Privacy Policy

2. Data Controller

We collect information in several categories depending on your level of engagement with the Platform. Not all categories apply to all users, and certain data is collected only at specific stages of participation.

3.1 Core Account Data (Collected at Signup)

When you create an account, register for a Challenge, or link a wallet or other supported-venue identifier, we may collect:

• Email address
• Full name, display name, username, and, where applicable, your Registered Wallet address or other supported-venue identifier
• Account credentials (passwords are stored in hashed form; we also maintain authentication and security logs)
• IP address, device type, browser information, operating system, and application or extension version information
• Usage data, including login timestamps, platform activity, session duration, dashboard or browser-extension interaction logs, and related diagnostic or security logs

3.2 Trading and Performance Data

We collect data related to your simulated trading activity and, for Hyperscaled or other supported-venue products, qualifying trading activity that is mirrored, copied, translated, or otherwise evaluated for Challenge or Program purposes, including:

• Simulated trading activity, mirrored or translated activity, order history, position data, and related wallet-linked or supported-venue activity records
• Profit and loss (PnL), returns, drawdowns, validated simulated performance, and other risk metrics
• Strategy behavior, execution logs, trading patterns, timestamps, instrument selection, and integrity or anti-abuse signals
• Evaluation results, scoring, eligibility status, Pass/Fail determinations, scaling status, and related review notes

3.3 Payment and Billing Data

When you pay a Challenge Entry Fee or make other transactions through Vanta Trading or Hyperscaled, we may collect:

• Billing name and billing address, where applicable to the payment method used
• Transaction history, invoice records, wallet addresses used for payment or payout, blockchain transaction hashes, chain/network, token type, amount, timestamps, and payment or payout status, as applicable

For Vanta Trading, credit and debit card details are processed directly by our third-party payment processor (currently Stripe or a comparable provider) and are not stored on our servers. We receive only limited payment details such as tokenized references, last four digits, and transaction confirmations.

For Hyperscaled and other on-chain payment flows, we do not receive or store private keys or seed phrases, but we may receive and record blockchain payment details associated with your transaction, and those transactions may also be publicly visible on the relevant blockchain or network.

3.4 Post-Challenge, Payout, and KYC Data (Conditional)

If you pass a Challenge and become eligible for an invitation to a Scaled Trader Program or otherwise become payout-eligible, we may collect additional information as part of Know Your Customer (“KYC”) and Anti-Money Laundering (“AML”) compliance procedures. This data is collected only from payout-eligible individuals or where otherwise required for compliance, fraud prevention, or onboarding. Such data may include:

• Government-issued identification (e.g., passport, driver’s license)
• Date of birth
• Residential address
• Nationality, tax residency, and related tax or beneficial-ownership information, as applicable
• Bank account details or cryptocurrency payout wallet address, depending on the payout rail used
• Results of compliance screening (including identity verification, liveness, sanctions, AML, fraud-prevention, and related compliance checks, as applicable)

Government-issued identification, date of birth, and bank account details are sensitive personal information under certain privacy laws. We use this information only for the purposes described in Section 4 and do not use or disclose it for purposes beyond what is reasonably necessary for compliance, fraud prevention, onboarding, and payout administration.

We may use third-party services, such as Stripe Connect or Sumsub, to conduct identity verification and compliance checks. Depending on the flow, we may collect this information directly or the applicable provider may collect it on our behalf subject to its own terms and privacy notice.

3.5 Communications Data

If you contact us for support or otherwise communicate with us, we may collect:

• Support tickets and email correspondence
• Communications through integrated platforms such as Discord or Slack, to the extent initiated by you

3.6 Automatically Collected Technical Data

We automatically collect certain technical information when you visit or use the Platform, including our websites, dashboards, and browser extensions, where applicable:

• IP address and approximate geolocation
• Browser type and version, device type, operating system, and application or extension version information
• Referring URLs, pages viewed, clickstream data, and interaction data across our websites, dashboards, or extensions
• Cookies, pixel tags, and similar tracking technologies (see Section 8 below)

We use the information we collect for the following purposes:

5. EU/UK Legal Bases and Required Disclosures

If you are located in the European Economic Area (“EEA”), the United Kingdom, or Switzerland, we process your personal data only where we have a valid legal basis under the GDPR or UK GDPR.

Legitimate Interests Statement. Where we rely on legitimate interests as a legal basis, our interests include ensuring the security and integrity of the Platform and the Challenge; preventing fraud, abuse, manipulation, multi-accounting, and strategy cloning or correlation; analyzing and improving our services; and exercising or defending legal claims. We balance these interests against your rights and freedoms and do not process personal data where our interests are overridden by the impact on you.

We do not sell your personal information. We may share your information in the following circumstances:

7. International Data Transfers

We use cookies, pixel tags, web beacons, and similar tracking technologies to collect information about your interactions with the Platform.

8.1 Types of Cookies

We use the following categories of cookies and similar technologies:

• Strictly Necessary Cookies. These cookies are essential for the Platform to function (e.g., session authentication, security tokens). They cannot be disabled without affecting Platform functionality and do not require your consent.
• Analytics and Performance Cookies. These cookies help us understand how visitors interact with the Platform, diagnose technical issues, and improve our services.
• Marketing and Advertising Cookies. If used, these cookies track your activity across sites to deliver relevant advertising.

8.2 Consent for Non-Essential Cookies (EU/UK Users)

Where required by Applicable Law (including the ePrivacy Directive and UK PECR), we deploy non-essential cookies (analytics and marketing) only with your prior consent, obtained through our cookie consent banner or preferences center. You may update your preferences at any time by visiting Cookie Preferences. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

8.3 Do Not Track

We do not currently respond to “Do Not Track” browser signals. Where available, you may manage your tracking preferences through our cookie preferences center.

We retain your personal information for as long as reasonably necessary to fulfill the purposes for which it was collected, including to satisfy legal, regulatory, accounting, or reporting requirements. Retention periods vary by data category and the legal basis for processing:

• Account, trading, and wallet-linked data is retained for the duration of your account and for a reasonable period thereafter (generally no longer than three years for audit, compliance, and dispute resolution purposes, unless a longer period is required by Applicable Law).
• Payment and transaction records are retained as required by Applicable Law, payment-network rules, blockchain or payment recordkeeping requirements, and tax obligations (typically five to seven years).
• KYC/AML data is retained for the period required by Applicable Law, which may be five years or more following the end of the business relationship.
• Communications data (support tickets, correspondence) is retained for as long as necessary to resolve the matter and for a reasonable period thereafter for quality assurance and dispute resolution.
• Usage and technical data is generally retained in aggregated or anonymized form and may be retained indefinitely for analytics purposes. Aggregated or anonymized data that can no longer be linked to an identifiable individual is not considered personal data.

When personal information is no longer required, we will securely delete or anonymize it in accordance with our data retention procedures. Public blockchain or decentralized-network data may remain available outside Vanta’s control.

Depending on your jurisdiction, you may have certain rights regarding your personal information. This section describes rights that may be available to you. Not all rights are available in all jurisdictions.

10.1 General Rights

Subject to Applicable Law, you may have the right to:

• Access your personal information and obtain a copy of the data we hold about you
• Correct inaccurate or incomplete personal information
• Delete your personal information, subject to certain exceptions (e.g., legal retention obligations, ongoing disputes)
• Portability — receive your personal information in a structured, commonly used, machine-readable format
• Opt out of non-transactional marketing communications at any time

10.2 Additional Rights for EU/UK Data Subjects

If you are located in the EEA, United Kingdom, or Switzerland, you additionally have the right to:

• Restrict processing of your personal data in certain circumstances (e.g., while we verify the accuracy of your data following a challenge to its accuracy)
• Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.
• Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing carried out before withdrawal
• Lodge a complaint with your local data protection supervisory authority (e.g., the ICO in the United Kingdom, the CNIL in France, or your relevant national authority in the EEA)

To exercise any of these rights, please contact us using the information in Section 15. We will respond to your request within the time frames required by Applicable Law (generally within thirty days for GDPR/UK GDPR requests). We may need to verify your identity before processing your request.

11. Automated Decision-Making and Profiling

This section applies to California residents and supplements the rest of this Policy with information required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”).

12.1 Categories of Personal Information Collected

In the preceding twelve months, we have collected the following categories of personal information (as defined by the CCPA/CPRA):

• Identifiers: name, email address, username, IP address, account credentials, Registered Wallet address, and other account or supported-venue identifiers
• Financial information: billing address, transaction history, invoices, on-chain payment details, and payout information. (Payment card data is processed by Stripe or another payment processor and not stored by us.)
• Internet or network activity: browsing history on the Platform, login data, usage data, cookies, clickstream data, and platform or extension interaction data
• Geolocation data: approximate location derived from IP address
• Professional or employment-related information: simulated trading performance data, strategy behavior, evaluation results, and program eligibility or payout status
• Sensitive personal information (conditional): government-issued ID, date of birth, and, where applicable, bank account details, crypto wallet address, or comparable verification information, collected only from payout-eligible individuals or others requiring enhanced verification

12.2 Categories Disclosed for a Business Purpose

We may disclose the following categories to service providers and third parties for business purposes:

• Identifiers (to payment processors, cloud providers, analytics providers, KYC vendors, support providers, and similar service providers)
• Financial information (to payment processors, payout providers, and accounting or tax providers where applicable)
• Internet or network activity (to analytics, security, and infrastructure providers)
• Sensitive personal information (to KYC/AML verification providers and payment or payout onboarding providers, only for payout-eligible individuals)

12.3 Sale and Sharing

We do not sell personal information as defined by the CCPA/CPRA.

12.4 Sensitive Personal Information

We may collect sensitive personal information (government ID, date of birth, bank/crypto details) only from payout-eligible individuals or others who require enhanced verification, and only for the following purposes:

• Identity verification, KYC/AML compliance, sanctions screening, and fraud prevention as required by Applicable Law or reasonably necessary for program integrity
• Payout, tax, and onboarding administration under a separate Independent Contractor Agreement or related program documentation

We do not use or disclose sensitive personal information for purposes beyond what is reasonably necessary to provide the services or as otherwise permitted by the CCPA/CPRA.

12.5 Your California Rights

As a California resident, you have the right to:

• Know what categories and specific pieces of personal information we have collected about you
• Delete your personal information, subject to certain exceptions
• Correct inaccurate personal information
• Opt out of the sale or sharing of your personal information (if applicable)
• Limit the use of sensitive personal information to purposes authorized by the CCPA/CPRA
• Non-discrimination — we will not discriminate against you for exercising your privacy rights

12.6 How to Submit a Request

To submit a verifiable consumer request, contact us using the information in Section 15. You may also designate an authorized agent to submit a request on your behalf. If you use an authorized agent, we may require written proof of authorization and may verify your identity directly. We will respond to verified requests within forty-five days, with an extension of up to an additional forty-five days where reasonably necessary, as permitted by law.

Appeal. If we deny your request in whole or in part, you may appeal by contacting us at the details in Section 15 with the subject line “Privacy Appeal.” We will respond to your appeal within the time frame required by Applicable Law.

14. Children’s Privacy

The Platform is not directed to individuals under the age of 18, and we do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information as promptly as practicable. If you believe we have inadvertently collected information from a child under 18, please contact us immediately using the information in Section 15.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, or if you wish to exercise any of your rights described in this Policy, please contact us:

16. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the “Effective Date” at the top of this Policy and, where required by Applicable Law, provide additional notice (such as email notification or a prominent notice on the Platform). We encourage you to review this Policy periodically. Your continued use of the Platform after a revised Policy takes effect indicates your awareness of the updated practices.

17. Important Clarifications

For the avoidance of doubt, the following clarifications apply to this Policy and the data practices described herein: