Privacy Policy
1. Controller
Simon Metlicovec
Birmensdorferstrasse 71
8902 Urdorf, Zurich
Switzerland
Email: admin@seekerburnclub.xyz
2. Scope and Legal Framework
This policy explains how Seeker Burn Club processes personal data when you use our website, Android app, and API. It covers seekerburnclub.xyz and the Seeker Burn Club mobile app.
Our primary legal framework is the Swiss Federal Act on Data Protection (nFADP/DSG) and its ordinance (DSV), in force since 1 September 2023. Where our services are used by individuals in the EU/EEA, the EU General Data Protection Regulation (GDPR) applies in addition.
3. Data We Collect
We process the following categories of personal data:
- Wallet data: Your public Solana wallet address — this is your primary identifier on the platform.
- Authentication data: Cryptographic challenge nonces, SIWS (Sign In With Solana) signatures, JWT session token hashes, and session timestamps.
- Transaction data: On-chain transaction signatures, burn and deposit amounts, platform fees, slot numbers, and block timestamps.
- Device and network data: IP address, user agent string, and device fingerprint — collected during authentication, burn submissions, and for security logging.
- Profile and gamification data: Streak counts, badge status, lifetime burn totals, last burn dates, badge NFT mint addresses, and NFT transaction signatures.
- XP and progression data: Experience points, level, XP ledger entries (source, amount, timestamp), and level-up history.
- Challenge data: Daily and weekly challenge assignments, completion status, and progress timestamps.
- Lucky Burns data: Wheel spin outcomes, item drops, drop timestamps, and daily drop counts.
- Inventory and buff data: Items held in your inventory, active buffs, buff activation and expiry timestamps, and Shield Shop purchase records.
- Referral data: Referral codes, referrer/referee relationships, qualification status, and timestamps.
- Security logs: Event type, severity level, wallet address, IP address, device fingerprint, and event details — recorded for abuse prevention and incident response.
4. Purposes of Processing
- Service delivery: Authenticating your wallet, recording and verifying burns and deposits, tracking streaks and badges, displaying leaderboards, processing referrals, minting NFT badges, operating the XP and leveling system, processing Lucky Burns rewards, managing your inventory and active buffs, operating the Shield Shop, and generating daily and weekly challenges.
- Security and abuse prevention: Rate limiting, detecting multi-account abuse, preventing duplicate transaction submissions, and monitoring for attacks against the API or on-chain integrations.
- Platform monitoring: Aggregated, non-identifying statistics (daily burn totals, active burner counts) for platform health.
5. Legal Basis
Under Swiss nFADP: Data processing is lawful unless it violates the personality rights of the data subject (Art. 30–31 nFADP). We process data based on:
- Performance of a contractual relationship (your use of the platform).
- Overriding legitimate interests (IT security, abuse prevention, fraud detection).
Under EU GDPR (for EU/EEA users):
- Art. 6(1)(b) — necessary for performing the service you use.
- Art. 6(1)(f) — legitimate interests in security, fraud prevention, and platform reliability.
- Art. 6(1)(c) — compliance with legal obligations, where applicable.
6. On-chain Data
Solana blockchain transactions are public and practically immutable. When you submit a burn or deposit, the transaction data (wallet address, amounts, signatures) is recorded on the Solana blockchain permanently. This on-chain storage is governed by the blockchain protocol itself — we cannot modify or delete it. Your wallet address may constitute pseudonymous personal data under data protection law.
7. Data Retention
- Auth challenges: Expire and are deleted after 5 minutes (TTL-based).
- Sessions: Valid for 24 hours, after which they expire. Revoked sessions are retained for up to 90 days for security auditing, then deleted.
- Security logs: Retained for 12 months, then deleted.
- Burn and deposit records: Retained for the life of the platform — they serve as proof of activity, streak history, and leaderboard data. On-chain references are permanent regardless.
- Profile and badge data: Retained as long as your account exists. On deletion request, off-chain profile data is removed within 30 days. On-chain NFT data is permanent.
- XP, challenge, and inventory data: Retained as long as your account exists. On deletion request, removed within 30 days alongside profile data.
- Lucky drop history: Retained for the life of the platform as part of your activity record.
- Shield Shop purchases: Retained for the life of the platform as transaction records.
- Referral data: Retained as long as both referrer and referee accounts exist.
- Aggregated daily statistics: Retained indefinitely (contain no personal data).
8. Recipients and Service Providers
Your data may be processed by the following service providers:
- Hosting and infrastructure: Railway (Railway Corporation, San Francisco, USA) — backend application, PostgreSQL database, and Redis cache all run on Railway.
- Solana RPC provider: Helius (USA) — used to read and verify on-chain transactions. RPC requests may include wallet addresses and transaction signatures.
- DNS and web hosting: The static website is served via standard web hosting infrastructure. DNS and CDN providers may process IP addresses and request metadata in the normal course of delivery.
We do not sell personal data. We do not use advertising cookies, tracking pixels, or third-party analytics services.
9. International Data Transfers
Our infrastructure providers are located in the United States. The US does not currently have an unqualified adequacy decision under the nFADP (per the FDPIC's country list). We rely on:
- Standard contractual clauses (SCCs) or equivalent safeguards with our providers where available.
- The fact that much of the data processed (wallet addresses, transaction signatures) is already publicly available on the Solana blockchain.
For EU/EEA users: the EU-US Data Privacy Framework may provide additional adequacy coverage where providers are certified participants.
10. Your Rights
Under Swiss nFADP:
- Right of access (Art. 25 nFADP) — request what personal data we hold about you.
- Right to correction (Art. 32(1) nFADP) — request correction of inaccurate data.
- Right to deletion (Art. 32(2)(c) nFADP) — request deletion of your data, subject to legal retention obligations and technical limits (on-chain data cannot be deleted).
- Right to data portability (Art. 28 nFADP) — request your data in a commonly used electronic format.
Under GDPR (for EU/EEA users): You additionally have the right to restriction of processing, the right to object, and the right to lodge a complaint with your local supervisory authority.
To exercise any right, contact us at admin@seekerburnclub.xyz. We will respond within 30 days.
11. Complaint Route
If you believe your data protection rights have been violated, you can lodge a complaint with:
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch
- EU/EEA: Your local data protection supervisory authority.
12. Cookies and Local Storage
The website uses technically necessary local storage (session management, UI state). We do not use advertising cookies, tracking pixels, or third-party analytics scripts.
13. Automated Decision-Making
The platform uses automated logic to calculate streaks, award badges, rank leaderboards, and detect abuse patterns. These processes may affect your access to features (for example, account restriction upon detected abuse). No decisions with significant legal effects are made solely through automated processing without human review.
14. Changes to This Policy
We may update this policy to reflect changes in our practices or legal requirements. The current version is always available at /privacy. Material changes are reflected in the "Last updated" date above.