Privacy Policy

How Phygitals collects, uses, shares, and protects your personal information. This policy is designed to comply with GDPR, CCPA, and other applicable data protection regulations.

1. Introduction

Phygitals, Inc. ("Phygitals," "we," "us," or "our"), a Delaware corporation with its principal office at 1111B S Governors Ave STE 34931, Dover, DE 19904, is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your information when you access or use our website, platform, and related services (collectively, the "Service").

This Privacy Policy applies to all users of the Service, regardless of location. We are committed to processing personal data in compliance with applicable data protection laws, including the European Union General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable privacy regulations.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described in this Privacy Policy, please do not use the Service.

For the purposes of the GDPR, the data controller is Phygitals, Inc. For questions about this Privacy Policy or our data practices, please contact us at [email protected].

2. Information We Collect

We collect information in several ways when you interact with our Service. The categories of information we collect include information you provide directly, information collected automatically, and information obtained from third-party sources.

2.1 Information You Provide Directly

We collect information that you voluntarily provide when creating an account, making a purchase, using platform features, or contacting us. This may include:

  • Account Information: Email address, phone number, Apple ID or Google account identifiers (depending on your chosen login method), and username;

  • Profile Information: Display name, country of residence, category interests (e.g., Pokemon, Yu-Gi-Oh!, Basketball), and linked social media accounts;

  • Shipping & Claim Information: Full name, street address, city, state/province, postal code, country, email, and phone number (required for physical card redemptions);

  • Identity Verification (KYC): When identity verification is required, Veriff may collect government-issued identification documents, selfie photographs, and associated biometric or identity data;

  • Communications: Messages sent via in-app messaging through our messaging service provider, customer support inquiries through our customer support platform, and any other communications you send to us;

  • Transaction Information: Records of purchases, sales, offers, pack openings, claims, submissions, and pawn transactions made through the Service.

2.2 Information Collected Automatically

When you access or use the Service, we automatically collect certain information, including:

  • Device Information: Device type, operating system, browser type and version, screen resolution, and unique device identifiers;

  • Usage Information: Pages viewed, features used, click patterns, time spent on pages, search queries, pack opening results, marketplace activity, and navigation paths;

  • Log Data: IP address, access times, referring URLs, and error logs;

  • Blockchain Data: Solana wallet public address(es), on-chain transaction history, token balances, and NFT holdings (note: blockchain data is inherently public);

  • Cookies and Similar Technologies: Information collected via cookies, web beacons, pixels, and local storage (see our Cookie Policy for details).

2.3 Information from Third-Party Sources

We may receive information about you from third-party sources, including:

  • Authentication Provider (Privy): Privy provides us with authentication tokens, wallet addresses, and associated login method identifiers when you sign in;

  • Payment Processors (Coinflow, Stripe): Our payment processors share transaction confirmation data, payment status, and fraud-prevention signals (they do not share full payment card numbers with us);

  • Analytics Providers: PostHog, Google Analytics, and other analytics services may provide aggregated or pseudonymized data about user behavior;

  • Blockchain Networks: Publicly available data from the Solana blockchain, including transaction history and wallet activity;

  • Vault Partners: PSA, Fanatics, and Alt may share information regarding card authentication, grading, inventory status, and fulfillment tracking;

  • Referral Sources: If you are referred by another user, we receive the referring user's referral code.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing and Maintaining the Service: To create and manage your account, process transactions, fulfill orders, manage vault storage, facilitate marketplace operations, execute pack openings, and deliver all core platform functionality;

  • Payment Processing: To process purchases, facilitate withdrawals, manage buyback payouts, and handle pawn lending transactions;

  • Identity Verification: To verify your identity when required for compliance, fraud prevention, or security purposes through our identity verification provider (Veriff);

  • Communication: To send you transactional notifications (purchase confirmations, shipping updates, offer notifications), respond to customer support inquiries, and provide service-related announcements;

  • Improvement and Personalization: To analyze usage patterns, optimize platform performance, develop new features, personalize content and recommendations, and conduct A/B testing via PostHog and other analytics services;

  • Security and Fraud Prevention: To detect and prevent fraud, unauthorized transactions, abuse, and other harmful activities, monitor error logs via Sentry, and verify user interactions via Cloudflare Turnstile;

  • Marketing and Advertising: To measure the effectiveness of our advertising campaigns, manage conversion tracking via Meta (Facebook) Pixel and Reddit Pixel, and send promotional communications (with your consent where required);

  • Legal Compliance: To comply with applicable laws, regulations, legal processes, and governmental requests;

  • Enforcement: To enforce our Terms of Service and other agreements, and to protect the rights, property, and safety of Phygitals, our users, and others.

Legal Bases for Processing (GDPR): Where the GDPR applies, our legal bases for processing your personal data include: (a) performance of a contract (providing the Service, processing transactions); (b) legitimate interests (fraud prevention, security, platform improvement, analytics); (c) consent (marketing communications, cookies); and (d) legal obligation (compliance with laws and regulations).

4. Sharing & Disclosure of Information

We do not sell your personal information. We may share your information with the following categories of recipients for the purposes described in this Privacy Policy:

4.1 Service Providers

We share information with third-party service providers who perform services on our behalf, subject to contractual obligations to protect your information:

  • Privy - Authentication and embedded wallet management (receives email, social account IDs, wallet addresses);

  • Coinflow - Fiat-to-crypto payment processing and on-ramp (receives wallet address, payment session data, transaction amounts);

  • Stripe - Payment processing (receives payment card details, transaction amounts, email);

  • LiFi - Cross-chain token swaps (receives wallet addresses, token amounts);

  • Tensor - NFT marketplace infrastructure (receives wallet address, NFT data, transaction details);

  • Veriff - Identity verification / KYC (receives government-issued ID documents, selfie photographs, and biometric data when verification is required);

  • TalkJS - In-app messaging (receives user IDs, message content);

  • Intercom - Customer support (receives user identity, email, support conversations);

  • Loops - Transactional email delivery (receives email address and transaction-related template data);

  • EasyPost - Shipping label generation and rate calculation (receives full shipping address, phone number, package details);

  • Vault partners (PSA, Fanatics, Alt) - Vault storage, card grading, and fulfillment (receives card data, shipping information);

  • Cloudflare - Content delivery, media storage, and bot protection via Turnstile CAPTCHA (receives IP address, browser fingerprint, interaction data);

  • Helius - Solana blockchain RPC provider (receives wallet addresses, transaction data);

  • Metaplex / Irys - NFT minting and permanent metadata storage (receives NFT attributes, card images);

  • Address validation services - Address autocomplete (receives partial address input).

4.2 Analytics & Advertising Partners

We share certain information with analytics and advertising partners to measure and improve the Service:

  • PostHog - Product analytics, event tracking, feature flag evaluation, and session recording. Session recordings capture user interactions with the Service (clicks, scrolls, page navigation) with sensitive fields masked. PostHog may also process user identifiers for analytics purposes;

  • Google Analytics (GA4) and Google Tag Manager - Page views, user interactions, and conversion events for measuring Service performance;

  • Meta (Facebook) Pixel - Page view events and conversion tracking for advertising measurement;

  • Reddit Pixel - Page visit events and, where available, hashed user identifiers (email, external ID) for advertising attribution and measurement;

  • Sentry - Error reports, stack traces, and browser performance data for debugging and Service reliability;

  • Vercel Speed Insights - Page load performance metrics.

Session Recording Disclosure: We use session recording tools (PostHog) to understand how users interact with the Service. These recordings capture mouse movements, clicks, scrolls, and page content, but sensitive data such as payment information and passwords is automatically masked. You can opt out of session recording by adjusting your cookie preferences or contacting us.

4.3 Other Disclosures

We may also disclose your information in the following circumstances:

  • Legal Requirements: When required by applicable law, legal process, governmental request, or court order;

  • Protection of Rights: To protect the rights, property, or safety of Phygitals, our users, or the public;

  • Business Transfers: In connection with a merger, acquisition, reorganization, sale of assets, or bankruptcy, your information may be transferred to the acquiring entity;

  • With Your Consent: When you have provided express consent to share information with a specific third party;

  • Blockchain: Information recorded on the Solana blockchain (wallet addresses, transaction history, NFT ownership) is inherently public and cannot be deleted or modified by Phygitals.

5. Cookies & Tracking Technologies

We use cookies, pixels, web beacons, and similar tracking technologies to collect information about your use of the Service. These technologies help us analyze traffic, personalize content, measure advertising effectiveness, and improve your experience.

The types of tracking technologies we use include:

  • Essential Cookies: Necessary for the Service to function, including authentication (Privy), session management, security (Cloudflare Turnstile), and payment processing;

  • Analytics Cookies: Used by PostHog, Google Analytics, and Sentry to understand how users interact with the Service, track errors, and measure performance;

  • Marketing Cookies: Used by Meta (Facebook) Pixel and Reddit Pixel for conversion tracking and advertising measurement.

For detailed information about the cookies and tracking technologies we use, how to manage your cookie preferences, and your choices regarding tracking, please refer to our Cookie Policy.

6. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods depend on the nature of the data and the purpose for which it is processed:

  • Account Information: Retained for the duration of your account and for a reasonable period thereafter to fulfill legal and regulatory obligations;

  • Transaction Records: Retained for a minimum of seven (7) years to comply with financial record-keeping obligations;

  • Communication Records: Customer support conversations are retained for up to three (3) years after the last interaction;

  • Analytics Data: Identifiable analytics data is retained for up to twenty-six (26) months. Aggregated and anonymized analytics data may be retained indefinitely;

  • Marketing & Advertising Data: Marketing cookies and associated data are retained for up to ninety (90) days, or as specified in our Cookie Policy;

  • Device & Log Data: IP addresses, device identifiers, and access logs are retained for up to twelve (12) months for security and fraud prevention purposes;

  • KYC/Identity Verification Data: Retained in accordance with applicable anti-money laundering and know-your-customer regulations;

  • Blockchain Data: Data recorded on the Solana blockchain is permanent and immutable. Phygitals cannot delete, modify, or remove data from the blockchain.

When personal data is no longer needed for its original purpose and there is no legal obligation to retain it, we will securely delete or anonymize such data within a reasonable timeframe.

7. Your Rights

Depending on your jurisdiction, you may have certain rights with respect to your personal information. We are committed to respecting and facilitating these rights.

7.1 Rights Under the GDPR (EEA/UK Residents)

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the GDPR:

  • Right of Access: You have the right to request a copy of the personal data we hold about you;

  • Right to Rectification: You have the right to request correction of inaccurate or incomplete personal data;

  • Right to Erasure ("Right to be Forgotten"): You have the right to request deletion of your personal data, subject to certain exceptions (e.g., legal obligations, blockchain data);

  • Right to Restriction of Processing: You have the right to request that we restrict the processing of your personal data in certain circumstances;

  • Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format;

  • Right to Object: You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes;

  • Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of prior processing;

  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your jurisdiction.

Please note that certain data, such as wallet addresses and transaction history recorded on the Solana blockchain, is publicly accessible and immutable. Phygitals cannot delete or modify blockchain data, and deletion requests apply only to off-chain data within our control.

7.2 Rights Under the CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the CCPA as amended by the CPRA:

  • Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose for collecting the information, and the categories of third parties with whom we share it;

  • Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions;

  • Right to Correct: You have the right to request correction of inaccurate personal information;

  • Right to Opt-Out of Sale/Sharing: You have the right to opt out of the "sale" or "sharing" of personal information. Phygitals does not sell personal information. To the extent that sharing of data with advertising platforms constitutes "sharing" under the CCPA, you may opt out by adjusting your cookie preferences;

  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

In the preceding twelve (12) months, we have collected the following categories of personal information: identifiers (name, email, phone, wallet address), internet or electronic network activity, geolocation data (country), commercial information (transaction history), and, where applicable, biometric information (identity verification via Veriff).

7.3 How to Exercise Your Rights

To exercise any of the rights described above, please submit a request by emailing us at [email protected]. We will verify your identity before processing your request and will respond within the timeframes required by applicable law (generally 30 days under GDPR, 45 days under CCPA). In some cases, we may need to request additional information to verify your identity.

You may also designate an authorized agent to make a request on your behalf. If you use an authorized agent, we may require additional verification to confirm that the agent is authorized to act for you.

8. Automated Decision-Making

Phygitals may use automated processing in certain areas of the Service, including:

  • Fraud detection: Automated systems analyze transaction patterns, account behavior, and other signals to detect and prevent fraudulent activity;

  • KYC verification: Veriff uses automated document verification and biometric comparison, which may be supplemented by manual review;

  • Risk assessment: Automated systems may assess account risk levels for purposes of determining eligibility for certain features (e.g., pawn lending, withdrawal limits);

  • Content moderation: Automated tools may be used to detect prohibited content or behavior on the platform.

Under the GDPR (Article 22), you have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you. If you believe an automated decision has been made about your account that you wish to contest, you may request human review by contacting us at [email protected]. We will review the decision and respond within the timeframes required by applicable law.

9. International Data Transfers

Phygitals is incorporated in Delaware, United States, and our Service is operated and hosted using infrastructure located in the United States and other countries. Your personal information may be transferred to and processed in countries other than your country of residence, including the United States, which may have data protection laws that differ from those in your jurisdiction.

Where we transfer personal data from the EEA, UK, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we rely on appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission;

  • Data processing agreements with our service providers that include appropriate data protection obligations;

  • Other lawful transfer mechanisms recognized under applicable data protection laws.

Our third-party service providers, including Privy (authentication), Coinflow and Stripe (payments), Tensor (marketplace), TalkJS (messaging), Intercom (support), PostHog and Google Analytics (analytics), Sentry (error monitoring), Veriff (identity verification), EasyPost (shipping), and our vault partners (PSA, Fanatics, Alt), may process your data in the United States or other jurisdictions. We ensure that all such providers are contractually bound to protect your personal information in a manner consistent with this Privacy Policy and applicable law.

EU/EEA Representative: In accordance with Article 27 of the GDPR, Phygitals has designated a point of contact for EU/EEA data subjects. EU/EEA residents may direct inquiries regarding data protection to [email protected], and we will respond in accordance with applicable GDPR timelines.

10. Children's Privacy

The Service is not directed to individuals under the age of eighteen (18). We do not knowingly collect personal information from children under the age of 18. If we become aware that we have inadvertently collected personal information from a child under 18, we will take steps to delete such information as promptly as possible.

If you are a parent or guardian and believe that your child has provided personal information to us, please contact us at [email protected] so that we can take appropriate action.

11. Security

We implement commercially reasonable technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit using TLS/SSL;

  • Secure authentication via Privy with support for multi-factor authentication;

  • Access controls limiting employee access to personal data on a need-to-know basis;

  • Regular security monitoring and error tracking via Sentry;

  • Wallet isolation ensuring each user's Solana wallet is separate and independently secured;

  • Payment card data processed and stored exclusively by PCI-compliant payment processors (Coinflow, Stripe) - Phygitals does not store payment card numbers.

While we strive to protect your personal information, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security of your information. You are responsible for maintaining the security of your account credentials, wallet access, and any private keys associated with your wallet.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, Phygitals will:

  • Notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required under Article 33 of the GDPR;

  • Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with Article 34 of the GDPR and applicable state breach notification laws (including the California Consumer Privacy Act and state-specific breach notification statutes);

  • Document the breach in our internal breach register, including the nature of the breach, the categories and approximate number of individuals concerned, the likely consequences, and the measures taken or proposed to address the breach;

  • Investigate and remediate by conducting a thorough investigation into the cause of the breach and implementing appropriate measures to prevent recurrence.

Breach notifications to affected individuals will include, at a minimum:

  • A description of the nature of the breach;

  • The name and contact details of our data protection point of contact ([email protected]);

  • A description of the likely consequences of the breach;

  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

For U.S. residents, Phygitals will comply with all applicable state data breach notification laws, which may require notification within timeframes ranging from 30 to 60 days depending on the state. We will provide notifications through the most expedient means available, which may include email, mail, or prominent posting on our website.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this Privacy Policy;

  • Provide notice through the Service or via email where practicable;

  • Where required by applicable law, obtain your consent to material changes.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the posting of any changes constitutes your acceptance of such changes.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Phygitals, Inc.
1111B S Governors Ave STE 34931
Dover, DE 19904, United States
Email: [email protected]
General Support: [email protected]

For EU/EEA residents, if you are not satisfied with our response to your inquiry or believe that we are processing your personal data in a manner that is not compliant with applicable data protection laws, you have the right to lodge a complaint with the relevant supervisory authority in your country of residence.

Data Protection Inquiries: For privacy-specific or data protection requests, including exercising your rights under the GDPR or CCPA, please direct your inquiry to [email protected] with the subject line "Data Protection Request." We will acknowledge receipt and respond within the timeframes required by applicable law.
