Token Clash

Privacy Policy

Effective: 29.04.2026 · Last updated: 27.06.2026

1. Overview

Token Clash ("we", "us", "the game") is a Web3 trading card game on the Solana blockchain. This Privacy Policy explains what data we collect when you play, how we use it, and your rights regarding that data.

By connecting a wallet and playing Token Clash, you agree to the data practices described below. If you do not agree, please disconnect your wallet and discontinue use.

2. Data We Collect

2.1 Wallet Address (Required)

We store your Solana public wallet address as your primary account identifier. The address itself is public on the Solana blockchain. We use it to associate match history, decks, achievements, and inbox messages with your player profile.

2.2 Authentication Tokens

When you sign in with your wallet, we issue a cryptographically signed authentication token (Ed25519). This token is stored in your browser's localStorage and on our server (MongoDB) for up to 30 days. It is not shared with any third party.

2.3 Match History & Stats

We record the result of every ranked, KotH, and tournament match you participate in: opponent wallet, deck used, hero, turn count, duration, winner, and prize amount. This is used for leaderboards, anti-cheat detection, and player statistics displayed on your profile.

2.4 Optional X (Twitter) Profile Data

If you choose to connect your X account, we store your X username, profile image URL, and OAuth refresh token. These are used for in-battle avatar display and tournament recognition. You can disconnect at any time from your Profile page; refresh tokens are deleted on disconnect.

2.5 IP Address (Transient)

We log your IP address temporarily for rate-limiting, fraud detection, and security audit purposes. IPs are stored in admin audit logs for up to 90 days, then automatically deleted (TTL index).

2.6 On-Chain Data

Pack purchases, NFT mints, escrow deposits, and prize distributions occur on the Solana blockchain. This data is public, permanent, and outside our control. Anyone can view your wallet's on-chain history via block explorers like Solscan.

3. How We Use Your Data

  • Gameplay: match history, deck management, leaderboards, achievements
  • Anti-cheat: detect impossible play patterns, exploit attempts
  • Fraud prevention: rate-limiting, Sybil-attack mitigation
  • Customer support: investigate reported issues using your wallet history
  • Analytics: aggregate play patterns to balance card stats and improve gameplay (no personal identifiers in aggregated data)

4. Data We Do NOT Collect

  • We do not collect your real name, email, phone number, or government ID
  • We do not access your wallet's private key or seed phrase under any circumstances
  • We do not use third-party advertising trackers, fingerprinting, or behavioral profiling
  • We do not sell or rent your data to anyone

5. Sharing With Third Parties

We share data only with infrastructure providers strictly necessary to operate the service:

  • Solana RPC providers (Helius, public RPC) — for reading on-chain state. Wallet addresses are inherently visible to RPC providers when interacting with the chain.
  • X (Twitter) API — only if you opt in to X integration; subject to X's own privacy policy

We do not share data with advertisers, data brokers, or marketing platforms.

6. Your Rights

You have the following rights regarding your data:

  • Access: view your collected data via your Profile page
  • X Disconnect: remove X integration via Profile → "Disconnect X" — refresh tokens are deleted immediately
  • Spectator Privacy: opt out of having your Ranked matches listed publicly via Profile → Game Settings
  • Account Deletion: request deletion of your off-chain data (match history, settings, X tokens) via the contact email below. Note: on-chain data cannot be deleted — that is a property of the blockchain, not our system.

EU residents have additional rights under GDPR including data portability, objection to processing, and the right to lodge a complaint with a supervisory authority.

7. Cookies & Local Storage

We do not use third-party tracking cookies. We use browser localStorage to store:

  • Your authentication token (cleared on disconnect)
  • Your audio/UI preferences
  • Disclaimer-acceptance state
  • Tutorial progress flags

You can clear localStorage at any time via your browser settings. This will log you out and reset preferences but will not affect on-chain assets.

8. Data Storage & Security

Player data is stored in a MongoDB database on a dedicated server. Authentication is enforced via Ed25519 signatures verified server-side. Admin actions are logged for audit (90-day retention). We use TLS 1.2+ for all client-server communication.

While we follow industry best practices, no system is perfectly secure. In the event of a data incident, we will notify affected users without undue delay where required by applicable law.

9. Children

Token Clash is intended for users 18 years and older. We do not knowingly collect data from minors. If you believe a minor has provided us data, please contact us and we will delete the relevant records.

10. Changes to This Policy

We may update this Privacy Policy. The "Last updated" date at the top reflects the most recent revision. Significant changes will be announced in-game via the Inbox. Continued use after a material change constitutes acceptance.

11. Contact

For privacy questions, data deletion requests, or other inquiries, contact us at: contact@tokenclash.app