1. Data we collect
We collect the following categories of personal data:
- Account data — username, email address, password hash, and account settings.
- Verification data — when KYC is required, your legal name, date of birth, address, and government-ID and proof-of-address documents (handled by our verification provider).
- Transaction data — deposits, balance changes, plays, prizes, claims, and crypto withdrawal addresses.
- Shipping data — recipient name and postal address you provide to claim physical prizes.
- Technical data — IP address, device and browser information, approximate location (derived from IP), and activity logs.
- Usage & communications — pages viewed, features used, support messages, and notification preferences.
2. How we use your data
We use personal data to:
- Operate your account, process plays, credit prizes, and fulfill claims and withdrawals;
- Verify age and identity and prevent fraud, abuse, and money laundering;
- Provide support and respond to your requests;
- Send service messages and, with your consent, marketing or promotional notifications;
- Improve, secure, and analyze the platform;
- Comply with legal, tax, accounting, and regulatory obligations.
3. Legal bases
Where data-protection law (such as the GDPR) applies, we process personal data on the basis of: contract (to provide the service you request); legal obligation (AML/KYC, tax, accounting); legitimate interests (security, fraud prevention, product improvement), balanced against your rights; and consent (for marketing and non-essential cookies), which you can withdraw at any time.
5. Data retention
We keep personal data for as long as your account is active and as needed to provide the service. After closure, we retain certain records to meet legal, tax, and AML obligations (typically up to 5–7 years for transaction and verification records), then delete or anonymize them. Backups are purged on a rolling schedule.
6. Security
We use technical and organizational measures — encryption in transit, access controls, hashing of credentials, and least-privilege handling of verification documents — to protect your data. No system is perfectly secure; you are responsible for protecting your login and enabling multi-factor authentication.
7. Your rights
Depending on where you live, you may have the right to:
- Access, correct, or delete your personal data;
- Object to or restrict certain processing, and withdraw consent;
- Receive a portable copy of data you provided;
- Opt out of marketing at any time;
- Lodge a complaint with your local data-protection authority.
To exercise any right, email privacy@graildrop.io. We may need to verify your identity first. Some data (e.g. AML records) cannot be deleted while a legal obligation to keep it remains.
8. International transfers
We may process and store data in countries other than yours. Where we transfer personal data internationally, we use appropriate safeguards (such as standard contractual clauses) to ensure a comparable level of protection.
9. Children
GrailDrop is strictly for adults aged 18+. We do not knowingly collect data from anyone under 18. If we learn that an account belongs to a minor, we will close it and delete the associated data.
10. Changes to this Policy
We may update this Policy from time to time. We will post the revised version with a new “last updated” date and, for material changes, notify you in-app or by email.