Privacy Policy

Personal Data Protection Policy

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Y3S Challenges Platform. By accessing or using our Services, you confirm that you have been informed about how we process personal data as described in this Policy. Where we rely on your consent for specific processing activities (e.g., certain marketing communications or optional cookies), we will ask for it separately and you may withdraw it at any time.

For clarity, the Platform is an educational and evaluation tool based on simulated trading. Any performance metrics, leaderboards, or evaluations are generated solely from simulated transactions and do not constitute investment advice, a recommendation, or execution of orders in financial instruments. Users should not rely on the Platform as a substitute for regulated investment services.

Important Notice: The Y3S Challenges Platform provides simulated trading services using demo accounts with virtual funds only. We do not provide investment services, investment advice, or any regulated financial services under Directive 2014/65/EU (MiFID II) or equivalent national legislation. All trading activities on our Platform are conducted in a purely simulated environment for educational and skill-assessment purposes. No real financial instruments are traded. Trading activity on the Platform is simulated and does not expose users to market losses on real-money trading positions.

1. Introduction

1.1 Applicable Law

  • Regulation (EU) 2016/679 (General Data Protection Regulation - "GDPR");
  • Act No. 110/2019 Coll. on the Processing of Personal Data (Czech Republic);
  • Act No. 127/2005 Coll. on Electronic Communications, as amended (Czech Republic) - for marketing communications;
  • Act No. 18/2018 Coll. on the Protection of Personal Data (Slovak Republic);
  • Act No. 452/2021 Coll. on Electronic Communications (Slovak Republic) - for marketing communications;
  • Act No. 253/2008 Coll. on Anti-Money Laundering (Czech Republic) - for cryptocurrency payout compliance.

2. Data Controller

UOwn Corporation s.r.o.

Vojtěšská 211/6, Prague 110 00, Czech Republic

Business ID (IČO): 21975469

Tax ID (DIČ): CZ21975469

Contact Email: ask@y3s.app

Commercial Register maintained by the Municipal Court in Prague, Section C, File No. 409265

For any questions regarding the processing of your personal data or to exercise your data subject rights, please contact us at the email address above or by post at the registered office. You also have the right to lodge a complaint with a supervisory authority (in the Czech Republic, the Office for Personal Data Protection / Úřad pro ochranu osobních údajů).

We will respond to your inquiry without undue delay and in any event within one month of receipt. This period may be extended by up to two further months where necessary, taking into account the complexity and number of requests; if we extend the period, we will inform you within one month of receipt and explain the reasons for the delay.

3. Categories of Personal Data We Collect

3.1 Data You Provide Directly

  • (a) Identification Data: first name, surname, username, and password (stored in a hashed form). Where required by applicable law or for verification/age-check purposes, we may also collect date of birth and/or nationality.
  • (b) Contact Data: email address, telephone number (including country code), postal address, country of residence;
  • (c) Business Identification Data (if applicable for B2B clients or entrepreneurs): business name, business identification number (IČO), tax identification number (DIČ/IČ DPH), VAT registration status;
  • (d) Payment Data: bank account number (IBAN), bank name, account holder name, cryptocurrency wallet address, and (where card payments are used) limited card-related data received from our payment processor (e.g., token/transaction identifier and last 4 digits). Full payment card numbers and CVV are processed directly by our PCI-DSS compliant payment processor and are not stored by us;
  • (e) Communication Data: records of correspondence with our support team via email, chat, or telephone, feedback, complaints, and support ticket history. For telephone communications, this may include call metadata (e.g., date/time, phone number) and, only where explicitly announced at the start of the call, call recordings for support quality and dispute resolution purposes, retained for a defined period described in our retention section.

3.2 Data Collected Automatically

  • (f) Device and Technical Data: IP address, browser type and version, operating system, device type and identifiers, screen resolution, language preferences, time zone. Where Device and Technical Data / Usage Data are collected via cookies, SDKs or similar technologies, we distinguish strictly necessary technologies from optional analytics/marketing technologies and obtain consent where required under applicable ePrivacy rules. See section 11 for details.
  • (g) Usage Data: pages visited, time spent on pages, click patterns, navigation paths, referral sources, entry and exit pages;
  • (h) Platform Activity Data: login/logout timestamps, account settings and preferences, challenge participation and progress, demo trading activity, simulated positions and performance metrics, virtual capital allocation and management.

3.3 Data from Third Parties

  • (i) Trading Platform Data: simulated transaction data, trading signals and strategies, performance metrics from integrated demo trading platforms. This Trading Platform Data relates to simulated/demo trading activity and is used to operate platform features (e.g., challenge evaluation, statistics, and user support). We do not use this data for automated decision-making producing legal or similarly significant effects unless explicitly stated elsewhere in this notice.
  • (j) Social Media Data: if you choose (optionally) to link or sign in using a third-party social login provider, we may receive certain account data such as your username, profile picture, and email address, depending on the provider and the permissions you grant. Such providers may process data outside the EU/EEA; details on recipients and transfer safeguards are described in the relevant sections of this notice.
  • (k) Payment Processor Data: transaction confirmation, payment status, fraud screening results (no full card numbers are shared with us). For the avoidance of doubt, we receive only limited card-related information from payment processors (e.g., token and last 4 digits) and never receive or store full card numbers or CVV.

4. Purposes and Legal Bases for Processing

We process your personal data only where we have a valid legal basis under Article 6 of the GDPR. The table below provides a comprehensive overview of our processing activities:

| Purpose | Legal Basis | Data Categories |
|---|---|---|
| Account Registration and User Account Management | Performance of Contract (Art. 6(1)(b)) | Identification, Contact, Account Settings |
| Provision of Demo Trading Services | Performance of Contract (Art. 6(1)(b)) | Platform Activity, Trading Data, Performance |
| Payment Processing (Challenge Fees) | Performance of Contract (Art. 6(1)(b)) | Identification, Payment Data |
| Performance Fee Payouts (Bank Transfer) | Performance of Contract (Art. 6(1)(b)) | Identification, Bank Account Data |
| Cryptocurrency Payouts | Performance of Contract (Art. 6(1)(b)) | Identification, Wallet Address, AML/VASP Data |
| Customer Support | Contract (Art. 6(1)(b)) + Legitimate Interest (Art. 6(1)(f)) - customer satisfaction | Identification, Contact, Communication Records |
| Tax and Accounting Compliance | Legal Obligation (Art. 6(1)(c)) - Czech tax law | Identification, Payment, Transaction Records |
| AML/CFT Compliance (Crypto) | Legal Obligation (Art. 6(1)(c)) - Act No. 253/2008 Coll. | Identification, Wallet Address, Transaction Data |
| Fraud Prevention and Platform Security | Legitimate Interest (Art. 6(1)(f)) - protecting business | Device Data, Usage Data, IP Addresses |
| Service Improvement and Analytics | Legitimate Interest (Art. 6(1)(f)) - improving services (subject to your right to object under Art. 21 GDPR) | Usage Data, Platform Performance (typically pseudonymized/aggregated where possible; truly anonymized data is no longer personal data) |
| Defense of Legal Claims | Legitimate Interest (Art. 6(1)(f)) - legal protection | Data necessary to establish, exercise, or defend legal claims (e.g., account data, transaction and payout records, communications, and relevant technical logs), retained only for as long as necessary and typically until the expiry of applicable limitation periods. |
| Marketing Communications (Email, SMS, Calls) | Consent (Art. 6(1)(a)) / Legitimate Interest (Art. 6(1)(f)) | Contact Data, Communication Preferences |

5. Marketing Communications

5.1 Types of Marketing Communications

Subject to obtaining your consent or relying on our legitimate interest (as applicable), we may contact you for marketing purposes through the following channels:

  • Email: newsletters, promotional offers, service updates, educational content, platform announcements;
  • Telephone Calls: personalized offers, account reviews, satisfaction surveys, onboarding assistance, VIP client support;
  • SMS/Text Messages (Marketing): time-sensitive promotions (only where permitted by law and/or with your consent); Service/Security Messages (Non-marketing): important account, security, and transactional notifications (sent as necessary to provide and secure the Services, irrespective of marketing preferences);
  • Push Notifications: platform alerts, promotional messages (if you have installed our mobile application);
  • Messaging Applications: communications through platforms you have connected (e.g., Telegram, Discord).

5.2 Legal Basis for Marketing

  1. Your explicit prior consent (Article 6(1)(a) GDPR, Section 7 of Act No. 127/2005 Coll., Section 116 of Act No. 452/2021 Coll.) for: (i) marketing communications to prospective customers who have not yet purchased our services; (ii) telephone calls for marketing purposes to any recipient; (iii) SMS messages for marketing purposes.
  2. Our legitimate interest (Article 6(1)(f) GDPR) in sending electronic marketing to existing customers about our own similar products or services, where permitted by applicable e-privacy laws (e.g., CZ/SK electronic communications and anti-spam rules), provided that: (i) we obtained your contact details in connection with your purchase/use of our Services; (ii) we market only our own similar services; and (iii) you were offered a clear, free opt-out when your details were collected and in every message, and you can object at any time (Art. 21 GDPR).

Your consent for marketing communications is entirely voluntary and is not a condition for using our Services or receiving payouts. You will never be disadvantaged for refusing to consent to marketing communications.

5.3 Right to Withdraw Consent and Object to Marketing

YOUR RIGHT TO WITHDRAW CONSENT / OBJECT TO MARKETING

You have the right to withdraw your consent to marketing communications or object to direct marketing at any time, free of charge, without affecting the lawfulness of processing based on consent before its withdrawal. To withdraw consent or object to marketing, you may:

  1. Click the "unsubscribe" link at the bottom of any marketing email;
  2. Reply "STOP" to any SMS marketing message;
  3. Verbally request removal during any marketing telephone call;
  4. Update your communication preferences in your account settings dashboard;
  5. Email us at: legal@y3s.app with subject line "Marketing Opt-Out";
  6. Contact our support team.

We will process your request without undue delay. In any event, we will implement your marketing opt-out/objection as soon as technically feasible, and no later than within one month, unless a shorter period is required by applicable law. After opting out, we will cease sending you marketing communications, but this will not affect your ability to use our Platform or receive payouts. Please note: after you opt out or object, we may retain a minimal record of your opt-out status (e.g., email/phone identifier and date) on a suppression list to ensure we comply with your request and do not contact you for marketing again.

6. Data Retention Periods

We retain your personal data only for as long as necessary to fulfill the purposes for which they were collected or as required by applicable law. Upon expiration of the retention period, data will be securely deleted or irreversibly anonymized.

| Data Category / Purpose | Retention Period |
|---|---|
| Account and Contract Data | Duration of contractual relationship + up to 10 years, where necessary to comply with legal obligations (e.g., accounting/tax) and/or for the establishment, exercise or defence of legal claims; otherwise deleted or anonymized earlier. |
| Tax and Accounting Records | 10 years from end of the relevant tax period (or longer/shorter where required by applicable tax and accounting law, as applicable in the Czech Republic and/or Slovakia). |
| AML/VASP Records (crypto payouts) | 5 years after termination of the business relationship (or longer where required/authorised by applicable AML law or a competent authority). |
| Customer Support Communications | 3 years from resolution of inquiry. |
| Marketing Data (with consent) | Until consent withdrawn or max 5 years from last interaction. |
| Marketing Data (legitimate interest) | 5 years from last contract or until objection received. |
| Analytics and Service Improvement | Anonymized within 6 months of collection. |
| Security Logs and Fraud Prevention | 1 year from collection. |
| Cookies and Tracking Technologies | See section 11. |

7. Data Sharing and Recipients

7.1 Categories of Recipients

We may share your personal data with the following categories of recipients. Where a recipient processes personal data on our behalf as our processor, we will have an appropriate data processing agreement in place in accordance with Article 28 GDPR. Some recipients may act as independent controllers (e.g., payment service providers, cryptocurrency exchange partners) and will process personal data under their own privacy notices. Public authorities receive personal data where required by applicable law or valid legal process:

  • Trading Platform Providers: to provide you access to demo trading environments and process simulated trades;
  • Payment Service Providers: to process challenge fee payments and bank transfer payouts (PCI-DSS compliant). Certain recipients (in particular payment service providers and cryptocurrency exchanges) may process personal data as independent controllers for their own compliance purposes (e.g., AML/KYC, fraud prevention, regulatory reporting). In such cases, their own privacy notices will apply to their processing.
  • Cryptocurrency Exchange Partners: for processing cryptocurrency payouts to your designated wallet. Certain recipients may process personal data as independent controllers for their own compliance purposes. In such cases, their own privacy notices will apply to their processing.
  • Cloud Infrastructure Providers: for secure data storage and platform hosting. Depending on the provider and support arrangements, personal data may be accessed from countries outside the EEA; where this occurs we implement the safeguards described in Section 7.2.
  • Customer Relationship Management Tools: for managing customer support and communications;
  • Email Service Providers: for sending transactional and marketing communications (where consented). Users can withdraw consent to marketing at any time (where consent is the legal basis) and/or object to direct marketing at any time. Each marketing message will include an unsubscribe mechanism, and we will honor opt-out requests without undue delay.
  • Analytics Providers: for understanding Platform usage patterns. Where possible we use aggregated/anonymized data; otherwise we use pseudonymized identifiers (which remain personal data under GDPR) and apply appropriate technical and organizational measures to reduce identifiability.
  • Professional Advisors: lawyers, accountants, auditors, and tax advisors as necessary for legal and regulatory compliance;
  • Public Authorities: tax authorities, supervisory authorities, law enforcement, and courts where required by law or valid legal process.

7.2 International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA). Where transfers outside the EEA occur, we will provide (upon request and/or in an up-to-date list made available in our privacy documentation) the categories of recipients and the destination countries involved, where this is possible without compromising security or contractual restrictions. Where we transfer data outside the EEA, we ensure an adequate level of protection through one or more of the following mechanisms:

  • Transfer to countries with an adequacy decision by the European Commission (Article 45 GDPR);
  • Standard Contractual Clauses (SCCs) approved by European Commission Decision 2021/914 (Article 46(2)(c) GDPR). Where we rely on SCCs (or other Article 46 GDPR safeguards), we assess the circumstances of the transfer and implement additional technical and organizational measures where necessary (e.g., encryption in transit/at rest, access controls, data minimization) to ensure a level of protection essentially equivalent to that in the EU/EEA.
  • Binding Corporate Rules where applicable (Article 47 GDPR);
  • Your explicit consent for specific, exceptional transfers (Article 49(1)(a) GDPR) where Article 45/46 safeguards are not available. In such cases, we will inform you of the possible risks of the transfer due to the absence of an adequacy decision and appropriate safeguards before requesting your explicit consent.

You may request a copy of the specific safeguards we have implemented by contacting us at legal@y3s.app.

8. Data Security Measures

We have implemented appropriate technical and organizational security measures to protect your personal data against unauthorized access, accidental loss, alteration, disclosure, or destruction, in accordance with Article 32 of the GDPR. These measures include:

  • Encryption and other cryptographic controls for data in transit and, where appropriate, at rest, using up-to-date industry-accepted standards;
  • Multi-factor authentication (MFA) for user accounts and administrative access;
  • Role-based access controls limiting data access to authorized personnel only;
  • Regular security assessments, vulnerability scanning, and penetration testing;
  • Employee training on data protection and security awareness;
  • Documented incident response and data breach notification procedures;
  • Regular backups with tested disaster recovery procedures;
  • Physical security controls at data center facilities.

While we implement industry-standard security measures, no method of transmission over the Internet or method of electronic storage is 100% secure. You are responsible for maintaining the confidentiality of your account credentials and for using our Services in a secure computing environment. Please notify us immediately at ask@y3s.app if you suspect any unauthorized access to your account.

9. Your Data Subject Rights

Under the GDPR and applicable national data protection laws, you have the following rights regarding your personal data:

9.1 Right of Access

You have the right to obtain confirmation as to whether your personal data are being processed and, if so, to access the personal data and receive information about the processing. The first copy is provided free of charge; additional copies may be subject to a reasonable administrative fee.

9.2 Right to Rectification

You have the right to request correction of inaccurate personal data without undue delay and to have incomplete personal data completed. You can update most of your data directly through your account settings.

9.3 Right to Erasure

You have the right to request deletion of your personal data where: (a) the data are no longer necessary for the purposes for which they were collected; (b) you withdraw consent and there is no other legal basis; (c) you object to processing and there are no overriding legitimate grounds; (d) the data have been unlawfully processed; or (e) erasure is required by law. This right is subject to statutory retention obligations.

9.4 Right to Restriction of Processing

You have the right to request restriction of processing where: (a) you contest the accuracy of the data (for verification period); (b) processing is unlawful but you oppose erasure; (c) we no longer need the data but you require them for legal claims; or (d) you have objected to processing pending verification of legitimate grounds.

9.5 Right to Data Portability

Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON, CSV) and to have it transmitted directly to another controller where technically feasible.

9.6 Right to Object

You have the right to object to processing based on legitimate interests at any time. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests. You have an absolute and unconditional right to object to processing for direct marketing purposes at any time.

9.7 Right to Withdraw Consent

Where processing is based on your consent, you have the right to withdraw consent at any time without providing any reason. Withdrawal does not affect the lawfulness of processing before the withdrawal.

9.8 Right Not to Be Subject to Automated Decision-Making

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except where such processing is: (a) necessary for a contract; (b) authorized by law; or (c) based on your explicit consent. We do not currently engage in fully automated decision-making that produces legal effects.

9.9 How to Exercise Your Rights

To exercise any of your rights, please submit a request to legal@y3s.app or by post to our registered office address. Please include sufficient information to identify yourself (name, email, account ID) and specify which right(s) you wish to exercise. We may request additional information to verify your identity before processing your request. We will respond to your request without undue delay and in any event within one month of receipt. This period may be extended by up to two additional months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within the first month.

9.10 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. In the Czech Republic, the supervisory authority is the Office for Personal Data Protection (ÚOOÚ). In Slovakia, it is the Office for Personal Data Protection of the Slovak Republic (ÚOOÚ SR). You may also seek a judicial remedy under Articles 78-79 GDPR.

10. Right to Lodge a Complaint

If you believe that our processing of your personal data violates applicable data protection laws, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.

Czech Republic

Office for Personal Data Protection

Pplk. Sochora 27, 170 00 Prague 7

Email: posta@uoou.cz

Web: www.uoou.cz

Slovak Republic

Office for Personal Data Protection

Hraničná 12, 820 07 Bratislava

Email: statny.dozor@pdp.gov.sk

Web: www.dataprotection.gov.sk

We encourage you to contact us first at legal@y3s.app so that we can address your concerns directly.

11. Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our Platform to enhance your experience, analyze usage, and deliver personalized content. For non-essential cookies (e.g., analytics, personalization, advertising), we use them only after you have given your consent via our cookie banner/consent tool. You can withdraw or change your consent at any time through the cookie settings available on the Platform (or via a link in the footer).

Essential cookies are used based on our legitimate interest in providing and securing the Platform. For comprehensive information about the types of cookies we use, their purposes, and your choices regarding cookies, please contact us at legal@y3s.app to request a copy of our Cookie Policy.

12. Protection of Minors

Our Services are intended exclusively for individuals who are 18 years of age or older. We do not knowingly collect personal data from minors (persons under 18 years of age). If we become aware that we have collected personal data from a person under 18, we will take steps to restrict access to the Platform and delete such personal data without undue delay, unless we are required to retain it to comply with a legal obligation or to establish, exercise, or defend legal claims.

If you believe we may have inadvertently collected data from a minor, please contact us immediately at legal@y3s.app.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or for other legitimate purposes. When we make changes:

  • We will update the "Effective Date" at the top of this Policy;
  • For material changes, we will notify you by email and/or through a prominent notice on our Platform at least 14 days before the changes take effect;
  • Where required by law, we will obtain your consent to material changes;
  • Previous versions will be archived and available upon request.

We encourage you to review this Policy periodically. We will always process personal data in accordance with applicable law and the lawful bases described in this Privacy Policy. Where a change requires your consent, we will request your consent separately (and you may withdraw it at any time). If you do not agree with an updated Privacy Policy, you should stop using the Platform and you may contact us with questions at legal@y3s.app.

14. Contact Information

For any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us through the following channels:

Data Subject Rights Requests: legal@y3s.app — Subject: "Data Subject Request - [Right]"

General Privacy Inquiries: legal@y3s.app — Subject: "Privacy Inquiry"

Marketing Opt-Out: ask@y3s.app — Subject: "Marketing Opt-Out"

Security Incidents: ask@y3s.app — Subject: "Security Incident Report"

UOwn Corporation s.r.o.

Postal Address: UOwn Corporation s.r.o., Vojtěšská 211/6, 110 00, Prague, Czech Republic

Effective Date: 01.01.2026