Privacy Policy

FanFolio ("we," "us," or "our") operates the fanfolio.market website and the FanFolio mobile application (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our mobile application. Please read this Privacy Policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by the terms of this Privacy Policy.

This Privacy Policy is effective as of 03/06/2026 and applies to all information collected through the Service, as well as any related services, communications, or events.

2a. Information You Provide

We collect information that you voluntarily provide when you register for and use the Service, including:

• Account Information: When you create an account, we collect your email address, first and last name, username, and password. Your password is cryptographically hashed before storage and is never stored in plain text.
• Identity Verification (KYC): To comply with applicable regulations, we may require identity verification. This process is handled by our third-party provider, ComplyCube, and may involve the collection and processing of a government-issued identification document and a facial image for biometric comparison.
• Phone Verification: If you opt into phone verification, we collect your phone number. During the verification process, your number is stored as a pending phone number and, upon successful verification, is saved as your confirmed phone number.
• Financial Information: If you initiate a Redemption of FanCash, we collect external wallet addresses necessary to process the transaction. We do not store full payment card details.
• Communications: When you contact us for support or submit feedback, we collect the content of your messages along with any associated contact information.

2b. Information Collected Automatically

When you access or use the Service, we automatically collect certain information about your device and usage patterns, including:

• Session Data: Device type, application version, session start and end times.
• Device and Network Information: User agent string, IP address, and geolocation data (country, region, and city derived from your IP address).
• Page Visit Data: The pages you visit within the Service, including entry and exit times for each page.
• API Request Logging: We log API requests including the endpoint accessed, HTTP method, response status code, and request duration for performance monitoring and security purposes.
• Onboarding Data: Out-of-box experience (OOBE) session identifiers and action event data to help us understand and improve the new user experience.
• Client-Side Storage: We use browser localStorage and sessionStorage to store session identifiers, authentication tokens, and tracking data caches necessary for the operation of the Service.

2c. Information from Third Parties

We may receive information about you from third-party services we integrate with, including:

• Circle: Transaction identifiers, transfer status updates, and blockchain transaction hashes related to FanCoin Purchases and FanCash Redemptions.
• ComplyCube: Identity verification status and check results associated with the KYC process.

We use the information we collect for the following purposes:

• Operating the Service: To provide, maintain, and improve the Service, including processing FanCoin Purchases, FanCash Redemptions, and virtual trades.
• Identity and Phone Verification: To verify your identity through our KYC process via ComplyCube and to verify your phone number through one-time passwords (OTPs) sent via AWS SNS.
• Fraud Prevention: To detect and prevent fraudulent activity, enforce our one-account-per-person policy, and protect the integrity of the platform.
• Analytics and Personalization: To analyze usage trends, personalize your experience, and improve the overall quality of the Service.
• Communications: To send you service-related notifications, respond to your inquiries, and provide customer support.
• Legal Compliance: To comply with applicable laws, regulations, and legal processes, including anti-money laundering and know-your-customer requirements.

We do not sell your personal information to third parties. We may share your information in the following circumstances:

• Service Providers: We share information with third-party service providers who perform services on our behalf, including Circle (payment processing), ComplyCube (identity verification), and AWS SNS (phone verification via SMS). These providers are contractually obligated to use your information only for the purposes of providing their services to us.
• Social Features: Certain information, such as your username and prestige level, may be displayed on public leaderboards and other social features within the Service. No personally identifiable information (such as your real name, email, or phone number) is shared through these features.
• Legal Requirements: We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court order or government agency request).
• Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.

We retain your personal information for as long as your account is active or as needed to provide you with the Service. Specific retention practices include:

• Active Accounts: Your account data is retained for the duration of your account's activity on the platform.
• Closed Accounts: When you close your account, we set an internal closure flag. Account data is retained in accordance with applicable regulatory requirements. We do not automatically scrub personally identifiable information upon account closure.
• Financial Records: Transaction records, including FanCoin Purchase and FanCash Redemption history, are retained as required by applicable financial regulations.
• Phone Verification Data: OTP hashes are cleared after successful verification. Attempt counters and rate-limiting data are reset periodically.

We implement appropriate technical and organizational measures to protect your personal information, including:

• Encryption in Transit: All data transmitted between your device and our servers is encrypted using HTTPS (for web requests) and WSS (for WebSocket connections).
• Password Security: Passwords are hashed using bcrypt before storage and are never stored or transmitted in plain text.
• Phone OTP Security: One-time passwords for phone verification are hashed using bcrypt, have a defined expiry window, and are subject to attempt lockout to prevent brute-force attacks.
• Third-Party Security: Identity verification data (KYC) is collected and processed by ComplyCube, a PCI-compliant third-party provider. We do not store raw identity documents on our servers.

While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure.

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access: You have the right to request a copy of the personal information we hold about you.
• Correction: You have the right to request that we correct any inaccurate or incomplete personal information.
• Deletion: You have the right to request the deletion of your personal information, subject to certain legal exceptions.
• Account Closure: You may close your account at any time through the Service's settings.
• Opt-Out of Promotional Communications: You may opt out of receiving promotional emails by following the unsubscribe instructions in those communications. Service-related communications (such as account notifications) are not subject to opt-out.

California Residents: Under the California Consumer Privacy Act (CCPA), California residents have additional rights, including the right to know what personal information is collected, the right to request deletion of personal information, and the right to opt out of the sale of personal information. As stated above, we do not sell your personal information. To exercise any of these rights, please contact us using the information provided in the Contact Us section below.

The Service uses browser localStorage and sessionStorage rather than traditional cookies to maintain session state and improve your experience. The following data is stored locally on your device:

• Session Tokens: Session identifiers (sessionId, previousSessionId) are stored in localStorage to maintain your browsing session across page loads.
• Authentication Tokens: Access tokens and refresh tokens are stored in session and local storage to keep you signed in and to securely authenticate API requests.
• Tracking Data Cache: Unsent analytics data (unsentTrackingData) is cached in localStorage and transmitted to our servers when connectivity is available.
• Activity Flags: Values such as lastActiveTime and hasAuthSession are stored to manage session lifecycle and user activity detection.

We do not use third-party advertising cookies. No data stored locally is shared with advertising networks or data brokers.

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18 without verification of parental consent, we will take steps to remove that information from our servers. If you believe we have collected information from a minor, please contact us immediately using the information in the Contact Us section below.

The Service is operated and hosted in the United States. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those of your jurisdiction. By using the Service, you consent to the transfer of your information to the United States and the processing of your information in accordance with this Privacy Policy.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email or by posting a prominent notice on the Service prior to the changes taking effect. The "Effective Date" at the top of this Privacy Policy indicates when it was last revised.

Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the updated terms. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us through our Support page or by email at support@fanfolio.market.