Privacy Policy

This Privacy Policy describes what personal data Predikt collects, why, how long we keep it, with whom we share it, and your rights under the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”).

1. Controller

Predikt OÜ (Estonian company in incorporation), Tallinn, Estonia. Contact: privacy@predikt.markets. Until the Estonian entity is registered (target before 1 July 2026), the data controller for the operating period is Antoine de la Fouchardière as a natural person.

2. Data we collect

• Email address if you sign up to the waitlist or create an account. Used solely to communicate about the service.
• Wallet address if you connect a wallet. This is public on-chain data; we never receive your private key.
• Trade audit logs: timestamps, market IDs, sizes, builder-fee amounts. Required for fee reconciliation and tamper-evident audit obligations.
• Country code derived from your IP at edge proxy time. We do not store the raw IP; only the country (ISO 3166-1 alpha-2). Used for geo-restriction enforcement.
• Browser session cookies for authentication and theme/language preferences. See Cookies.
• Error telemetry via Sentry (free tier, EU region): stack traces and user-agent, no PII. Used solely to fix bugs.

We do not collect: government ID, payment card data (Predikt has no fiat on-ramp), social-network friends list, contacts, location more precise than country, biometric data.

3. Lawful bases (GDPR Art. 6)

• Contract (Art. 6(1)(b)): processing necessary to provide the service you requested (account, trade routing, audit log).
• Legal obligation (Art. 6(1)(c)): retention for sanctions screening, regulatory cooperation, tax reporting where applicable.
• Legitimate interest (Art. 6(1)(f)): security monitoring, fraud prevention, tamper-evident audit log. Balanced against your rights.
• Consent (Art. 6(1)(a)): marketing emails, optional analytics. You can withdraw consent anytime by emailing privacy@predikt.markets.

4. Retention

• Trade audit logs: 5 years from trade date (MiCA-aligned).
• Account email: until account closure + 1 year (security window).
• Error telemetry: 90 days.
• Waitlist email (pre-launch): until launch + 90 days, then deleted unless converted to an account.

5. Sharing

We share data only with the following processors, each bound by a Data Processing Agreement (Art. 28 GDPR):

• Supabase (EU region) — database, auth, edge functions.
• Vercel — hosting and edge proxy.
• Cloudflare — CDN and IP-geo lookup.
• Privy — embedded wallet provider.
• Sentry — error telemetry (EU region).
• Google Cloud (Vertex AI) — Gemini Pro inference for AI fair-value content.
• Resend — transactional email (waitlist confirmation only).

We do not sell, rent, or share your data with advertising networks, data brokers, or unrelated third parties.

6. International transfers

Some processors (Vercel, Cloudflare, Privy, Google Cloud, Sentry) are US-headquartered. Transfers rely on Standard Contractual Clauses (SCCs) + supplementary technical measures (encryption in transit and at rest). We prefer EU regions where available (Supabase EU, Sentry EU, Vercel EU edge).

7. Your rights (GDPR Art. 13–22)

• Access — request a copy of your data.
• Rectification — correct inaccurate data.
• Erasure — “right to be forgotten”, subject to legal retention obligations (trade logs cannot be deleted within the 5-year window).
• Restriction — pause processing while we investigate a dispute.
• Portability — receive your data in machine-readable format.
• Objection — to legitimate-interest processing, on grounds related to your situation.
• Withdraw consent — for marketing emails and optional analytics, anytime.

Email privacy@predikt.markets with your request. We respond within 30 days (Art. 12(3)).

8. Complaints

You may lodge a complaint with your national data protection authority. For France, the CNIL (cnil.fr). For other EU countries, see edpb.europa.eu.

9. Children

Predikt is not offered to anyone under 18. If we learn that we have collected data from a minor, we delete it immediately.

10. Changes

Material changes are notified by banner 30 days before they take effect. Past versions are archived and linked at the bottom of this page.

Draft note (2026-05-27): This Privacy Policy is a working draft. Estonian DPO appointment, French CNIL representative (where required), and ROPA documentation in progress.