Privacy Policy

1.1 Applicable Legislation

• Regulation (EU) 2016/679 (General Data Protection Regulation — GDPR);
• Act No. 110/2019 Coll. on the Processing of Personal Data (Czech Republic);
• Act No. 127/2005 Coll. on Electronic Communications, as amended (Czech Republic) — for marketing communications;
• Act No. 18/2018 Coll. on the Protection of Personal Data (Slovak Republic);
• Act No. 452/2021 Coll. on Electronic Communications (Slovak Republic) — for marketing communications;
• Act No. 253/2008 Coll. on the Prevention of Legalisation of Proceeds from Crime (Czech Republic) — for compliance with cryptocurrency payouts.

Data Protection Officer (DPO): The Controller has not appointed a Data Protection Officer pursuant to Article 37 of the GDPR. For any questions relating to the protection of personal data, please contact us at ask@y3s.app.

For any questions relating to the processing of your personal data or to exercise the rights of a data subject, please contact us at the e-mail address stated above or by post at the registered office address. You also have the right to lodge a complaint with a supervisory authority (in the Czech Republic: the Office for Personal Data Protection / Úřad pro ochranu osobních údajů).

We will respond to your request without undue delay and in any case within one month of its receipt. This period may be extended by a further two months if necessary, and we will inform you of this within the first month, together with the reasons for the extension.

3.1 Data you provide to us directly

• (a) Identification data: first name, last name, username and password (stored in hashed form). If required by applicable legislation or for the purposes of age verification/validation, we may also collect date of birth and/or nationality.
• (b) Contact data: email address, phone number (including country dialling code), postal address, country of residence.
• (c) Business Identification data (if applicable for B2B clients or entrepreneurs): business name, Company Registration Number (IČO), Tax Identification Number / VAT Number (DIČ/IČ DPH), VAT registration status.
• (d) Payment data: bank account number (IBAN), bank name, account holder name, cryptocurrency wallet address and (where card payments are used) limited card-related data received from our payment Processor (e.g., transaction token/identifier and last 4 digits). Full payment card numbers and CVV codes are processed directly by our payment Processor in accordance with the PCI-DSS standard and are not retained by us.
• (e) Communication Data: records of correspondence with our support team via email, chat, or telephone, feedback, complaints, and support ticket history. In the case of telephone communication, this may include call metadata (e.g., date/time, phone number) and, only when explicitly announced at the beginning of the call, call recordings for the purposes of support quality review and dispute resolution.

3.2 Automatically Collected Data

• (f) Device and Technical Data: IP address, browser type and version, operating system, device type and identifiers, screen resolution, language preferences, time zone. Where such data are collected through cookies, SDKs, or similar technologies, we distinguish between necessary technologies and optional analytical/marketing technologies, and obtain consent where required by applicable ePrivacy rules. For details, see Section 10.
• (g) Usage Data: pages visited, time spent on pages, click patterns, navigation paths, referral sources, entry and exit pages.
• (h) Platform Activity Data: login/logout timestamps, account settings and preferences, challenge participation and progress, demo trading activity, simulated positions and performance metrics, virtual capital allocation and management.

3.3 Data Obtained from Third Parties

• (i) Trading platform data: data relating to simulated transactions, trading signals and strategies, and performance metrics derived from integrated demo trading platforms. These data concern simulated/demo trading activity and are used for the operation of platform features. We do not use these data for automated decision-making with legal effects, unless expressly stated otherwise in this notice.
• (j) Social media data: if you choose, on an optional basis, to link your account or to log in via a third-party social login provider, we may obtain certain account data, such as your username, profile picture, and email address. Such providers may process data outside the territory of the EU/EEA; details regarding recipients and transfer safeguards are described in the relevant sections of this notice.
• (k) Data from the payment processor: confirmed transactions, payment status, fraud screening results. We receive only limited payment card information from payment processors (e.g., a token and the last 4 digits) and never receive or store full card numbers or CVV codes.

3.4 Obligation and Voluntary Nature of Data Provision

The provision of personal data is, depending on the purpose of processing, either a contractual requirement or voluntary:

• Identification and contact details (Section 3.1 letter a) and b)): a contractual requirement necessary for registration and use of the Services. Without providing them, it is not possible to conclude the contract or use the Services.
• Payment data and KYC verification (Section 3.1 letter d)): a contractual and statutory requirement necessary for processing reward payouts and fulfilling AML/KYC obligations. Without providing them, it is not possible to process the payout.
• Business Identification data (section 3.1, point c)): required only if the customer is acting within the scope of their business activities; otherwise voluntary.
• Marketing data and communication preferences: strictly voluntary. Failure to provide such data has no impact on access to the Services or on the payment of rewards.

We process your Personal data only where we have a valid legal basis pursuant to Article 6 of the GDPR. The table below provides a comprehensive overview of our processing activities:

5.1 Types of Marketing Communication

Subject to obtaining your consent or on the basis of our legitimate interest, we may contact you for marketing purposes through the following channels:

• Email: newsletters, promotional offers, service updates, educational content, Platform announcements;
• Phone calls: personalised offers, account overviews, satisfaction surveys, onboarding assistance, VIP client support;
• SMS/Text messages (marketing): time-limited promotional offers; Service/Security messages (non-marketing): important account-, security-, and transaction-related notifications;
• Push notifications: Platform alerts, promotional messages (if you have our mobile application installed);
• Messaging applications: communication via platforms you have connected (e.g. Telegram, Discord).

5.2 Legal basis for marketing

1. Your explicit prior consent (Art. 6(1)(a) GDPR) for: (i) marketing communications with prospective customers; (ii) telephone calls for marketing purposes; (iii) SMS messages for marketing purposes.
2. Our Legitimate interest (Art. 6(1)(f) GDPR) in sending electronic marketing to existing customers, provided that: (i) we obtained your contact details in connection with your purchase/use of our Services; (ii) we promote only our own similar services; and (iii) you were offered the opportunity to opt out.

Your consent to marketing communications is entirely voluntary and is not a condition for using our Services or receiving payouts. You will never be disadvantaged for refusing to give consent.

5.3 Right to Withdraw Consent and Object to Marketing

YOUR RIGHT TO WITHDRAW CONSENT / OBJECT TO MARKETING

You have the right to withdraw your consent to marketing communications or to object to direct marketing at any time, free of charge. To withdraw your consent or to object to marketing, you may:

1. Click the unsubscribe link at the bottom of any marketing email;
2. Reply STOP to any marketing SMS message;
3. Verbally request removal during any marketing telephone call;
4. Update your communication preferences in the account settings panel;
5. Write to us by email at: ask@y3s.app with the subject line: Marketing Opt-Out;
6. Contact our support team.

We will process your request without undue delay, and no later than within one month. Following your unsubscription, we will cease sending you marketing communications. We may retain a minimal record of your unsubscribe status on a suppression list.

We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable legislation. Upon expiry of the retention period, the data will be securely deleted or anonymised.

7.1 Categories of Recipients and List of Processors

We may share your personal data with the following categories of recipients. Where a recipient processes personal data on our behalf as our processor, we will have entered into an appropriate data processing agreement (DPA) in accordance with Article 28 of the GDPR. Some recipients may act as independent controllers and will process personal data in accordance with their own privacy notices.

Specific processors and recipients:

In addition to the Processors referred to above, we may share data with the following categories of recipients:

• Trading platform providers: to provide access to demo trading environments and to process simulated trades;
• Cryptocurrency exchange partners: to process cryptocurrency payouts to your designated wallet;
• Affiliate partners: to the extent necessary for the administration of the affiliate programme (e.g., conversion confirmation); affiliate partners act as independent controllers in relation to their own marketing activities and process personal data in accordance with their own privacy policies;
• Customer Relationship Management (CRM) tools: for managing customer support and communications;
• Analytics service providers: for understanding Platform usage patterns (where possible, we use aggregated/anonymised data);
• Professional advisors: lawyers, accountants, auditors and tax advisors as required;
• Public authorities: tax authorities, supervisory authorities, law enforcement agencies and courts, where required by law or an applicable legal process.

7.2 International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA). In the case of transfers outside the EEA, we ensure an adequate level of protection through the following mechanisms:

• Transfer to countries with an adequacy decision issued by the European Commission (Art. 45 GDPR);
• Standard Contractual Clauses (SCCs) approved by Commission Implementing Decision (EU) 2021/914 (Art. 46(2)(c) GDPR). Where we rely on SCCs, we assess the circumstances of the transfer and implement additional technical and organisational measures (e.g. encryption, access controls, data minimisation);
• Binding Corporate Rules, where applicable (Art. 47 GDPR);
• Your explicit consent to specific, exceptional transfers (Art. 49(1)(a) GDPR). In such cases, we will inform you of the possible risks of the transfer.

You can request a copy of the specific safeguards by contacting us at ask@y3s.app.

We have implemented appropriate technical and organizational security measures to protect your personal data against unauthorized access, accidental loss, alteration, disclosure, or destruction, in accordance with Article 32 of the GDPR. These measures include:

• Encryption and other cryptographic control mechanisms for data in transit and, where relevant, for stored data, utilizing current and industry-recognized standards;
• Multi-factor authentication (MFA) for user accounts and administrator access;
• Role-based access control restricting access to data solely to authorised persons;
• Regular security assessments, vulnerability scanning and penetration testing;
• Employee training on data protection and security awareness;
• Documented incident response procedures and personal data breach notification;
• Regular backups with tested disaster recovery procedures;
• Physical security controls at data centre premises.

Although we implement Security measures in accordance with industry standards, no method of transmission over the internet or method of electronic storage is 100% secure. You are responsible for maintaining the confidentiality of your account login credentials. If you suspect unauthorised access to your account, please notify us immediately at ask@y3s.app.

Under the GDPR and applicable national data protection legislation, you have the following rights with regard to your personal data:

9.9 How to Exercise Your Rights

If you wish to exercise any of your rights, please submit a request by email to ask@y3s.app or by post to the address of our registered office. Please provide sufficient information to identify you (name, email, account ID) and specify which right(s) you wish to exercise. We will respond to your request without undue delay and in any case within one month of its receipt. This period may, if necessary, be extended by a further two months; you will be informed of any such extension within the first month.

9.10 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

You may lodge your complaint with the competent supervisory authority:

We recommend that you contact us first at ask@y3s.app so that we can address your concerns directly. You may also seek judicial remedy pursuant to Articles 78 to 79 of the GDPR.

On our Platform, we use cookies and similar Tracking technologies to enhance your user experience, analyse usage, and deliver personalised content. For cookies other than strictly necessary ones (e.g. analytical, personalisation, advertising), we use these exclusively after you have given your consent through our cookie consent banner/management tool. You may withdraw or modify your consent at any time through the cookie settings available on the Platform (or via the link in the footer).

Necessary cookies are used on the basis of our legitimate interest in providing and securing the Platform. For comprehensive information about the types of cookies we use, their purposes, and your choices regarding cookies, please contact us at ask@y3s.app to request a copy of our Cookie Policy.

Our Services are intended exclusively for natural persons who have reached the age of 18. We do not knowingly collect personal data from minors (persons under the age of 18). If we learn that we have collected personal data from a person under the age of 18, we will take steps to restrict access to the Platform and delete such personal data without undue delay, unless we are required to retain it to fulfil a legal obligation or for the establishment, exercise, or defence of legal claims.

If you believe that we may have unintentionally collected data from a minor, please contact us immediately at ask@y3s.app.

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or for other legitimate purposes. When we make changes:

• We will update the effective date at the top of this Privacy Policy;
• In the case of material changes, we will notify you by email and/or through a prominent notice on our Platform at least 14 days before the changes take effect;
• Where required by law, we will request your consent to material changes;
• Previous versions will be archived and made available upon request.

We recommend that you review this Policy on a regular basis. We will always process Personal data in accordance with applicable laws and regulations and the legal bases described in this Privacy Policy. If you do not agree with the updated Policy, you should discontinue your use of the Platform; should you have any questions, you may contact us at ask@y3s.app.

If you have any questions, comments, or requests regarding this Privacy Policy or our data processing practices, please contact us through the following channels: