These documents are working drafts published transparently while LightChallenge completes its independent legal review. Material terms are not expected to change, but minor wording may be updated. The version date appears at the top of each page.

Privacy Policy

Effective date: 2026-05-09

1. Who we are

LightChallenge is a non-custodial competition protocol. The hosted webapp at lightchallenge.app, the testnet environment at uat.lightchallenge.app, the iOS mobile app, the Discord bot, and the off-chain workers are operated by the LightChallenge team. For privacy questions: privacy@lightchallenge.app.

2. What we collect

Information you give us directly

  • Wallet address — every action you take is associated with your blockchain wallet address.
  • Display name & profile — optional. If you set one, it is shown publicly next to your activity.
  • Email — optional, only if you ask us to send you notifications. Stored separately from your wallet identity where possible.

Information we receive from third-party integrations

When you connect a service (Strava, Garmin, Fitbit, Steam, Riot, Discord, etc.) we receive a scoped OAuth access token from that provider. We use this token only to fetch the specific data needed to evaluate the challenges you have joined. The token is encrypted at rest using AES-256-GCM and is never shared with third parties.

The data we fetch typically includes:

  • Fitness providers — workout activity records (start/end time, duration, distance, type, route, heart-rate, calories) for the duration of an active challenge.
  • Gaming providers — match history, KDA / score / win-loss records, ranked tier, hours played.
  • Discord — your Discord user ID and server membership for server-gated challenges.

Information we collect automatically

  • On-chain interactions — your wallet's interactions with our contracts are public on the LightChain blockchain. We index them.
  • Server logs — IP address, user-agent, request timestamps, latency. Used for security monitoring and rate-limiting. Retained for 90 days.
  • Aggregated analytics — page-view counts and feature-usage stats. We do not use third-party advertising or behavioural tracking trackers.

3. How we use this information

  • To run the verification pipeline and produce verdicts on challenges you have joined.
  • To display your activity and standings to you and (where you have made it public) to other users.
  • To send notifications you have opted into (e.g. challenge starts, verdict ready, claim due).
  • To prevent fraud, abuse, multi-account exploitation, and Sybil attacks.
  • To respond to support requests, dispute appeals, and law-enforcement requests where legally required.
  • To operate, maintain, and improve the service.

4. Legal bases (GDPR)

For users in the European Economic Area or the United Kingdom, the legal bases on which we process your personal data are:

  • Contract — performing our agreement with you to operate the service for you.
  • Legitimate interest — fraud prevention, security monitoring, and product improvement.
  • Consent — for optional integrations and email notifications. You may withdraw consent at any time.
  • Legal obligation — where required by applicable law.

5. How we share information

We do not sell your personal data. We share it only:

  • Publicly on-chain — your wallet address, stake amount, and verdict outcome are recorded on the LightChain blockchain and are visible to anyone with access to the chain. This is inherent to using a public blockchain and cannot be undone.
  • With infrastructure providers — Vercel (hosting), Fly.io (workers), Neon (database), Anthropic (AI assistance for the in-app helper). These providers are bound by data-processing agreements.
  • With law enforcement — only when compelled by valid legal process, and we will notify you where legally permitted.
  • With your consent — e.g. if you opt in to share your activity to a public leaderboard.

6. Data retention

  • Wallet activity, verdicts, on-chain events — retained indefinitely (cannot be deleted from the blockchain).
  • Encrypted OAuth tokens — retained while the integration is connected; deleted within 30 days of disconnection.
  • Evidence payloads — retained for 18 months after the relevant challenge finalises, for audit, dispute, and improvement purposes.
  • Server logs — 90 days.
  • Email + display name — until you delete your account.

7. Your rights

Subject to your jurisdiction, you may have the right to access, correct, delete, port, or restrict processing of your personal data, and to object to processing based on legitimate interest. You may exercise these rights by emailing privacy@lightchallenge.app from the email address associated with your account, or by signing a message from your wallet at our request.

Note that deletion does not extend to information published on the blockchain or required for fraud prevention and legal compliance.

8. International data transfers

Our infrastructure operates in the EU (primary region: Amsterdam) and the United States. By using the service you understand and consent to the transfer of your data to these regions, and to any region where our infrastructure providers operate, with appropriate safeguards (e.g. Standard Contractual Clauses) in place.

9. Children

The service is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, contact us and we will delete it.

10. Cookies & local storage

We use a minimal set of first-party cookies and browser local storage to maintain your wallet-connection session, your theme preference, and anti-CSRF state. We do not use third-party advertising cookies. Opting out of these would prevent the webapp from functioning correctly.

11. Security

We use TLS in transit, encryption at rest for sensitive fields, role separation across our wallet fleet, and a public security disclosure program. See our security page for details and how to report a vulnerability.

12. Changes to this policy

We may update this policy from time to time. Material changes will be announced on the website and (where we have your email) by email. The effective date at the top of this page indicates the latest version.

13. Contact

For privacy questions, data-subject requests, or to lodge a complaint:
privacy@lightchallenge.app