Privacy Policy

1. Data controller

The controller of your personal data is:

This Policy forms an integral part of our Terms of Service. Capitalised terms not defined here have the meaning given to them in those terms. It should also be read together with our Marketplace Terms, our Game Rules, our Responsible Gaming page and our Cookies Policy.

2. Data collected, purposes and legal bases

We process your data for specified purposes, each relying on a legal basis within the meaning of Article 6 (and, where relevant, Article 9) of the GDPR.

3. Identity verification (KYC) and biometric data, French residents

If you reside in France and wish to acquire or use NFT cards (blue, pink and yellow rarities), the JONUM regime requires us to verify your identity and that you are of legal age. This verification is carried out by our specialist provider Didit Identity Spain, S.L. (Barcelona, Spain).

The verification process comprises: optical character recognition (OCR) of your identity document, a passive liveness check, a facial comparison between your selfie and the document photo (face match), and analysis of your IP address.

Allocation of roles: the biometric data (selfie image, facial template) is processed and retained by Didit, acting as a processor; its servers process this data within the European Economic Area (EEA). CyLimit neither receives nor stores any biometric image: through a signed webhook, we receive only the decoded textual identity data (last name, first name, date of birth, document country / type / number), retained only if verification succeeds, together with an identity fingerprint (identityHash). For details of the biometric processing, please refer to Didit's privacy policy.

The identity data resulting from KYC is retained by CyLimit for the period required by our legal and regulatory obligations (see the section "Retention periods").

4. JONUM territorial compliance data, French residents

To determine whether the JONUM regime applies to you and to enforce it, we process data specific to users identified as French residents only.

This compliance data is retained for the period required by the JONUM regulation and our supervisory obligations (see the section "Retention periods"). To learn more about the protective measures, see our Responsible Gaming page.

5. The blockchain and your data

NFT cards (blue, pink and yellow rarities) are non-fungible tokens (ERC-721) issued on a single public blockchain: Base, an Ethereum layer-2 network developed by Coinbase. Your wallet is a Coinbase embedded account (ERC-4337): CyLimit retains only the public address of that wallet, never the keys giving access to it.

Only the following appear on the blockchain: the public address of your wallet, the identifier (tokenId) of your NFTs and the metadata of transactions (purchases, sales, transfers). No other personal data is recorded there by CyLimit.

"White" cards and free cards are not NFTs: they are off-chain game items recorded only in CyLimit's database. Any transfer of NFTs or cryptocurrencies to an external wallet is subject to the terms and privacy policy of the relevant third party (in particular Coinbase); we encourage you to review them before any such transaction.

6. Recipients and processors

We use providers (processors or independent controllers) to deliver, maintain and secure our Services. Each accesses only the data strictly necessary for its task and is bound by contractual data-protection commitments.

• Account authentication and session management.
• Provision of the embedded wallet and cryptocurrency conversion (purchase and withdrawal), by a provider acting as an independent controller for its own obligations.
• Card payments and payment-fraud prevention, by a payment provider acting as an independent controller.
• Identity verification (KYC) and biometric data processing for French residents (see section 3).
• Monitoring and indexing of blockchain transactions (deposit detection).
• Hosting of NFT metadata.
• Sending of transactional emails (confirmations, notifications) and, based on your opt-in consent, marketing emails.
• Internal operational and alerting tools, which may contain your email or identity, within the limits of data minimisation.
• Application hosting and database, within the European Union.

Your data may also be accessed by authorised members of the CyLimit team, and disclosed to the competent authorities (in particular the French national gaming authority and the judicial authorities) where required by law and after verifying the legitimacy of the request.

7. Transfers outside the European Union

Your data is hosted primarily within the European Union. Some of our providers may, however, process data outside the European Economic Area, in particular in the United States.

Where a transfer outside the EEA takes place, we ensure that it is governed by at least one of the following mechanisms:

• an adequacy decision of the European Commission (Article 45 of the GDPR), in particular the EU-US Data Privacy Framework for certified US providers;
• standard contractual clauses adopted by the European Commission (Article 46 of the GDPR);
• adherence to an approved code of conduct or certification mechanism.

8. Retention periods

We retain your data for the period necessary for the purposes described, after which we delete or anonymise it, unless a legal obligation requires longer retention.

9. Your rights

In accordance with the GDPR, you have the following rights over your data: the right of access, rectification, erasure, restriction, objection, portability, withdrawal of your consent (without retroactive effect) and the right to give instructions on the fate of your data after your death.

To exercise your rights, write to us at contact@cylimit.com or by post to CYLIMIT, 6 rue d'Armaillé, 75017 Paris, France. We may ask you for proof of identity. We respond within one (1) month, extendable by two (2) months for complex requests.

You may also lodge a complaint with the French data protection authority (CNIL), 3 place de Fontenoy, 75007 Paris (www.cnil.fr), or with the data protection authority of your EU Member State of residence.

10. Deleting your account

You may request deletion of your account by email to contact@cylimit.com. As of today, deletion is handled manually by our teams, generally within approximately 30 days (extendable to three months for complex requests).

Some data is retained beyond account deletion in respect of our legal obligations (JONUM and KYC compliance, accounting). In order to preserve the history and traceability of the cards you have owned, the username associated with those cards may be replaced by a random string of characters (pseudonymisation). Data already recorded on the blockchain remains immutable.

11. Use by minors

Access to the free, non-NFT features of the platform (in particular play with "white" cards) is subject to no age restriction.

By contrast, the acquisition and holding of NFT cards (blue, pink and yellow rarities), and, for French residents, the application of the JONUM regime, are reserved for persons aged 18 or over. Legal age is verified during KYC from the date of birth on the identity document. Any French-resident account identified as a minor during KYC is blocked for these features.

12. Cookies and local storage

We use only cookies and storage strictly necessary for the operation of the Services: the authentication cookie (__session), your Coinbase wallet session and the storage of your referral code.

For more details, see our Cookies Policy.

13. Security

We implement technical and organisational measures designed to protect the confidentiality, integrity and security of your data: secrets management via a dedicated vault, password hashing, storage of sensitive supporting documents in a private, encrypted space, and restriction of access to authorised staff.

We recommend that you choose a strong, unique password, never share it, and keep your wallet access details in a safe place. As no security measure is infallible, we cannot guarantee absolute security, but we undertake to respond diligently to any incident.

14. Data protection contact, updates and governing law

For any question concerning this Policy or your data, you may contact our dedicated data-protection point of contact at contact@cylimit.com or by post to CYLIMIT, 6 rue d'Armaillé, 75017 Paris, France.

We may amend this Policy to reflect changes in our Services or in applicable law. Any significant change will be communicated to you. The applicable version is the one published on our website at the time you use the Services.

This Policy is governed by French law and the law of the European Union. If you are a consumer resident in another EU Member State, you retain the benefit of the mandatory provisions of your country of residence. See also our Legal Notice.