Privacy Policy

Draft — informational only. Review with counsel before launch.

Last updated: May 15, 2026 · Effective date: May 15, 2026

This Privacy Policy explains how XRPro Labs ("XRPro", "we", "us", "our") collects, uses, shares, and protects personal data when you visit our websites, create an account, deposit or withdraw assets, contact support, attend an event, or otherwise interact with the Service. It applies to all visitors and account holders worldwide. Capitalised terms not defined here have the meaning given to them in the Terms of Service.

1. Who is the data controller

The controller of personal data described in this Policy is XRPro Labs. You can reach our privacy team at support@xrpro.gg. If you are in the European Economic Area or the United Kingdom, requests can also be sent to the same address; if a Data Protection Officer is appointed, that designation will be reflected here.

2. What personal data we collect

Account data: email address, display name, password hash, two-factor authentication metadata, language preference, and verification status.

Transactional data: deposits, withdrawals, vault allocations, accrued yield, referral attributions, ticket purchases, and the on-chain addresses and transaction hashes associated with those events.

Device and usage data: IP address, browser user-agent, device type, approximate location derived from IP, pages visited, links clicked, time spent, and error or performance telemetry.

Communications: the content of messages you send to support, replies to our emails, and any feedback or survey responses you submit.

Compliance data: where required by law, sanctions and PEP screening results, risk scores from blockchain analytics providers, and any documentation you provide in response to a compliance review.

We do not deliberately collect special category data (such as health, biometric, or political opinions) and ask that you do not submit such data unless we explicitly request it for a clearly stated purpose.

3. How we use personal data

We process personal data to: (a) operate and secure the Service; (b) authenticate users and prevent unauthorised access; (c) execute deposits, withdrawals, yield distributions, and referral payouts; (d) send transactional emails and account notifications; (e) provide customer support; (f) run analytics that help us improve the Service; (g) comply with our legal, regulatory, tax, and accounting obligations; (h) detect, investigate, and prevent fraud, money laundering, sanctions evasion, and other unlawful activity; and (i) enforce our Terms of Service and protect our rights.

4. Legal bases (EEA / UK users)

Where the EU or UK General Data Protection Regulation applies, we rely on the following legal bases: contract (operating your account, processing deposits and withdrawals); legal obligation (anti-money-laundering, sanctions screening, tax reporting); legitimate interests (security, fraud prevention, product improvement, direct communications about the Service); and consent (optional marketing, certain analytics, and any cookies that are not strictly necessary). You can withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

5. Cookies and similar technologies

We use strictly necessary cookies to operate the Service (for example, to keep you logged in) and may use analytics or performance cookies to understand how the Service is used. Where required by law, we ask for consent via a cookie banner before placing non-essential cookies. You can manage cookie preferences through your browser settings; disabling certain cookies may affect functionality.

6. Sharing personal data

We share personal data only as necessary and only with categories of recipients that include: (a) infrastructure and hosting providers; (b) database, authentication, and email-delivery providers; (c) payment processors and on-ramp partners; (d) blockchain analytics and sanctions-screening providers; (e) professional advisers (legal, accounting, audit); and (f) law enforcement, regulators, or other authorities when required by law or to protect rights, property, or safety. We do not sell personal data.

In the event of a corporate transaction (such as a merger, acquisition, financing, or sale of assets) personal data may be transferred as part of the transaction, subject to appropriate confidentiality protections.

7. International transfers

Personal data may be processed in countries other than your country of residence, including the United States and the European Union. Where transfers leave the EEA or UK, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or the recipient's certification under a recognised framework. You can request a copy of the safeguard in place by contacting us.

8. Data retention

We retain personal data only for as long as needed for the purposes described in this Policy or as required by law. As a guideline: account and transactional records are typically retained for the lifetime of the account plus the longer of seven years or any retention period mandated by applicable financial-services or tax law; security and access logs are typically retained for up to 24 months; support correspondence is typically retained for up to 36 months; marketing data is retained until you opt out or become inactive. When personal data is no longer needed, it is deleted or irreversibly anonymised.

9. Your rights

Subject to local law, you have rights to access the personal data we hold about you, request correction or deletion, object to or restrict certain processing, request portability of data you provided to us, and lodge a complaint with your local data protection authority. To exercise any of these rights, contact support@xrpro.gg. We may need to verify your identity before responding and will reply within the period required by applicable law.

Please note that on-chain data (such as wallet addresses and transaction hashes) is recorded on public blockchains that we do not control and cannot delete.

10. Security

We use administrative, technical, and physical safeguards designed to protect personal data, including encryption in transit and at rest where appropriate, access controls, monitoring, secret rotation, regular security reviews, and security awareness training for personnel. No system is perfectly secure; in the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant authorities as required by applicable law.

11. Children

The Service is not directed at children under the age of 18, and we do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, contact us so we can delete it.

12. Marketing communications

We may send you product updates, newsletters, or invitations to events. You can opt out at any time using the unsubscribe link in any email or by contacting us. Transactional emails (such as security alerts, withdrawal status, and legal notices) cannot be opted out of while you maintain an account.

13. Automated decision-making

We may use automated tools to flag suspicious transactions, sanctions exposure, or breaches of our Terms. Where an automated decision has a significant effect on you, we provide a path to human review by contacting support@xrpro.gg.

14. Changes to this Policy

We may update this Policy from time to time. Material changes will be communicated by email or through the dashboard at least 14 days before they take effect, except where a shorter notice period is required for legal or security reasons.

15. Contact

For privacy questions or to exercise your rights, contact support@xrpro.gg. For security disclosures, contact support@xrpro.gg. For general support, contact support@xrpro.gg.