User-Agent, Accept-Language, etc.)
• Authentication session token (httpOnly, Secure cookie -- not readable by JavaScript)
• Edge network access logs (IP, path, timestamp, response code) -- retained for security, abuse prevention, and operational reliability

3.6 KYC Data (where applicable)

For Users whose cumulative deposits exceed USD 9,990, identity verification is performed by a specialist third-party identity verification provider. That provider may process a government-issued identity document (passport, national ID), a live facial recognition check, and address verification. We receive only a verification outcome (verified / not verified). We do not store, process, or have access to your identity document images or biometric data. The verification provider processes this data under its own privacy policy and applicable data protection law.

3.7 Support Communications

• Email content and metadata of support communications
• Transaction hashes or other identifiers you provide in support requests
• Support ticket history and resolution records

3.8 Data We Do Not Collect

• Full payment card numbers, CVV codes, or bank account details
• Private keys, wallet seed phrases, or mnemonic phrases (never requested or stored)
• Precise GPS location data (country-level only from IP)
• Social media accounts or profile data beyond Google OAuth (email, name, avatar)
• Biometric data beyond that processed directly by the specialist identity verification provider for KYC
• Health data, racial or ethnic origin, political opinions, religious beliefs, or other special category data
• Data about children (the Platform is not directed at users under 18)

4. How We Collect Your Data

• Directly from you: when you register, complete declarations, configure your Agent, make deposits or withdrawals, purchase the World Cup Pass, or contact support.
• Via Google OAuth: when you choose "Sign in with Google", Google's authentication service provides us with your email address, display name, and profile picture URL. We request only these basic profile scopes. We do not access your Google Drive, Contacts, Calendar, or any other Google service data.
• Automatically: IP address, browser, device type, and access logs are collected automatically when you access the Platform.
• Via blockchain monitoring: deposit transaction data is received from the Base blockchain through a secure blockchain infrastructure provider. We monitor only addresses generated for your Account.
• World Cup Pass purchase: transaction reference and customer email upon successful purchase. We do not receive card numbers or banking details.
• Via identity verification provider: KYC verification status (pass/fail) is received from a specialist identity verification provider. No identity document data is transferred to us.

5. Legal Basis for Processing

We process your personal data under the following legal bases. Where GDPR applies (as described in Section 1), these bases correspond to GDPR Article 6 legal bases:

6. How We Use Your Data

• To create and manage your Account and verify your identity and eligibility.
• To operate your Agent, execute Pool allocations, and calculate Settlement payouts.
• To process USDC deposits (generate deposit addresses, monitor on-chain activity) and withdrawals.
• To enforce geographic access restrictions and blocked country lists.
• To verify and enforce subscription status and World Cup Pass expiry.
• To process and record compliance declarations in accordance with AML requirements.
• To trigger and process KYC verification at applicable deposit thresholds.
• To detect, investigate, and prevent fraud, money laundering, account takeover, and violations of these Terms.
• To send transactional communications: pool settlement notifications, withdrawal confirmations, trial expiry reminders, pass expiry notifications, and material platform updates.
• To respond to your support requests.
• To comply with applicable laws and respond to lawful requests from authorities.
• To maintain and improve Platform security, infrastructure, and performance.
• To generate anonymised, aggregated usage statistics for Platform improvement.

We do not:

• Sell, rent, or trade your personal data to third parties.
• Use your personal data for behavioural advertising or ad targeting.
• Use your personal data to train external AI or machine learning models.
• Share your data with sponsors, partners, or affiliates for their own marketing purposes.
• Use automated decision-making that produces legal or similarly significant effects on you without human review.

7. Data Sharing

We do not sell, rent, or trade your personal data. We share limited personal data only in the following circumstances:

• Service providers: We engage trusted third-party service providers (including hosting, infrastructure, authentication, payment processing, blockchain monitoring, wallet services, and identity verification) who process limited personal data on our behalf solely to operate the Platform. All service providers are bound by confidentiality obligations and data protection requirements, and are permitted to use your data only to provide their services to us.
• Payment processing: When you purchase the World Cup Pass, your email address and payment reference are shared with our Merchant of Record payment processor. Your card details are processed directly by the payment processor and are never accessible to MindMetrics International S.R.L.
• Fiat onramp (optional): If you use the in-platform fiat-to-USDC purchase option, your payment and identity data are processed directly by the onramp provider under their own privacy policy. We receive only a destination wallet address and transaction confirmation.
• Identity verification (KYC): If you exceed applicable deposit thresholds, your identity documents and biometric data are processed directly by our third-party KYC provider. We receive only a verification status (pass/fail). We do not store or access your identity documents.
• Google OAuth: If you sign in with Google, Google processes your authentication. We receive only your email address, display name, and profile picture via standard OAuth scopes.
• Blockchain infrastructure: Your Platform-generated deposit wallet addresses are monitored via a blockchain data infrastructure provider. No personal identity data is shared with this provider.
• Legal requirements: We may disclose personal data where required by applicable law, regulation, court order, or lawful request from governmental or regulatory authorities.
• Protection of rights: We may disclose data to protect the rights, property, or safety of the Platform, its Users, or the public.
• Corporate transactions: In connection with a merger, acquisition, or sale of the Company or its assets, your data may be transferred to the successor entity. We will notify you before your data is transferred and becomes subject to a different privacy policy.

We do not share your data with advertisers, data brokers, sponsors, or any party for their own marketing purposes.

8. International Data Transfers

Your personal data may be transferred to and processed in countries outside your country of residence, including the United States and the European Union, by the service providers we engage to operate the Platform. We ensure that all such transfers are subject to appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914) where applicable.
• Contractual data protection obligations requiring service providers to maintain standards equivalent to those described in this Policy.
• Reliance on adequacy decisions where applicable jurisdictions have received adequacy status.

Data subjects located in the European Economic Area and the United Kingdom may access the Platform under our declaration-gated access model. Accordingly, the EU GDPR and the UK GDPR apply to the processing of their personal data, and we comply with these frameworks — including by providing the data-subject rights described in this Policy and by applying appropriate safeguards to international transfers (such as Standard Contractual Clauses where applicable). Costa Rican law (Law No. 8968) remains the primary framework for processing carried out under our incorporation.

For any questions about international transfers or to request details of applicable safeguards, contact privacy@predictarena.ioCopy.

9. Data Retention Schedule

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law.

When data is no longer required, it is securely deleted or permanently anonymised. Deletion requests are subject to mandatory retention requirements, which override deletion requests for data subject to legal hold obligations.

10. Your Data Protection Rights

You have the following rights regarding your personal data. We will respond to all requests within 30 days. Complex requests may take up to 90 days, in which case we will notify you within 30 days of receipt. We may verify your identity before processing your request.

To exercise any of these rights, contact privacy@predictarena.ioCopy with the subject line "Data Rights Request -- [Right Type]" and your registered email address.

11. Automated Decision-Making and Profiling

The Platform uses automated rules-based Agent systems to make Pool allocation decisions on behalf of users. These are algorithmic decisions based on pre-defined scoring formulas. They do not constitute automated decision-making with legal or similarly significant effects on individuals (within the meaning of GDPR Article 22), as the User retains full control over Agent selection, funding levels, and deactivation at all times. No Agent decision affects the User's legal rights, employment, credit, insurance, healthcare, or similar status.

Geographic access restrictions are enforced automatically based on IP-derived country data. This is a compliance measure, not a profiling decision. Users who believe their access has been incorrectly restricted may contact support@predictarena.ioCopy for manual review.

KYC verification thresholds are triggered automatically by cumulative deposit totals. This triggers a process conducted by a specialist third-party provider -- it does not itself make a decision about your eligibility. The KYC outcome from the specialist provider determines whether you may continue depositing.

We do not use your personal data for behavioural profiling, credit scoring, insurance assessment, employment screening, or any other high-stakes automated decision-making.

12. Blockchain Data and Public Information

The Platform operates on the Base blockchain, a public decentralised ledger. Certain data related to your Platform activity is inherently public:

• Your unique deposit wallet address is recorded on-chain when you make a deposit.
• All USDC transfer transactions to and from Platform wallets are publicly visible on the Base blockchain.
• Agent Treasury values and transparency API values are publicly disclosed on the Platform.

Blockchain transactions are immutable and permanent. We cannot delete or modify on-chain data. Your deposit wallet address, while public on-chain, is not linked to your name or identity in any publicly available Platform data. The Platform does not publish any mapping of wallet addresses to user identities.

If you are concerned about blockchain privacy, consider using a fresh wallet address for Platform deposits that is not publicly associated with your identity elsewhere.

13. Cookies and Local Storage

We use strictly necessary cookies and browser storage only. No non-essential, tracking, advertising, analytics, or third-party cookies are used.

We do not use Google Analytics, Meta Pixel, Hotjar, Mixpanel, or any other client-side analytics or tracking tool. No cookie consent banner is shown because we use only strictly necessary cookies, which are exempt from consent requirements under ePrivacy Directive Article 5(3) and equivalent national legislation.

The Platform may use browser localStorage or sessionStorage to temporarily store UI state (e.g. agent setup progress). This data is local to your browser, not transmitted to our servers, and cleared when you clear your browser data.

14. Security Measures

We implement the following technical and organisational security measures to protect your personal data:

Despite these measures, no system is completely immune to security risks. In the event of a personal data breach that poses a risk to your rights and freedoms, we will: notify relevant supervisory authorities within 72 hours of becoming aware (where required by applicable law); notify affected Users without undue delay where the breach is likely to result in a high risk to their rights; provide details of the breach, its likely consequences, and the measures taken or proposed.

15. Children's Privacy

PredictArena is not directed at or intended for use by individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. Age confirmation is a mandatory eligibility declaration at registration.

If we become aware that we have inadvertently collected personal data from an individual under 18, we will delete that Account and all associated personal data promptly. If you are a parent or guardian and believe a minor has registered on the Platform, please contact privacy@predictarena.ioCopy immediately.

16. Marketing Communications

We send transactional communications as part of Platform operation (settlement notifications, withdrawal confirmations, trial expiry reminders). These are not marketing communications and are not subject to marketing opt-out.

If we introduce marketing or promotional communications in future (tournament updates, new feature announcements), we will request your explicit consent before sending them. You may withdraw consent at any time by using the unsubscribe link in any marketing email or by emailing privacy@predictarena.ioCopy.

We will never sell your email address or personal data to any third party for marketing purposes.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, Platform features, or applicable law. The current version will always be available at predictarena.io/privacy with the version number and date of last update.

For material changes (changes that affect your rights or how we use your data), we will provide at least 7 days' advance notice via email and in-platform notification. For non-material changes (clarifications, third-party additions), we will update the Policy with an updated date.

Continued use of the Platform after the effective date of any update constitutes your acceptance of the updated Policy. If you do not agree to a material change, you should cease using the Platform and may request deletion of your data subject to applicable retention obligations.

18. Contact and Supervisory Authority

For all privacy-related enquiries, data rights requests, or complaints:

privacy@predictarena.ioCopy

Subject line format: "Privacy -- [Request Type]" e.g. "Privacy -- Subject Access Request"

If you are not satisfied with our response to your privacy concern, you have the right to lodge a complaint with the relevant data protection supervisory authority:

• Costa Rica: PRODHAB -- Agencia de Proteccion de Datos de los Habitantes (prodhab.cr)