Draft

Pending counsel review. This document is a working draft published for transparency — it has not been finalized by licensed counsel and may change.

Privacy Policy

Last updated: July 6, 2026

This policy explains what PreMartX collects, why, and what control you have. We aim to collect the minimum needed to run fair, lawful contests.

1. What we collect

  • Account data. Email address, display name, and a hashed password. Your display name appears on public leaderboards; your email never does.
  • Identity verification (KYC). For paid tournaments and withdrawals we collect identity information (such as name, date of birth, address, and government ID data) directly or via a verification provider. As explained under Identity verification (KYC) below, this is transmitted to a third-party provider to confirm your identity; we do not store your legal name or date of birth, keeping only an opaque provider reference and a non-reversible identity hash. For US tax reporting we collect W-9 information from qualifying prize winners.
  • Location data. State/country signals (such as IP-derived geolocation) used to enforce paid-contest restrictions. We store the verified region, not a movement history.
  • Payment data. Deposits and withdrawals are processed by payment providers; we store transaction records (amounts, timestamps, provider references) but not full card numbers.
  • Gameplay data. Tournament entries, simulated orders and positions, bot configurations, bot decision traces, and leaderboard results.
  • Integrity data. IP addresses, device signals, and behavioral patterns used to detect collusion, multi-accounting, and fraud.

2. How we use it

  • Operating tournaments: entries, scoring, settlement, and prize payment.
  • Legal compliance: age, identity, geographic, sanctions, and tax obligations.
  • Contest integrity: detecting collusion, multi-accounting, and abuse.
  • Proprietary research. Trading activity on the platform — including entries, orders, bot configurations, and decision traces — may be analyzed, in identified or aggregated form, to inform proprietary research into prediction-market behavior and trading strategies by us or our affiliates. This is disclosed in the Terms and the Contest Rules.
  • Service communication: settlement notices, security alerts, and material policy changes.

We do not sell your personal information.

3. What we share

  • Payment and identity-verification providers, to process deposits, withdrawals, and KYC.
  • Tax authorities (e.g., IRS Form 1099 filings) where required by law.
  • Law enforcement or regulators when legally compelled, or to protect the integrity of contests.
  • Service providers (hosting, analytics) bound by confidentiality obligations.
  • Public leaderboards: your display name, results, and — if you publish a bot — its name and performance.

4. Identity verification (KYC)

Some features require us to confirm that you are a real, unique, adult person. We designed this step to keep as little of your identity data as possible.

When we verify

We verify identity before your first prize withdrawal and before you become eligible for paid tournaments. Free play does not require identity verification.

Data minimization — what we keep and what we don't

To verify you, we ask for your legal name and date of birth and pass them to a third-party identity-verification provider. We do not store your legal name or date of birth. After the provider returns a result, the only identity data we retain is:

  • an opaque provider reference — an identifier that lets us look the verification up with the provider, not the underlying documents or details; and
  • a non-reversible hash derived from your identity, used solely to enforce one account per person. It cannot be reversed back into your name or date of birth.

We also record the outcome (verified, pending, or rejected), the US state you verified from, and the timestamps we need to show your status and meet our legal obligations.

Two ways to verify

You choose how to verify, and the privacy-protective option is the default:

  • Non-biometric (default). A check that confirms your identity without collecting any biometric data. This path is offered to everyone and is selected for you by default.
  • Document + selfie (biometric). An optional path in which you submit a government photo ID and a selfie so the provider can match your face to the ID. Because this involves biometric data, we ask for your explicit consent first and never default you into it.

Biometric data and biometric-privacy law

  • We process biometric identifiers only if you choose the document + selfie path and give explicit consent. If you never choose it, no biometric data is collected.
  • When you do consent, biometric data is handled under applicable biometric-privacy law (such as Illinois' Biometric Information Privacy Act, "BIPA") and is retained no longer than 365 days, after which it is deleted.
  • Residents of biometric-restricted states — currently Illinois (IL), Texas (TX), Washington (WA) — are offered the non-biometric path and are not steered toward biometric verification.
  • We do not sell, lease, trade, or otherwise profit from biometric data.

Access and deletion

You can ask what verification status we hold for you and request deletion of your verification records, subject to any legal retention duty (for example, records we must keep for anti-fraud, anti-money-laundering, or tax purposes). Because we never store your legal name or date of birth, there is nothing of that kind for us to return or erase. To make a request, use the details in Contact, below; see also Your rights.

5. Cookies and sessions

We use a single first-party, httpOnly session cookie (arena_session) to keep you signed in for up to 14 days. We do not run third-party advertising trackers.

6. Retention

Account and gameplay records are retained while your account is active. Financial, KYC, and tax records are retained as required by law (typically five to seven years). Integrity data is retained as long as needed to enforce contest fairness. You may request deletion of your account; we will delete or de-identify data not subject to a legal retention duty.

7. Security

Passwords are stored only as salted hashes. Money movements use a double-entry ledger with integrity auditing. Access to personal data is limited to personnel who need it. No system is perfectly secure; we will notify affected users of any breach as required by law.

8. Your rights

Depending on your state or country, you may have rights to access, correct, delete, or export your personal information, and to object to certain processing. Contact us to exercise them; we will respond within the legally required window (30 days by default).

9. Children

The Service is strictly 18+. We do not knowingly collect data from anyone under 18 and will delete such accounts on discovery.

10. Changes

Material changes to this policy will be announced in-product at least 14 days before taking effect.

11. Contact

Privacy requests: privacy@premartx.example (placeholder pending domain finalization).