LEGAL · UNDER REVIEW

Privacy Policy

Last updated: 27 April 2026

Under counsel review. Skills Battle’s privacy policy is operational — every data flow described below matches the live system. Independent counsel review is in progress; substantive updates will be flagged in the change-log and surfaced at sign-in.

The short version

  • We never see, store, or touch card numbers — there is no card rail today, and when card top-ups launch they will be handled end-to-end by the processor.
  • We never hold a private key — our crypto processor (Cryptomus) generates the Tron deposit addresses and watches the chain. We see the on-chain txid and the confirmed amount only.
  • We don’t sell your data. There is no ad-tech on this site.
  • We use your IP only to detect country (for geo-block); it is not retained.
  • You can request your data or its deletion any time at [email protected].

What we collect

  • Email address — your account identifier and how you sign in.
  • Display name & avatar color — deterministically derived from your account by default. You may set a custom display name.
  • Game history — maze seeds, move events, match outcomes, timestamps. Used for fair-play audits and your match history page.
  • Payment references — Cryptomus invoice IDs, Tron deposit addresses, and on-chain txids for USDT deposits and withdrawals. We use these to reconcile your in-platform balance. We never see or store card numbers, your seed phrase, or your private keys.
  • IP country — checked per request to enforce geo-restriction. Country code only; raw IP is never written to disk.
  • Notification handles (email, Telegram chat ID, web-push subscription, Discord webhook) — only when you opt in to alerts.
  • Identity documents — only if you submit verification (above the withdrawal threshold). Forwarded to our identity provider for review and discarded after the result.

What we do NOT collect

  • Your card numbers, CVV, or banking login. We run no card rail today; when card top-ups launch those will go straight to the processor, never to us.
  • Your seed phrase, private keys, or wallet credentials. We never custody crypto keys — our payment processor handles on-chain custody at the deposit step.
  • Your wallet’s on-chain history beyond the specific deposit transactions you send us.
  • Government ID, except when you actively submit it for KYC.
  • Browser fingerprinting, ad-network identifiers, or cross-site cookies.
  • Contacts, location beyond country, or device address book.

How long we keep data

Account and game history persist while your account is active. You may request a full export or deletion at any time. Some financial records — including payment references — are retained for the period required by accounting and AML regulation in our operating jurisdiction, even after you close your account.

Service providers

We use the following processors. Each is contractually bound to use your data only as instructed by us:

  • Cryptomus — USDT payment processing on the Tron network (TRC-20). Generates per-deposit addresses, watches the chain, and signs IPN callbacks to us once a transfer confirms.
  • Sentry — error monitoring; auth cookies are stripped before send.
  • PostHog — product analytics; account identifiers are hashed client-side.
  • Neon / Supabase — managed Postgres for account, balance, game, and invoice data.
  • Upstash — managed Redis for sessions and queues.
  • Persona / Sumsub / Veriff — identity verification (only when you submit a doc).

Geo / international access

RivalSkills operates as a global, international platform. We do not maintain a default geo-block. You are responsible for confirming that skill-based wagering is lawful where you are accessing the service from; if it is not, please don’t play. We may add per-jurisdiction blocks in the future if required by counsel or by a specific regulator, in which case affected users will be notified at sign-in.

Cookies & local storage

We use a single first-party session cookie to keep you signed in. Local storage holds your UI preferences (audio mute, age-gate ack, deposit limits, self-exclusion timer). We do not use third-party cookies, advertising pixels, or tracking beacons.

Your rights

Subject to your local data-protection law (GDPR, UK GDPR, CPRA, POPIA) you may request access to your data, correction, deletion, portability, restriction, or objection to processing. Email [email protected]. We respond within 30 days.

Security incidents

If we learn of a breach affecting your account or notification handles, we notify affected users within 72 hours of detection — consistent with GDPR Article 33 even when not strictly required by your local law.

Contact

Email [email protected] for privacy questions, data requests, or to flag a concern. See also Terms of Service and Responsible Gaming.