1. Overview
This Privacy Policy describes how Moon Market (“we,” “us,” or “our”) collects, uses, shares, and protects information when you access or use our prediction markets aggregation and trading terminal (the “Platform”), including all associated websites, mobile applications, APIs, and services.
We are committed to protecting your privacy and minimizing data collection. As a wallet-based platform, we do not require email addresses, legal names, or other personally identifiable information for basic usage. Our architecture is designed around the principle of data minimization — we collect only what is necessary to operate the Platform and provide you with its features.
By accessing or using the Platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, you must discontinue use of the Platform immediately.
2. Information We Collect
2.1 Information You Provide Directly
- Wallet Address — Your public Solana or EVM-compatible wallet address when you connect via a supported wallet provider (Phantom, Solflare, MetaMask, Crossmint, etc.)
- Display Name — An optional public username you choose to associate with your wallet address
- Trading Notes & Journal Entries — Market notes, analysis, and journal entries you create within the Platform
- Preferences & Settings — Theme selections, notification preferences, display configurations, keyboard shortcut customizations, and language settings
- Risk Acknowledgments — Timestamps and version identifiers when you accept risk disclosures, Terms of Service, or feature-specific consent gates
- Copy Trading Configuration — If you use copy trading, the risk parameters you configure (maximum position size, exposure limits, loss thresholds)
- Auto-Trading Rules — If you use automated trading, the user-defined rules, entry/exit conditions, and risk limits you create
2.2 Information Collected Automatically
- Trade Activity — Records of trades executed through the Platform, including market, direction, position size, entry/exit prices, timestamps, and outcomes
- Portfolio Data — Position balances, realized and unrealized profit/loss calculations, and trade performance metrics
- Watchlist Data — Markets you choose to follow or monitor
- Alert Configuration — Price alerts, market movement notifications, and signal subscriptions you set up
- Achievement & Gamification Progress — XP earned, level progression, badge unlocks, and milestone completions
- Referral Data — If you share P&L cards or referral links, we track the referring wallet address and referral link usage for attribution purposes
- Device & Browser Information — Browser type, operating system, screen resolution, and device category (mobile, desktop, tablet) for responsive design and optimization purposes only
- Usage Patterns — Aggregated, non-identifying interaction data such as feature usage frequency, page views, and session duration, used exclusively for Platform improvement
2.3 Information We Do NOT Collect
- Email addresses (unless voluntarily provided for optional notifications)
- Legal names, government-issued identification, or Know Your Customer (KYC) data
- Private keys, wallet seed phrases, or recovery phrases — never, under any circumstance
- IP addresses for tracking, profiling, or advertising purposes
- Third-party cookies for advertising, retargeting, or behavioral profiling
- Biometric data, location data, or device identifiers for tracking
- Social media account credentials or contact lists
3. How We Use Your Information
We use the information we collect for the following purposes:
- Platform Operation — To provide market data aggregation, execute trades on supported venues, manage your portfolio, and deliver core Platform functionality
- Account Management — To authenticate your wallet connection, maintain session state, and synchronize your settings across devices
- Leaderboard & Social Features — To display public rankings, trader profiles, and performance statistics (wallet-address based, pseudonymous)
- Personalization — To save your preferences, watchlists, alerts, and display settings across sessions
- P&L Share Cards & Referrals — To generate shareable performance cards, attribute referrals to the correct wallet, and display referral statistics
- Intelligence & Analytics Tools — To deliver sentiment analysis, arbitrage scanning, signal intelligence, and statistical model outputs for your informational use
- Copy Trading — To display leader trader activity and enable follower replication of trades, subject to user-configured risk parameters
- Security & Abuse Prevention — To enforce rate limiting, detect fraudulent activity, prevent unauthorized access, and maintain Platform integrity
- Compliance & Audit — To maintain audit trails for automated trades, risk acknowledgments, and consent records as required for regulatory compliance
- Platform Improvement — To analyze aggregated, non-identifying usage statistics for the purpose of improving Platform performance, reliability, and user experience
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process your personal data on the following legal bases:
- Contractual Necessity — Processing necessary to perform our obligations under the Terms of Service (e.g., executing trades, maintaining your account, portfolio tracking)
- Legitimate Interest — Processing for Platform security, fraud prevention, abuse detection, and service improvement, where our interests do not override your fundamental rights
- Consent — Where required, such as for optional notifications, referral tracking, and public leaderboard participation. You may withdraw consent at any time through Settings
- Legal Obligation — Processing necessary to comply with applicable laws, regulations, or valid legal process
5. Data Storage & Security
5.1 Storage Architecture
- Local Storage (Browser) — Watchlists, alerts, notes, preferences, and theme settings are stored in your browser's localStorage by default. This data never leaves your device unless cloud sync is enabled.
- Encrypted Local Storage — Trading credentials for third-party venues (e.g., Polymarket CLOB API keys) are encrypted using AES-256-GCM before local storage. Private keys are never stored by the Platform.
- Cloud Storage (Supabase) — When connected, your data syncs to a secure PostgreSQL database hosted by Supabase with Row Level Security (RLS) policies enforcing strict per-user data isolation. Only you can access your data.
- Session Management — Authentication sessions use HMAC-SHA256 signed JSON Web Tokens (JWTs) stored in httpOnly, Secure, SameSite cookies. Tokens are short-lived and automatically refresh.
5.2 Security Measures
- All data in transit is encrypted via TLS 1.3
- Sensitive credentials are encrypted at rest using AES-256-GCM envelope encryption
- Database access is protected by Row Level Security (RLS) — users can only query their own records
- API endpoints are protected by per-IP and per-user rate limiting
- Authentication nonces expire after 5 minutes to prevent replay attacks
- No plaintext secrets or private keys are ever stored or logged
6. Data Sharing & Third Parties
We do not sell, rent, or trade your personal data. We may share information only in the following limited and necessary cases:
- Public Profiles & Leaderboards — Your wallet address (or display name if set), XP level, trading statistics, and achievement badges are visible on public leaderboard and profile pages. You may opt out of leaderboard visibility in Settings.
- P&L Share Cards — When you generate and share a P&L card, the card contains your display name (or truncated wallet address), trade performance data, and your personal referral link/QR code. You control when and where these cards are shared.
- Third-Party Prediction Market Venues — When you execute trades, your wallet address and order details are transmitted to the respective prediction market venue (Polymarket, dFlow, Kalshi). These venues have their own privacy policies and data handling practices.
- Copy Trading (Leader Visibility) — If you opt into being a leader trader, your wallet address, display name, trading activity, and performance statistics will be publicly visible to potential followers. Leaders cannot see the specific identities of their followers.
- Infrastructure Providers — We use Vercel (hosting), Supabase (database), and Solana/EVM RPC providers for Platform operation. These providers process data on our behalf under Data Processing Agreements (DPAs) and are prohibited from using your data for their own purposes.
- Legal Requirements — We may disclose information if required by law, regulation, subpoena, court order, or other valid legal process. We will make reasonable efforts to notify affected users unless prohibited by law.
7. Your Rights
7.1 Rights Under GDPR (EEA, UK, Switzerland)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation:
- Right of Access — Request a copy of all personal data we hold about you. Available via Settings → Data Management → Export All Data, or by contacting us directly.
- Right to Rectification — Update your display name, preferences, and settings at any time through the Platform
- Right to Erasure (“Right to Be Forgotten”) — Request deletion of all your personal data. For local data: Settings → Clear All Local Data. For cloud data: contact us for complete account erasure across all database tables.
- Right to Data Portability — Download all your data in a structured, machine-readable JSON format via Settings → Data Management
- Right to Restrict Processing — Request that we limit processing of your data while a complaint or correction request is pending
- Right to Object — Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
- Right to Withdraw Consent — Where processing is based on consent, you may withdraw at any time without affecting the lawfulness of prior processing
- Right to Lodge a Complaint — You have the right to file a complaint with your local data protection authority (e.g., ICO in the UK, CNIL in France, BfDI in Germany)
7.2 Rights Under CCPA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to Know — Request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share data
- Right to Delete — Request deletion of personal information we have collected from you, subject to certain exceptions
- Right to Opt-Out of Sale — We do not sell personal information. However, you may submit a “Do Not Sell My Personal Information” request and we will confirm compliance
- Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA rights
7.3 Exercising Your Rights
To exercise any of the above rights, you may use the in-app data management tools in Settings, or contact us through our official channels. We will respond to verified requests within 30 days (GDPR) or 45 days (CCPA). We may request wallet signature verification to confirm your identity before processing data access or deletion requests.
8. Cookies & Tracking Technologies
We use minimal, essential cookies only:
- session — httpOnly, Secure, SameSite authentication cookie. Essential for maintaining your login state. Not used for tracking.
- auth_nonce — Temporary cookie for wallet authentication challenge-response. Expires after 5 minutes.
We do not use:
- Advertising or retargeting cookies
- Analytics trackers (Google Analytics, Mixpanel, Amplitude, etc.)
- Social media pixels or tracking beacons (Facebook Pixel, Twitter Pixel, etc.)
- Cross-site tracking or interest-based advertising technologies
- Fingerprinting or device recognition technologies
9. Data Retention
- Local Data — Retained in your browser until you clear it manually via Settings → Clear All Local Data, or clear your browser storage
- Cloud Data — Retained as long as your account is active. Upon account deletion request, all associated data is permanently purged from our database within 30 days
- Audit Logs — Trade execution logs and consent records may be retained for up to 5 years for regulatory compliance and dispute resolution purposes
- Aggregated Analytics — Non-identifying, aggregated usage statistics may be retained indefinitely as they cannot be linked back to any individual user
10. International Data Transfers
The Platform is hosted on globally distributed infrastructure (Vercel Edge Network) and our database may be located in the United States. If you access the Platform from outside the United States, your data may be transferred to, stored, and processed in the United States or other jurisdictions.
For transfers from the EEA/UK/Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate data protection safeguards are in place.
11. Children's Privacy
The Platform is not intended for use by anyone under 18 years of age (or the age of majority in your jurisdiction). We do not knowingly collect personal information from minors. If we become aware that we have inadvertently collected data from a minor, we will take immediate steps to delete that information. If you believe a minor has provided us with personal data, please contact us immediately.
12. Blockchain & On-Chain Data
Please note that blockchain transactions are inherently public and immutable. When you execute trades through the Platform, transaction data is recorded on the relevant blockchain (Solana, Polygon, Ethereum, etc.) and cannot be modified or deleted by us or any party. This includes wallet addresses, transaction amounts, timestamps, and smart contract interactions.
We have no control over, and are not responsible for, the public nature of blockchain data. This Privacy Policy governs only the data we collect and process off-chain within our Platform infrastructure.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or Platform features. The “Last updated” date at the top of this page will be revised accordingly.
For material changes that significantly affect how we collect, use, or share your data, we will provide prominent notice through the Platform (e.g., a banner notification or in-app alert) at least 14 days before the changes take effect. Your continued use of the Platform after the effective date constitutes acceptance of the updated policy.
14. Contact Us
For privacy-related inquiries, data access requests, deletion requests, or concerns about our data practices, please contact us through our official channels:
- Discord — Moonsters official server (Privacy channel)
- X (Twitter) — @MoonstersNFT
We aim to respond to all privacy inquiries within 30 days. For GDPR and CCPA requests, we will acknowledge receipt within 72 hours.