Privacy Policy

1. What We Do

headline.bet is a mobile application that pairs breaking news stories with prediction markets operated by Polymarket, a third-party platform. We provide a user interface for reading news and placing trades on Polymarket event contracts. We do not operate prediction markets, create markets, set odds, resolve outcomes, or hold user funds.

2. Data Controller

Crypto Forest UAB
Republic of Lithuania
Email: hello@headline.bet
Support: support@cryptoforest.eu

For any questions regarding this Privacy Policy or your personal data, contact us at the addresses above.

3. Data We Collect

3.1 Account Data

When you create an account, we may collect:

• Email address (if you sign up via email)
• Name and profile information provided by your authentication method. If you sign in with Apple or Google, the specific data shared depends on the provider and your provider-level privacy settings. If you sign in with an email address, we send a six-digit one-time code to verify that address; we do not store a password.
• Display name (auto-generated at signup; you may change it)
• Selected interest categories (chosen during onboarding)
• Country (derived from your IP address for regulatory compliance) and timezone (from your device).

3.2 Wallet Data

When you use the App, we generate and store:

• Encrypted wallet data: Your cryptographic private key is generated on your device and encrypted using a server-derived key before being stored. We store the encrypted blob to enable multi-device access. The private key itself is stored in your device's secure enclave (iOS Keychain or Android Keystore).
• Wallet address: Your public wallet address on the Polygon network.

3.3 Usage and Diagnostic Data

We collect information about how you interact with the App:

• Analytics events: Screen views, feature interactions, and in-app actions (collected via PostHog)
• Session data: Session duration, app version, device type, and operating system
• Session replays: We record a limited sample of in-app sessions to diagnose usability issues. Text inputs are masked, and financial displays (balances, positions, P&L, trade amounts, and deposit and withdrawal amounts) are masked from these recordings. Wallet addresses and private cryptographic keys are never captured.
• Error and crash reports: Stack traces, device model, OS version, and app version when the app crashes or hits an unhandled error (collected via Sentry). Sensitive fields (wallet keys, auth tokens, financial amounts) are not included.

We do not share this data with advertising networks and do not use it to track you across other apps or websites.

3.4 Referral Data

If you participate in our referral program, we collect:

• Your referral code (based on your username)
• Records of referral relationships between users

3.5 Data We Do NOT Collect

• We do not collect payment card numbers, bank account details, or financial account credentials. All fiat payment processing is handled directly by our third-party payment partners (such as MoonPay and Coinbase) in their own secure environments.
• We do not collect government-issued identification documents. Any identity verification required for deposits or withdrawals is handled directly by our payment partners.
• We do not collect precise geolocation data.
• We do not use the Advertising Identifier (IDFA/AAID) and we do not track you across other apps or websites.

3.6 Device Data

If you enable push notifications, we store a push notification token associated with your account so we can deliver alerts you have opted into. This token is deleted when you disable notifications, sign out, or delete your account.

3.7 On-chain and Blockchain Data

When you use the trading functionality, a non-custodial wallet address on the Polygon network is associated with your account. Transactions submitted from this wallet, the address itself, and any holdings at that address are public information recorded on the Polygon blockchain. This information is visible to anyone and cannot be deleted by us or by you, regardless of whether you delete your account. You should treat your wallet address as public.

4. How We Use Your Data

We use personal data for the following purposes:

• Providing and operating the App: Account creation, authentication, wallet management, and enabling you to interact with Polymarket prediction markets.
• Personalising your experience: Displaying news stories and markets relevant to your selected interests.
• Improving the App: Analysing usage patterns, identifying bugs, measuring feature performance, and conducting A/B tests.
• Communications: Sending transactional notifications (trade confirmations, market resolutions) and, with your consent, optional summary notifications.
• Security and fraud prevention: Detecting and preventing misuse of our services.
• Legal compliance: Meeting our obligations under applicable laws and regulations.

5. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

• Performance of a contract (Article 6(1)(b) GDPR): Processing necessary to provide you with our services (account management, wallet functionality, trade facilitation).
• Legitimate interests (Article 6(1)(f) GDPR): Analytics, security, fraud prevention, and improving our services. We have assessed that these interests do not override your fundamental rights and freedoms.
• Consent (Article 6(1)(a) GDPR): Where applicable, for optional marketing communications and non-essential cookies. You may withdraw consent at any time.
• Legal obligation (Article 6(1)(c) GDPR): Where we are required to process data to comply with applicable laws.

6. Third-Party Services

We share data with the following categories of third-party service providers, who process data on our behalf or as independent controllers:

6.1 Polymarket

Polymarket acts as an independent data controller when you use its services through our App. Your public wallet address and transaction data are visible on the Polygon blockchain and are processed by Polymarket under their own privacy policy.

6.2 Payment Providers

We integrate with third-party payment providers (currently MoonPay and Coinbase) to enable fiat currency deposits and withdrawals. When you use these services, you interact directly with the payment provider, who processes your payment data and identity verification under their own privacy policies. We receive only the information necessary to credit your in-app wallet (transaction status and amount).

6.3 Authentication Methods

We support Sign in with Apple, Sign in with Google, and email one-time-code authentication. When you sign in with Apple or Google, those providers share limited profile information with us as described in Section 3.1, and their own privacy policies govern how they handle your data. When you sign in by email, we send a six-digit verification code to your address through our authentication provider (Supabase) and do not store a password.

6.4 Infrastructure and Analytics

• Supabase (database and authentication hosting)
• PostHog (product analytics and sampled session replay, with the masking described in Section 3.3)
• Sentry (crash and error reporting, with the scope described in Section 3.3)

These providers process data on our behalf under data processing agreements.

6.5 Blockchain

Transactions you make are recorded on the Polygon blockchain. Blockchain transactions are public, immutable, and not controlled by us. Your public wallet address and transaction history on the blockchain are visible to anyone.

We do not sell your personal data to third parties.

7. Data Retention

We retain your personal data for as long as your account is active and as necessary to provide our services. Specifically:

• Account data: Retained until you delete your account.
• Encrypted wallet data: Retained until you delete your account. You may export your private key at any time via Settings.
• Push notification tokens: Retained while notifications are enabled; deleted when notifications are disabled, when you sign out, or when you delete your account.
• Analytics data: Retained for up to 24 months from collection.
• Session replays: Retained for up to 12 months.
• Error and crash reports: Retained for up to 12 months.
• On-chain transaction data: Recorded on the Polygon blockchain; cannot be deleted by us or by you.

After account deletion, we may retain certain data in anonymised or aggregated form, or where required by law.

8. Your Rights (GDPR)

Under the GDPR, you have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate personal data.
• Erasure: Request deletion of your personal data (“right to be forgotten”).
• Restriction: Request restriction of processing in certain circumstances.
• Data portability: Receive your data in a structured, machine-readable format.
• Objection: Object to processing based on legitimate interests.
• Withdraw consent: Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at hello@headline.bet. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority. In Lithuania, this is the State Data Protection Inspectorate (Valstybine duomenu apsaugos inspekcija).

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including industry-standard encryption at rest and in transit, device-level secure storage for sensitive data, and access controls that limit data visibility to the individual user. No system is perfectly secure, and we cannot guarantee absolute security.

10. International Data Transfers

Our infrastructure providers may process data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission or adequacy decisions.

11. Children

Our services are not intended for anyone under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from someone under 18, we will take steps to delete that data promptly. If you believe a minor has provided us with personal data, please contact us at hello@headline.bet.

12. Cookies and Tracking

The headline.bet Website may use essential cookies for functionality. The App uses analytics services (PostHog) as described in Section 6.4. You can control cookie preferences through your browser settings. You can opt out of analytics collection in the App settings.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Website and, where appropriate, via in-app notification. The “Last updated” date at the top indicates when this policy was last revised. Continued use of our services after changes constitutes acceptance of the updated policy.

14. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or your personal data:

Crypto Forest UAB
Email: hello@headline.bet
Support: support@cryptoforest.eu