Privacy Policy

This Privacy Policy applies to personal information we collect from and about users of the Services, including visitors to our website, account holders, NFT holders, players, and prospective users.

It does not apply to third-party services that we do not own or control, including third-party wallet providers (such as Phantom, Solflare, Backpack, or MetaMask), blockchain networks (such as Solana and Polygon), block explorers, NFT marketplaces, or external websites linked from the Services. Each of those third parties operates under its own privacy policy, and we encourage you to review them.

We collect the following categories of information:

(a) Information you provide directly.

• Account details such as your email address, display name, password (stored only in hashed form), and any profile information you choose to add.
• Wallet information including the public blockchain address(es) of any Solana, Polygon, or other wallet you connect or that we generate on your behalf as a custodial wallet during sign-in.
• Communications such as the contents of emails, support tickets, survey responses, and feedback you send to us.
• User-submitted content such as club names, in-game chat (where available), and any other content you submit through the Services.

(b) Information collected automatically.

• Device and technical data including IP address, device identifiers, browser type and version, operating system, language preferences, time zone, screen resolution, and referring URLs.
• Usage data including the pages, features, and in-game actions you access, timestamps, session duration, click paths, error logs, and crash reports.
• Cookies and similar technologies including first-party and third-party cookies, local storage, session storage, service worker caches, and pixels, used to keep you signed in, remember preferences, secure your session, and measure usage. See Section 9 for details.

(c) Information from third parties.

• Wallet and blockchain data obtained when you connect a wallet, including your public address, signed messages used to authenticate you, and publicly available transaction history relevant to the Services (for example, NFTs you hold, on-chain match entries, training events, and transfers).
• Authentication and identity providers if you sign in through a third-party service, we receive the limited profile information that provider shares with us.
• Analytics and infrastructure partners such as Google (Firebase Analytics, Authentication, Hosting, and Firestore), who provide aggregated and event-level data about how the Services are used.

(d) Information we do not collect. We do not collect, request, or have access to your wallet seed phrase or private keys at any time. Anyone asking you to share these claiming to represent us is not authorised by us.

We process personal information for the following purposes:

• Providing the Services including account creation, wallet linking, displaying your clubs and NFTs, matching you with opponents, recording match results, and processing deposits, withdrawals, and prize payouts.
• Authentication and security including verifying wallet ownership through signed messages, preventing fraud, abuse, multi-accounting, collusion, and money laundering, and protecting the integrity of our smart contracts.
• Customer support including responding to your questions, investigating reported issues, and processing data subject requests.
• Service improvement including analytics, debugging, A/B testing, performance monitoring, and product research.
• Communications including sending you transactional messages, security alerts, service announcements, and (with your consent where required by law) marketing and promotional communications.
• Legal and regulatory compliance including complying with applicable laws, court orders, sanctions regimes, tax obligations, and lawful government requests, and enforcing our Terms and Conditions.

Where the EU/UK General Data Protection Regulation (GDPR) or equivalent legislation applies, we rely on the following legal bases to process your personal information:

• Performance of a contract — to deliver the Services you have requested and to administer your account.
• Legitimate interests — to keep the Services secure, prevent fraud and abuse, improve our product, and pursue our reasonable business interests where these are not overridden by your rights.
• Consent — for non-essential cookies, certain marketing communications, and any other processing for which we ask your consent. You may withdraw consent at any time without affecting the lawfulness of prior processing.
• Legal obligation — to comply with laws and regulations applicable to us.

The Services interact with public blockchains (including Solana and Polygon). When you mint, transfer, train, deposit, withdraw, enter a match, or otherwise transact through our smart contracts, the relevant information — including your wallet address, the smart contract address, amounts, timestamps, and transaction metadata — is recorded on the public blockchain.

Blockchain transactions are, by their nature, public, permanent, and immutable. We cannot delete, alter, or rectify information that has been written to a public blockchain. Anyone, including third-party analytics services, may read this information and potentially associate it with your identity. You should be aware of this before transacting and only transact with information you are comfortable being public.

Where we offer custodial wallets generated during sign-in, we hold the keys to those wallets in a secure manner so that we can sign transactions on your behalf when you instruct us. You may withdraw assets from a custodial wallet to a wallet you control at any time where the Services permit.

We do not sell your personal information. We share personal information only in the following circumstances:

• Service providers and processors who perform functions on our behalf, including hosting (Google Firebase), authentication, analytics, customer support tooling, email delivery, error monitoring, RPC and blockchain infrastructure providers, and payment processors. These parties are bound by written agreements to process personal information only on our instructions and to keep it confidential and secure.
• Other users and the public in respect of information that is inherently public, such as your wallet address, on-chain transactions, club names, match results, league standings, and tournament participation.
• Legal and regulatory bodies where we are required to disclose information in response to a valid legal request, court order, regulatory demand, or to enforce our rights, prevent fraud, or protect the safety of any person.
• Corporate transactions in connection with a merger, acquisition, reorganisation, financing, or sale of assets, in which case personal information may be transferred as part of the transaction subject to standard confidentiality arrangements.
• With your consent or at your direction.

We operate internationally. Personal information may be transferred to, stored in, and processed in countries outside your country of residence, including New Zealand, the United States, and other jurisdictions where we or our service providers operate. These countries may have data protection laws that differ from those of your country. Where required by law, we use appropriate safeguards for cross-border transfers, including Standard Contractual Clauses approved by the European Commission, equivalent UK transfer mechanisms, and supplementary measures where applicable.

We retain personal information for as long as necessary to provide the Services and to fulfil the purposes described in this Policy, unless a longer period is required or permitted by law. The exact retention period depends on the type of data and the purpose for which it was collected. Typical retention guidelines include:

• Account data — for the lifetime of your account and a reasonable period afterwards for backup, anti-fraud, and legal-defence purposes.
• Transactional records — for the period required by applicable tax, accounting, and anti-money-laundering laws (typically up to 7 years).
• Support communications — for as long as necessary to address your enquiry and a reasonable period afterwards.
• Analytics and usage data — in aggregated or de-identified form for as long as useful, and in identifiable form generally for no longer than 26 months.
• On-chain data — cannot be deleted by us and will remain on the blockchain indefinitely.

We use cookies, local storage, service workers, and similar technologies to operate, secure, and improve the Services. We use the following categories:

• Strictly necessary — required to operate the Services, including keeping you signed in, remembering your active club, maintaining session security, and routing requests.
• Functional — to remember your preferences, such as language and display settings.
• Analytics and performance — to understand how users interact with the Services, measure traffic, diagnose errors, and improve performance. We currently use Google Firebase Analytics for this purpose.

You can control cookies through your browser settings and, where applicable, through the cookie banner shown on first visit. Blocking strictly necessary cookies will prevent parts of the Services from working correctly.

We implement administrative, technical, and physical safeguards designed to protect personal information against unauthorised access, disclosure, alteration, and destruction. These include encryption in transit (TLS), access controls, least-privilege administration, audit logging, vendor due diligence, and secure development practices. No method of transmission over the internet or method of electronic storage is, however, 100% secure, and we cannot guarantee absolute security. You are responsible for keeping your wallet credentials, seed phrases, private keys, and account passwords confidential and for using strong, unique passwords on any account associated with the Services.

Subject to applicable law and verification of your identity, you have the following rights in respect of your personal information:

• Access — to request a copy of the personal information we hold about you.
• Rectification — to request that inaccurate or incomplete personal information be corrected.
• Deletion — to request deletion of personal information, subject to our legal and operational retention obligations and the technical impossibility of deleting data written to a public blockchain.
• Restriction and objection — to request that we restrict or stop certain processing, including direct marketing.
• Portability — to receive a structured, commonly used, machine-readable copy of certain personal information you have provided.
• Withdraw consent — where processing is based on consent, you may withdraw it at any time.
• Lodge a complaint — with the data protection authority in your jurisdiction. In New Zealand this is the Office of the Privacy Commissioner (privacy.org.nz). In the EU/UK this is your national supervisory authority.

To exercise any of these rights, contact us at comms@muzzle.run. We will respond within the time frames required by applicable law. We may need to verify your identity before fulfilling your request.

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

• The right to know the categories and specific pieces of personal information we have collected about you, the sources, the business purposes for collection, and the categories of third parties with whom we share it.
• The right to request deletion of your personal information.
• The right to correct inaccurate personal information that we maintain about you.
• The right to limit the use and disclosure of sensitive personal information.
• The right not to be discriminated against for exercising your CCPA/CPRA rights.

We do not sell personal information and we do not share personal information for cross-context behavioural advertising. You may exercise your rights by contacting comms@muzzle.run.

The Services are intended for users who are 18 years of age or older (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children under the age of 18. If we become aware that we have collected personal information from a child, we will take reasonable steps to delete it as soon as possible. If you believe a child has provided us with personal information, please contact comms@muzzle.run.

We may send you transactional communications related to your account, security, and use of the Services. With your consent where required, we may also send you marketing communications about new features, events, tournaments, and promotions.

You can opt out of marketing communications at any time by:

• Clicking the “unsubscribe” link in any marketing email.
• Updating your preferences in your account settings, where available.
• Contacting us at comms@muzzle.run.

You cannot opt out of essential transactional and security communications while you continue to use the Services. Please allow up to 10 business days for your opt-out request to take effect.

We do not engage in automated decision-making that produces legal or similarly significant effects concerning you. Automated systems are used for fraud prevention, anti-collusion enforcement, and match engine outcomes, but human review is available on request for any action taken against your account.

The Services may contain links to or interoperate with third-party websites, applications, wallets, marketplaces, and blockchain services that we do not control. This Privacy Policy does not apply to those third parties. We are not responsible for their privacy practices, and we encourage you to read their privacy policies before providing any information to them.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other reasons. When we make material changes, we will update the Effective Date at the top of this page and, where required by law, provide additional notice (such as by email or in-app notification). Your continued use of the Services after the updated Policy takes effect constitutes your acknowledgement of the changes.

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal information, please contact us at:

Phenomenal Enterprises Limited
Email: comms@muzzle.run

We will respond to all legitimate enquiries within the time frames required by applicable law.