Privacy Policy
LEGAL TODO: Counsel must verify (a) GDPR + CCPA compliance language is accurate for our actual data flows; (b) the third-party sub-processor list (Clerk, CoinsPaid, LiveKit, Honeycomb, Cloudflare, Resend/Postmark, Sentry, PostHog) matches the contracts we have in place at launch.
This policy describes the personal data thrust.com collects and how we use it.
1. Data we collect at sign-in
- Email address — provided when you sign up via Clerk (email, social login, or passkey). We store your Clerk user ID and the email address itself.
- Social login profile — if you sign in with Google, Apple, or another social provider via Clerk, we receive your display name and avatar. We do not receive or store your social-provider password.
- IP address + approximate location — used for geo eligibility checks at sign-in and on every tournament entry. We store the US state derived from your IP for geofencing enforcement. We block 11 US states (AZ, AR, CT, DE, LA, MT, SC, SD, TN, VT, PR) and consumer-VPN ASNs.
2. Data we collect during matches
- Match event journal — every input you make during a Tower Stack match (taps, timing, ws connect/disconnect events) is recorded with timestamps. The journal makes match outcomes auditable and replay-deterministic. Match journals are stored in Cloudflare R2 and retained for 90 days in full, then as aggregated metadata only.
- Device fingerprint + session telemetry — collected for anti-cheat behavioral analysis. Includes tap-timing distributions, device model, and screen resolution. Used solely for cheat detection; never shared with third parties for advertising.
3. Data we collect for compliance
- Deposit + withdrawal records — every fund movement is journaled in our durable ledger along with timestamps, rail (crypto/card/PayPal/ACH/wire), and counterparty identifiers. For crypto, counterparty is your provided destination address. For fiat rails, we store masked beneficiary identifiers only (last 4 digits of account/IBAN; masked routing numbers). Raw account numbers and IBANs are never persisted.
- CoinsPaid custody data — CoinsPaid (our Estonia-licensed virtual currency service provider) generates and manages deposit addresses on your behalf, handles multi-crypto confirmation and auto-conversion to USDC, and performs built-in AML monitoring. CoinsPaid receives your deposit/withdrawal addresses and amounts.
- AML review cases — if your deposit or withdrawal triggers a velocity threshold or sanctions hit, we open an internal review case carrying the user ID, amount, and reason.
4. How we use the data
- To run tournaments + settle outcomes
- To enforce eligibility (geo, ban status, self-exclusion, AML)
- To respond to disputes by replaying the event journal
- To detect and prevent cheating via behavioral analysis and replay re-simulation
- To comply with regulatory requests (subpoenas, OFAC sanctions screening, financial-crime investigations)
- For aggregate operational telemetry — error rates, latency, tournament volume — sent to Honeycomb. We do not use telemetry for advertising or share it with marketing partners.
5. Sub-processors
- Clerk — email, social, and passkey authentication.
- CoinsPaid — crypto custody, deposit address generation, AML monitoring, withdrawal disbursement (Estonia-licensed VCSP).
- Cloudflare — edge compute, CDN, R2 object storage for match journals.
- Honeycomb — operational telemetry (OpenTelemetry traces + metrics).
- Resend / Postmark — transactional email (account verification, withdrawal confirmations, friend-challenge invitations). PII limited to email address + display name.
- Sentry — error monitoring (PII scrubbed before transmission).
- PostHog — product analytics (PII scrubbed; no raw user identifiers transmitted).
- LiveKit — real-time video relay for features that use live audio or video.
- Base (Coinbase) — public blockchain network for on-chain fairness-audit anchors (DailyAnchor.sol Merkle root). Withdrawal transactions are executed via CoinsPaid, not directly on-chain by us.
6. Account data we keep
We limit personally identifiable information to the records needed to run accounts, payments, safety checks, and support:
- Account profile — email, display name, account status, and consent records in users and tos_attestations.
- Payment settings — saved withdrawal destinations and masked payout details.
- Social features — friend connections and invitation history in friendships.
- Notifications — delivery preferences and web push enrollment details in push_subscriptions.
7. Data retention + deletion
- Match journals — 90 days full retention in R2, then aggregated metadata only. Aggregated metadata retained for 7 years for regulatory audit.
- Account data — persists for the active life of the account. On deletion request, a 30-day soft-delete window begins; after 30 days, PII fields are permanently purged per the ACCOUNT-LIFECYCLE policy. Financial records subject to regulatory retention (deposits, withdrawals, tournament outcomes) are retained in anonymized form for 7 years.
- IP geolocation logs — roll off after 90 days.
- Telemetry — rolls off per Honeycomb's retention default (60 days).
8. Your rights
Depending on your jurisdiction, you may have the right to request a copy of your data, correct inaccurate data, or request deletion. Under GDPR Article 17, you may request erasure of personal data where no overriding legal basis for retention exists. Under CCPA, California residents may request to know what personal information is collected, request deletion, and opt out of the sale of personal information (we do not sell personal information).
Note that financial records subject to regulatory retention (deposits, withdrawals, match outcomes) cannot be deleted on request; we will inform you which fields are retained and why. To exercise any of these rights, email privacy@thrust.com with your account email. We will verify your identity and respond within 30 days.
9. Contact
Privacy questions: privacy@thrust.com. Subpoenas + law-enforcement requests: legal@thrust.com.