Privacy Policy

1. Introduction

This Privacy Policy explains how Neostake (“Neostake”, “we”, “us”, “our”) collects, uses, stores, discloses, and otherwise processes personal data in connection with the Neostake platform, website, applications, and related services (collectively, the “Platform”). We process personal data in accordance with the General Data Protection Regulation (“GDPR”) and applicable German data protection law.

2. Controller

The controller responsible for the processing of personal data described in this Privacy Policy is:

Neostake
Paul Gasselseder, Philipp Grömer, and Moritz Strachon
c/o MDC#neostake
Welserstraße 3
87463 Dietmannsried
Germany
Email: privacy@neostake.de

If you have any privacy-related questions, you can contact us at: privacy@neostake.de

3. Categories of Personal Data We Process

Depending on how you use the Platform, we may process the following categories of personal data:

3.1 Account and Registration Data

- full name
- university email address
- username
- password hash
- university name
- field of study / degree program
- expected graduation year
- optional course-related information
- account creation date
- account status and verification data

3.2 Platform Activity Data

- predictions submitted by you
- market participation data
- positions, scores, rankings, and leaderboard data
- oracle score and related performance metrics
- timestamps of actions
- prize eligibility and prize history
- communication preferences
- content you upload, submit, report, or create on the Platform
- reporting and moderation history relating to your account or content

3.3 Technical and Device Data

- IP address
- browser type and version
- operating system
- device identifiers
- device type
- language and regional settings
- referring URL
- pages visited
- app or website interaction events
- cookie or similar identifier data
- log data and request metadata

3.4 Support and Communication Data

- emails or messages sent to us
- support requests
- reports of bugs, abuse, unlawful content, or misconduct
- attachments you send us

3.5 Verification and Prize Fulfillment Data

- identity verification information, where required
- shipping name and shipping address
- proof of eligibility
- communication relating to prize delivery

3.6 Security and Abuse-Prevention Data

- anti-fraud and anti-abuse signals
- account linkage indicators
- account deletion and cooling-off period identifiers
- technical logs relevant to security and integrity
- moderation and enforcement signals

4. Purposes and Legal Bases of Processing

We process personal data only where we have a legal basis under Article 6 GDPR.

4.1 Providing the Platform and Performing the Contract

Purpose:
- creating and managing user accounts
- enabling participation in markets
- calculating scores and leaderboards
- operating competitions and prize cycles
- communicating essential service information
- processing account deletion requests

Legal basis: Art. 6(1)(b) GDPR

4.2 Platform Integrity, Security, Abuse Prevention, and Content Moderation

Purpose:
- detecting and preventing fraud, collusion, manipulation, multi-accounting, and abuse
- enforcing platform rules and cooling-off periods
- reviewing reports about unlawful or abusive content
- taking moderation and enforcement action
- maintaining system security
- investigating suspicious activity

Legal basis: Art. 6(1)(f) GDPR

Legitimate interest: protecting the integrity, fairness, security, proper operation, and legal compliance of the Platform and protecting users and third parties against abuse and unlawful content

4.3 Analytics and Product Improvement

Purpose:
- measuring product usage
- understanding feature adoption
- improving usability, reliability, and performance
- identifying technical issues and user experience problems

Legal basis: Art. 6(1)(a) GDPR, where analytics cookies or similar non-essential technologies are used or where consent is otherwise required by law

Analytics and product-improvement processing under this Section is not required to create or maintain a user account or to use the core functionality of the Platform. Refusing or withdrawing consent for analytics does not prevent you from using the core Platform, although some optional analytics-dependent features or settings may be unavailable.

4.4 Error Monitoring, Logging, and Incident Response

Purpose:
- detecting errors and crashes
- troubleshooting incidents
- monitoring application health, logs, uptime, and technical anomalies
- protecting system stability and security

Legal basis: Art. 6(1)(f) GDPR

Legitimate interest: ensuring the stability, security, and reliable operation of the Platform

4.5 Prize Fulfillment and Eligibility Verification

Purpose:
- verifying prize eligibility
- contacting winners
- arranging shipping or handover of prizes
- preventing prize abuse

Legal basis: Art. 6(1)(b) GDPR and, where necessary, Art. 6(1)(f) GDPR

Legitimate interest: ensuring proper and fair prize allocation

4.6 Legal Compliance and Defense of Legal Claims

Purpose:
- complying with legal obligations
- responding to lawful requests by authorities
- enforcing contractual rights
- establishing, exercising, or defending legal claims

Legal basis: Art. 6(1)(c) GDPR and/or Art. 6(1)(f) GDPR

5. Use of Service Providers and Recipients

We use service providers that process personal data on our behalf as processors under Art. 28 GDPR where applicable. We have concluded data processing agreements where required.

5.1 AWS / Hosting and Infrastructure

We use Amazon Web Services (“AWS”) to host and operate the Platform and related systems. Depending on the relevant service, AWS may process account data, technical data, database-related data, log data, request metadata, and stored content. The Platform is hosted in European AWS regions.

5.2 Supabase (Database, Backend Infrastructure, Authentication, Storage)

We use Supabase for database hosting, backend infrastructure, authentication, storage, and related technical services. Depending on the relevant feature, Supabase may process account data, platform data, authentication-related data, database records, files, and technical metadata. Our Supabase project is hosted in the European region Frankfurt, Germany.

5.3 PostHog (Product Analytics)

We use PostHog for product and usage analytics. Depending on our configuration, PostHog may process:
- usage events
- page views
- clicks and feature interactions
- device and browser information
- IP address or truncated IP information
- user or pseudonymous identifier
- session-related metadata

We use PostHog to understand how users interact with the Platform, improve product design, detect usability issues, and evaluate feature performance. PostHog analytics is activated only after your consent where required by law. We configure PostHog with privacy-focused settings where possible, including limiting the collection of unnecessary personal data and using European hosting options where available.

5.4 Sentry (Error Tracking and Performance Monitoring)

We use Sentry to detect, log, and analyze errors, crashes, and application performance issues. Depending on the incident and our configuration, Sentry may process:
- technical error data
- stack traces
- device and browser information
- IP address
- page URL
- timestamps
- user or account identifiers where necessary for debugging
- limited request metadata

We use Sentry to identify and fix bugs, monitor system health, and improve reliability and security. We configure Sentry to avoid the collection of unnecessary personal data and to minimize sensitive payload data wherever reasonably possible.

5.5 Better Stack (Logging, Monitoring, Incident Response)

We use Better Stack for monitoring, logging, uptime checks, and operational alerting.
Depending on the relevant service, Better Stack may process:
- infrastructure and application log entries
- technical event data
- status and uptime data
- request metadata
- IP address
- timestamps
- system diagnostics

We use Better Stack to monitor the availability, stability, performance, and security of the Platform and to react to incidents. We configure Better Stack to avoid the collection of unnecessary personal data wherever reasonably possible.

5.6 Other Recipients

We may disclose personal data:
- to postal and shipping providers for prize fulfillment,
- to professional advisers, auditors, or insurers where necessary,
- to business, sponsorship, prize, or event partners where necessary to administer, provide, sponsor, or deliver competitions, prizes, events, or related Platform features,
- to courts, authorities, law enforcement, or regulators where legally required,
- to rights holders or injured parties where legally required or legally permissible in connection with unlawful content or rights violations,
- in connection with a business restructuring, merger, asset transfer, or similar transaction, subject to applicable law.

6. International Data Transfers

We aim to process personal data within the European Economic Area (“EEA”). The Platform is hosted in European infrastructure, including AWS in EU regions and Supabase in Frankfurt, Germany. Some service providers we use may be established outside the EEA or may permit limited remote access from third countries. Where this is the case, we ensure that an appropriate transfer mechanism under Chapter V GDPR is in place, such as:
- an adequacy decision,
- Standard Contractual Clauses,
- or another lawful transfer mechanism.

You may request further information about the relevant safeguards by contacting us.

7. Cookies and Similar Technologies

We use cookies and similar technologies for:
- essential platform functionality,
- security,
- authentication,
- preferences,
- analytics,
- performance monitoring.

Strictly necessary cookies and similar technologies may be used without consent where legally permitted. Analytics and similar non-essential technologies are used only with your consent where required by law. You can manage your preferences through our consent banner or settings interface, where available. You can also adjust browser settings, but disabling certain cookies may affect platform functionality.

8. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. The applicable retention period depends on the type of data, the purpose for which it is processed, and any statutory retention obligations, limitation periods, ongoing disputes, abuse-prevention needs, or legal-defense requirements.

8.1 Account Data

We retain account and profile data for as long as your account remains active. If you delete your account, we will generally delete or anonymize account and profile data without undue delay, unless continued retention is necessary for legal obligations, legal claims, abuse prevention, enforcement of Platform rules, or other lawful purposes described in this Privacy Policy.

8.2 Platform Activity Data

We retain market participation data, predictions, scores, leaderboard data, competition history, reporting history, and moderation-related platform data for as long as your account remains active. After account deletion, we will generally delete or anonymize such data without undue delay unless continued retention is necessary for legal obligations, the establishment, exercise, or defense of legal claims, abuse prevention, integrity protection, moderation enforcement, evidence preservation, or other lawful purposes described in this Privacy Policy.

8.3 Prize and Verification Data

We retain prize fulfillment and verification data for as long as necessary to administer the relevant prize and to comply with legal, tax, accounting, shipping, fraud-prevention, or defense-of-claims obligations. Once the relevant purpose has ended and no further retention is required or permitted by law, such data will be deleted or anonymized without undue delay.

8.4 Support, Abuse Reports, and Moderation Data

We retain support requests, abuse reports, unlawful-content reports, moderation records, and related correspondence for as long as reasonably necessary to handle the request, enforce the Platform rules, protect users and third parties, prevent repeated abuse, preserve evidence, and establish, exercise, or defend legal claims. Once those purposes no longer apply, such data will be deleted or anonymized without undue delay unless further retention is legally required or justified by an ongoing dispute, investigation, or abuse issue.

8.5 Logs, Monitoring, Analytics, and Security Data

We generally retain logs, monitoring data, analytics data, error data, uptime data, and similar technical or security-related records only for as long as reasonably necessary for security, stability, troubleshooting, abuse prevention, product improvement, and legal defense purposes. Where appropriate, more specific retention periods may be applied internally for particular categories of logs or monitoring data.

8.6 Account Deletion, Cooling-Off, and Abuse-Prevention Data

If you delete your account, we may retain limited identifiers, account-linkage indicators, and related abuse-prevention or enforcement data for as long as reasonably necessary to enforce cooling-off periods, prevent fraud, detect repeated violations, maintain leaderboard integrity, or defend legal claims.
We restrict such retained data to what is reasonably necessary for those purposes and delete or anonymize it once those purposes no longer apply, unless further retention is required or permitted by law.

8.7 Statutory Retention and Legal Claims

Where personal data is subject to statutory retention obligations or is reasonably necessary for the establishment, exercise, or defense of legal claims, we may retain the relevant data for the period required or permitted by applicable law and delete or anonymize it thereafter.

8.8 Anonymized Data

We may retain anonymized or sufficiently aggregated data for statistical, security, integrity, and product improvement purposes. Truly anonymized data is no longer personal data.

9. Sources of Personal Data

We collect personal data:
- directly from you when you register, use the Platform, upload content, contact us, report content, or claim a prize,
- automatically from your device or browser when you use the Platform,
- from service providers or technical systems used to operate the Platform,
- from publicly available or platform-designated external sources relevant for market resolution or score calculation,
- from university systems or university APIs where relevant for affiliation or eligibility checks,
- from anti-abuse, fraud-prevention, and security signals generated by our infrastructure or service providers,
- from shipping or logistics providers where relevant to prize fulfillment.

10. Requirement to Provide Data

Certain personal data is necessary for creating and operating your account and for providing the Platform. If you do not provide required data, we may be unable to create your account, allow participation in certain features, or fulfill prizes. Providing optional data is voluntary.

11. Automated Decision-Making

We may use automated systems to support:
- score calculation,
- leaderboard ranking,
- fraud detection,
- abuse prevention,
- duplicate-account detection,
- technical moderation workflows.

However, we do not make decisions based solely on automated processing that produce legal effects or similarly significant effects within the meaning of Art. 22 GDPR, unless legally permitted and subject to the applicable safeguards.

12. Your Rights

Subject to the applicable legal requirements, you have the following rights:
- Right of access under Art. 15 GDPR
- Right to rectification under Art. 16 GDPR
- Right to erasure under Art. 17 GDPR
- Right to restriction of processing under Art. 18 GDPR
- Right to data portability under Art. 20 GDPR
- Right to object under Art. 21 GDPR
- Right to withdraw consent at any time with effect for the future, where processing is based on consent
- Right to lodge a complaint with a supervisory authority

If you object to processing based on our legitimate interests, we will stop processing the relevant data unless we have compelling legitimate grounds overriding your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims.

Right to Object: Where we process your personal data on the basis of Art. 6(1)(f) GDPR, you have the right to object to such processing on grounds relating to your particular situation at any time under Art. 21 GDPR.

To exercise your rights, contact: privacy@neostake.de

13. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority, in particular in the member state of your habitual residence, place of work, or place of the alleged infringement.

14. Security

We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access. Such measures may include access controls, least-privilege principles, encryption, logging, backups, environment separation, and processor management. However, no system is completely secure, and we cannot guarantee absolute security.

15. Children and Minors

The Platform is not intended for persons under 18 years of age. We do not knowingly collect personal data from children under 18. If we become aware that personal data of a person under 18 has been collected in violation of our rules, we will take appropriate steps to delete the data and close the account.

16. Changes to this Privacy Policy

We may update this Privacy Policy from time to time, for example to reflect legal, technical, or operational changes. We will publish the updated version on the Platform and, where appropriate, notify users by email or through the Platform. The “Last Updated” date at the top of this Privacy Policy indicates the latest revision date.

17. Contact

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us at:

Neostake
Paul Gasselseder, Philipp Grömer, and Moritz Strachon
c/o MDC#neostake
Welserstraße 3
87463 Dietmannsried
Germany
Email: privacy@neostake.de