Privacy Policy · Problyx

1. Data we collect

Account data: email address, username, hashed password, profile picture (optional). Usage data: markets created, predictions executed, comments posted, login timestamps. Technical data: IP address (hashed and stored only for anti-abuse rate limiting), browser type, device identifiers. Communications: emails you send to support and feedback you submit through the platform.

2. How we use your data

We use your data to operate the platform (authentication, markets, leaderboards), to enforce community standards (anti-multi-account detection, rate limiting), to communicate service updates, and to improve the product through aggregated analytics. We do not sell your personal data to third parties.

3. Legal basis for processing

We process your data on the following legal bases under GDPR: contractual necessity (operating your account), legitimate interest (fraud prevention, platform security), and consent (marketing emails, optional cookies). You may withdraw consent at any time.

4. Data sharing and third-party providers

We share data only with the service providers necessary to run the platform: Vercel (frontend hosting and Vercel Blob storage for user-uploaded avatars), Railway (backend hosting, PostgreSQL database, and Redis cache), Resend (transactional email such as verification, password reset, and account notifications from no-reply@problyx.com), Google (OAuth sign-in when you choose 'Continue with Google' — Google receives only the data needed to authenticate you), and DiceBear (default fallback avatars served from a public API when you have not uploaded a custom one; only your username is sent so the avatar can be deterministically generated). All providers operate under data processing agreements and process data only on our instructions. We do not sell your personal data to third parties.

5. Data retention

We retain your account data for as long as your account is active. Hashed signup IPs are retained for 24 hours for rate-limit enforcement, then deleted. Closed account data is retained for up to 90 days for fraud prevention before being permanently deleted. Aggregated analytics with no personal identifiers may be retained indefinitely.

6. Your rights

Under GDPR you have the right to: access your data, request correction or deletion, restrict or object to processing, request data portability, and lodge a complaint with the Spanish Data Protection Agency (AEPD). To exercise any right, email info@problyx.com — we will respond within 30 days.

7. Cookies and tracking

We use essential cookies for authentication (httpOnly access and refresh tokens) and theme preferences. We do not use third-party advertising cookies. We may use first-party analytics in the future and will request explicit consent before doing so.

8. Security

We use industry-standard practices to protect your data: passwords are hashed with bcrypt, JWTs are signed with RSA keys, all traffic is TLS-encrypted, and database access is restricted to the application backend. No system is perfectly secure — if you suspect a breach, contact info@problyx.com immediately.

9. International transfers

Our infrastructure is hosted in the EU and US. When data is transferred outside the EU, we rely on Standard Contractual Clauses approved by the European Commission to ensure equivalent protection.

10. Minors

Problyx is not intended for users under 18. We do not knowingly collect data from minors. If you believe a minor has created an account, contact us and we will delete the account.

11. Changes to this policy

We may update this policy as the platform evolves. Material changes will be communicated via email or in-app notification at least 14 days before they take effect.

12. Contact and data protection officer

For privacy questions or to exercise your GDPR rights, email info@problyx.com.