Privacy Policy

01

Data controller

The data controller for coin-verdict.com is the Operator identified in the Impressum. Contact for all data-protection matters: legal@coin-verdict.com.

02

Data we collect and why

The Operator processes the following categories of personal data:

  • Account data — email address, password hash (stored by Supabase Auth). Legal basis: contract performance (Art. 6(1)(b) GDPR).
  • Subscription data — plan tier, payment timestamps, USDT transaction hashes, Stripe customer/subscription IDs. Legal basis: contract performance.
  • Usage data — pages viewed, features used, session timing. Collected via Plausible Analytics in aggregate, anonymised form (no cookies, no cross-site tracking). Legal basis: legitimate interest (Art. 6(1)(f) GDPR) — improving the service. Plausible does not process personal data within the meaning of GDPR.
  • Communication data — emails sent to support or legal addresses. Legal basis: legitimate interest.
  • Affiliate data — referral codes, commission ledger, payout wallet addresses. Legal basis: contract performance.

03

Cookies and local storage

Supabase Auth uses a strictly-necessary session cookie to keep you signed in. No consent is required under GDPR Art. 5(3) / TDDDG §25(2) No. 2 for strictly-necessary cookies.

The affiliate referral programme sets a verdict_ref cookie when you arrive via a referral link (?ref=CODE). This cookie is a marketing/tracking cookie. It is set for the sole purpose of attributing a subscription to a referrer and expires after 90 days. Under TDDDG §25(1), your consent is the legal basis. By following a referral link, you provide implied consent for this limited purpose. You may delete this cookie at any time via your browser settings.

Plausible Analytics is cookieless and does not set any client-side storage. No third-party tracking or advertising cookies are used.

04

Data processors

The Operator relies on the following third-party processors. Each has a data processing agreement in place:

  • Supabase — database, authentication, and realtime. Data stored in EU regions. Privacy: supabase.com/privacy
  • Stripe — card payment processing (when applicable). Stripe is an independent data controller for payment data under their own terms. Privacy: stripe.com/privacy
  • Vercel — hosting and edge delivery. Request logs (IP, user-agent, URL) are processed for security and CDN routing. Privacy: vercel.com/legal/privacy-policy
  • Plausible Analytics — cookieless, aggregated traffic analytics. No personal data processed. Privacy: plausible.io/privacy
  • Public blockchain explorers — to verify USDT transactions, the service queries Etherscan, Tronscan, BSCScan, and Solscan APIs. Only public transaction hashes (no personal data) are sent to these services.

05

Data transfers outside the EU

Supabase stores data in EU regions. Vercel edge nodes may process request metadata globally; Vercel is covered by EU Standard Contractual Clauses. Blockchain explorer APIs operate from various jurisdictions; only public on-chain data (transaction hashes) is sent — no personal data.

06

Retention

Account and subscription data is retained for the duration of your account plus 3 years for legal/tax compliance. Usage analytics (Plausible) are retained as configured in the Plausible dashboard (default 2 years), in aggregate only.

You may request deletion of your account and associated personal data at any time (see Section 07).

07

Your rights under GDPR

As a data subject you have the following rights:

  • Access (Art. 15) — obtain confirmation of whether and what personal data is processed, and a copy.
  • Rectification (Art. 16) — correct inaccurate personal data.
  • Erasure (Art. 17) — request deletion of personal data when retention is no longer necessary or consent is withdrawn.
  • Data portability (Art. 20) — receive your data in a machine-readable format.
  • Object (Art. 21) — object to processing based on legitimate interest.
  • Restriction (Art. 18) — request that processing be restricted while a dispute is resolved.

To exercise any right, email legal@coin-verdict.com. The Operator will respond within 30 days.

You also have the right to lodge a complaint with the competent supervisory authority. The federal authority is: Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI), Husarenstraße 30, 53117 Bonn, www.bfdi.bund.de. Alternatively, the supervisory authority of the Operator's federal state may be competent.

08

Changes to this policy

The Operator may update this Privacy Policy. For material changes, subscribers will be notified by email or in-app notice at least 14 days in advance.