Privacy Policy

Last updated: 2025-01-01 · Effective: 2025-01-01

Governed by Swiss nFADP / EU GDPR

ℹ️ THIS POLICY DESCRIBES HOW EPINIKIA FOUNDATION COLLECTS, USES, AND PROTECTS YOUR PERSONAL DATA. BY USING THE GAME, YOU ACKNOWLEDGE HAVING READ AND UNDERSTOOD THIS POLICY.

1. Definitions

For the purposes of this Privacy Policy, the following definitions apply:

  • "Controller": Epinikia Foundation, the Swiss legal entity responsible for determining the purposes and means of processing your personal data.
  • "Personal Data": any information relating to an identified or identifiable natural person ("Data Subject"), as defined under the Swiss nFADP and the EU GDPR.
  • "Processing": any operation or set of operations performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, disclosure, or deletion.
  • "Third Party": any natural or legal person, public authority, agency, or body other than the Data Subject, the Controller, and persons who, under the direct authority of the Controller, are authorised to process Personal Data.
  • "On-Chain Data": transaction records, wallet addresses, and cryptographic identifiers published to a public distributed ledger as a structural consequence of using the Game.
  • "Wallet Address": a pseudonymous public-key identifier used to interact with the Game's smart contracts on the underlying blockchain network.

2. Data Controller Identity

The data controller responsible for your Personal Data is Epinikia Foundation, a legal entity incorporated under Swiss law and domiciled in the Canton of Zug, Switzerland. The Game is accessible at epinikiagame.com.

All data protection inquiries must be addressed in writing to: privacy@epinikiagame.com

The Foundation acts as sole Controller for all off-chain Personal Data collected through the Game's web application, APIs, and communication channels. For On-Chain Data, the Foundation acts as a data processor operating within the constraints of the underlying decentralised protocol, and cannot delete or alter such data once committed to the ledger.

3. Categories of Personal Data Collected

The Foundation collects and processes the following categories of Personal Data:

3.1 Account and Identity Data

  • Email address (collected via Google OAuth sign-in);
  • Display name or username as provided during account setup;
  • Profile identifiers assigned by the Game's authentication system;
  • Referral codes generated by or assigned to the User.

3.2 Blockchain and Transaction Data

  • Wallet addresses connected to the Game;
  • On-chain transaction hashes, draw participations, and ticket submissions;
  • $EPI token balances, staking positions, and reward history;
  • Smart contract interaction logs as publicly recorded on the distributed ledger.

3.3 Technical and Usage Data

  • IP addresses and geolocation data derived therefrom;
  • Browser type, version, and operating system;
  • Session identifiers, access timestamps, and device fingerprint data;
  • Pages visited, features used, and in-application navigation events;
  • HTTP request metadata transmitted by the User's browser or client.

3.4 Communications Data

  • Content of support requests and correspondence submitted via email or the Game interface;
  • Responses to surveys, feedback forms, or user research programs, where participation is voluntary.

3.5 Compliance and Verification Data

  • Identity verification documents and information collected during KYC/AML processes, where triggered by regulatory requirements or prize claim procedures;
  • Sanctions screening results and politically exposed person (PEP) status checks.

The Foundation does not collect, process, or store payment card data, bank account numbers, or any financial instruments beyond the blockchain data described above. The Foundation does not knowingly collect Personal Data from persons under the age of 18.

4. Legal Bases and Purposes of Processing

The Foundation processes Personal Data on the following legal bases, as applicable under the Swiss nFADP and the EU GDPR:

4.1 Performance of a Contract (Art. 6(1)(b) GDPR / nFADP §31)

Processing necessary to create and manage your account, operate draw participation, attribute prizes, and provide all core Game functionalities.

4.2 Compliance with Legal Obligations (Art. 6(1)(c) GDPR / nFADP §31)

Processing required to comply with applicable Swiss and international law, including anti-money laundering regulations (AMLA), Know Your Customer (KYC) requirements, sanctions screening obligations, and mandatory data retention periods imposed by tax or accounting law.

4.3 Legitimate Interests (Art. 6(1)(f) GDPR / nFADP §31)

Processing carried out in the Foundation's legitimate interests, including: fraud detection and prevention, system security monitoring, abuse investigation, product improvement, analytics, and enforcement of the Terms of Service. These interests are balanced against your rights and freedoms and do not override your fundamental data protection rights.

4.4 Consent (Art. 6(1)(a) GDPR / nFADP §31)

Where the Foundation relies on your consent — for example, to send marketing communications or to place non-essential cookies — you may withdraw that consent at any time without prejudice to the lawfulness of processing based on consent prior to its withdrawal. Withdrawal of consent does not affect processing carried out on other legal bases.

5. Data Sharing and Third-Party Disclosure

The Foundation does not sell, rent, or trade your Personal Data to any third party for commercial purposes. Personal Data may be shared in the following circumstances only:

5.1 Service Providers and Sub-Processors

The Foundation may engage trusted third-party service providers to operate elements of the Game infrastructure, including cloud hosting providers, authentication services (including Google OAuth), analytics platforms, email delivery providers, and fraud detection tools. All sub-processors are bound by data processing agreements consistent with applicable data protection law and may only process Personal Data on documented instructions from the Foundation.

5.2 Regulatory and Law Enforcement Disclosure

The Foundation may disclose Personal Data to governmental authorities, regulators, law enforcement agencies, or courts where required to do so by applicable law, regulation, legal process, or enforceable governmental request. Where legally permitted, the Foundation will notify the affected User of such disclosure.

5.3 Fraud Prevention and Security

Where the Foundation reasonably suspects fraudulent activity, exploitation, or criminal conduct, Personal Data may be shared with relevant authorities, industry fraud prevention bodies, or blockchain analytics firms to the extent strictly necessary to investigate and remediate such conduct.

5.4 Corporate Transactions

In the event of a merger, acquisition, restructuring, or sale of all or part of the Foundation's assets, Personal Data may be transferred to the successor entity, subject to equivalent data protection obligations. Users will be notified of any such transfer affecting their Personal Data.

5.5 On-Chain Transparency

Wallet addresses, transaction hashes, and draw participation records are inherently public by virtue of their publication on the distributed ledger. The Foundation has no ability to remove or alter such data. Users who connect a wallet to the Game do so with full awareness that their on-chain activity is publicly visible and permanently recorded.

6. International Data Transfers

The Foundation is incorporated in Switzerland, a jurisdiction recognised by the European Commission as providing an adequate level of data protection. Personal Data processed by the Foundation is primarily stored within Switzerland or the European Economic Area.

Where Personal Data is transferred to sub-processors located in third countries that have not received an adequacy decision, the Foundation ensures that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent mechanisms recognised under Swiss law. Copies of applicable transfer mechanisms are available upon request at privacy@epinikiagame.com.

7. Data Retention

The Foundation retains Personal Data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. The following retention schedules apply:

  • Account and Identity Data: retained for the duration of the active account and for a period of 5 years following account deletion or termination, to comply with anti-fraud, legal, and regulatory obligations;
  • Transaction and Prize Data: retained for a minimum of 10 years from the date of the relevant transaction, in accordance with Swiss accounting and anti-money laundering retention requirements;
  • KYC/AML Verification Data: retained for a minimum of 10 years from the date of verification, as mandated by Swiss AMLA obligations;
  • Technical and Usage Data: retained for a period of 13 months from the date of collection for analytics and security purposes, after which they are anonymised or deleted;
  • Support Communications: retained for 3 years from the date of the last communication, or longer if the subject matter relates to an ongoing legal dispute or regulatory inquiry.

On-Chain Data, by the nature of distributed ledger technology, is permanently and immutably recorded. The Foundation cannot delete or modify such data and accepts no liability in respect thereof.

8. Your Data Subject Rights

Subject to applicable law and the exceptions provided therein, you have the following rights in relation to your Personal Data:

  • Right of Access (Art. 15 GDPR / nFADP §25): the right to obtain confirmation of whether and how your Personal Data is being processed, and to receive a copy thereof;
  • Right to Rectification (Art. 16 GDPR / nFADP §32): the right to request correction of inaccurate or incomplete Personal Data without undue delay;
  • Right to Erasure (Art. 17 GDPR / nFADP §32): the right to request deletion of your Personal Data where it is no longer necessary for the purposes for which it was collected, subject to overriding legal retention obligations;
  • Right to Restriction of Processing (Art. 18 GDPR): the right to request that processing of your Personal Data be restricted in certain circumstances, including where you contest its accuracy or object to its processing;
  • Right to Data Portability (Art. 20 GDPR / nFADP §28): the right to receive your Personal Data in a structured, commonly used, and machine-readable format, and to transmit it to another controller where technically feasible;
  • Right to Object (Art. 21 GDPR / nFADP §30): the right to object, on grounds relating to your particular situation, to processing based on the Foundation's legitimate interests. The Foundation will cease such processing unless it demonstrates compelling legitimate grounds that override your interests, rights, and freedoms;
  • Right to Withdraw Consent: where processing is based on consent, the right to withdraw that consent at any time without affecting the lawfulness of prior processing;
  • Right to Lodge a Complaint: the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or, for EEA residents, with the competent supervisory authority in your Member State of habitual residence or place of work.

To exercise any of the above rights, submit a written request to privacy@epinikiagame.com. The Foundation will respond within 30 calendar days of receipt of a verifiable request. This period may be extended by a further 60 days where necessary, given the complexity or number of requests, provided the Foundation notifies you of such extension within the initial 30-day period.

The Foundation reserves the right to verify your identity before processing any data subject rights request. Requests that are manifestly unfounded or excessive may be refused or subject to a reasonable administrative fee.

9. Security Measures

The Foundation implements and maintains appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include, without limitation:

  • Encryption of Personal Data at rest and in transit using industry-standard protocols;
  • Strict access controls and role-based permissions limiting Personal Data access to authorised personnel on a need-to-know basis;
  • Regular security assessments, penetration testing, and code audits of application and smart contract infrastructure;
  • Logging and monitoring of all access to systems containing Personal Data;
  • Incident response procedures including breach notification protocols consistent with applicable law.

Notwithstanding the above, no transmission of data over the internet or any wireless network can be guaranteed to be entirely secure. The Foundation cannot guarantee the absolute security of Personal Data and accepts no liability for security breaches attributable to circumstances beyond its reasonable control, including vulnerabilities in third-party infrastructure, force majeure events, or User negligence (including but not limited to sharing credentials or falling victim to phishing).

In the event of a Personal Data breach that is likely to result in a high risk to your rights and freedoms, the Foundation will notify you without undue delay in accordance with applicable law.

10. Cookies and Tracking Technologies

The Game uses cookies and similar tracking technologies to operate its core functionality, analyse usage patterns, and maintain session integrity. The following categories of cookies are used:

  • Strictly Necessary Cookies: essential to the operation of the Game, including authentication session management and security tokens. These cannot be disabled without impairing core functionality and do not require consent;
  • Analytics Cookies: used to collect aggregated, pseudonymous information about how users interact with the Game, enabling the Foundation to improve performance and user experience. These are deployed only with your consent where required by law;
  • Preference Cookies: used to remember your settings and personalisation choices (e.g. display theme) across sessions.

The Foundation does not deploy third-party advertising or cross-site tracking cookies. You may manage cookie preferences through your browser settings. Disabling strictly necessary cookies may prevent you from using the Game.

11. Automated Decision-Making and Profiling

The Foundation employs automated fraud detection systems that analyse on-chain and off-chain behavioural patterns to identify prohibited conduct as defined in the Terms of Service. These systems may result in automated decisions including account suspension, prize withholding, or access restriction, without prior human review in the first instance.

Where such an automated decision materially affects your rights — including the withholding of a prize or permanent account suspension — you have the right to request human review of the decision by contacting legal@epinikiagame.com. The Foundation will respond to such requests within 15 business days. Human review is not available for decisions mandated exclusively by applicable law (e.g. regulatory sanctions screening).

The Foundation does not engage in profiling for commercial advertising purposes.

12. Children's Privacy

The Game is strictly prohibited for persons under the age of 18. The Foundation does not knowingly collect, process, or store Personal Data from minors. If the Foundation becomes aware that Personal Data has been collected from a person under 18, it will take immediate steps to delete such data and permanently close the associated account.

If you believe that a minor has provided Personal Data to the Game, please notify the Foundation immediately at privacy@epinikiagame.com.

13. Amendments to This Policy

The Foundation reserves the right to modify this Privacy Policy at any time to reflect changes in applicable law, regulatory guidance, or the Foundation's processing activities. Material changes will be notified via epinikiagame.com and, where feasible, by email to the address registered to your account.

The date of the most recent revision is indicated at the top of this Policy. Continued use of the Game following notification of material changes constitutes your acknowledgement of the updated Policy. If you do not agree with the amended Policy, you must cease using the Game and may request account deletion in accordance with Section 8.

14. Contact and Data Protection Inquiries

For all data protection matters, including the exercise of your data subject rights, questions regarding this Policy, or to report a potential privacy incident, please contact:

Standard response time: within 30 calendar days. Urgent data protection matters (including breach notifications): within 72 hours.

You also have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) at www.edoeb.admin.ch, or with the supervisory authority of your EEA Member State of residence.

This Privacy Policy is effective as of 2025-01-01. The Foundation reserves the right to update this Policy at any time. Continued use of the Game constitutes acknowledgement of the current Policy.
