Privacy Policy

This Privacy Policy explains how Kudos ("we," "us," or "our") collects, uses, shares, and protects your personal data when you use our website at kudosonbase.com and related services (collectively, the "Service").

We are committed to protecting your privacy and processing your data in compliance with the General Data Protection Regulation (GDPR), the UK GDPR, the ePrivacy Directive, and other applicable data protection laws.

By using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

The data controller responsible for your personal data is:

• Company: Kudos
• Website: kudosonbase.com
• Email: privacy@kudosonbase.com
• Jurisdiction: United States

For EU/UK users, we have appointed a representative who can be contacted at: privacy@kudosonbase.com

We collect the following categories of personal data:

3.1 Data You Provide Directly

• Account Information: Email address (if you sign up via email), username, display name, profile biography, and avatar image.
• Wallet Data: Public blockchain wallet addresses you connect to the Service. Note: We never have access to your private keys or seed phrases.
• Content: Images, metadata, and descriptions you upload when creating NFT collections.
• Communications: Messages you send to us via email or support channels.
• Work Email Verification: Work email addresses submitted for verification to access restricted features.

3.2 Data Collected Automatically

• Device Information: Browser type, operating system, device type, screen resolution.
• Usage Data: Pages visited, features used, click patterns, time spent on pages, referral sources.
• IP Address: Used for security, fraud prevention, and approximate geolocation (country/region level).
• Cookies & Similar Technologies: Session identifiers, authentication tokens, and analytics data (see Section 9).

3.3 Data from Third Parties

• Blockchain Data: Public transaction data from the Base network related to your wallet address.
• Wallet Providers: Basic connection data when you authenticate via wallet providers (e.g., Coinbase, MetaMask).

We process your personal data based on the following legal grounds:

• Contract Performance (Art. 6(1)(b)): Processing necessary to provide the Service you requested, including account creation, NFT minting, and transaction processing.
• Legitimate Interests (Art. 6(1)(f)): Processing for our legitimate business interests, including service improvement, fraud prevention, security, and analytics—balanced against your rights and freedoms.
• Consent (Art. 6(1)(a)): Where you have given explicit consent, such as for marketing communications or non-essential cookies. You may withdraw consent at any time.
• Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable laws, such as tax reporting or responding to lawful government requests.

We use your personal data for the following purposes:

5.1 Service Delivery

• Create and manage your account
• Process NFT minting, airdrops, and transfers
• Display your profile and collections
• Facilitate blockchain transactions via integrated services

5.2 Communication

• Send transactional emails (mint confirmations, security alerts)
• Respond to your support inquiries
• Send marketing communications (with your consent)

5.3 Security & Fraud Prevention

• Detect and prevent fraud, abuse, and unauthorized access
• Monitor for suspicious activity
• Enforce our Terms of Service

5.4 Service Improvement

• Analyze usage patterns to improve features
• Conduct research and development
• Debug and fix technical issues

We do not sell your personal data. We may share your data in the following circumstances:

6.1 Service Providers (Processors)

We engage trusted third-party service providers to help operate the Service:

• Cloud Infrastructure: Vercel (hosting), Supabase (database)
• Blockchain Services: Crossmint (NFT minting), Coinbase Developer Platform (wallet services)
• Storage: Arweave, AWS S3 (media storage)
• Analytics: Privacy-focused analytics tools
• Email: Transactional email providers

All service providers are bound by Data Processing Agreements (DPAs) requiring them to protect your data and use it only for specified purposes.

6.2 Public Blockchain Data

By design, blockchain transactions are public and permanent. When you mint or transfer NFTs, your wallet address and transaction details are visible on the Base network. We cannot delete or modify blockchain data.

6.3 Legal Requirements

We may disclose data when required by law, court order, or government request, or to protect our rights, property, or safety.

6.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity.

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA) and United Kingdom, including the United States.

When we transfer data internationally, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs): EU-approved contractual terms with our processors
• Adequacy Decisions: Transfers to countries deemed adequate by the European Commission
• Data Processing Agreements: Binding agreements with all processors

You may request a copy of the safeguards we use by contacting privacy@kudosonbase.com.

We retain your personal data only as long as necessary for the purposes described in this policy:

• Account Data: Retained while your account is active, plus 30 days after deletion request
• Transaction Records: 7 years (for legal/tax compliance)
• Analytics Data: 26 months (aggregated/anonymized thereafter)
• Support Communications: 3 years after resolution
• Marketing Consent Records: 3 years after consent withdrawal

Blockchain data is permanent and cannot be deleted. This includes wallet addresses and transaction history recorded on-chain.

9.1 What We Use

• Essential Cookies: Required for authentication, security, and basic functionality. Cannot be disabled.
• Functional Cookies: Remember your preferences (theme, language).
• Analytics Cookies: Help us understand how you use the Service (with consent where required).

9.2 Local Storage

We use browser local storage to maintain your session, cache wallet connection state, and store preferences. This data remains on your device.

9.3 Your Choices

For EU/UK users, we obtain consent before setting non-essential cookies. You can manage cookie preferences through our cookie banner or your browser settings. Note that disabling essential cookies may prevent the Service from functioning properly.

9.4 Do Not Track

We honor Do Not Track (DNT) browser signals and limit tracking accordingly.

We implement appropriate technical and organizational measures to protect your personal data:

• Encryption in transit (TLS/HTTPS) and at rest
• Secure authentication mechanisms
• Regular security assessments and monitoring
• Access controls and principle of least privilege
• Incident response procedures

No system is completely secure. Please protect your wallet credentials, enable two-factor authentication where available, and report any security concerns to security@kudosonbase.com.

Under GDPR and applicable laws, you have the following rights:

• Right of Access (Art. 15): Request a copy of your personal data we hold.
• Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
• Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten"), subject to legal retention requirements.
• Right to Restrict Processing (Art. 18): Request limitation of how we process your data.
• Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
• Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing.
• Right to Withdraw Consent (Art. 7): Withdraw consent at any time where processing is based on consent.
• Right to Lodge a Complaint: File a complaint with your local data protection authority.

To exercise your rights: Email privacy@kudosonbase.com with your request. We will respond within 30 days (extendable by 60 days for complex requests). We may verify your identity before processing requests.

Note: Some data (e.g., blockchain transactions) cannot be deleted due to the immutable nature of public blockchains.

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately at privacy@kudosonbase.com, and we will delete such data.

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the updated policy with a new "Last updated" date
• Sending an email notification for significant changes (if you have an account)
• Displaying a prominent notice on the Service

Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

For privacy-related questions, requests, or complaints:

• Email: privacy@kudosonbase.com
• Subject Line: "Privacy Request - [Your Request Type]"

EU/UK Supervisory Authorities: You have the right to lodge a complaint with your local data protection authority. A list of EU authorities is available at edpb.europa.eu.