Privacy Policy
Last updated: May 30, 2026 · Effective: May 30, 2026
1. Introduction
This Privacy Policy describes how [ENTITY: pending] (“Orobas,” “we,” “us,” or “our”) collects, uses, discloses, and protects information about you when you use our website at orobas.gg and our related services (collectively, the “Service”). Capitalized terms not defined here have the meanings given in our Terms of Service.
By using the Service, you consent to the practices described in this Policy. If you do not agree, do not use the Service.
2. Information we collect
2.1 Information you provide directly
- Account information. Email address (used for authentication via Privy) and any display name you choose.
- Identity verification (KYC). When required, we collect government-issued ID, selfie images, date of birth, physical address, and other documents through our verification partner Persona. We receive a pass/fail verification result and certain metadata; we do not store the underlying ID images ourselves. See Section 5 (third-party services).
- Communications. Messages you send us by email, support requests, dispute filings, and any content you submit through the Service.
2.2 Information collected automatically
- Device and connection data. IP address, browser type and version, operating system, screen size, language preference, time-zone, and referrer URL.
- Usage data. Pages viewed, features used, actions taken (deposits, wagers, withdrawals), timestamps, and error logs.
- Cookies and similar technologies. See Section 7 (Cookies) for detail. We use a minimal set of strictly-necessary cookies for authentication and session management; we do not use advertising or tracking cookies.
- Geolocation. An approximate country determination based on your IP address (via Cloudflare's CF-IPCountry header), used to enforce geographic restrictions. We do not collect precise GPS location.
- Error and performance telemetry. Crash reports and performance data captured by Sentry. See Section 5 (third-party services).
2.3 Information collected from public blockchains
The Solana blockchain is a public ledger. Your on-chain wallet address, your deposits and withdrawals, and the per-game escrow and settle transactions are public information by design. While we do not directly link your wallet address to your email on chain, your wallet address is associated with your account internally and may be publicly inferred through pattern analysis. You should consider all on-chain activity as effectively public.
3. How we use information
We use the information described above to:
- Operate, maintain, and improve the Service.
- Authenticate users, manage accounts, and credit deposits and wagers.
- Provide customer support, respond to inquiries, and resolve disputes.
- Detect, prevent, and investigate fraud, abuse, cheating, money laundering, and other policy violations. This includes anti-cheat analysis of chess games using Stockfish-based engines.
- Comply with legal obligations, including KYC, AML, sanctions screening, tax reporting, and law-enforcement requests.
- Enforce our Terms of Service.
- Communicate with you about the Service, including security notices, transactional notifications, and (with your consent) product announcements.
- Analyze usage patterns to understand how the Service is used and to improve its design.
4. Legal bases (for users in the EEA / UK)
If you are in the European Economic Area or the United Kingdom, our legal bases under the GDPR / UK GDPR for processing your personal data are:
- Contract performance. Most processing is necessary to perform our contract with you (the Terms of Service).
- Legitimate interests. Fraud prevention, security, anti-cheat enforcement, and service improvement.
- Legal obligation. KYC, AML, sanctions, tax reporting, regulatory cooperation.
- Consent. Where we ask separately for it (e.g. product-update emails).
You may withdraw consent at any time for processing based on consent, without affecting the lawfulness of earlier processing.
5. Third-party services
We rely on the following sub-processors to operate the Service. Each is bound by its own privacy policy and contractual obligations to us.
- Privy (privy.io) — identity, authentication, embedded Solana wallets. Privy receives your email address and stores your wallet keys on your behalf. [LEGAL REVIEW: Privy DPA + SCC posture]
- Supabase (supabase.com) — our primary database and real-time messaging layer. Hosts your account record, balance ledger, wager and game history, and audit logs. [LEGAL REVIEW: Supabase data-residency election; SCC]
- Helius (helius.dev) — Solana RPC infrastructure. Receives queries about wallet balances and transactions; does not see your email address.
- Switchboard (switchboard.xyz) — verifiable random function (VRF) for coinflip outcomes. Receives no personal data.
- Sentry (sentry.io) — error tracking and performance monitoring. Receives stack traces, user-agent strings, and IP addresses associated with errors. We scrub email addresses and other PII before transmission where feasible. [LEGAL REVIEW: Sentry data-scrubbing rules; EU data residency option]
- Persona (withpersona.com) — identity verification (KYC). Receives your government-issued ID, selfie images, and personal information for verification. Persona retains data per its own retention policies; we receive a pass/fail result and limited metadata. [LEGAL REVIEW: Persona DPA, retention windows, CCPA "sale" carve-outs]
- Cloudflare (cloudflare.com) — content-delivery and DDoS protection. Receives your IP address and request metadata; provides the country-of-origin header we use for geographic restriction.
- Vercel (vercel.com) — application hosting. Receives request data necessary to serve the Service.
- Inngest (inngest.com) — background-job orchestration (anti-cheat analysis, reconciliation crons). Receives data about jobs to execute on our behalf.
The Solana blockchain itself is not a sub-processor — it is a public ledger maintained by an open network of validators. Transactions on Solana are visible to anyone with network access.
6. Disclosure of information
We may disclose your information:
- To the sub-processors listed in Section 5, only as necessary to operate the Service.
- To comply with applicable law, regulation, legal process, or governmental request (subpoena, court order, sanctions inquiry).
- To enforce or apply our Terms of Service or to protect the rights, property, or safety of Orobas, our users, or others.
- In connection with a corporate transaction (merger, acquisition, financing, sale of assets), in which case the acquirer will be bound by privacy commitments at least as protective as those in this Policy. [LEGAL REVIEW: notice-of-change requirements in EEA / CCPA]
- With your consent or at your direction.
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
7. Cookies and similar technologies
We use only strictly-necessary cookies, which are required for the Service to function: an authentication session cookie set by Privy, and a CSRF-protection cookie set by our backend. We do not use third-party advertising cookies, analytics cookies that profile users, or any tracking pixels.
You may configure your browser to refuse cookies, but doing so may prevent you from using the Service. [LEGAL REVIEW: EU / UK cookie-banner requirement may apply even for strictly-necessary cookies]
8. Data retention
We retain your information for as long as your account is active and as required to provide the Service. After account closure, we retain information as follows:
- Account and transaction records: retained for five (5) years after account closure, to comply with AML/record-keeping obligations. [LEGAL REVIEW: retention windows differ by jurisdiction]
- KYC documentation: retained per our verification partner's policies and applicable AML rules.
- Support communications: retained for three (3) years.
- Audit logs: retained for seven (7) years.
- On-chain records: these are public and cannot be deleted by us. The Solana blockchain is immutable.
9. International transfers
We operate from and store data in the United States. [LEGAL REVIEW: confirm storage region once entity is established] If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States and any other country where our service providers maintain facilities.
For transfers from the European Economic Area, the United Kingdom, or Switzerland to countries that the European Commission has not determined to provide an adequate level of data protection, we rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms. The controller of record for SCC purposes is [ENTITY: pending]. [LEGAL REVIEW: SCC module selection; supplementary measures per Schrems II]
10. Your rights
10.1 General
You generally have the right to:
- Access the information we hold about you.
- Correct inaccurate or incomplete information.
- Request deletion of your information, subject to legal retention requirements and on-chain immutability.
- Object to or restrict certain processing, including direct marketing.
- Withdraw consent for processing based on consent.
- Receive a copy of your data in a portable, machine-readable format.
To exercise these rights, contact privacy@orobas.gg. We will verify your identity before fulfilling a request. We will respond within thirty (30) days, or such shorter period as applicable law requires.
10.2 California (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act and California Privacy Rights Act give you additional rights, including the right to:
- Know what categories of personal information we collect, the sources, the purposes, and the third parties to whom we disclose it.
- Request deletion of personal information, subject to applicable exceptions.
- Correct inaccurate personal information.
- Opt out of the “sale” or “sharing” of personal information. We do not sell or share your personal information as those terms are defined under the CCPA.
- Non-discrimination for exercising your CCPA rights.
To exercise your CCPA rights, contact privacy@orobas.gg or call our toll-free number at [CCPA TOLL-FREE: pending]. [LEGAL REVIEW: CCPA toll-free requirement applies above certain revenue / data thresholds]
10.3 Europe (GDPR / UK GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the rights described above and additionally the right to lodge a complaint with your local data-protection authority. The list of EU authorities is at edpb.europa.eu; the UK authority is the Information Commissioner's Office (ico.org.uk).
Our representative in the EU is [EU REPRESENTATIVE: pending]. [LEGAL REVIEW: Art. 27 GDPR representative required if offering services to EU residents] Our UK representative is [UK REPRESENTATIVE: pending].
11. Security
We use commercially reasonable administrative, technical, and physical safeguards to protect your information, including TLS encryption in transit, encryption at rest for sensitive fields, role-based access controls, audit logging of money-mutating operations, and a documented incident-response plan.
No method of transmission over the Internet or method of electronic storage is 100% secure. You are responsible for keeping your account credentials and your blockchain wallet keys secure. We cannot recover lost private keys or reverse unauthorized on-chain transactions.
We will notify affected users and applicable regulators of any personal-data breach within the timeframes required by applicable law.
12. Children
The Service is not intended for and is not directed to anyone under the age of eighteen (18). We do not knowingly collect personal information from children. If we learn that we have collected information from a child, we will delete it promptly. If you believe a child has provided us with personal information, contact us at privacy@orobas.gg.
13. Changes to this Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and post the updated Policy on the Service at least fourteen (14) days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.
14. Contact
For questions about this Policy or our privacy practices:
- Email: privacy@orobas.gg
- Post: [ENTITY ADDRESS: pending]
- Data Protection Officer: [DPO: pending] [LEGAL REVIEW: DPO required if core activities involve large-scale monitoring or special-category data]