Privacy Policy
1. What we collect, why, and under which lawful basis
Under GDPR Art. 6 we disclose the legal ground for every category of personal data we process. Most of the data below is handled on the basis of performing the contract you agree to when you create an account; a small amount uses legitimate interest (anti-cheating, product improvement) or consent (analytics).
| Category | Purpose | Lawful basis | Retention |
|---|---|---|---|
| Account data (display name, email, wallet address, Privy ID) | Identify you across sessions | Contract (Art. 6(1)(b)) | Life of account; 30 days after erasure request |
| Gameplay (trades, lobbies, standings, agent configs) | Run competitions, compute scores, maintain leaderboards | Contract | Raw records 2 years, pseudonymized thereafter |
| Device + IP + approximate geo | Anti-cheat (multi-accounting, wash trading), rate limiting | Legitimate interest (Art. 6(1)(f)) — documented in our LIA | 90 days rolling |
| Analytics (page views, click events, session duration) | Improve product based on aggregate patterns | Consent (Art. 6(1)(a)) — opt-in via cookie banner | 13 months |
| Payment records (Stripe, Base Pay) | Process purchases, reconcile ledger | Contract + legal obligation (Art. 6(1)(b),(c)) | 7 years (tax records law) |
| Error logs (Sentry) | Diagnose + fix bugs | Legitimate interest (IPs + emails scrubbed server-side) | 90 days |
2. What we don't do
- We do not sell your personal data.
- We do not share gameplay data with third-party advertisers.
- We do not execute real trades on your exchange accounts without your explicit connect-and-authorize flow. Exchange API credentials are encrypted AES-256-GCM; Battle Trade staff cannot read them in plaintext.
- We do not process data of anyone under 18. If you believe an under-18 has an account, email us and we will erase it.
3. Who we share with (sub-processors)
Full list of third-party services, what data they receive, their region, and links to their Data Processing Agreements: Sub-processors page.
For EU→US transfers, all US sub-processors operate under Standard Contractual Clauses (GDPR Art. 46).
4. Your rights
Under GDPR (EU / UK) and CCPA (California) you can exercise these rights. For most rights you can act directly in-app; for the rest, email support@battle.fyi and we will respond within 30 days.
- Access (Art. 15) + Portability (Art. 20): authenticated users can GET
/api/me/exportto download every record we store keyed on your profile_id as JSON. - Erasure (Art. 17): DELETE
/api/profile/<your_id>while authenticated. This nukes your profile and all child rows in one transaction. Certain payment records are retained 7 years for tax compliance. - Rectification (Art. 16):edit your profile in app or email us for anything the UI can't change.
- Withdraw consent:click "Strictly necessary only" in the cookie banner, or clear
bt_consentcookie. Analytics + Sentry replay stop collecting immediately. - Right to complain: you can lodge a complaint with your local supervisory authority. In the EU, that is often your national DPA; in the UK, the ICO.
5. Cookies
Strictly necessary (no consent required under ePrivacy):
bt_session_token— authenticated session (7d, HTTP-only)bt_guest_claim— guest-upgrade anti-IDOR proof (30d, HTTP-only)bt_admin_session— staff SSO onlybt_consent— your cookie-banner choice
Gated by consent (only set if you click Accept in the cookie banner):
- Vercel Analytics session identifier
- Vercel Speed Insights session identifier
- Sentry error-replay session (activates only on an actual error)
6. Data breach notification
In the event of a personal-data breach we will notify the relevant supervisory authority within 72 hours per GDPR Art. 33. Affected users will be notified without undue delay if the breach is likely to result in a high risk to their rights (Art. 34).
7. Children
Battle Trade is not intended for users under 18. You are asked to confirm your age when creating an account. If you believe an under-18 has an account, email us and we will erase it.
8. Contact
Privacy questions: support@battle.fyi. For time-sensitive requests (security incidents), prefix the subject line with [PRIVACY URGENT].