PRIVACY POLICY

1. Introduction and Data Controller

CryptoGames Inc. ("we," "us," or "our") operates the CryptoGames Global Mystery Box Service (the "Service"). This Privacy Policy explains how we collect, use, share, and protect your personal data. We are the data controller of your personal data.

Company: CryptoGames Inc.
Address: Kuwano Building 2F, 6-23-4 Jingumae, Shibuya-ku, Tokyo 150-0001, Japan
Privacy Contact: https://forms.gle/BEfBg4tU6tRG1KJ5A
DPO (if appointed): https://forms.gle/BEfBg4tU6tRG1KJ5A

1.2 Brand Relationship

The Service operates under the BONK and Bonkuji brands, which are licensed to CryptoGames Inc. from a separate brand owner. CryptoGames Inc. is the sole data controller of your personal data. The brand owner has no access to, control over, or responsibility for the processing of your personal data.

All privacy inquiries, data subject requests, and complaints should be directed to CryptoGames Inc. at the contact details provided in Section 15.

2. Data We Collect

2.1 Data You Provide

  • Wallet address: We use Privy, a third-party authentication service, for login. As a result, we collect only your wallet address as account credentials. We do not collect name, email address, date of birth, username, or password directly.
  • Delivery data (if applicable): If you request physical product delivery, we collect your name, email address, and shipping address as entered within the Service.
  • Payment data: payment method details processed via Stripe, our PCI-DSS compliant payment processor. We do not store full card numbers.
  • Communications: messages you send to our support team.

2.2 Data Collected Automatically

  • Technical data: IP address, browser type, operating system, device identifiers.
  • Usage data: pages visited, features used, transaction history, click-stream data.
  • Cookies and similar tracking technologies: see Section 8 (Cookie Policy).

2.3 Data from Third Parties

  • Blockchain analytics data (wallet risk scores) from our sanctions screening provider.
  • Fraud signals from Stripe and other payment processors.

3. Legal Basis for Processing (GDPR)

Processing Activity | Legal Basis (GDPR Art. 6)
Account creation and login | Contract performance (Art. 6(1)(b))
Processing purchases | Contract performance (Art. 6(1)(b))
Shipping physical items | Contract performance (Art. 6(1)(b))
Payment processing (via Stripe) | Contract performance (Art. 6(1)(b))
Customer support | Contract performance (Art. 6(1)(b))
Sanctions / OFAC screening | Legal obligation (Art. 6(1)(c))
Tax record retention (7 years) | Legal obligation (Art. 6(1)(c))
Fraud prevention | Legitimate interests (Art. 6(1)(f))
Platform security and abuse prevention | Legitimate interests (Art. 6(1)(f))
Analytics and service improvement | Legitimate interests (Art. 6(1)(f))
Marketing communications | Consent (Art. 6(1)(a))

4. How We Use Your Data

  • To create and manage your account (via Privy authentication) and provide the Service.
  • To process purchases via Stripe.
  • To screen your Wallet Addresses against OFAC Sanctions Lists and other applicable sanctions lists.
  • To detect and prevent fraud, money laundering, and unauthorized access.
  • To respond to your support inquiries.
  • To send transactional notifications (purchase confirmations, account alerts).
  • To send marketing communications, with your opt-in consent.
  • To analyze Service usage and improve our features.
  • To comply with legal and regulatory requirements.

5. Data Sharing and Third Parties

We do not sell your personal data. We may share your data with:

Recipient | Purpose
Privy (authentication service) | Wallet-based login and session management
Stripe (payment processor) | Processing payments; PCI-DSS compliant
Blockchain analytics provider (e.g., Chainalysis) | OFAC / sanctions screening of wallet addresses
Cloud infrastructure provider (e.g., AWS) | Hosting and data storage
Customer support platform | Handling support tickets
Legal authorities / regulators | When required by law, court order, or OFAC reporting obligation

6. International Data Transfers

Because we are a Japanese company operating globally, your personal data may be transferred to Japan and other countries outside the EEA. We ensure appropriate safeguards are in place:

  • Japan: The European Commission has issued an adequacy decision for Japan under GDPR (Article 45). Transfers to Japan are permitted without additional safeguards.
  • United States and other third countries: Transfers are made pursuant to the EU Standard Contractual Clauses (SCCs), Module 2 (Controller to Processor), 2021 version, as required by Article 46(2)(c) GDPR.

You may request a copy of the applicable transfer safeguards by contacting us via our contact form: https://forms.gle/BEfBg4tU6tRG1KJ5A.

7. Data Retention

Data Category | Retention Period
Account data (wallet address) | Duration of account + 3 years after closure
Delivery data (name, address) | Duration of account + 3 years after closure
Transaction records | 7 years (tax / accounting legal obligation)
Sanctions screening logs | 5 years (OFAC record-keeping requirement)
IP address / access logs | 12 months
Cookie consent records | 3 years from consent
Marketing preferences | Until consent is withdrawn

After retention periods expire, we securely delete or anonymize your data. Legal obligations may require us to retain certain data for longer periods.

8. Cookie Policy

8.1 What Are Cookies

Cookies are small text files placed on your device. We use cookies and similar technologies (pixels, local storage) to operate the Service, analyze usage, and (with your consent) serve targeted advertising.

8.2 Cookie Categories

Category | Description
Essential | Required for Service functionality (login session, cart). Cannot be disabled.
Analytics | Help us understand how users interact with the Service (e.g., Google Analytics). Opt-in.
Marketing | Used to show relevant advertisements. Opt-in.

8.3 Managing Cookie Preferences

For EEA users, we present a cookie consent banner on your first visit. You can adjust your preferences at any time via the Cookie Settings link in the footer. Withdrawing consent for non-essential cookies does not affect prior processing.

9. Your Rights Under GDPR

GDPR Note: The rights below apply to EEA, UK, and Swiss residents.

We will respond to your request within 1 month (extendable by 2 months for complex requests).

Right | Description
Access (Art. 15) | Request a copy of all personal data we hold about you.
Rectification (Art. 16) | Request correction of inaccurate or incomplete data.
Erasure (Art. 17) | Request deletion of your data ('right to be forgotten'), subject to legal obligations.
Restriction (Art. 18) | Request that we limit how we process your data in certain circumstances.
Data Portability (Art. 20) | Receive your data in a structured, machine-readable format.
Object (Art. 21) | Object to processing based on legitimate interests, including direct marketing.
Withdraw Consent (Art. 7(3)) | Withdraw any consent you have given at any time, without affecting prior processing.
Complaint (Art. 77) | Lodge a complaint with your national data protection supervisory authority.

To exercise your rights, submit a request via our contact form: https://forms.gle/BEfBg4tU6tRG1KJ5A. We may ask you to verify your identity before processing your request.

10. Automated Decision-Making

GDPR Note: This section describes automated processing that may significantly affect you (GDPR Art. 22).

We use automated systems to screen users and transactions for compliance with international sanctions regulations (OFAC and other applicable lists). This screening checks wallet addresses and user information against sanctions lists maintained by government authorities.

These automated checks may result in:

  • Temporary restriction of your account pending further review;
  • Permanent denial of access to the Service if your wallet address or identity matches a sanctioned entity;
  • Reporting to regulatory authorities as required by applicable law.

If you believe an automated decision was made in error, you have the right to request human review of the decision. Please contact us via our contact form: https://forms.gle/BEfBg4tU6tRG1KJ5A. We will review your case and respond within 30 days.

We implement these measures to comply with our legal obligations under U.S. and international sanctions laws. This processing is based on legal obligation (GDPR Art. 6(1)(c)) and, where applicable, legitimate interests (Art. 6(1)(f)).

11. OFAC Compliance and Sanctions Screening

As part of our regulatory compliance obligations, we process your Wallet Addresses to screen against:

  • The OFAC Specially Designated Nationals and Blocked Persons (SDN) List;
  • The OFAC Non-SDN Consolidated Sanctions List;
  • EU, UN, and other applicable international sanctions lists; and
  • Blockchain analytics tools that identify Wallet Addresses associated with sanctioned entities.

Screening results, including match determinations, are retained for at least 5 years as required by OFAC record-keeping obligations. If your account is flagged, you may be contacted for additional verification. In confirmed cases of sanctions violations, we may be required to report to OFAC and/or freeze associated assets.

12. Children's Privacy

The Service is not directed to persons under the age of 18. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected data from a person under 18, we will promptly delete it. For EEA users aged 13–15, processing of personal data requires verified parental consent in accordance with GDPR Article 8.

13. Security

We implement industry-standard technical and organizational security measures to protect your personal data, including encryption of data in transit and at rest, access controls, and regular security assessments. However, no security measure is 100% infallible. In the event of a data breach that poses a high risk to your rights and freedoms, we will notify you as required under GDPR Article 34.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or via a prominent notice on the Service. The effective date at the top of this Policy reflects the most recent version. Continued use of the Service after changes are effective constitutes your acceptance of the updated Policy.

15. Contact Information

For any inquiries, requests, or complaints relating to this Privacy Policy or the processing of your personal data, please contact us using the details below:

Company: CryptoGames Inc.
Address: Kuwano Building 2F, 6-23-4 Jingumae, Shibuya-ku, Tokyo 150-0001, Japan
Contact Form: https://forms.gle/BEfBg4tU6tRG1KJ5A
Privacy Inquiries: https://forms.gle/BEfBg4tU6tRG1KJ5A
GDPR / DPO Contact: https://forms.gle/BEfBg4tU6tRG1KJ5A
Compliance Inquiries: https://forms.gle/BEfBg4tU6tRG1KJ5A
Support: https://forms.gle/BEfBg4tU6tRG1KJ5A