Privacy Policy

Last updated: May 2026 · GDPR + CCPA considered · No PII collected · No KYC

LootXX collects the minimum data required to operate the game and detect fraud. We collect no personally identifiable information (PII). There is no KYC, no name, no email, no identity verification of any kind.

1. What We Collect

Data Type	Purpose	Retention
Wallet public key	Identify account; link chip balance	Indefinite (account record)
Deposit history	Verify on-chain deposits; credit chips	Indefinite (financial record)
Withdrawal history	Process withdrawals; prevent double-spend	Indefinite (financial record)
Hand history	Settle bets; audit game outcomes; dispute resolution	1 year for audit, then anonymized
IP address	Fraud detection, rate limiting, jurisdiction screening	1 year for audit, then purged
Session tokens	Authenticate WebSocket connections	Expires when session ends

2. What We Do NOT Collect

Name, email address, phone number, or any contact information
Government ID, passport, driver's license, or any KYC document
Date of birth (age is self-certified on first /play visit)
Payment card or bank account details (all transactions are on-chain)
Device fingerprints or persistent tracking identifiers

3. localStorage (Browser Storage)

We store one item in your browser's localStorage: lootxx_age_confirmed. This records that you confirmed you are 21+ and not in a restricted jurisdiction. It stays on your device only and is never transmitted to our servers.

4. Blockchain Data

Your wallet public key and all on-chain transactions are permanently recorded on the Solana blockchain. This is inherent to the technology. We do not control or delete blockchain records.

5. IP Address Usage

IP addresses are logged for up to 1 year solely for fraud detection, abuse prevention, audit purposes, and jurisdiction screening. After 1 year, IP logs are automatically purged. We do not sell, share, or use IPs for marketing.

6. Data Sharing

We do not sell, rent, or share your data with third parties, except:

Legal compliance: If required by a valid court order (note: we hold no PII).
Infrastructure providers: Database and server providers process data under confidentiality obligations.

7. Your Rights (GDPR / CCPA)

Since we hold no PII, most data-subject rights are fulfilled by the absence of that data. You may:

Right to Access: Request your chip balance and hand history records.
Right to Deletion: Request deletion of your chip balance account record (note: blockchain records cannot be deleted).
Right to Portability: Request an export of your hand history in CSV format.
CCPA Do Not Sell: We do not sell personal information. No opt-out required.

Submit requests via support. Response within 30 days.

8. Security

All data is stored in encrypted databases. API connections use TLS 1.2+. Private keys are never stored — we only store your public key.

9. Contact

Contact support for privacy questions.