OYA LOYALTY PLATFORM - PRIVACY POLICY
1. INTRODUCTION
This Privacy Policy explains how the Oya Loyalty Platform ("we," "our," or "us") collects, uses, shares, and protects your personal information when you use our loyalty program. We are committed to protecting your privacy and ensuring you have a positive experience on our platform. This Privacy Policy has been designed to comply with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR").
2. DATA CONTROLLER
For the purposes of the GDPR and other applicable data protection laws, Oya Loyalty Platform serves as the data controller for the personal information processed through our Platform. As the data controller, we determine the purposes and means of processing your personal data as described in this Privacy Policy.
3. INFORMATION WE COLLECT
In accordance with Articles 13 and 14 of the GDPR, we inform you that we collect and process the following categories of personal data:
Wallet Information
When you connect your Solana wallet to our Platform, we collect your public wallet address. This information is used for authentication, reward distribution, and tracking on-chain activity where applicable. We do not have access to your private keys or the ability to initiate transactions without your explicit approval.
Personal Information
You may optionally provide additional personal information when creating or updating your profile, including your name, email address, profile picture, username or display name, and other optional demographic information.
Social Media Data
If you choose to connect your social media accounts (such as Twitter), we may collect your social media handles and account names, public profile information, engagement metrics (e.g., likes, retweets, follows) as permitted by the connected social platforms, and content you share or interact with through these platforms.
Behavioural and Activity Data
We collect information about your interactions with the Platform, including your completion status of tasks and missions, points earned and redeemed, participation in campaigns or giveaways, referral activities, leaderboard rankings, and reward redemption history.
Technical Data
We automatically collect certain technical information when you use our Platform. This includes your IP address, device type and identifiers, browser type and version, operating system, access times and dates, pages viewed and features used, referring websites or applications, and network connection information.
This data collection is classified as personal data under Article 4(1) of the GDPR when it can be linked to an identified or identifiable natural person. This processing is conducted in accordance with the terms of service and privacy policies of the respective social media platforms, and we only access data for which you have granted explicit permission.
4. LEGAL BASIS FOR PROCESSING
In compliance with Article 6 of the GDPR, we process your personal information based on the following legal grounds:
Contract Performance (Art. 6(1)(b) GDPR)
Processing necessary to provide the Platform services as outlined in our Terms of Use, including managing your account, tracking reward points, and facilitating redemptions.
Legitimate Interests (Art. 6(1)(f) GDPR)
Processing that serves our legitimate business interests, such as improving and optimizing our Platform, ensuring network and information security, preventing fraud and unauthorized access, marketing our services to existing users, and analysing usage patterns to enhance user experience.
We have conducted balancing tests to ensure that these legitimate interests do not override your fundamental rights and freedoms.
Consent (Art. 6(1)(a) GDPR)
Processing based on your specific, informed, and unambiguous consent, such as connecting social media accounts, receiving marketing communications, participating in optional surveys or research, and processing certain types of cookies and similar technologies.
You have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
Legal Obligation (Art. 6(1)(c) GDPR)
Processing required to comply with applicable laws and regulations, including tax laws, consumer protection laws, and data protection laws.
5. HOW WE USE YOUR INFORMATION
We use the information we collect for the following purposes, in accordance with the principle of purpose limitation (Article 5(1)(b) GDPR):
Platform Operation and Improvement
We use your information to authenticate users via wallet connection, track and verify participation in tasks and campaigns, manage points, rewards, and referral systems, and display leaderboard rankings. This data also helps us improve the Platform's functionality and user experience, troubleshoot technical issues, and monitor Platform performance to ensure a seamless experience.
Personalization
Your information enables us to customize your experience based on your preferences and activity. We can recommend relevant campaigns, tasks, or rewards that align with your interests and personalize content and offers to make your experience more engaging and relevant.
Communication
We use your contact information to send notifications about rewards, point balances, and account activity. We also provide updates about campaigns, missions, or Platform changes, respond to your inquiries and support requests, and send marketing communications subject to your preferences and consent.
Analytics and Research
Your data helps us analyse user behaviour and engagement patterns to better understand how our Platform is used. We evaluate the effectiveness of campaigns and rewards, generate aggregated, non-identifying insights about Platform usage, and develop new features and functionalities based on user needs and preferences.
Legal and Security
We process your information to protect against fraudulent or unauthorized activity, enforce our Terms of Use, comply with legal obligations, and establish, exercise, or defend legal claims when necessary.
6. DATA SHARING AND DISCLOSURE
In compliance with Articles 13(1)(e) and 14(1)(e) of the GDPR, we inform you that we may share your information with the following categories of recipients:
Service Providers (Data Processors)
We work with third-party service providers who help us operate, improve, and secure our Platform. These providers include cloud hosting and storage providers, analytics and data processing services, customer support tools, communication and email service providers, and blockchain infrastructure providers.
These service providers act as data processors under Article 28 of the GDPR and are bound by data processing agreements that require them to process personal data only on our documented instructions, implement appropriate technical and organizational security measures, assist us in fulfilling our obligations to data subjects, delete or return all personal data after the end of the provision of services, and submit to audits and inspections.
Business Partners (Joint Controllers)
We may share limited information with business partners who provide rewards or collaborate on campaigns through our Platform. This sharing is limited to what is necessary for the specific collaboration. Where applicable, we establish joint controller arrangements in accordance with Article 26 of the GDPR, defining our respective responsibilities for compliance.
Legal Requirements
We may disclose your information when required by law, such as in response to a subpoena, court order, or other legal process, or to establish or exercise our legal rights or defend against legal claims, in accordance with Article 6(1)(c) of the GDPR.
Business Transfers
If we are involved in a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or uses of your information and provide choices regarding your information where applicable.
7. INTERNATIONAL DATA TRANSFERS
In accordance with Chapter V of the GDPR (Articles 44-50), we may transfer, store, and process your information in countries other than your own. Our servers may be located outside the European Economic Area (EEA).
When we transfer personal data outside the EEA, we ensure that adequate safeguards are in place through one or more of the following mechanisms:
Adequacy Decisions (Art. 45 GDPR)
We may transfer data to countries that the European Commission has determined provide an adequate level of data protection.
Standard Contractual Clauses (Art. 46(2)(c) GDPR)
We implement the European Commission's approved standard contractual clauses with recipients in countries without adequacy decisions.
Binding Corporate Rules (Art. 47 GDPR)
Where applicable, transfers within a corporate group may be governed by approved binding corporate rules.
Derogations (Art. 49 GDPR)
In limited circumstances, we may rely on specific derogations such as your explicit consent, the necessity for contract performance, or important public interest grounds.
You have the right to obtain a copy of the appropriate safeguards by contacting us using the information in the "Contact Us" section.
8. DATA RETENTION
In accordance with the storage limitation principle (Article 5(1)(e) GDPR), we retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. The criteria used to determine our retention periods include the length of time we have an ongoing relationship with you, whether there is a legal obligation to which we are subject (e.g., certain laws require us to keep records for a specific period), and whether retention is advisable in light of our legal position (such as for statutes of limitations, litigation, or regulatory investigations).
When we no longer need your personal information, we will securely delete or anonymize it in accordance with our data retention policies and applicable laws.
9. DATA SECURITY
In compliance with Article 32 of the GDPR, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures include encryption of personal data during transmission and at rest, the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services, a process for regularly testing, assessing, and evaluating the effectiveness of security measures, and measures to ensure that persons authorized to process personal data have committed themselves to confidentiality.
Despite these measures, no method of transmission over the Internet or electronic storage is 100% secure. Therefore, while we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.
You are responsible for maintaining the security of your wallet credentials, including private keys and recovery phrases. Never share these with anyone, including our staff.
10. YOUR RIGHTS AS A DATA SUBJECT
In accordance with Articles 15-22 of the GDPR, you have the following rights regarding your personal data:
Right of Access (Art. 15 GDPR)
You have the right to obtain confirmation as to whether personal data concerning you is being processed, and, where that is the case, access to the personal data and specific information about how it is being processed.
Right to Rectification (Art. 16 GDPR)
You have the right to obtain the rectification of inaccurate personal data concerning you without undue delay. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed.
Right to Erasure ('Right to be Forgotten') (Art. 17 GDPR)
You have the right to obtain the erasure of personal data concerning you without undue delay where one of the specified grounds applies, including when the data is no longer necessary, when you withdraw consent and there is no other legal ground for processing, or when you object to processing and there are no overriding legitimate grounds.
Right to Restriction of Processing (Art. 18 GDPR)
You have the right to obtain restriction of processing where one of the specified conditions applies, including when you contest the accuracy of the data, when processing is unlawful but you oppose erasure, or when we no longer need the data but you require it for legal claims.
Right to Data Portability (Art. 20 GDPR)
Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit this data to another controller without hindrance.
Right to Object (Art. 21 GDPR)
You have the right to object at any time to processing of your personal data based on legitimate interests, including profiling. You also have the right to object to processing for direct marketing purposes.
Rights Related to Automated Decision Making and Profiling (Art. 22 GDPR)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except in limited circumstances authorized by the GDPR.
Right to Withdraw Consent (Art. 7(3) GDPR)
Where processing is based on your consent, you have the right to withdraw that consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
To exercise these rights, please contact us using the information provided in the "Contact Us" section below. We will respond to your request within one month, with the possibility of extending this period by two additional months where necessary, taking into account the complexity and number of requests.
If you believe that our processing of your personal data infringes data protection laws, you have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR), particularly in the Member State of your habitual residence, place of work, or place of the alleged infringement.
11. BLOCKCHAIN DATA
Please be aware that any information you submit to the Solana blockchain through our Platform (such as transactions or smart contract interactions) will become public record and cannot be removed or modified. This is inherent to the nature of blockchain technology. We are not responsible for personal information you choose to submit to the blockchain.
This type of data processing may fall under the exemption in Article 17(3)(e) of the GDPR, which recognizes that the right to erasure may not apply when processing is necessary for the establishment, exercise, or defence of legal claims.
12. CHILDREN'S PRIVACY
The Oya Loyalty Platform is not directed to individuals under 16 years of age (or the applicable age of digital consent in your jurisdiction as specified in Article 8 of the GDPR), and we do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under the applicable age of consent, we will take steps to delete such information as quickly as possible.
If you believe that a child under the applicable age of consent may have provided us with personal information, please contact us immediately.
13. COOKIES AND SIMILAR TECHNOLOGIES
In accordance with the ePrivacy Directive (Directive 2002/58/EC as amended by Directive 2009/136/EC) and relevant national laws, we use cookies and similar tracking technologies to collect information about your interactions with our Platform.
Cookies are small text files that are stored on your device when you visit a website. We use several types of cookies on our Platform. Essential cookies are necessary for the Platform to function properly and are exempt from consent requirements as they are strictly necessary for providing the service explicitly requested by you. Analytical/performance cookies help us understand how visitors interact with the Platform by collecting and reporting information anonymously. Functionality cookies allow the Platform to remember choices you make and provide enhanced features. Targeting/advertising cookies record your visit to the Platform, the pages you visit, and the links you follow to deliver personalized content.
Where required by law, we obtain your consent before placing non-essential cookies on your device. You can control cookies through your browser settings and other tools. However, if you block certain cookies, you may not be able to use all features of the Platform.
Our cookie banner provides you with clear information about the cookies we use and gives you the option to accept all cookies, reject non-essential cookies, or access detailed cookie settings to make granular choices.
14. DATA PROTECTION IMPACT ASSESSMENT
In accordance with Article 35 of the GDPR, we conduct Data Protection Impact Assessments (DPIAs) for processing operations that are likely to result in a high risk to the rights and freedoms of natural persons, particularly when using new technologies or considering the nature, scope, context, and purposes of the processing.
Our DPIAs assess the necessity and proportionality of processing operations and include measures to mitigate risks to data subjects.
15. FINANCIAL INCENTIVE DISCLOSURE
The Oya Loyalty Platform constitutes a financial incentive program. By participating in our loyalty program, you are sharing personal information in exchange for rewards, discounts, and other benefits.
The value of your data to our business is related to our ability to understand customer preferences, improve our products and services, provide targeted marketing, and increase customer retention. The material terms of our financial incentive program are described in our Terms of Use, particularly in the sections regarding Loyalty Points and Rewards Redemption.
You may opt out of the program at any time by disconnecting your wallet and requesting account deletion through our support channels. This will result in the forfeiture of any accumulated points and benefits.
16. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of material changes by posting the updated Privacy Policy on our Platform and updating the "Last Updated" date.
For significant changes, we will provide additional notice, such as displaying a prominent notice on our Platform or sending you an email notification, in accordance with the transparency principle (Article 5(1)(a) GDPR).
Your continued use of the Platform after the effective date of the revised Privacy Policy constitutes your acceptance of the changes. We encourage you to review the Privacy Policy whenever you access the Platform to stay informed about our information practices.
17. RECORDS OF PROCESSING ACTIVITIES
In accordance with Article 30 of the GDPR, we maintain records of our processing activities that contain all the information required by the regulation. These records include the name and contact details of the controller, any joint controllers, representatives, and the Data Protection Officer; the purposes of the processing; a description of the categories of data subjects and personal data; the categories of recipients to whom the personal data has been or will be disclosed; transfers of personal data to third countries or international organizations; the envisaged time limits for erasure of the different categories of data; and a general description of the technical and organizational security measures.
These records are available to supervisory authorities upon request.
18. DATA BREACH NOTIFICATION
In accordance with Articles 33 and 34 of the GDPR, we have implemented procedures to address personal data breaches. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach.
If the breach is likely to result in a high risk to your rights and freedoms, we will also communicate the breach to you without undue delay, in clear and plain language. We maintain documentation of all personal data breaches, including the facts relating to the breach, its effects, and the remedial actions taken.
19. CALIFORNIA PRIVACY RIGHTS
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information. This section describes your California privacy rights and explains how to exercise those rights.
Right to Know
You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. This includes the categories of personal information we collected about you, the categories of sources for the personal information, our business or commercial purpose for collecting that information, the categories of third parties with whom we share that information, and the specific pieces of personal information we collected about you.
Right to Delete
You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions.
Right to Opt-Out of Sale or Sharing
While we do not sell personal information in the traditional sense, certain data sharing practices may be considered "sales" or "sharing" under the CCPA/CPRA's broad definition. You have the right to opt out of such practices.
Right to Correction
You have the right to request that we correct inaccurate personal information that we maintain about you.
Right to Limit Use and Disclosure of Sensitive Personal Information
You have the right to limit the use and disclosure of sensitive personal information to those uses necessary to perform the services.
Right to Non-Discrimination
We will not discriminate against you for exercising any of your California privacy rights. However, we may offer you certain financial incentives permitted by the CCPA/CPRA that can result in different prices, rates, or quality levels for our services.
To exercise your California privacy rights, please submit a verifiable consumer request to us using the contact information provided below.
20. CONTACT US
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Email: legal@oyaplay.io
We will respond to your inquiry within the timeframe required by applicable data protection laws (one month for GDPR requests, with the possibility of extension where necessary).
If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work, or place of the alleged infringement.
21. ADDITIONAL PRIVACY CONSIDERATIONS
We take into account several additional privacy considerations in our operations:
Privacy by Design and Default
We implement the principles of privacy by design and privacy by default as required by Article 25 of the GDPR. This means that we integrate data protection into our processing activities from the earliest stages of design and ensure that, by default, only personal data necessary for each specific purpose is processed.
Processor Obligations
When acting as a data processor for our business customers, we comply with the obligations set out in Article 28 of the GDPR. We process personal data only on documented instructions from the controller, ensure that persons authorized to process the data have committed themselves to confidentiality, and implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Special Categories of Personal Data
We generally do not collect or process special categories of personal data as defined in Article 9 of the GDPR (such as data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person's sex life or sexual orientation). If we were to process such data, we would do so only with your explicit consent or where another legal basis under Article 9(2) of the GDPR applies.
Third-Party Links and Services
Our Platform may contain links to third-party websites, applications, or services that are not operated by us. These third parties have their own privacy policies, and we have no responsibility or liability for their content, activities, or privacy practices. We encourage you to review the privacy policies of any third-party services you access through our Platform.
Blockchain Technology Considerations
As a platform that integrates with blockchain technology, we want to emphasize certain privacy implications:
The Solana blockchain is a public, immutable ledger. Any transaction data written to the blockchain, including wallet addresses and transaction amounts, becomes publicly visible and cannot be deleted or modified. This is an inherent characteristic of blockchain technology.
Smart contracts deployed on the blockchain are also public and their code can be viewed by anyone. While we implement security best practices in our smart contracts, users should be aware of the public nature of this technology.
Your wallet address, while pseudonymous, may potentially be linked to your identity if you have previously connected it to services that collect identifying information. We recommend users understand these implications when interacting with blockchain technology.