
Privacy Policy
Last Updated: 1/28/2026
1. Introduction and Scope
1.1. Commitment
Cardz.game (hereinafter "the Company," "we," "us," or "our") acknowledges that in the Web3 era, privacy is not merely a compliance requirement but a fundamental user right. We are committed to processing your personal data with transparency, fairness, and accountability, adhering to the highest global standards set forth by the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA).
1.2. Scope
This Privacy Policy applies to:
The Platform: The website cardz.game and any associated subdomains.
The Service: All features including Mystery Pack purchases, Vaulting, Redemption, and Buybacks.
Smart Contracts: Interactions with our deployed contracts on the Sui Blockchain.
1.3. Role of Blockchain
You acknowledge that On-Chain Data (wallet addresses, transaction hashes, token balances) is processed on a decentralized public ledger (the Sui Blockchain). The Company is a Data Controller only for the Off-Chain Data we collect. We are not a controller for data written to the immutable public blockchain, as we cannot fundamentally control, delete, or alter that infrastructure.
2. Data Collection and Categories
We employ a Data Minimization strategy. We collect only what is strictly necessary for the Service. We categorize personal data as follows:
| Category | Data Elements | Source |
| --- | --- | --- |
| A. Identity Data | Legal Name, Date of Birth (for age verification). | Provided by User |
| B. Contact Data | Shipping Address (Street, City, Zip, Country), Email Address, Phone Number. | Provided by User |
| C. Blockchain Data | Public Wallet Address, Token Inventory, Transaction History, Smart Contract Interactions. | Public Ledger / User |
| D. Technical Data | IP Address, Browser Type, Device Model, Time Zone, Operating System. | Automated (Cookies/Log Files) |
| E. Financial Data | We do not store credit card info. We only store transaction hashes and payment receipts linked to your wallet. | Third-Party Payment Processor |
| F. Profile Data | Username, Preferences, Feedback, Survey Responses, Customer Support Tickets. | Generated by User |
3. Purposes and Legal Basis for Processing
Under GDPR Article 6, we must have a valid legal basis for every processing activity.
| Processing Activity | Type of Data | Legal Basis (GDPR) |
| --- | --- | --- |
| 1. Service Access (Connecting Wallet) | Blockchain Data, Technical Data | Contractual Necessity: Required to identify the user and display inventory. |
| 2. Purchase Processing (Opening Packs) | Blockchain Data, Financial Data | Contractual Necessity: Required to execute the sale and update the ledger. |
| 3. Physical Redemption (Shipping) | Identity Data, Contact Data | Contractual Necessity: We cannot ship the item without this address. |
| 4. Fraud Prevention & Security | Technical Data, Blockchain Data | Legitimate Interest: Preventing bot attacks, money laundering, and ensuring platform integrity. |
| 5. Customer Support | Profile Data, Contact Data | Legitimate Interest: Addressing user complaints and technical issues. |
| 6. Compliance (Tax/AML) | Identity Data, Financial Data | Legal Obligation: Complying with tax laws and anti-money laundering regulations. |
| 7. Marketing (Newsletters) | Email Address | Consent: Explicit opt-in required (you may withdraw at any time). |
4. Data Sharing and Sub-Processors
We do not sell data. We disclose data only to the following categories of Third-Party Sub-Processors who act on our behalf under strict Data Processing Agreements (DPAs):
4.1. Infrastructure & Technology
Cloud Hosting: (e.g., AWS, Google Cloud) – To host the platform securely.
Blockchain Nodes: (e.g., Mysten Labs, RPC Providers) – To broadcast your transactions to the Sui network.
4.2. Fulfillment & Logistics
Carriers: (e.g., FedEx, DHL, Japan Post) – Strictly limited to Name, Address, and Phone Number for delivery purposes.
Vaulting Partners: If we utilize third-party secure vaults, they receive only inventory IDs, not user personal data.
4.3. Compliance & Payments
Fiat On-Ramps: (e.g., MoonPay, Stripe) – They collect Financial Data directly. We do not see or store your credit card details.
Legal Authorities: We may disclose data if compelled by a subpoena, court order, or valid request from law enforcement (e.g., regarding stolen assets or money laundering).
5. International Data Transfers
As a global platform, your data may be transferred to, stored, and processed in a country other than your own.
5.1. Transfers from EEA/UK to Japan
Adequacy Decision: The European Commission has recognized Japan as providing an adequate level of data protection. Transfers from the EEA to Japan are therefore lawful without additional authorization.
5.2. Transfers to Other Jurisdictions
If we transfer data to service providers in countries without an Adequacy Decision (e.g., the USA), we implement Standard Contractual Clauses (SCCs) approved by the European Commission, along with supplementary security measures (encryption at rest) to ensure your data remains protected.
6. Data Retention Policy
We retain data only for as long as necessary to fulfill the purposes outlined in this policy.
Active Account Data: Retained for the duration of your account activity.
Shipping Information: Retained for 90 days after delivery confirmation to handle returns/disputes, then pseudonymized or moved to cold offline storage.
Financial/Tax Records: Retained for 7 years (or the statutory period required by local tax law) strictly for audit purposes.
Marketing Data: Deleted immediately upon unsubscription/withdrawal of consent.
7. Data Security Measures
We employ "Defense in Depth" security strategies to protect your Off-Chain Data:
Encryption: All sensitive data (Names, Addresses) is encrypted at rest (AES-256) and in transit (TLS 1.2+).
Access Control: Access to personal data is restricted to authorized personnel on a "Need-to-Know" basis, protected by Multi-Factor Authentication (MFA) and hardware security keys.
Separation of Environments: Production databases are strictly isolated from development/testing environments.
Vulnerability Scanning: We conduct regular automated security scans and penetration testing on our infrastructure.
8. Your Global Privacy Rights
Regardless of your location, we extend GDPR-level rights to all users.
8.1. Right to Access: You may request a copy of the Off-Chain personal data we hold about you.
8.2. Right to Rectification: You may request correction of inaccurate data (e.g., updating a shipping address).
8.3. Right to Erasure ("Right to be Forgotten"): You may request the deletion of your Off-Chain Data.
* Note: We cannot delete data from the Sui Blockchain. We will delete your shipping data from our active servers, subject to tax retention obligations.
8.4. Right to Restrict Processing: You may ask us to suspend processing your data during a dispute.
8.5. Right to Data Portability: You may request your data in a structured CSV/JSON format.
8.6. Right to Object: You may object to processing based on "Legitimate Interest" (e.g., direct marketing).
To Exercise Rights: Email [email protected]
Verification: To protect your account, we will require you to sign a cryptographic message with your connected wallet to prove ownership before releasing data.
9. Contact Information
If you have any questions about this Privacy Policy or wish to exercise your rights, please contact our Personal Information Handling Desk:
Cardz.game Privacy Support
Entity Name: [email protected]
