1. Introduction

This Privacy Policy (the "Policy") describes how [ENTITY_NAME] ("[ENTITY_NAME]", "we", or "us"), the operator of the 4rho prediction-market exchange (the "Service"), collects, uses, discloses, and retains personal information about you ("you") when you access or use the Service through the website at https://4rho.com, mobile-web surfaces, or our application programming interfaces (collectively, the "Platform").

[ENTITY_NAME] is the controller of the personal information described in this Policy. This Policy applies to personal information processed in connection with the Platform; it does not apply to information recorded on the Polygon Network, which is public by design (see Section 5).

By accessing or using the Platform, you acknowledge that you have read and understood this Policy. Your use of the Platform is also governed by our Terms of Service at /legal/terms.

2. Information We Collect

We collect three categories of personal information:

2.1 Information you provide

Authentication information — when you authenticate through Privy, we receive your email address (if you use email-link login) or your externally-owned Wallet address (if you connect a self-custodial wallet such as MetaMask). For email-link users, Privy provisions an embedded Wallet on your behalf, and we receive that Wallet's public address.
Profile information — display name and any other details you provide through your account settings.
Support correspondence — the contents of any ticket you open through the in-app support inbox, including any attachments and follow-up messages.
Verification information — if a future regulated path is added, any identification documents or verification artifacts you submit in response to a request from us.

2.2 Information collected automatically

Network and device information — your Internet Protocol (IP) address; coarse geolocation derived from the IP address (country, region, city) by our geoip-enricher worker; user agent; browser and operating-system identifiers.
Device fingerprint — a SHA-256 hash of coarse browser attributes (the X-4rho-Fingerprint header), used as a fraud signal. The hash is generated client-side by frontend/src/lib/auth/fingerprint.ts and rotates approximately every thirty (30) days.
Usage information — pages and Markets you view, Orders you place, fills attributed to your Wallet, the date and time of each action, and Sentry error telemetry generated when the Platform encounters an error.
Sign-in information — every authentication attempt is appended to the user_sign_ins log, including timestamp, IP, derived country/region/city, and any autonomous-system identifier returned by our GeoIP provider.

2.3 Information from third parties

Privy — we receive your authenticated identity, linked accounts, and Wallet address from Privy.
Polygon Network — every Order, fill, Resolution, and redemption is recorded on the Polygon PoS public blockchain and is therefore publicly observable. We may correlate on-chain data with your account.
Referral and affiliate partners — if you arrived through a referral link or promotion, we receive the corresponding referral code and attribution metadata.
Sanctions-screening providers — we may receive screening results for your Wallet address and country in connection with our compliance program.

3. How We Use Your Information

We use the information described in Section 2 to:

Operate the Platform — match Orders against the off-chain order book, settle matched Orders on-chain, deploy Markets, propose and finalize Resolutions, and process redemptions.
Maintain your account — authenticate you, surface your Order and position history, deliver service-related communications, and provide customer support through the in-app inbox.
Prevent fraud and abuse — log sign-ins, screen for sanctions exposure, evaluate the synchronous signup-cluster gate, run the wash-trade scanner, run the disposable-email refresher, and investigate suspected violations of our Terms of Service.
Comply with applicable law — respond to lawful subpoenas, court orders, and regulatory requests; meet our obligations under sanctions, anti-money-laundering, tax, and consumer-protection law.
Secure the Platform — detect, investigate, and respond to security incidents, including by analyzing Sentry error telemetry, admin audit logs, and worker heartbeats.
Improve the Platform — analyze aggregated, de-identified usage patterns to make the Platform faster, more reliable, and more useful.
Communicate with you — send transactional notices, security alerts, and (with your consent where required) marketing communications about new features and Markets. You can opt out of marketing communications at any time using the unsubscribe link or your account settings.

We do not use your personal information for automated decision-making that produces legal or similarly significant effects on you without human review.

4. Cookies and Similar Technologies

The Platform uses cookies and similar technologies to authenticate you, remember your preferences, and detect fraud. The cookies set by 4rho are:

Cookie	Purpose	Lifetime	Required
`4rho_session`	Authentication session	Session	Yes
`4rho_referral`	Referral attribution	7 days	No
`4rho_promo_code`	Promotion attribution	7 days	No
`4rho_fp`	Device fingerprint (fraud signal)	30 days	Yes (security)
`4rho_cookie_consent`	Records your cookie-consent choice	1 year	Yes

The cookies marked Required are strictly necessary for the Platform to function and are set without consent on the legal basis of legitimate interest. The cookies marked No under "Required" are set only after you grant consent through the cookie-consent banner displayed on your first visit. You can revisit your choice at any time using the "Cookie preferences" link in the footer.

We use first-party performance and error-monitoring tools (Vercel Speed Insights and Sentry) that do not set third-party advertising cookies and do not track you across other websites. We do not use the Platform for behavioral advertising and do not permit third parties to do so on our properties.

We share personal information in the following limited circumstances:

Service providers — we share information with third parties that provide infrastructure and operational services on our behalf, including Privy (authentication), Sentry (error monitoring), Vercel (frontend hosting), Railway (backend hosting), Neon (managed Postgres), our GeoIP provider, our sanctions-screening provider, and our fiat on/off-ramp partner. These providers are bound by contractual obligations to use the information only as needed to provide their services.
Public blockchain data — every Order you place that results in a fill, every settlement, every Resolution, and every redemption is recorded on the Polygon PoS public blockchain and is observable by anyone in the world. Your Wallet address is therefore associated with your trading history on a permanent, public ledger. You should treat your Wallet address as pseudonymous, not anonymous.
Compliance and legal process — we may disclose information in response to a lawful subpoena, court order, regulatory inquiry, or similar legal process; to comply with our legal obligations; or to protect the rights, property, or safety of [ENTITY_NAME], our Users, or the public.
Corporate transactions — if [ENTITY_NAME] is involved in a merger, acquisition, financing, reorganization, or sale of all or part of its assets, your information may be transferred as part of that transaction, subject to a successor's obligation to honor the commitments in this Policy.

We do not sell your personal information. We do not "share" your personal information for cross-context behavioral advertising as that term is defined under the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA).

6. Data Retention

We retain personal information for as long as your account is active, plus a tail period needed to satisfy our legal, regulatory, and audit obligations. The default retention periods are:

Category	Retention
Account record (Wallet, email, display name)	Life of account + 7 years
Sign-in log (`user_sign_ins`)	13 months
Audit logs (HMAC-chained admin actions)	7 years
User session events / telemetry	30 days
Support tickets and messages	Life of account, then 2 years after account closure
Sentry error telemetry	90 days
Cookies	As described in Section 4

On-chain data — Orders, fills, Resolutions, and redemptions recorded on the Polygon Network — is permanent and outside our control. Closing your account does not remove that data from the blockchain.

When the retention period for a category expires, we delete or de-identify the information in our systems. Where deletion is not technically feasible (for example, immutable backups), we isolate and restrict the information until deletion is possible.

7. Data Security

We implement administrative, technical, and physical safeguards designed to protect your personal information from unauthorized access, use, disclosure, alteration, and destruction. Our current controls include:

Transport security — TLS 1.2 or higher for all connections to the Platform.
Storage security — managed Postgres at Neon with encryption at rest; principle-of-least-privilege access controls.
Wallet custody — for embedded Wallets, key custody is performed by Privy under your direction; for externally-owned Wallets, the private key never leaves your device. [ENTITY_NAME] does not hold your Wallet's private key.
Order integrity — Orders are signed by your Wallet using EIP-712 typed-data signatures and verified on-chain at settlement.
Administrative controls — administrative access is gated by role-based access control (RBAC) with time-bound, TOTP-verified just-in-time elevation for destructive actions, and every admin action is recorded in an HMAC-chained audit log.
Operational monitoring — Sentry-monitored worker heartbeats and error telemetry are reviewed for anomalies.

No security control is perfect. We cannot guarantee that the Platform or the Smart Contracts will be free from bugs, vulnerabilities, or unauthorized access. The Smart Contracts have not, as of the date of this Policy, been formally audited by an independent third-party security firm — see Section 2 of the Risk Disclosure at /legal/risk. You are responsible for safeguarding the credentials that control your Wallet.

8. Your Rights

The rights available to you depend on where you reside.

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the right to:

access the personal information we hold about you;
rectify inaccurate or incomplete personal information;
erase your personal information, subject to retention exceptions required by law;
restrict the processing of your personal information in certain circumstances;
object to processing based on our legitimate interests or for direct marketing;
request portability of personal information you provided to us in a structured, commonly-used, machine-readable format;
withdraw consent for any processing based on consent, without affecting the lawfulness of prior processing; and
lodge a complaint with your local data-protection supervisory authority.

The legal bases on which we rely include performance of the contract (operating the Platform), legitimate interests (security, fraud prevention, service improvement), legal obligation (sanctions screening, recordkeeping), and consent (non-essential cookies, marketing).

8.2 Rights under the CCPA / CPRA (California Users)

If you are a California resident, you have the right to:

know what personal information we have collected about you, including the categories of information, the categories of sources, the purposes of collection, and the categories of third parties with whom we share it;
delete personal information we have collected from you, subject to retention exceptions required by law;
correct inaccurate personal information;
opt out of any "sale" or "sharing" of personal information for cross-context behavioral advertising — note that we do not sell or share your personal information for those purposes;
limit the use and disclosure of sensitive personal information; and
exercise these rights without discrimination in service or pricing.

You may designate an authorized agent to make a request on your behalf. We will require the agent to demonstrate written authorization and may require you to verify your identity directly with us.

8.3 How to Exercise Your Rights

You can exercise any of the rights above by submitting a request through the in-app support inbox at /support/tickets/new with category "Privacy Request".

To verify your identity, we will ask you to authenticate through the email address or Wallet linked to your account. For sensitive requests (such as access or deletion of your full account record), we may ask you to sign a verification message with your Wallet. We will respond to verifiable requests within forty-five (45) days, with one extension of up to forty-five (45) additional days if reasonably necessary.

We do not charge a fee for responding to a request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee or decline to act, as permitted by applicable law.

9. International Transfers

[ENTITY_NAME] is established in [JURISDICTION] and processes personal information in the United States and other jurisdictions in which our service providers operate. If you are located in the European Economic Area, the United Kingdom, or another jurisdiction with data- transfer restrictions, your personal information will be transferred to and processed in jurisdictions that may not provide the same level of data-protection law as your home jurisdiction.

For transfers of personal information from the EEA, UK, or Switzerland to a country that has not been deemed adequate, we rely on the Standard Contractual Clauses approved by the European Commission (and, where applicable, the UK Addendum) and implement supplementary technical and organizational measures as required by Schrems II.

10. Children's Privacy

The Platform is not directed to anyone under the age of eighteen (18), and we do not knowingly collect personal information from anyone under eighteen. If we learn that we have collected personal information from a person under eighteen, we will delete that information and terminate the associated account. If you believe a minor has provided personal information to us, please contact us through the in-app support inbox.

11. Changes to This Policy

We may update this Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page and, for material changes, will provide reasonable advance notice through a banner on the legal pages and an email to the address linked to your Wallet.

Your continued access to or use of the Platform after the effective date of an updated Policy constitutes acknowledgment of the update.

12. Contact

Questions about this Policy or requests under Section 8 can be sent via the in-app support inbox at /support/tickets/new with category "Privacy Request".

You may also contact our Data Protection Officer or privacy team directly at:

[ENTITY_NAME] Attn: Privacy Team / Data Protection Officer [REGISTERED_ADDRESS] Email: [DPO_EMAIL]

1. Introduction

By accessing or using the Platform, you acknowledge that you have read and understood this Policy. Your use of the Platform is also governed by our Terms of Service at /legal/terms.

2. Information We Collect

We collect three categories of personal information:

2.1 Information you provide

Authentication information — when you authenticate through Privy, we receive your email address (if you use email-link login) or your externally-owned Wallet address (if you connect a self-custodial wallet such as MetaMask). For email-link users, Privy provisions an embedded Wallet on your behalf, and we receive that Wallet's public address.
Profile information — display name and any other details you provide through your account settings.
Support correspondence — the contents of any ticket you open through the in-app support inbox, including any attachments and follow-up messages.
Verification information — if a future regulated path is added, any identification documents or verification artifacts you submit in response to a request from us.

2.2 Information collected automatically

Network and device information — your Internet Protocol (IP) address; coarse geolocation derived from the IP address (country, region, city) by our geoip-enricher worker; user agent; browser and operating-system identifiers.
Device fingerprint — a SHA-256 hash of coarse browser attributes (the X-4rho-Fingerprint header), used as a fraud signal. The hash is generated client-side by frontend/src/lib/auth/fingerprint.ts and rotates approximately every thirty (30) days.
Usage information — pages and Markets you view, Orders you place, fills attributed to your Wallet, the date and time of each action, and Sentry error telemetry generated when the Platform encounters an error.
Sign-in information — every authentication attempt is appended to the user_sign_ins log, including timestamp, IP, derived country/region/city, and any autonomous-system identifier returned by our GeoIP provider.

2.3 Information from third parties

Privy — we receive your authenticated identity, linked accounts, and Wallet address from Privy.
Polygon Network — every Order, fill, Resolution, and redemption is recorded on the Polygon PoS public blockchain and is therefore publicly observable. We may correlate on-chain data with your account.
Referral and affiliate partners — if you arrived through a referral link or promotion, we receive the corresponding referral code and attribution metadata.
Sanctions-screening providers — we may receive screening results for your Wallet address and country in connection with our compliance program.

3. How We Use Your Information

We use the information described in Section 2 to:

Operate the Platform — match Orders against the off-chain order book, settle matched Orders on-chain, deploy Markets, propose and finalize Resolutions, and process redemptions.
Maintain your account — authenticate you, surface your Order and position history, deliver service-related communications, and provide customer support through the in-app inbox.
Prevent fraud and abuse — log sign-ins, screen for sanctions exposure, evaluate the synchronous signup-cluster gate, run the wash-trade scanner, run the disposable-email refresher, and investigate suspected violations of our Terms of Service.
Comply with applicable law — respond to lawful subpoenas, court orders, and regulatory requests; meet our obligations under sanctions, anti-money-laundering, tax, and consumer-protection law.
Secure the Platform — detect, investigate, and respond to security incidents, including by analyzing Sentry error telemetry, admin audit logs, and worker heartbeats.
Improve the Platform — analyze aggregated, de-identified usage patterns to make the Platform faster, more reliable, and more useful.
Communicate with you — send transactional notices, security alerts, and (with your consent where required) marketing communications about new features and Markets. You can opt out of marketing communications at any time using the unsubscribe link or your account settings.

We do not use your personal information for automated decision-making that produces legal or similarly significant effects on you without human review.

4. Cookies and Similar Technologies

The Platform uses cookies and similar technologies to authenticate you, remember your preferences, and detect fraud. The cookies set by 4rho are:

Cookie	Purpose	Lifetime	Required
`4rho_session`	Authentication session	Session	Yes
`4rho_referral`	Referral attribution	7 days	No
`4rho_promo_code`	Promotion attribution	7 days	No
`4rho_fp`	Device fingerprint (fraud signal)	30 days	Yes (security)
`4rho_cookie_consent`	Records your cookie-consent choice	1 year	Yes

We share personal information in the following limited circumstances:

Service providers — we share information with third parties that provide infrastructure and operational services on our behalf, including Privy (authentication), Sentry (error monitoring), Vercel (frontend hosting), Railway (backend hosting), Neon (managed Postgres), our GeoIP provider, our sanctions-screening provider, and our fiat on/off-ramp partner. These providers are bound by contractual obligations to use the information only as needed to provide their services.
Public blockchain data — every Order you place that results in a fill, every settlement, every Resolution, and every redemption is recorded on the Polygon PoS public blockchain and is observable by anyone in the world. Your Wallet address is therefore associated with your trading history on a permanent, public ledger. You should treat your Wallet address as pseudonymous, not anonymous.
Compliance and legal process — we may disclose information in response to a lawful subpoena, court order, regulatory inquiry, or similar legal process; to comply with our legal obligations; or to protect the rights, property, or safety of [ENTITY_NAME], our Users, or the public.
Corporate transactions — if [ENTITY_NAME] is involved in a merger, acquisition, financing, reorganization, or sale of all or part of its assets, your information may be transferred as part of that transaction, subject to a successor's obligation to honor the commitments in this Policy.

6. Data Retention

We retain personal information for as long as your account is active, plus a tail period needed to satisfy our legal, regulatory, and audit obligations. The default retention periods are:

Category	Retention
Account record (Wallet, email, display name)	Life of account + 7 years
Sign-in log (`user_sign_ins`)	13 months
Audit logs (HMAC-chained admin actions)	7 years
User session events / telemetry	30 days
Support tickets and messages	Life of account, then 2 years after account closure
Sentry error telemetry	90 days
Cookies	As described in Section 4

7. Data Security

Transport security — TLS 1.2 or higher for all connections to the Platform.
Storage security — managed Postgres at Neon with encryption at rest; principle-of-least-privilege access controls.
Wallet custody — for embedded Wallets, key custody is performed by Privy under your direction; for externally-owned Wallets, the private key never leaves your device. [ENTITY_NAME] does not hold your Wallet's private key.
Order integrity — Orders are signed by your Wallet using EIP-712 typed-data signatures and verified on-chain at settlement.
Administrative controls — administrative access is gated by role-based access control (RBAC) with time-bound, TOTP-verified just-in-time elevation for destructive actions, and every admin action is recorded in an HMAC-chained audit log.
Operational monitoring — Sentry-monitored worker heartbeats and error telemetry are reviewed for anomalies.

8. Your Rights

The rights available to you depend on where you reside.

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the right to:

access the personal information we hold about you;
rectify inaccurate or incomplete personal information;
erase your personal information, subject to retention exceptions required by law;
restrict the processing of your personal information in certain circumstances;
object to processing based on our legitimate interests or for direct marketing;
request portability of personal information you provided to us in a structured, commonly-used, machine-readable format;
withdraw consent for any processing based on consent, without affecting the lawfulness of prior processing; and
lodge a complaint with your local data-protection supervisory authority.

8.2 Rights under the CCPA / CPRA (California Users)

If you are a California resident, you have the right to:

know what personal information we have collected about you, including the categories of information, the categories of sources, the purposes of collection, and the categories of third parties with whom we share it;
delete personal information we have collected from you, subject to retention exceptions required by law;
correct inaccurate personal information;
opt out of any "sale" or "sharing" of personal information for cross-context behavioral advertising — note that we do not sell or share your personal information for those purposes;
limit the use and disclosure of sensitive personal information; and
exercise these rights without discrimination in service or pricing.

You may designate an authorized agent to make a request on your behalf. We will require the agent to demonstrate written authorization and may require you to verify your identity directly with us.

8.3 How to Exercise Your Rights

You can exercise any of the rights above by submitting a request through the in-app support inbox at /support/tickets/new with category "Privacy Request".

We do not charge a fee for responding to a request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee or decline to act, as permitted by applicable law.

9. International Transfers

10. Children's Privacy

11. Changes to This Policy

Your continued access to or use of the Platform after the effective date of an updated Policy constitutes acknowledgment of the update.

12. Contact

Questions about this Policy or requests under Section 8 can be sent via the in-app support inbox at /support/tickets/new with category "Privacy Request".

You may also contact our Data Protection Officer or privacy team directly at:

[ENTITY_NAME] Attn: Privacy Team / Data Protection Officer [REGISTERED_ADDRESS] Email: [DPO_EMAIL]

1. Introduction

2. Information We Collect

2.1 Information you provide

2.2 Information collected automatically

2.3 Information from third parties

3. How We Use Your Information

4. Cookies and Similar Technologies

5. How We Share Your Information

6. Data Retention

7. Data Security

8. Your Rights

8.1 Rights under the GDPR (EEA / UK Users)

8.2 Rights under the CCPA / CPRA (California Users)

8.3 How to Exercise Your Rights

9. International Transfers

10. Children's Privacy

11. Changes to This Policy

12. Contact

1. Introduction

2. Information We Collect

2.1 Information you provide

2.2 Information collected automatically

2.3 Information from third parties

3. How We Use Your Information

4. Cookies and Similar Technologies

5. How We Share Your Information

6. Data Retention

7. Data Security

8. Your Rights

8.1 Rights under the GDPR (EEA / UK Users)

8.2 Rights under the CCPA / CPRA (California Users)

8.3 How to Exercise Your Rights

9. International Transfers

10. Children's Privacy

11. Changes to This Policy

12. Contact