Privacy Policy
1. Introduction
This Privacy Policy explains how Neostake ("Neostake", "we", "us", "our") collects, uses, stores, discloses, and otherwise processes personal data in connection with the Neostake platform, website, applications, and related services (collectively, the "Platform").
We process personal data in accordance with the General Data Protection Regulation ("GDPR") and applicable German data protection law.
2. Controller
The controller responsible for the processing of personal data described in this Privacy Policy is:
Neostake
Paul Gasselseder, Philipp Grömer, and Moritz Strachon
c/o MDC#neostake
Welserstraße 3
87463 Dietmannsried
Germany
Email: privacy@neostake.de
If you have any privacy-related questions, you can contact us at:
privacy@neostake.de
3. Categories of Personal Data We Process
Depending on how you use the Platform, we may process the following categories of personal data:
3.1 Account and Registration Data
- full name
- university email address
- username
- password hash, where applicable
- university name
- field of study / degree program
- expected graduation year
- optional course-related information
- account creation date
- account status and verification data
3.2 Platform Activity Data
- predictions submitted by you
- market participation data
- positions, scores, rankings, and leaderboard data
- oracle score and related performance metrics
- timestamps of actions
- prize eligibility and prize history
- communication preferences
- content you upload, submit, report, or create on the Platform
- reporting and moderation history relating to your account or content
3.3 Technical and Device Data
- IP address
- browser type and version
- operating system
- device identifiers
- device type
- language and regional settings
- referring URL
- pages visited
- app or website interaction events
- cookie or similar identifier data
- log data and request metadata
3.4 Support and Communication Data
- emails or messages sent to us
- support requests
- reports of bugs, abuse, unlawful content, or misconduct
- attachments you send us
3.5 Verification and Prize Fulfillment Data
- identity verification information, where required
- shipping name and shipping address
- proof of eligibility
- communication relating to prize delivery
3.6 Security and Abuse-Prevention Data
- anti-fraud and anti-abuse signals
- account linkage indicators
- account deletion and cooling-off period identifiers
- bot-protection signals (e.g. Cloudflare Turnstile interaction tokens)
- technical logs relevant to security and integrity
- moderation and enforcement signals
4. Purposes and Legal Bases of Processing
We process personal data only where we have a legal basis under Article 6 GDPR.
4.1 Providing the Platform and Performing the Contract
Purpose:
- creating and managing user accounts
- enabling participation in markets
- calculating scores and leaderboards
- operating competitions and prize cycles
- communicating essential service information
- processing account deletion requests
Legal basis:
Art. 6(1)(b) GDPR
4.2 Platform Integrity, Security, Abuse Prevention, Bot Protection, and Content Moderation
Purpose:
- detecting and preventing fraud, collusion, manipulation, multi-accounting, and abuse
- distinguishing automated traffic from real users (bot protection on signup and similar flows)
- enforcing platform rules and cooling-off periods
- reviewing reports about unlawful or abusive content
- taking moderation and enforcement action
- maintaining system security
- investigating suspicious activity
Legal basis:
Art. 6(1)(f) GDPR
Legitimate interest:
protecting the integrity, fairness, security, proper operation, and legal compliance of the Platform, protecting our email-sending reputation, and protecting users and third parties against abuse and unlawful content
4.3 Analytics and Product Improvement
Purpose:
- measuring product usage
- understanding feature adoption
- improving usability, reliability, and performance
- identifying technical issues and user experience problems
Legal basis:
Art. 6(1)(a) GDPR, where analytics cookies or similar non-essential technologies are used or where consent is otherwise required by law
Analytics and product-improvement processing under this Section is not required to create or maintain a user account or to use the core functionality of the Platform. Refusing or withdrawing consent for analytics does not prevent you from using the core Platform, although some optional analytics-dependent features or settings may be unavailable.
4.4 Error Monitoring, Logging, and Incident Response
Purpose:
- detecting errors and crashes
- troubleshooting incidents
- monitoring application health, logs, uptime, and technical anomalies
- protecting system stability and security
Legal basis:
Art. 6(1)(f) GDPR
Legitimate interest:
ensuring the stability, security, and reliable operation of the Platform
4.5 Prize Fulfillment and Eligibility Verification
Purpose:
- verifying prize eligibility
- contacting winners
- arranging shipping or handover of prizes
- preventing prize abuse
Legal basis:
Art. 6(1)(b) GDPR
and, where necessary, Art. 6(1)(f) GDPR
Legitimate interest:
ensuring proper and fair prize allocation
4.6 Transactional Email and Account Communication
Purpose:
- sending magic links, sign-in codes, password reset emails
- sending account-related notifications
- sending prize, leaderboard, or rule notifications
Legal basis:
Art. 6(1)(b) GDPR for service-essential emails
Art. 6(1)(f) GDPR or Art. 6(1)(a) GDPR for non-essential operational notifications, depending on type and applicable law
4.7 Legal Compliance and Defense of Legal Claims
Purpose:
- complying with legal obligations
- responding to lawful requests by authorities
- enforcing contractual rights
- establishing, exercising, or defending legal claims
Legal basis:
Art. 6(1)(c) GDPR and/or Art. 6(1)(f) GDPR
5. Use of Service Providers and Recipients
We use service providers that process personal data on our behalf as processors under Art. 28 GDPR where applicable. We have concluded data processing agreements where required. The following list summarizes the main recipients and their role.
5.1 AWS — Hosting, CDN, and Transactional Email
We use Amazon Web Services ("AWS") to host and operate the Platform and related systems. AWS provides core infrastructure (compute, container orchestration, databases, object storage, parameter store, logging) in the European regions Stockholm (eu-north-1) and Frankfurt (eu-central-1).
In addition, we use:
- Amazon CloudFront as a content delivery network (CDN) to serve static assets and proxied resources. CloudFront processes IP addresses and request metadata at edge locations worldwide, including locations outside the EEA, in order to deliver content with low latency.
- Amazon Simple Email Service (SES) to send transactional emails such as magic links, account notifications, and prize-related communications. SES processes recipient email addresses, message content, sending metadata, and delivery/bounce/complaint events. SES is operated from European AWS regions where possible.
5.2 Supabase — Database, Backend Infrastructure, Authentication, Storage
We use Supabase for database hosting, backend infrastructure, authentication, storage, and related technical services. Depending on the relevant feature, Supabase may process account data, platform data, authentication-related data, database records, files, and technical metadata. Our Supabase project is hosted in the European region Frankfurt, Germany.
5.3 Cloudflare — Bot Protection (Turnstile)
We use Cloudflare Turnstile to distinguish real users from automated bots on signup and similar abuse-sensitive flows. When you load such a page, your browser communicates with Cloudflare and may transmit:
- IP address
- browser and device characteristics
- a short-lived challenge/verification token
- limited interaction signals
Cloudflare uses these signals to assess whether the request originates from a human or an automated client. Cloudflare, Inc. is established in the United States and operates a global edge network. Where personal data is transferred to the United States, this transfer is safeguarded by the EU-U.S. Data Privacy Framework and/or Standard Contractual Clauses under Art. 46 GDPR. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in protecting the Platform, our email-sending reputation, and other users from abuse).
5.4 PostHog — Product Analytics
We use PostHog for product and usage analytics. Depending on our configuration, PostHog may process:
- usage events
- page views
- clicks and feature interactions
- device and browser information
- IP address or truncated IP information
- user or pseudonymous identifier
- session-related metadata
We use PostHog to understand how users interact with the Platform, improve product design, detect usability issues, and evaluate feature performance. PostHog is configured to use European hosting (PostHog EU, Frankfurt). PostHog analytics is activated only after your consent where required by law. We configure PostHog with privacy-focused settings where possible, including limiting the collection of unnecessary personal data.
5.5 Sentry — Error Tracking and Performance Monitoring
We use Sentry to detect, log, and analyze errors, crashes, and application performance issues. Depending on the incident and our configuration, Sentry may process:
- technical error data
- stack traces
- device and browser information
- IP address
- page URL
- timestamps
- user or account identifiers where necessary for debugging
- limited request metadata
We use Sentry to identify and fix bugs, monitor system health, and improve reliability and security. We configure Sentry to avoid the collection of unnecessary personal data and to minimize sensitive payload data wherever reasonably possible.
5.6 Better Stack — Logging, Monitoring, Incident Response
We use Better Stack for monitoring, logging, uptime checks, and operational alerting. Depending on the relevant service, Better Stack may process:
- infrastructure and application log entries
- technical event data
- status and uptime data
- request metadata
- IP address
- timestamps
- system diagnostics
We use Better Stack to monitor the availability, stability, performance, and security of the Platform and to react to incidents. We configure Better Stack to avoid the collection of unnecessary personal data wherever reasonably possible.
5.7 Enzuzo — Consent Management
We use Enzuzo to display and manage our cookie consent banner and related privacy disclosures. When the banner is displayed, Enzuzo may process technical and consent-related data such as IP address, browser characteristics, and your consent choices.
5.8 Featurebase — Feedback and Roadmap Widget
Where the Platform embeds Featurebase widgets (e.g. for feedback, feature requests, or roadmap), Featurebase may receive technical data such as IP address, browser characteristics, and interaction events directly from your browser. Featurebase is loaded on demand and is used to allow users to send us product feedback.
5.9 YouTube / Google — Video Embeds
Where the Platform embeds YouTube videos, your browser communicates with YouTube and other Google services in order to load the player and stream video content. YouTube and Google may receive your IP address, browser characteristics, and viewing-related metadata. Where reasonably possible, we use the youtube-nocookie domain to reduce tracking. YouTube is operated by Google LLC, a U.S. company. Transfers are safeguarded by the EU-U.S. Data Privacy Framework and/or Standard Contractual Clauses.
5.10 Giphy — GIF Search and Embedding
Where the Platform offers GIF search and embedding (e.g. in posts or comments), your browser communicates with Giphy APIs to retrieve GIF metadata, search results, and media. Giphy may receive IP address, browser characteristics, and request metadata. Giphy is operated from the United States and transfers are safeguarded by the EU-U.S. Data Privacy Framework and/or Standard Contractual Clauses.
5.11 Imgflip — Meme Templates
Where the Platform offers meme creation features, your browser may communicate with Imgflip to retrieve meme templates and related metadata. Imgflip may receive IP address, browser characteristics, and request metadata.
5.12 Polymarket — Market Data
Where the Platform displays third-party market data, your browser may communicate with Polymarket APIs (api.polymarket.com, clob.polymarket.com) to retrieve market and pricing information. Polymarket may receive IP address, browser characteristics, and request metadata.
5.13 News-Source Favicon Proxy
News source logos are served through our own same-origin proxy. Your browser does not directly contact third-party favicon services such as Google's gstatic. Where our backend cannot resolve a favicon from the source itself, it may fall back to a third-party lookup service from our server, in which case only our server's IP address is exposed.
5.14 AI and Content Moderation Providers (Server-Side)
For certain server-side features (e.g. AI-assisted content generation, content moderation, scraping for news ingestion), we use providers including but not limited to OpenAI, Anthropic, Sightengine, VirusTotal, Firecrawl, Jina Reader, and our own Crawl4AI deployment. These providers receive only the data we send them server-side from our backend and do not see your IP address. We avoid sending personal data to AI providers wherever reasonably possible.
5.15 Communication and Operations
We use Discord and Slack for internal operational notifications and, where applicable, for community channels. Where we use these services in connection with personal data (e.g. forwarding moderation alerts), they act as recipients in line with this Privacy Policy.
5.16 Other Recipients
We may disclose personal data:
- to postal and shipping providers for prize fulfillment,
- to professional advisers, auditors, or insurers where necessary,
- to business, sponsorship, prize, or event partners where necessary to administer, provide, sponsor, or deliver competitions, prizes, events, or related Platform features,
- to courts, authorities, law enforcement, or regulators where legally required,
- to rights holders or injured parties where legally required or legally permissible in connection with unlawful content or rights violations,
- in connection with a business restructuring, merger, asset transfer, or similar transaction, subject to applicable law.
6. International Data Transfers
Our core infrastructure is operated in the European Economic Area ("EEA"). The Platform itself is hosted on AWS in EU regions (eu-north-1, eu-central-1) and our Supabase project is hosted in Frankfurt, Germany. Product analytics is configured to use PostHog EU.
However, some of the recipients listed in Section 5 are established in the United States or operate global edge networks. This applies in particular to:
- Cloudflare (bot protection),
- Amazon CloudFront (CDN edge locations worldwide),
- YouTube / Google (video embeds),
- Giphy (GIF search and embedding),
- Imgflip (meme templates),
- AI providers used server-side, where applicable.
Where personal data is transferred to a country outside the EEA, we ensure that an appropriate transfer mechanism under Chapter V GDPR is in place, such as:
- an adequacy decision (including the EU-U.S. Data Privacy Framework, where the recipient is certified),
- Standard Contractual Clauses under Art. 46(2) GDPR,
- or another lawful transfer mechanism.
You may request further information about the relevant safeguards by contacting us.
7. Cookies and Similar Technologies
We use cookies and similar technologies for:
- essential platform functionality,
- security and bot protection,
- authentication,
- preferences,
- analytics,
- performance monitoring.
Strictly necessary cookies and similar technologies (including those required to keep you signed in, to remember consent choices, and to operate bot protection on signup) may be used without consent where legally permitted.
Analytics and similar non-essential technologies are used only with your consent where required by law.
You can manage your preferences through our consent banner provided by Enzuzo or through the in-Platform privacy settings, where available. You can also adjust browser settings, but disabling certain cookies may affect Platform functionality. A current list of cookies and similar technologies, including their lifetime and purpose, is available through the consent banner.
8. Data Retention
We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
The applicable retention period depends on the type of data, the purpose for which it is processed, and any statutory retention obligations, limitation periods, ongoing disputes, abuse-prevention needs, or legal-defense requirements.
8.1 Account Data
We retain account and profile data for as long as your account remains active.
If you delete your account, we will generally delete or anonymize account and profile data without undue delay, unless continued retention is necessary for legal obligations, legal claims, abuse prevention, enforcement of Platform rules, or other lawful purposes described in this Privacy Policy.
8.2 Platform Activity Data
We retain market participation data, predictions, scores, leaderboard data, competition history, reporting history, and moderation-related platform data for as long as your account remains active.
After account deletion, we will generally delete or anonymize such data without undue delay unless continued retention is necessary for legal obligations, the establishment, exercise, or defense of legal claims, abuse prevention, integrity protection, moderation enforcement, evidence preservation, or other lawful purposes described in this Privacy Policy.
8.3 Prize and Verification Data
We retain prize fulfillment and verification data for as long as necessary to administer the relevant prize and to comply with legal, tax, accounting, shipping, fraud-prevention, or defense-of-claims obligations.
Once the relevant purpose has ended and no further retention is required or permitted by law, such data will be deleted or anonymized without undue delay.
8.4 Support, Abuse Reports, and Moderation Data
We retain support requests, abuse reports, unlawful-content reports, moderation records, and related correspondence for as long as reasonably necessary to handle the request, enforce the Platform rules, protect users and third parties, prevent repeated abuse, preserve evidence, and establish, exercise, or defend legal claims.
Once those purposes no longer apply, such data will be deleted or anonymized without undue delay unless further retention is legally required or justified by an ongoing dispute, investigation, or abuse issue.
8.5 Logs, Monitoring, Analytics, and Security Data
We generally retain logs, monitoring data, analytics data, error data, uptime data, and similar technical or security-related records only for as long as reasonably necessary for security, stability, troubleshooting, abuse prevention, product improvement, and legal defense purposes.
Where appropriate, more specific retention periods may be applied internally for particular categories of logs or monitoring data.
8.6 Account Deletion, Cooling-Off, and Abuse-Prevention Data
If you delete your account, we may retain limited identifiers, account-linkage indicators, and related abuse-prevention or enforcement data for as long as reasonably necessary to enforce cooling-off periods, prevent fraud, detect repeated violations, maintain leaderboard integrity, or defend legal claims.
We restrict such retained data to what is reasonably necessary for those purposes and delete or anonymize it once those purposes no longer apply, unless further retention is required or permitted by law.
8.7 Statutory Retention and Legal Claims
Where personal data is subject to statutory retention obligations or is reasonably necessary for the establishment, exercise, or defense of legal claims, we may retain the relevant data for the period required or permitted by applicable law and delete or anonymize it thereafter.
8.8 Anonymized Data
We may retain anonymized or sufficiently aggregated data for statistical, security, integrity, and product improvement purposes. Truly anonymized data is no longer personal data.
9. Sources of Personal Data
We collect personal data:
- directly from you when you register, use the Platform, upload content, contact us, report content, or claim a prize,
- automatically from your device or browser when you use the Platform,
- from service providers or technical systems used to operate the Platform,
- from publicly available or platform-designated external sources relevant for market resolution or score calculation,
- from university systems or university APIs where relevant for affiliation or eligibility checks,
- from anti-abuse, fraud-prevention, bot-protection, and security signals generated by our infrastructure or service providers,
- from shipping or logistics providers where relevant to prize fulfillment.
10. Requirement to Provide Data
Certain personal data is necessary for creating and operating your account and for providing the Platform. If you do not provide required data, we may be unable to create your account, allow participation in certain features, or fulfill prizes.
Providing optional data is voluntary.
11. Automated Processing and Automated Decision-Making
We use automated systems to support:
- score calculation,
- leaderboard ranking,
- fraud detection,
- abuse prevention,
- duplicate-account and multi-account detection,
- bot detection on signup and similar flows,
- technical moderation workflows.
In particular, automated systems may flag accounts as suspicious, restrict certain functions, block signups that fail bot-protection checks, or trigger temporary cooling-off periods. Where such automated steps could have a meaningful effect on a user, we provide a way to contact us for human review at privacy@neostake.de or through the in-Platform support channels.
We do not make decisions based solely on automated processing that produce legal effects or similarly significant effects within the meaning of Art. 22 GDPR, unless legally permitted and subject to the applicable safeguards.
12. Your Rights
Subject to the applicable legal requirements, you have the following rights:
- Right of access under Art. 15 GDPR
- Right to rectification under Art. 16 GDPR
- Right to erasure under Art. 17 GDPR
- Right to restriction of processing under Art. 18 GDPR
- Right to data portability under Art. 20 GDPR
- Right to object under Art. 21 GDPR
- Right to withdraw consent at any time with effect for the future, where processing is based on consent
- Right to lodge a complaint with a supervisory authority
If you object to processing based on our legitimate interests, we will stop processing the relevant data unless we have compelling legitimate grounds overriding your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims.
Right to Object:
Where we process your personal data on the basis of Art. 6(1)(f) GDPR, you have the right to object to such processing on grounds relating to your particular situation at any time under Art. 21 GDPR.
To exercise your rights, contact:
privacy@neostake.de
13. Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority, in particular in the member state of your habitual residence, place of work, or place of the alleged infringement.
14. Security
We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.
Such measures may include access controls, least-privilege principles, encryption, logging, backups, environment separation, bot-protection mechanisms, and processor management.
However, no system is completely secure, and we cannot guarantee absolute security.
15. Children and Minors
The Platform is intended for adult users. We do not knowingly collect personal data from children under 18. If we become aware that personal data of a person under 18 has been collected without the legally required consent, we will take appropriate steps to delete the data and close the account.
Some Platform features (in particular prize participation, prize fulfillment, and certain financial-style features) may additionally require users to be at least 18 years old. Where this is the case, the relevant feature will indicate the requirement, and access may be restricted accordingly.
16. Changes to this Privacy Policy
We may update this Privacy Policy from time to time, for example to reflect legal, technical, or operational changes.
We will publish the updated version on the Platform and, where appropriate, notify users by email or through the Platform.
The "Last Updated" date at the top of this Privacy Policy indicates the latest revision date.
17. Contact
If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us at:
Neostake
Paul Gasselseder, Philipp Grömer, and Moritz Strachon
c/o MDC#neostake
Welserstraße 3
87463 Dietmannsried
Germany
Email: privacy@neostake.de