Privacy Policy

Last updated: May 7, 2026

This Privacy Policy explains how Plypto Pte. Ltd. ("Plypto", "we", "us", "our") collects, uses, discloses, and protects personal data of visitors and players of the Plypto platform — including the website at plypto.space and the official Plypto Android application, which is a Trusted Web Activity wrapper around the same website (collectively, the "Platform").

By accessing or using the Platform you confirm that you have read and understood this Policy. If you do not agree with it, you must stop using the Platform. This Policy should be read together with our Terms of Use and Terms of Sale.

Table of Contents

  1. Controller & Scope
  2. Plain-Language Summary
  3. Categories of Data We Collect
  4. Sources of the Data
  5. How and Why We Use Your Data
  6. Legal Bases (GDPR)
  7. Cookies & Similar Technologies
  8. Analytics & Product Telemetry
  9. Service Providers (Sub-Processors)
  10. Payment Data
  11. International Data Transfers
  12. Retention Periods
  13. Security
  14. Children
  15. Gameplay-Specific Disclosures
  16. Android App-Specific Notes
  17. Your Rights
  18. Marketing Communications
  19. Do Not Track & Global Privacy Controls
  20. Changes to This Policy
  21. Contact

01

Controller & Scope

The data controller for personal data processed through the Platform is Plypto Pte. Ltd., a private limited company incorporated and registered in the Republic of Singapore.

This Policy applies to personal data processed in connection with: (a) the Plypto website at plypto.space; (b) the official Plypto Android application; (c) any related emails, support channels, and partner-portal interactions.

The Android application does not run a separate backend: it loads the live website inside Chrome via a Trusted Web Activity. As a result, the same data flows, cookies, and security model described here apply identically whether you use Plypto in a browser or in the app.

02

Plain-Language Summary

  • We collect what we need to run the game safely: your account details, your gameplay state, technical telemetry, payment metadata (never the full card number), and a handful of attribution / analytics signals.
  • We never sell your personal data.
  • Plypto is not a bank, wallet, or exchange. We do not custody your private keys and we do not connect to your personal wallet beyond the address you supply for withdrawals.
  • In-game Bitcoin (BTC) production is simulated: nothing on Plypto mines cryptocurrency on your device, in your browser, or on your behalf. The Platform does not run any cryptominer, hash function, or proof-of-work workload on your device.
  • The Galactic Café uses protons only. Protons won at the café are non-withdrawable and have no cash value. There is no real-money gambling on the Platform.
  • You can ask us to access, correct, export, or delete your data at any time — see Section 17.

03

Categories of Data We Collect

We process the following categories of personal data:

a. Account & identity data

Email address, pseudonym (player handle), planet hex, public planet number, role (USER / ADMIN / PARTNER / BOT), banned status, password hash (bcrypt — we never see your plain password), optional WebAuthn / passkey credentials, and the Google ID returned by Google during Sign-In if you log in with Google.

b. Gameplay & ledger data

Infrastructure deployments and levels, proton balance, BTC in-game balance and append-only BTC ledger entries (every credit / debit with kind and metadata), strike / defense / monthly earning aggregates, raid history (initiator, defender, outcome, loot), Galactic Café play log (stake, fair draw, resolved value, win factor, café fee rate and amount), Battle Strike Pass purchases and consumption, daily rewards run records, login timestamps and per-day session log entries.

c. Payment metadata

For each purchase we store a payment record referencing the external invoice (Coinremitter invoice id, 0xProcessing invoice id, Stripe Checkout Session id), the price displayed, the resolved BTC reference price, the payer's declared Bitcoin address (for crypto payments), the wallet address used to receive funds, the success / cancel status, and the webhook payload (sanitised). We never see or store your full card number, CVV, or your private wallet keys — card data is handled directly by Stripe in their PCI-DSS scope.

d. Technical & security data

IP address (transient — used at request time for routing, rate-limiting, abuse detection, and Cloudflare Turnstile CAPTCHA validation), user-agent string, request timestamps, authentication session tokens (HMAC-signed JWT cookies, never stored server-side), error logs, and webhook signatures.

e. Attribution & marketing data

Signed signup-attribution cookie capturing: partner id, origin user id (when sent by a B2B partner), referral code, and ad-network parameters (gclid, gad_campaignid, gbraid, wbraid, fbclid, msclkid, ttclid, utm_*). On account creation, that cookie is decoded and the resulting ad-campaign payload may be persisted on the user record. Newsletter opt-in flag and timestamp.

f. Communications & support

Messages you send to support, the contact-guest cookie used to deduplicate guest tickets, transactional emails sent to you (welcome, password reset, purchase receipts, withdrawal notifications, admin signup alerts) and any feedback you submit via /feedback.

04

Sources of the Data

  • Directly from you: when you register, log in, play, send messages, or pay.
  • From Google: when you choose "Sign in with Google", Google returns your email, name, and a stable identifier; we do not receive your Google password.
  • From payment processors: Coinremitter, 0xProcessing, and Stripe send us webhook events about your invoices and Checkout Sessions.
  • From URL parameters: ad-network and partner referral parameters captured by our middleware when you land on the site.
  • Automatically: HTTP request metadata, cookies, and analytics events.

05

How and Why We Use Your Data

  • Run the game. Authenticate you, persist your planet state, run the daily BTC rewards cron, resolve raids, settle Galactic Café plays, and process Battle Strike Pass purchases.
  • Process payments. Issue invoices, verify webhooks, credit protons, audit transactions, and refund or charge-back when applicable.
  • Process withdrawals. Validate your wallet address, run anti-fraud and AML/KYC checks where required, and disburse BTC.
  • Secure the Platform. Detect and block fraud, abuse, multi-accounting, automation, and bot traffic; verify Cloudflare Turnstile CAPTCHA; validate webhook signatures.
  • Support & communicate. Respond to support tickets, send transactional emails (sign-up welcome, purchase receipts, password reset), and deliver legal or service notifications.
  • Analytics & improvement. Understand how the Platform is used so we can fix bugs and improve the game (PostHog, Vercel Analytics, optionally Google Analytics 4).
  • Marketing attribution. Measure how new players found us (partner program, referral, ad campaign) and remit partner commissions correctly.
  • Comply with the law. Tax, accounting, AML, and dispute-resolution obligations.

06

Legal Bases (GDPR)

Where the GDPR (or an equivalent regime) applies, we rely on the following legal bases:

  • Performance of a contract (Art. 6(1)(b)) — to operate the game, your account, and any paid features you choose to use.
  • Legitimate interest (Art. 6(1)(f)) — fraud prevention, security, network and information integrity, debugging, defending against abuse, and basic product analytics. We balance these interests against your rights and offer opt-outs where required.
  • Consent (Art. 6(1)(a)) — for marketing emails (when applicable), and for any non-essential cookies / advertising analytics where the jurisdiction requires opt-in consent.
  • Legal obligation (Art. 6(1)(c)) — tax and accounting record-keeping, AML / KYC, and responses to lawful requests.

07

Cookies & Similar Technologies

We use a small number of first-party cookies that are strictly necessary or directly related to operating the game:

  • authjs.session-token / __Secure-authjs.session-token — your authenticated session JWT (HTTP-only, secure).
  • plypto_signup_attribution — HMAC-signed payload that lets us correctly credit a partner / ad campaign / referrer when you sign up.
  • plypto_contact_guest — random UUID set on /support so guests can have a consistent ticket thread.
  • plypto_footer_variant — UI preference flag for the in-app footer style.
  • Third-party cookies / SDK identifiers may also be set by the analytics and CAPTCHA providers listed in Sections 8 and 9.

You can clear or block cookies in your browser settings. Please note that blocking the session cookie will sign you out and prevent you from using authenticated features.

08

Analytics & Product Telemetry

Where enabled, we use the following analytics tools to understand usage patterns and improve the Platform:

  • PostHog (product analytics, optional session replay) — events about page views, in-game actions, and errors. Configured via NEXT_PUBLIC_POSTHOG_KEY; can be disabled per-environment via NEXT_PUBLIC_POSTHOG_DISABLED.
  • Vercel Analytics — privacy-focused traffic measurement that does not use cross-site cookies.
  • Google Analytics 4 — only loaded in production when NEXT_PUBLIC_GA_ID is set. IP addresses are truncated by Google and we do not enable ad personalisation.

If you do not want to be measured by these tools, you can use your browser's built-in tracking protection, an extension that blocks third-party scripts, or a privacy-focused browser such as Brave or Firefox with strict tracking protection.

09

Service Providers (Sub-Processors)

We rely on the following data processors. Each of them only processes the data needed for its function and is bound by a data-processing agreement and / or its own enterprise terms.

| Provider | Purpose | Region |
|---|---|---|
| Vercel | Web & serverless hosting, CDN, basic analytics, deployment platform | Global edge, EU/US |
| MongoDB Atlas | Primary database (accounts, gameplay, ledger) | EU |
| Google LLC | Sign-In with Google (OAuth identity), Google Analytics (when enabled) | US / Global |
| Stripe, Inc. | Card payments for proton packs (Checkout Sessions + webhooks) | US / EU |
| Coinremitter | Bitcoin invoices and webhook processing | Global |
| 0xProcessing | Ethereum invoices and webhook processing | Global |
| Brevo (Sendinblue) | Transactional email delivery (welcome, receipts, etc.) | EU |
| Cloudinary | Hosting of game assets and partner / infrastructure imagery | US / Global |
| Cloudflare Turnstile | CAPTCHA / bot mitigation on sign-up and sensitive forms | Global |
| PostHog | Product analytics (when enabled) | EU/US (per project setting) |
| UptimeRobot | External uptime monitoring of public endpoints | Global |

We may add or replace processors over time; this list will be kept current and material additions will be highlighted in the changelog at the top of this page.

10

Payment Data

Plypto does not store card numbers, card CVVs, or wallet private keys. When you pay with a card, you are redirected to a Stripe-hosted Checkout Session and Stripe handles the card data inside its PCI-DSS scope. Plypto only receives the Checkout Session identifier, the amount, the currency, the success / cancel status, and a sanitised webhook payload.

For Bitcoin and Ethereum payments, the invoice is created and hosted by Coinremitter or 0xProcessing respectively. We receive the invoice identifier, the resolved transaction hash (when available), the amount, the wallet address used, and the webhook signature for verification.

Withdrawals are paid out to the Bitcoin address you provide. That address, along with the amount, status, and transaction identifier, is recorded for audit, accounting, and AML purposes.

11

International Data Transfers

Some of our processors are located outside the European Economic Area or the United Kingdom. Where personal data is transferred outside these jurisdictions, we rely on legally recognised transfer mechanisms such as the European Commission Standard Contractual Clauses, equivalent UK addenda, adequacy decisions where available, and the transfer-impact assessments published by the relevant providers. You may contact us for more information on any specific transfer.

12

Retention Periods

  • Account data: kept while your account is active and for a reasonable period thereafter to handle disputes, fraud investigations, and legal obligations.
  • Append-only ledger & payment records: retained for at least the duration required by Singaporean accounting and tax law (currently 5 years) and longer if required for an open dispute or investigation.
  • Authentication session JWT: 30 days from issuance, after which you must sign in again.
  • Signup-attribution cookie: up to ~13 months from set time, then automatically discarded by the browser.
  • Server logs: short-term, typically 30–90 days unless preserved for an active investigation.
  • Marketing attribution data on user records: kept for the lifetime of the account because it is needed to credit partner commissions retroactively.

When data is no longer needed we delete it or anonymise it (for example, by stripping personal identifiers from long-term aggregate ledger records).

13

Security

We apply industry-standard security practices including TLS in transit, at-rest encryption on managed databases, bcrypt password hashing, HMAC-signed session tokens, HMAC-signed attribution cookies, webhook signature verification (Stripe, Coinremitter, 0xProcessing), and least-privilege access controls on operational tooling. No system can be guaranteed to be 100% secure; we encourage you to use a strong unique password and enable a passkey when available.

If we ever experience a personal-data breach affecting you, we will notify the relevant supervisory authority and / or you, as required by applicable law.

14

Children

The Platform is strictly reserved for adults aged 18 and over (or the age of majority in your jurisdiction, whichever is higher). We do not knowingly collect personal data from minors. If you believe a minor has provided personal data to Plypto, please contact us and we will delete it.

15

Gameplay-Specific Disclosures

Galactic Café — protons only, non-withdrawable

The Galactic Café (roulette, roll-under, roll-identical, scratch cards) is an in-game entertainment annex. Stakes and prizes are denominated exclusively in protons, the in-game resource. Protons won at the Galactic Café are non-withdrawable: they cannot be exchanged for Bitcoin, fiat currency, or any other crypto-asset, and they cannot be redeemed against Plypto for cash. Their only use is to be reinvested into the in-game economy (building / upgrading infrastructure, buying optional in-game items priced in protons such as Battle Strike Passes). The Galactic Café is not a casino, not a betting service, and not a payment product.

Bitcoin production — simulated, not on-device mining

Plypto is a strategic simulation game. In-game BTC production accrues at server-side, deterministic rates determined by the infrastructure you have built, upgraded, and defended in the game. Plypto does not mine cryptocurrency on your device, in your browser, or on your behalf. The Platform never executes proof-of-work hashing loops, never uses your CPU / GPU for mining, and never requires you to install any kind of miner.

Withdrawable BTC balances correspond to settled in-game production credited by our server-side rewards pipeline, subject to the eligibility rules set out in our Terms of Use and Terms of Sale.

Plypto is not a wallet, exchange, or financial institution

Plypto does not custody your private keys, does not let you send arbitrary crypto-assets between users, does not provide brokerage or exchange services, and does not provide financial, investment, or tax advice. The only purpose for which we accept a Bitcoin address from you is to pay out your in-game earned BTC during a withdrawal request.

16

Android App-Specific Notes

The Plypto Android app is a Trusted Web Activity wrapper: under the hood it is the Chrome browser rendering plypto.space. As a result:

  • No additional personal data is collected by the app itself beyond what the website would already collect in your browser.
  • The app does not access your phone book, SMS, microphone, camera, precise location, files outside its sandbox, or installed apps list.
  • Sign-in with Google in the app uses the same Google flow as in your browser and is processed by Google directly.
  • Push notifications are off by default. If we add them, you will be asked for explicit consent the first time the feature is used.
  • We do not run any mining, hashing, or compute-intensive background workload on your device.

17

Your Rights

Subject to applicable law, you have the following rights over your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: ask us to correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten"): ask us to delete your account and personal data, subject to legal retention obligations and to settled ledger records that must remain auditable for tax / accounting purposes.
  • Portability: receive a structured machine-readable export of the personal data you have provided.
  • Restriction & objection: ask us to pause certain processing activities or object to processing based on our legitimate interest.
  • Withdraw consent: where we rely on consent (for example, marketing emails), you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
  • Lodge a complaint: you may lodge a complaint with the data-protection supervisory authority of your country of residence (Singapore: PDPC; EU: your local DPA; UK: ICO).

To exercise any of these rights, please contact us as described in Section 21. To prevent unauthorised disclosure, we may need to verify your identity before acting on your request. We aim to respond within 30 days.

18

Marketing Communications

Transactional emails (welcome, password reset, purchase receipts, withdrawal updates) are sent on the basis of our contract with you and cannot be opted out of without closing your account.

Marketing or product-update emails (when applicable) are only sent to users who have explicitly opted in. Each such email contains an unsubscribe link, and the corresponding newsletterOptIn flag on your account is updated accordingly.

19

Do Not Track & Global Privacy Controls

We do not currently respond to legacy Do Not Track signals (which lack a unified industry standard). We do, however, disable Google Ads personalisation features in our Google Analytics 4 configuration when GA4 is loaded, and we honour explicit opt-outs you make through the providers listed in Section 8.

20

Changes to This Policy

We may update this Policy from time to time. The date at the top of the page reflects the latest revision. Material changes will be communicated through in-game notifications or email. Your continued use of the Platform after the posting of a revised Policy constitutes acceptance of the changes.

21

Contact

For privacy-related questions, requests, or complaints, please reach out to our team:

Plypto Pte. Ltd.
Republic of Singapore

General privacy: privacy@plypto.space
Data protection: dpo@plypto.space
Support: plypto.space/support

By continuing to use Plypto, you confirm that you have read, understood, and agree to this Privacy Policy.