Privacy Policy

1.1 Information You Provide Directly

Account and Authentication Information:

• Email address used for registration and authentication through Privy.
• Display name and optional profile information.
• Any payment or billing information (if applicable).

Communication Information:

• Messages, inquiries, and support tickets you submit to our team.
• Feedback, comments, or suggestions you provide.

Preference and Setting Information:

• Your copy trading settings, allocation limits, and risk parameters.
• Traders you choose to follow and your following/unfollowing history.
• Your display preferences, theme selection, and other UI settings.

1.2 Information Collected Automatically

Device and Browser Information:

• Device type, model, and operating system.
• Browser type, version, and user agent.
• Unique device identifiers (e.g., IDFA on iOS, Android Advertising ID).

Usage and Activity Information:

• Pages and features you access.
• Actions you take (e.g., viewing traders, adjusting allocations, executing trades).
• Time spent on pages, navigation patterns, and interaction sequences.
• Search queries and filter selections.

Log Data:

• IP address and approximate geographic location based on IP geolocation.
• Access times and timestamps of requests.
• Referring URLs and destination URLs.
• Error messages and technical information about requests.
• Information about network performance and latency.

Location Information:

• Approximate geographic location inferred from your IP address (city/country level, not precise).
• We do not collect precise GPS coordinates unless you explicitly authorize it.

1.3 Blockchain and Wallet Information

Because our Service involves cryptocurrency transactions, we collect and process certain blockchain-related data:

On-Chain Data (Public and Immutable):

• Your public Polygon wallet address(es) associated with your Proxy Wallet.
• All transactions executed from your Proxy Wallet on the Polygon blockchain (transaction hashes, amounts, counterparties, timestamps).
• Your current and historical holdings in your Proxy Wallet.
• Your Polymarket positions, trades, and market activity.

Off-Chain Data (Private and Managed by Us):

• Mapping of your Carbon Copy Markets account to your Proxy Wallet address(es).
• Your copy trading settings and allocation instructions for each Trader.
• Your performance metrics, profit/loss calculations, and portfolio summaries.
• Your trading history and copy activity logs.
• Analytics data about your interaction with the platform.

1.4 Information from Third-Party Services

We receive information from the following service providers:

Privy (Authentication and Wallet Provider):

• Your email address and authentication credentials.
• Your Proxy Wallet address and authentication state.
• Metadata about your Privy account and authentication events.

Cloud Infrastructure and Hosting Providers:

• Server access logs and infrastructure data necessary to operate the Service.
• Performance and uptime information.

2.1 Provide and Operate the Service

• Creating and managing your account and authentication.
• Executing copy trades on your behalf according to your settings and instructions.
• Displaying your portfolio, positions, performance metrics, and trading history.
• Processing transactions, managing allocations, and facilitating payments and withdrawals.
• Providing customer support, responding to inquiries, and resolving disputes.
• Sending transactional notifications (e.g., trade confirmations, account alerts, important updates).

2.2 Improve, Develop, and Optimize the Service

• Analyzing usage patterns, trends, and user behavior to understand how users interact with the Service.
• Identifying technical issues, bottlenecks, and opportunities for optimization.
• Developing new features, functionality, and improvements to the Service.
• Conducting research, analytics, and testing to enhance user experience.
• Troubleshooting errors and resolving technical problems.
• Performing A/B testing and feature experiments with user data.

2.3 Communicate with Users

• Sending service-related notifications and updates (e.g., maintenance, feature changes, policy updates).
• Responding to your requests, comments, questions, or complaints.
• Sending promotional communications, newsletters, or marketing materials (with your consent where required by law).
• Notifying you of changes to our policies, Terms of Service, or Privacy Policy.
• Soliciting feedback and conducting surveys.

2.4 Ensure Security, Compliance, and Legal Obligations

• Detecting, preventing, and addressing fraud, abuse, unauthorized access, and security threats.
• Monitoring for suspicious or unusual activity that may indicate violations of these Terms or applicable law.
• Enforcing our Terms of Service, Privacy Policy, and other agreements.
• Protecting the rights, privacy, safety, and property of Carbon Copy Markets, our users, and the public.
• Complying with legal obligations, court orders, subpoenas, and law enforcement requests.
• Conducting investigations and defending against legal claims.
• Maintaining audit trails and compliance records.

2.5 Legitimate Business Interests

• Protecting Carbon Copy Markets' business interests and intellectual property.
• Conducting business analytics, planning, and strategic decision-making.
• Managing our service providers and third-party relationships.
• Aggregating and analyzing data to inform business strategy and performance metrics.

3.1 Service Providers and Technology Partners

We share information with third-party service providers who perform functions on our behalf:

Privy (Authentication and Embedded Wallets):

• Email address, authentication credentials, and account verification status.
• Wallet address and transaction initiation instructions.
• Privy maintains its own privacy policy; please review it for details on how Privy processes your data.

Cloud Infrastructure and Hosting Providers:

• Application data necessary to operate the Service.
• Server logs and performance data.
• These providers maintain their own privacy policies.

Error Tracking and Monitoring:

• Technical debugging information for resolving system issues.
• Performance metrics and system health data.

All service providers are contractually obligated to use your data only to provide services to us and maintain appropriate security measures.

3.2 On-Chain Data and Public Blockchain

When you execute trades through our Service, transaction information is broadcast to the Polygon blockchain network. This includes:

• Your wallet address
• Transaction amount and recipient
• Transaction hash and timestamp

3.3 Legal Requirements and Authorities

We may disclose your information if required to do so by law or in response to valid legal requests from:

• Government agencies, law enforcement, or regulatory bodies.
• Courts, subpoenas, or legal process.
• Investigations of suspected illegal activity or violations of our Terms of Service.

In such cases, we will comply with applicable legal requirements and may or may not be able to notify you, depending on legal restrictions.

3.4 Protection of Rights and Safety

We may disclose your information to protect:

• The rights, privacy, safety, or property of Carbon Copy Markets.
• The rights, privacy, safety, or property of our users or the public.
• Against fraud, security threats, or unauthorized access.
• To enforce our Terms of Service and other agreements.

3.5 Business Transfers

If Carbon Copy Markets is involved in a merger, acquisition, asset sale, bankruptcy, or other business transaction:

• Your information may be transferred as part of that transaction.
• We will provide notice of any change in ownership or use of your personal information.
• Any successor company will be bound by this Privacy Policy (or a successor privacy policy, which will be disclosed to you).

3.6 With Your Explicit Consent

We may share your information with third parties when you explicitly consent to such sharing (e.g., if you authorize us to share performance data with a financial advisor).

3.7 Aggregated and Anonymized Data

We may share aggregated, anonymized, or statistical data that does not identify you personally, such as:

• Aggregate trading volumes or market trends across all users.
• Anonymized performance benchmarks or market analysis.
• General statistical information about platform usage.

Such data is not subject to this Privacy Policy as it does not identify individuals.

4.1 Types of Cookies We Use

We use cookies and similar tracking technologies (including local storage, pixels, web beacons) to:

Essential Cookies (Required for functionality):

• Maintain your authentication session and log-in state.
• Preserve your security credentials and anti-fraud tokens.
• Enable core platform functionality.
• Comply with security requirements.

Functional Cookies (Preferences and UX):

• Remember your display preferences (e.g., dark mode, language, theme).
• Store your UI preferences and settings.
• Enable features like "remember me" functionality.

Analytics Cookies (Understanding usage):

• Track user interactions, page views, and feature usage.
• Measure engagement and conversion metrics.
• Identify technical issues and performance problems.
• Understand how users navigate the platform.

Marketing and Advertising Cookies (if applicable):

• Track your interaction with marketing materials.
• Measure advertising effectiveness.
• Personalize advertising based on your interests.

4.2 Your Cookie Choices

• Browser Controls: You can control cookies through your browser settings. Most browsers allow you to refuse cookies or alert you when cookies are being set.
• Cookie Disabling: If you disable essential cookies, some features of the Service may not function properly.
• Do Not Track: Some browsers include a "Do Not Track" feature. Our Service does not currently respond to Do Not Track signals, but you may have other options to control tracking through your browser or device settings.
• Opt-Out of Analytics: You can opt out of specific analytics services by installing their opt-out browser extensions.

5.1 Retention of Off-Chain Data

We retain your off-chain personal information (account data, settings, analytics, logs) according to the following principles:

During Active Use:

• We retain your account information, settings, and activity logs for as long as your account is active.

After Account Deletion:

• Once you delete your account, we will delete or anonymize most personal information within 30 days, except where we are required by law to retain it.

Legal and Compliance Retention:

• We retain information as required by applicable laws, regulations, or legal obligations (e.g., tax records, financial transaction logs).
• We may retain information for dispute resolution, legal defense, or enforcement of our agreements.
• Financial transaction records are typically retained for 7-10 years to comply with accounting and tax regulations.

Backup and Archive Data:

• Information may persist in backup copies for up to 90 days after deletion before being purged from backup systems.

Legitimate Business Purposes:

• We may retain aggregated, anonymized data indefinitely for analytics, research, and business intelligence purposes.

5.2 Retention of On-Chain Data

7.1 Universal Rights (All Users)

Right to Access:

• You have the right to request a copy of the personal information we hold about you, including the categories of information, sources, and how it is used.

Right to Correction:

• You have the right to request that we correct, amend, or update inaccurate, incomplete, or outdated personal information in our records.

Right to Deletion (with limitations):

• You have the right to request deletion of your personal information, subject to legal and regulatory exceptions.
• Exception: On-chain blockchain data cannot be deleted.
• Exception: We may retain information required by law or for legitimate business purposes (e.g., dispute resolution, fraud prevention, legal defense).

Right to Data Portability:

• You have the right to receive your personal information in a structured, commonly used, machine-readable format (e.g., CSV) and to transmit it to another service provider.

Right to Opt-Out of Communications:

• You can opt out of receiving promotional emails by following the "unsubscribe" link in those emails or by contacting us.
• You can adjust notification preferences in your account settings.

7.2 GDPR Rights (EEA, UK, and Switzerland Residents)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

Legal Basis for Processing:

We process your personal information based on:

• Contractual Necessity: To fulfill our obligations under the Terms of Service and provide the Service to you.
• Legitimate Interests: For fraud prevention, security, platform optimization, customer support, and business analytics.
• Compliance with Law: To comply with legal obligations, regulatory requests, and law enforcement.
• Your Consent: For marketing communications and optional analytics (where we've requested consent).

Right to Object:

• You have the right to object to processing of your personal information based on our legitimate interests, including for marketing and profiling purposes.

Right to Restrict Processing:

• You can request that we restrict or limit the processing of your personal information under certain circumstances (e.g., if you believe information is inaccurate, or processing is unlawful).

Right to Lodge a Complaint:

• You have the right to lodge a complaint with a data protection supervisory authority in your jurisdiction (e.g., your national Data Protection Authority).

Data Protection Officer Contact:

• If applicable, you can contact our legal team regarding GDPR compliance questions.

7.3 CCPA/CPRA Rights (California Residents)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know:

• You have the right to request disclosure of: (a) the categories of personal information we have collected about you, and (b) the specific pieces of personal information we have collected about you.

Right to Delete:

• You have the right to request deletion of personal information we have collected from you, subject to certain exceptions (e.g., information required for legal compliance, fraud prevention, or where we cannot reasonably verify the request).

Right to Correct:

• You have the right to request that we correct inaccurate personal information (CPRA).

Right to Opt-Out of "Sale" or "Sharing":

• Carbon Copy Markets does not "sell" or "share" personal information as defined by CCPA/CPRA. We do not sell data to data brokers or advertisers for monetary consideration. We may share information with service providers to perform services on our behalf, but this does not constitute a "sale" or "sharing" under CCPA.

Right to Limit Use:

• You can request that we limit our use of personal information to the purposes necessary to provide the Service (CPRA).

Right to Non-Discrimination:

• We will not discriminate against you for exercising your privacy rights. You will not be denied service, charged different prices, or provided different quality of service based on exercising CCPA rights.

Verification of Requests:

• To verify your identity before processing a rights request, we may require you to provide additional information, confirm your account details, or use a third-party verification service.

7.4 Other Jurisdictional Rights

Other jurisdictions (e.g., Canada's PIPEDA, Australia's Privacy Act, Brazil's LGPD) may grant you additional privacy rights. If you are unsure whether specific rights apply to you, please contact us.

7.5 How to Exercise Your Rights

To exercise any of the rights above, please contact us at:

Please include:

• Your name and the email associated with your account.
• A clear description of your request (access, correction, deletion, portability, opt-out, etc.).
• Any supporting documentation or identifying information.

We will respond to your request within the timeframe required by applicable law (typically 30-45 days). If we need additional information to verify your identity or process your request, we will contact you.

Note: Some requests may not be fully fulfillable due to legal obligations or technical limitations (e.g., blockchain data cannot be deleted), and we will explain any limitations in our response.

8.1 Cross-Border Data Processing

Your information may be transferred to, stored, and processed in countries other than the country in which you reside, including:

• United States: Our primary servers and processing infrastructure are located in the United States (Delaware-based company).
• Other Locations: We may also use cloud services, CDNs, and third-party vendors whose servers are located in various jurisdictions globally.

These countries may have data protection laws that are different from and potentially less protective than the laws of your country of residence.

8.2 Safeguards for International Transfers

When we transfer personal information internationally, we implement appropriate safeguards to protect your information:

• Standard Contractual Clauses (SCCs): For transfers involving GDPR-covered data, we use EU Standard Contractual Clauses or other mechanisms approved by data protection authorities.
• Adequacy Decisions: Where available, we rely on adequacy determinations (e.g., UK data protection authority recognition of US privacy frameworks).
• Your Consent: In some cases, your use of the Service constitutes consent to international transfers, as described in these Terms.

By using the Service, you acknowledge and consent to the transfer of your personal information to countries outside your country of residence, including the United States.

15.1 Our Commitment

In the event of a confirmed data breach or unauthorized access to personal information, we will:

• Conduct a prompt investigation to determine the scope and nature of the breach.
• Notify affected users and relevant authorities as required by applicable law.
• Take steps to secure our systems and prevent further unauthorized access.

15.2 Notification Procedures

To Users:

• We will notify you via email (to the email on file) as soon as practicable, typically within 72 hours of discovery of the breach (or as required by applicable law), unless law enforcement requests a delay.
• We will provide information about the types of data affected, steps you should take, and what we are doing to address the breach.

To Authorities:

• We will notify relevant data protection authorities and regulatory agencies as required by law (e.g., state attorneys general under CCPA, data protection authorities under GDPR).