This is a short, plain-language summary of our full Privacy Policy. Where the two differ, the full Policy is the one that governs.

OVERVIEW

At Play Solana, we treat privacy as part of how good technology should work, rather than as a separate formality, and this summary sets out in plain language what happens to your personal data when you visit our website, use the PSG1 device, or interact with our services, while the full Privacy Policy remains the document that governs the detail.

The Policy applies worldwide and is built to a high standard of data protection, drawing on the GDPR in Europe, the United Kingdom framework, the LGPD in Brazil, the CPRA in California, and the other regimes that reach our users, and we review it every year, and sooner whenever the law or the way we work changes, telling you in a clear and lasting way whenever a change is significant.

Our products are not meant for anyone under thirteen, and use by a young person between thirteen and eighteen depends on the consent of a parent or guardian, subject to any higher age that local law may set.

Because blockchain technology and connected devices carry risks that no one can fully remove, the Policy is candid that a blockchain transaction is irreversible and public, that digital assets are volatile, and that we are not a custodian, since we never hold or recover your private keys or seed phrases, which remain yours to protect.

Unless the consumer-protection law of your own country requires otherwise, this Policy and anything connected to it are governed by the laws of the United Arab Emirates, and nothing in it takes away the protection that the law where you live already gives you.

WHAT WE COLLECT AND WHY

What we process depends on how you meet us, so that when you create or keep an account we handle data such as your name, email, contact and delivery details, and login credentials, when you buy from our store we handle your order, billing, and shipping information together with the confirmation of payment, and when you use the device or our services we may record limited usage, configuration, update, download, installation, and diagnostic data to keep everything working, secure, and compatible.

When you install an update or turn on a new feature, the device may read some additional information already held on the console, including download status, installation status, app or game identifiers, version information, and related technical timestamps, so that the feature you asked for can work. Where any such reading would go beyond what that feature strictly needs, such as optional analytics or product-improvement telemetry, we ask for your consent on the device itself before it begins.

We may also process an approximate location drawn from network information in order to detect fraud, apply export-control and sanctions rules, and show you content suited to your region, relying on your consent where the law requires it.

HOW AND WHEN DATA IS SHARED AND TRANSFERRED

Play Solana does not sell personal data, and we share it only where that is genuinely needed for the reasons the Policy describes, whether with the service providers who act for us under contract, such as our payment, logistics, hosting, and support partners, or with the independent third parties whose tools make the product work, such as the apps and wallets you choose to use and the blockchain networks that process your transactions.

Some advertising and social-media tools built into our website work in a way where we and the provider share responsibility for the data they gather, and we use those only after you have consented through the cookie banner, while courts, regulators, and authorities may receive data where the law requires it or where it is needed to protect rights, prevent fraud, or comply with sanctions.

Because we operate globally, your data may travel across borders, and whenever it does we apply the safeguards the law expects, including the Standard Contractual Clauses for transfers out of the European Economic Area, the United Kingdom Addendum for transfers out of the United Kingdom, and equivalent mechanisms under the LGPD, the CPRA, the PIPL, and the other frameworks, so that it keeps the same level of protection wherever it goes.

RETENTION, SECURITY AND YOUR RIGHTS

We keep personal data only for as long as it is needed to serve the purposes set out in the Policy, to meet our legal and regulatory duties, or to resolve disputes and enforce our agreements, after which we delete it, anonymise it, or place it in a protected archive where continued retention is still justified.

We protect it with technical and organisational measures designed to keep it confidential, accurate, and available, including encryption in transit, access controls, role-based permissions, monitoring, credential-management practices, and incident-response procedures, with notification to the authorities and to those affected where the law requires it.

Under the laws the Policy refers to, you hold a set of rights over your data, which include asking for access to it, correcting it, deleting it, restricting or objecting to its use, receiving it in a portable form, and withdrawing any consent you gave, and you can use them by contacting our privacy team, who may need to verify your identity first and will reply within the period the law allows.

CHILDREN, COOKIES, ON-CHAIN DATA AND CONTACT

We do not knowingly collect data from children below the age the law permits, the PSG1 device and related services are meant for people aged thirteen or older, and because the device does not yet include parental controls, a parent or guardian stays responsible for supervising a minor's use.

We use cookies and similar technologies as the full Policy explains, relying on the strictly necessary ones to make the site work and on everything else only where you have consented, a choice you can revisit and change at any time.

For blockchain activity, the Policy is clear that we do not control or alter what is written to a public ledger, that such data is permanent and visible to anyone, and that you alone are responsible for safeguarding your wallet and the credentials that protect it.

For any question, concern, or request about your personal data, you can reach our privacy team at legal@playsolana.com. Because Play Solana is established outside the European Union while offering its services to people within it, Play Solana has also appointed an EU representative for the limited purposes of Article 27 of the GDPR, as an additional point of contact for people in the Union. The representative’s details appear in the full Policy.

Across everything we do, we hold to the same commitment to transparency, accountability, and respect for privacy, applying one standard worldwide and treating your data with the care we would expect for our own. The tables below summarise the main categories of data we process, with their purposes, legal bases, and retention periods, the rights you can exercise, and the safeguards we apply when data crosses a border.

At Play Solana, we treat privacy as part of how good technology should work, not as a formality. This Privacy Policy (the “Policy”) explains, in plain terms, what personal data we collect, why we collect it, how we protect it, and the rights you have over it. It is written in English, which is the version that governs. We provide translations for convenience, and if a translation ever differs from the English, the English text is the one that applies. We review this Policy at least once a year, and sooner whenever the law or the way we work changes.

IMPORTANT, PLEASE READ CAREFULLY

This Policy describes how Play Solana LTD, a company incorporated under the laws of the Ras Al Khaimah Digital Assets Oasis (RAK DAO) in the United Arab Emirates, with its registered office at RAK DAO Business Centre, Al Rifaa, Sheikh Mohammed Bin Zayed Road, Ras Al Khaimah, collects, uses, stores, shares, transfers, and protects personal data. In this Policy we call ourselves Play Solana, we, us, or our.

It applies wherever you meet us. That includes our website at playsolana.com and its subdomains, our online store and everything around a purchase such as checkout, payment, shipping, returns, and support, the PSG1 Device together with its operating system, software, updates, and connected features, the wallet integrations and on-chain activity you carry out through the Device, and our communications, customer service, and marketing.

By using our Services or the PSG1 Device, you confirm that you have read and understood how we handle your personal data. If you do not agree with this Policy, the right thing to do is to stop using our Services and, where you can, return the Device under our Terms of Service and your statutory rights. Nothing here takes away the protection that privacy or consumer law gives you, and where the law of your own country is stronger, that law applies.

This Policy is built to meet a high standard of data protection worldwide. The frameworks we have in mind include the EU General Data Protection Regulation (the GDPR), the UK Data Protection Act 2018 and UK GDPR, Brazil's General Data Protection Law (the LGPD) and Consumer Defence Code, the California Consumer Privacy Act as amended by the California Privacy Rights Act (the CPRA), the U.S. Children's Online Privacy Protection Act (COPPA), China's Personal Information Protection Law (the PIPL), India's Digital Personal Data Protection Act (the DPDP Act), the UAE Federal Data Protection Law of 2021 with the DIFC and ADGM regimes, Canada's PIPEDA, the Australian Privacy Act 1988, Japan's APPI, Korea's PIPA, and any other privacy law that applies to our Services.

We may amend this Policy from time to time, and the effective date at the top shows when the current version took force. Where a change is material, we will tell you in a durable medium such as an email, a notice on the Device, or a banner on the website, and your continued use of our Services or the Device after the change takes effect means you accept the revised Policy.

AGE RESTRICTIONS

The PSG1 Device is not for anyone under thirteen. The website and store may be used by people aged thirteen to eighteen only with the consent of a parent or guardian, unless a higher digital age of consent applies where they live, as it can in parts of the EU, where it reaches sixteen, or in Brazil, where it is fourteen. We do not knowingly collect personal data from children below the legal age, and if we find that we have, we erase it without delay.

RISKS OF DIGITAL AND BLOCKCHAIN TECHNOLOGIES

Working with blockchain technology and connected hardware carries real risks that no company can fully remove, and we would rather be straight with you about them. Transactions on a blockchain are irreversible. Digital assets are volatile. Protocols can fail, fork, or be exploited. Much of the infrastructure sits with third parties we do not control, and any network can carry security flaws. We are also not a custodian. We do not store, control, or recover your private keys, seed phrases, or wallet credentials, so keeping them safe is down to you. No technology is ever perfectly secure, and some risk always remains.

GOVERNING LAW

Unless a mandatory rule of consumer law says otherwise, this Policy and any dispute about it are governed by the laws of the United Arab Emirates, with the courts of Dubai as the default venue, and without affecting your right as a consumer to bring a claim in the country where you live. If this Policy and our Terms of Service or Terms of Use ever conflict on a question of personal data, this Policy is the one that applies to that question.

1. Definitions

1.1 “Account” means a personal profile registered with Play Solana that lets you make purchases, set up a Device, or use our Services, along with the credentials, preferences, and order history linked to it.

1.2 “Affiliate” means any entity that controls, is controlled by, or is under common control with Play Solana LTD, whether directly or indirectly.

1.3 “Applicable Law” means every law, regulation, and binding guidance that applies to personal data or consumer rights, including the ones named in the introduction to this Policy and any other privacy framework in force where we operate or offer our products.

1.4 “Blockchain Data” means data recorded on a distributed ledger, such as wallet addresses, transaction identifiers, smart-contract interactions, and on-chain metadata. By its nature this data is public, permanent, and beyond our control.

1.5 “Child” or “Minor” means anyone below the age set by Applicable Law, which is under thirteen in the United States and for Device use anywhere, under fourteen in Brazil, under sixteen in some EU Member States, or any higher local threshold.

1.6 “Controller” means the natural or legal person who, alone or with others, decides why and how personal data is processed, as defined in Article 4(7) of the GDPR and its equivalents.

1.7 “Cookies and Similar Technologies” means small files, code, or scripts stored on or read from a device, including HTTP cookies, local storage, software development kits, pixels, tags, and other tracking tools.

1.8 “Customer Data” means the information we collect when you order from our store, such as your billing and shipping address, payment confirmation, delivery tracking, and order history.

1.9 “Data Breach” means a security incident that leads to the accidental or unlawful loss, destruction, alteration, or unauthorised disclosure of, or access to, personal data, whether or not any harm is apparent straight away.

1.10 “Device” means the Play Solana PSG1 console and any future hardware we make, distribute, or support, including its operating system, firmware, pre-installed apps, secure elements, and connected services.

1.11 “Durable Medium” means any medium that lets you keep information addressed to you in a form you can return to and that reproduces it unchanged, such as an email, a PDF, or a printed document.

1.12 “On-Chain Interactions” means any transaction, smart-contract execution, signature, or blockchain communication started through the Device or our Services. We do not validate, reverse, or control them.

1.13 “Partner” or “Third Party” means any natural or legal person other than Play Solana, its staff, or its affiliates that we work with to provide our Services, including payment processors, logistics providers, app developers, and analytics vendors.

1.14 “Personal Data” (also “Personal Information”) means any information relating to an identified or identifiable person, as defined in Article 4(1) of the GDPR, Article 5(I) of the LGPD, section 1798.140 of the CPRA, Article 4 of the PIPL, and their equivalents. Examples include a name, email, shipping address, IP address, device identifier, or a wallet address when it can reasonably be linked to a person.

1.15 “Processing” means any operation performed on personal data, automated or not, including collecting, recording, organising, storing, changing, retrieving, using, disclosing, restricting, erasing, or destroying it, as defined in Article 4(2) of the GDPR.

1.16 “Processor” means a natural or legal person who processes personal data on behalf of a controller and on that controller's instructions.

1.17 “Sanctioned Jurisdiction” or “Restricted Person” means any country, region, government, entity, or individual under trade restrictions, embargoes, or sanctions under Applicable Law, including the regimes run by OFAC in the United States, the EU, the UK, the UN, and others.

1.18 “Sensitive Personal Data” (also “Special Category Data”) means the categories the law protects more closely, including biometric and genetic data, precise location, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data about health or sexual orientation, and data about minors.

1.19 “Services” means the Play Solana website, the online store, the Device-related services, firmware and software updates, wallet integrations, on-chain interactions, customer support, and our related offerings.

1.20 “Telemetry Data” means the system and performance data drawn from the Device or its software for diagnostics, updates, error reporting, and product improvement, always subject to your settings and to Applicable Law.

1.21 “Updates” means the patches, firmware upgrades, software releases, and security improvements we provide for the Device or its services.

1.22 “User Content” means the data, text, files, images, or messages you choose to submit through the Device, website, store, or related services.

1.23 “Wallet” means a cryptographic mechanism, in hardware or software, that lets you carry out blockchain transactions and hold digital assets. To be clear, Play Solana is not a custodian and does not store or recover private keys or seed phrases.

2. Categories of Data Collected

2.1 Account and Registration Data

When you create or keep a Play Solana account, we process things like your name, email address, shipping and billing details, login credentials, and preferences, and we may record your order history and any Device linked to your account.

2.2 Order, Payment, and Transaction Data

When you order from our store, we process the information around your purchase, including the products ordered, the payment method, your billing and shipping details, the order identifiers, and the confirmation of payment, refund, or chargeback. We do not store sensitive payment details such as full card numbers. Those are handled only by certified third-party payment providers.

2.3 Device Data

When you use the PSG1 Device, we may process information about it, such as hardware identifiers, the model, the operating system and firmware version, the language and region settings, network identifiers including the IP and MAC address, update status, download status, installation status, app or game identifiers, and technical logs generated by updates, errors, or the features you use. Where telemetry, diagnostic data, crash reports, or performance metrics are enabled, generated, or made available by the relevant feature, we may process them to keep the Device working well, secure, and compatible, and to improve it within the limits of your settings and the law. When you install an update or turn on a new feature, the Device may read additional configuration or usage information from the console, including download and installation information, so that the feature you asked for can work, and Section 3 explains the basis for this and when we ask for your consent.

2.4 Software and Usage Data

When you use the software on the Device or our Services, we may collect limited technical data about app or game availability, download and installation status, update history, configuration settings, and how you use support or help features. We use this data to operate the relevant feature, maintain compatibility, troubleshoot faults, and keep the Services secure.

2.5 On-Chain and Wallet-Related Data

When you start an on-chain transaction through the Device, we may process wallet addresses, transaction identifiers, smart-contract calls, and metadata such as gas fees, timestamps, and block height. Blockchain data is public, permanent, and outside our control. We do not store, control, or recover private keys, seed phrases, or wallet credentials, and keeping them safe is down to you.

2.6 Communication and Support Data

When you contact us for support, warranty, or general questions, we may process the messages, the transcripts of calls or chats, any attachments or screenshots you send, and the identifiers that tie them to your account or Device.

2.7 Marketing and Preference Data

When you choose to hear from us, we process your subscription preferences, how you interact with our campaigns, and your participation in promotions, events, or surveys. Where the law requires it, we do this only with your consent, and you can withdraw that consent at any time without affecting anything we did before.

2.8 Location Data

Depending on your settings, we may process an approximate location from your IP address or region settings, or a precise location if you turn on location services on the Device. Where the law requires it, we process precise location only with your explicit consent.

2.9 Sensitive Personal Data

As a rule we do not collect sensitive data. It can come up in narrow cases, such as a biometric identifier tied to a security feature you choose to turn on, a financial identifier, or data about a minor for whom parental consent is needed. We process any such data only with your explicit consent or where Applicable Law strictly requires it.

2.10 Automatically Collected Data

When you use our website or store, we may process information collected automatically through cookies and similar technologies, such as your browser type, operating system, IP address, the date and time of your visit, the referring page, and identifiers stored locally. Technologies that are not strictly necessary are used only where you have consented, and our Cookies Policy explains them in full. Turning them off may change how the website behaves.

2.11 Third-Party Data

We may receive data about you from others, including logistics partners who report on delivery and tracking, payment providers who confirm whether a transaction worked, app developers or marketplaces integrated with the Device, and authorities where the law requires it.

2.12 Data Concerning Minors

We do not knowingly collect personal data from anyone below the minimum legal age, and where we get such data without valid consent, we erase it without delay.

2.13 Aggregated or Anonymised Data

We may process data in an aggregated or anonymised form that cannot reasonably be traced back to a person. As long as it cannot be re-identified, it is not personal data under Applicable Law.

3. Purposes of Processing and Legal Bases

3.1 Account Creation and Management

We process your account and registration data so you can create, manage, and secure a Play Solana account, which means verifying your identity, handling authentication, managing your settings, guarding against unauthorised access, and linking your Device to your account. The basis is the performance of our contract with you under Article 6(1)(b) of the GDPR and Article 7(V) of the LGPD, together with our legitimate interest under Article 6(1)(f) in keeping accounts secure, and, where a minor is involved, parental-consent rules.

3.2 Order Processing, Payments, and Delivery

We process order data to confirm a purchase, handle billing, arrange shipping, work out the taxes that apply, and meet customs rules. This can mean sharing your name, contact details, and address with logistics partners, and sharing payment confirmation with financial institutions. We never store sensitive payment credentials, which are handled only by certified providers. The basis is the performance of our contract with you and compliance with our legal duties under consumer, tax, and accounting law.

3.3 Operation and Maintenance of the Device and Software

We process Device and software data, such as identifiers, configuration, diagnostic logs where generated, error reports where generated, update status, download and installation status, app or game identifiers, and performance metrics where enabled or made available, so the PSG1 Device works correctly and stays secure, so we can deliver updates, fix faults, detect whether downloads or installations have completed, and keep it compatible with third-party apps. The basis is the performance of our contract with you, together with our legitimate interest under Article 6(1)(f) in a reliable and secure product. Where the Device stores information on, or reads information already held within, the console, and that reading is strictly necessary to deliver an update, verify access to a feature, detect download or installation status, restore functionality, or deliver a feature you asked for, we rely on our contract with you. Where the reading goes beyond what is strictly necessary for that feature, such as optional analytics or product-improvement telemetry, we ask for your consent on the Device itself before any such reading begins, in line with Article 5(3) of the ePrivacy Directive and the European Data Protection Board guidance on its technical scope.

3.4 On-Chain Transactions and Wallet Interactions

We process blockchain metadata, including wallet addresses and transaction identifiers, only to let you start a transaction through the Device. We do not validate or reverse a blockchain transaction, and we cannot recover lost credentials. The basis is the performance of our contract with you, and in places that treat blockchain identifiers as personal data, such as the EU and Brazil, we treat them the same way and apply the same safeguards.

3.5 Customer Support, Repairs, and Warranty Services

We process the messages, transcripts, and attachments from a support interaction to resolve your issue, give technical help, and handle a warranty or repair claim, which can mean linking your messages to your account or Device. The basis is the performance of our contract with you and our legitimate interest in good support, and we may keep such records to meet legal duties, for example under consumer law in the EU or the LGPD in Brazil.

3.6 Marketing and Promotions

We process your email, preferences, and campaign activity to send newsletters, promotions, and invitations, and only with your prior consent where the law requires it. You can opt out at any time. We do not sell your personal data, and we do not profile you for targeted advertising without your consent where that consent is required.

3.7 Location-Based Services

We process an approximate location from your IP address to enforce geoblocking and export controls, show you relevant content, detect fraud, and comply with sanctions rules. Where you turn on precise location on the Device, we do so only with your explicit consent. The basis is consent or legitimate interest, depending on the place.

3.8 Processing of Sensitive Personal Data

We process sensitive data, such as the biometrics used to secure the Device, only where you choose to turn on the feature and only with your explicit consent under Article 9(2)(a) of the GDPR and Article 11 of the LGPD. We may also process financial identifiers to prevent fraud. This processing stays limited to what is necessary and to what the law allows.

3.9 Security, Fraud Prevention, and Abuse Detection

We process IP addresses, Device identifiers, login attempts, transaction metadata, and messages to prevent fraud, detect abuse, watch for suspicious activity, and keep our networks secure, so that, for example, repeated failed logins can trigger a protective step. The basis is our legitimate interest under Article 6(1)(f), weighed against your rights, and in California this counts as a business purpose under the CPRA.

3.10 Compliance with Legal and Regulatory Obligations

We process personal data to meet the duties the law puts on us, including tax and accounting law, product safety, warranty, anti-money-laundering and counter-terrorist-financing rules, and export controls, so we can, for example, keep invoice data for the period the law sets or check a delivery address against a sanctions list. The basis is compliance with a legal obligation under Article 6(1)(c) of the GDPR and Article 7(II) of the LGPD.

3.11 Product Improvement, Research, and Analytics

We may process Device and usage data, anonymised where we can, to understand how the product is used, find where it underperforms, and build new features, and we may use aggregated data for analysis as long as it cannot reasonably be re-identified. The basis is our legitimate interest in developing the product and, where the law requires it, your consent.

3.12 Record-Keeping and Business Continuity

We may keep records of transactions, support tickets, and Device updates as part of our internal record-keeping and to keep the business running through backups, disaster recovery, and audits. The basis is our legitimate interest and compliance with our legal duties.

3.13 Other Purposes Consistent with the Above

We may process data for purposes closely related to those above, such as training our staff, quality assurance, or enforcing our Terms, and where the law requires it we will ask for your consent or give you further notice.

4. Data Sharing and Third Parties

4.1 General Principle

We do not sell personal data. We share it only where this is needed to provide our Services, comply with the law, or protect our rights, or where you have consented. Every third party that receives your data is bound by contract to handle it securely, lawfully, and only as we instruct.

4.2 Service Providers and Processors

We share data with trusted providers that act for us as processors, including payment processors and financial institutions that handle transactions, logistics and shipping providers that deliver products and manage returns, cloud-hosting and infrastructure providers that keep our systems and backups running, authentication and identity-verification providers, email-delivery providers, blockchain infrastructure providers, cache and rate-limiting providers, analytics and diagnostics vendors that help us monitor performance, content-management providers, internal notification tools, and support partners that help with questions and warranty. These providers may process your data only for the services they provide to us and are not allowed to use it for their own independent purposes unless the law treats them as separate controllers and their own privacy terms apply.

4.3 Third-Party Applications and Integrations

When you use apps, marketplaces, or wallets integrated with the Device, some data may pass to them so the feature can work. Starting a blockchain transaction, for example, means your wallet address and the transaction metadata have to be shared with the relevant network. As a rule these parties are independent controllers of your data and apply their own privacy policies, and once the data reaches them, we no longer control how they use it.

4.4 Affiliates and Corporate Transactions

We may share data with our affiliates where it is needed to run the group, under the same safeguards, and if there is ever a merger, acquisition, reorganisation, or sale of assets, your data may pass to the new owner, always under this Policy and the law.

4.5 Legal and Regulatory Disclosures

We may disclose personal data to courts, regulators, or law enforcement where the law requires it, including to answer a subpoena, a court order, or a regulatory duty, and where it is needed to enforce our Terms, defend a legal claim, prevent fraud, or protect the safety of our product. Any such disclosure stays limited to what is strictly necessary.

4.6 International Transfers

Because we work with providers and partners in different countries, sharing your data may involve a transfer across borders. Whenever that happens, we apply the safeguards described in Section 5 so that your data keeps a level of protection consistent with the law.

4.7 Sanctioned Jurisdictions and Restricted Persons

We do not knowingly provide Services to, or transfer data to, any country, entity, or individual under sanctions, and we may block a transaction, account, or delivery linked to a sanctioned jurisdiction or person, in line with the OFAC, EU, UK, UN, and UAE regimes.

4.8 Research, Analytics, and Aggregated Data

We may share aggregated or anonymised data with partners, researchers, or the public to understand how the Device performs, improve our Services, or study blockchain usage. This data cannot reasonably be traced to you and, as long as it cannot be re-identified, is not personal data under Applicable Law.

4.9 Consent-Based Sharing

In some cases, such as a joint promotion or an optional integration, we share data only with your explicit consent, which you can withdraw at any time without affecting what was shared before.

4.10 Residual Risks of Third-Party Processing

Once data has gone to an independent third party, whether a blockchain network, a wallet provider, or an external app, we cannot fully control how it is handled, and we strongly suggest you read that party's privacy practices before you use it.

4.11 Joint Controllers

Some tools built into our website, in particular certain social-media and advertising technologies such as an advertising pixel, work in a way where we and the provider together decide why and how the data they gather is collected and passed on. In that case we and the provider are joint controllers under Article 26 of the GDPR, and an arrangement is in place setting out who is responsible for what, the key points of which we will share with you on request. We use these tools only after you consent through the cookie banner, where consent is required, as our Cookies Policy explains.

5. International Data Transfers

5.1 General Principle

Play Solana runs a global operation, so your data may be transferred to, stored in, or accessed from countries other than your own, some of which may not protect it the same way. This can happen, for example, when data sits on a cloud server abroad, when a logistics partner carries a Device across a border, or when a blockchain transaction is processed by nodes elsewhere. Wherever data is transferred, we put safeguards in place to keep its protection in line with the law.

5.2 Transfers from the European Economic Area (EEA) and the United Kingdom

For transfers to a country without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses, in the modules suited to controller-to-controller and controller-to-processor transfers, on the UK International Data Transfer Addendum, on binding corporate rules where they apply, and on extra measures such as strong encryption, separation of keys, minimised access, and pseudonymisation. We also run transfer impact assessments to weigh the legal climate of the destination country, including the chance of access by public authorities, and adjust our safeguards to match.

5.3 Transfers from Brazil (LGPD)

Where data starts in Brazil, we rely on the mechanisms the ANPD allows, whether contractual clauses, consent, or international cooperation agreements, and we transfer sensitive data abroad only with explicit consent or where it is strictly necessary. People in Brazil can ask us for more detail on our safeguards at legal@playsolana.com.

5.4 Transfers from the United States

We may transfer personal data across state lines or internationally for processing, and where a state's privacy law adds duties, including California, Colorado, Virginia, Connecticut, and Utah, we keep an equivalent level of protection through our provider contracts, audit rights, and security safeguards.

5.5 Transfers from China (PIPL)

For data from China, a cross-border transfer follows the PIPL, which can mean a government security assessment for a large or sensitive transfer, a certification by an approved body, or contractual clauses with the overseas recipient, and we do not knowingly transfer data from China without meeting these in full.

5.6 Transfers from India (DPDP Act)

Under the DPDP Act, data may leave India only under the rules the Indian authority sets, which we follow, putting contractual safeguards in place where they are required.

5.7 Transfers from the UAE and Free Zones

Transfers from the UAE follow Federal Law No. 45 of 2021, while the DIFC and ADGM free zones run their own frameworks aligned with GDPR principles, and we make sure any transfer out of the UAE rests on a finding of adequacy or on appropriate safeguards, as the law requires.

5.8 Transfers from Other Jurisdictions

We also follow local rules in Canada, Australia, Japan, Korea, and elsewhere, applying contractual or consent-based conditions where needed, and adding safeguards such as encryption, restricted access, and data minimisation.

5.9 Sanctions and Export Controls

We do not knowingly transfer personal data to a sanctioned jurisdiction or a restricted person, we block any transfer that would breach the OFAC, EU, UK, UN, or UAE sanctions regimes, and we may suspend a Service where export-control law forbids the transfer or delivery.

5.10 Residual Risks and Government Access

Despite our safeguards, a transfer to another country can still expose data to access by a public authority under foreign law, a risk we cannot fully remove, and you should know that in some places a government's powers to reach data are broader than in your own country.

5.11 Right to Obtain Information

Under the GDPR, the LGPD, and similar laws, you can ask us for detail on the safeguards we apply to a cross-border transfer, including a copy of the relevant Standard Contractual Clauses, by writing to legal@playsolana.com.

5.12 User Consent Where Required

In some places explicit consent is needed for an international transfer, and where it is, we get it in advance. You can withdraw it at any time, which does not affect a transfer already completed.

6. Data Retention and Deletion

6.1 General Principle

We keep your personal data only for as long as it is needed: to fulfil the purposes described in this Policy, to meet our legal and regulatory duties, or to resolve disputes and enforce our agreements. Once it is no longer needed, we delete it, anonymise it, or move it to a secure archive, in line with the law and good practice.

6.2 Retention by Category of Data

Account and registration data is kept for the life of your account and for up to six years after it closes, so the account can be reactivated, disputes resolved, and limitation periods respected. Order, payment, and transaction data is kept for at least seven years after the transaction, or longer where tax, accounting, consumer, fraud-prevention, or sanctions rules require. Device and software data is kept for as long as needed for active use, security, updates, diagnostics, and warranty, and usually for no longer than two years after active use ends unless a legal, security, product-safety, or dispute-related reason requires a longer period. The metadata we hold about on-chain transactions started through the Device is kept for up to three years, unless an anti-money-laundering, sanctions, fraud-prevention, tax, or legal duty requires longer, though the blockchain record itself is public and cannot be erased by us. Communication and support data is kept for at least three years after a ticket closes, and longer where consumer law, warranty rules, disputes, or legal duties require. Marketing and preference data is kept until you opt out, and in any case no longer than two years after your last interaction with our marketing. Location data is kept only as long as the session or relevant security purpose needs it, unless it forms part of a Device or server log, in which case it follows the applicable log-retention period. Sensitive data is kept only for the minimum period strictly necessary. Data collected through cookies is kept for the periods set out in our Cookies Policy.

6.3 Legal and Regulatory Retention Requirements

Different legal systems set their own ceilings on how long data may be held, and we observe each of them where it applies, so that the storage-limitation principle of Article 5(1)(e) of the GDPR, the rule under Article 16 of the LGPD that any retention be justified by a legal or regulatory duty, the insistence of the CPRA that retention periods be disclosed and never left open-ended without a reason, and the requirement under both the PIPL and the DPDP Act that data be erased once the purpose which justified its collection has been served, all converge on a single discipline, which is to keep nothing for longer than the law and the underlying purpose genuinely demand.

6.4 Criteria Used to Determine Retention

We set a period by looking at the nature and sensitivity of the data, the purpose and whether we can meet it another way, the retention duties that tax, anti-money-laundering, warranty, and consumer law impose, the limitation periods for legal claims, and our legitimate interest in keeping records for security, audit, and continuity.

6.5 Secure Deletion and Anonymisation

When a retention period ends, we either delete the data using methods that meet industry standards, anonymise it so it can no longer be linked to a person, or, where the law requires, move it to a restricted-access archive.

6.6 User Rights Regarding Retention

Under the GDPR, the LGPD, the CPRA, the PIPL, and their equivalents, you can ask us to erase your personal data, and we will do so unless the law requires us to keep it, as tax and accounting law often do, or unless an overriding legitimate interest applies. You can also ask which periods apply to your data.

6.6A Post-Termination Anonymisation

If you stop using our Services or close your account, you can ask us to anonymise the data that remains, as long as that does not clash with a legal duty or a legitimate interest. Once data is anonymised, it can no longer be linked to you and is no longer personal data under Applicable Law.

6.7 Residual Risks

Even after deletion, a copy of your data may survive for a short time before it is fully overwritten, particularly in backups or logs. Such copies are held only for limited periods, kept under strict safeguards, and are not used for any other purpose.

6.8 Logs, Backups, and Disaster Recovery

We keep server logs, backups, and disaster-recovery snapshots so we can secure the Services, investigate faults or abuse, restore a Service after an outage, and keep the business running. These records are retained for limited periods according to their purpose and the relevant provider or backup cycle, and are not actively used except where needed for security, troubleshooting, recovery, compliance, or legal reasons. They remain subject to appropriate technical and organisational safeguards.

7. Data Subject Rights

7.1 General Statement

The law gives you a set of rights over the personal data we hold about you. They are not unlimited, and we may sometimes restrict them where this is needed to protect the rights of others, meet a legal duty, or protect the integrity of an investigation. To use a right, contact us through the details in this Policy, and we will reply within the time the law allows, which is one month under the GDPR, fifteen days under the LGPD, and forty-five days under the CPRA. Nothing in this Policy cuts down a statutory right that the law does not let you waive.

7.2 Right of Access

You can ask us to confirm whether we process data about you and, if we do, to give you a copy along with why we process it, the categories involved, who we shared it with, how long we expect to keep it, the safeguards around any international transfer, and, where the data did not come from you, its source. We provide access in a clear and intelligible form, as long as doing so does not harm the rights of others.

7.3 Right to Rectification

You can ask us to correct data that is wrong and to complete data that is incomplete, and we will make the correction without undue delay and try to tell anyone we shared it with, unless that proves impossible or would take a disproportionate effort.

7.4 Right to Erasure (“Right to be Forgotten”)

You can ask us to delete your data in certain cases, including where it is no longer needed for the purpose it was collected for, where you withdraw consent and no other basis applies, where you have successfully objected, where the processing was unlawful, or where the law requires deletion. We may still keep data where it is needed to meet a legal duty such as tax or accounting, to bring or defend a legal claim, to exercise freedom of expression, or for a public-interest reason such as research or archiving.

7.5 Right to Restriction of Processing

You can ask us to restrict our use of your data in certain situations, such as where you contest its accuracy and we need time to check, where the processing is unlawful but you prefer restriction to deletion, where we no longer need the data but you need it for a legal claim, or where you have objected and we are weighing whether our grounds override yours. While a restriction applies, we store your data but otherwise use it only with your consent or as a legal claim or someone else's rights require.

7.6 Right to Object to Processing

You can object at any time, on grounds relating to your situation, to processing based on our legitimate interest, and where you do, we will stop unless we can show compelling grounds that override yours or the processing is needed for a legal claim. Where we process your data for direct marketing, your right to object is absolute, and we will stop all such marketing right away.

7.7 Right to Data Portability

Where our processing is based on your consent or a contract and is carried out by automated means, you can ask us for the data you gave us in a structured, commonly used, machine-readable form, and you can send it to another controller, or ask us to do so directly where that is technically feasible, unless it would harm the rights of others.

7.8 Right to Withdraw Consent

Where our processing is based on your consent, you can withdraw it at any time, which does not affect anything we did before, and we will act on your choice quickly and make sure no further processing on that basis takes place.

7.9 Right Not to be Discriminated Against

In places such as California under the CPRA, you have the right not to be treated worse for using your privacy rights, and we will not deny you a Service, charge you more, or give you a poorer Service just because you used them. Where the law allows a difference, such as where a Service cannot work without data you asked us to delete, we will explain that to you plainly.

7.10 Right to Human Review of Automated Decisions

Where the law provides, including under the GDPR and the LGPD, you have the right not to be subject to a decision made only by automated means that has a legal effect on you or affects you in a similarly significant way, and where one is made you can ask for human review, give your point of view, and contest it. Play Solana does not currently make such decisions without proper safeguards, and does not carry out behavioural profiling or targeted advertising based on automated decisions. If we ever introduce such practices, we will do so only with your explicit consent and with strong safeguards, including transparency and a way to opt out.

8. Exercise of Rights and Complaint Procedures

8.1 Submitting a Request

To use your rights, contact us through the channels in this Policy, whether by email at legal@playsolana.com, by post, or through a form on the Device or website where one is available. To protect your privacy, we may need to verify your identity first, for example by confirming your account credentials or using authentication on the Device.

8.2 Response Times

We answer within the period that the law allows, which under the GDPR is one month and may be extended by a further two where a request proves particularly complex, which under the LGPD is fifteen days, which under the CPRA is forty-five days and may be extended by another forty-five upon notice to you, and which under the PIPL is simply without undue delay, and wherever the law that governs you fixes a specific deadline, that deadline is the one we keep.

8.3 Limitations and Refusals

Your rights may be limited where this is needed to protect the rights of others, meet an overriding legal duty, or protect the integrity of an investigation, and where we turn down a request in whole or in part, we will tell you why, unless the law forbids it. We might, for example, decline to delete data the tax law requires us to keep, or decline access where it would reveal a trade secret or another person's data.

8.4 Costs

Using your rights is free. Where a request is clearly unfounded or excessive, we may charge a reasonable fee or decline to act, as the law allows, for example under Article 12(5) of the GDPR.

8.5 Representation and Minors

Where the law allows, a right can be used by an authorised representative such as a guardian, lawyer, or agent, and for a minor a right can be used by a parent or guardian under the law.

8.6 Supervisory Authorities and Complaints

You are always free to bring a complaint to the data-protection authority that covers you, whether that is the authority of your own Member State in the European Union, such as the CNPD in Portugal, the CNIL in France, or the Federal Commissioner in Germany, the Information Commissioner's Office in the United Kingdom, the ANPD in Brazil, the California Privacy Protection Agency in California, the Cyberspace Administration in China, the Data Protection Board in India, or the Federal Data Office and the relevant free-zone authorities in the United Arab Emirates, and while we would genuinely welcome the chance to resolve your concern ourselves before it goes any further, nothing requires you to come to us first, and you may approach the authority at any time.

8.7 Judicial Remedies

As well as a complaint to an authority, you may have the right to a remedy before the courts of your jurisdiction where you believe your rights have been infringed.

9. Security Measures

9.1 General Commitment

We work to protect the confidentiality, integrity, and availability of personal data. In line with Article 32 of the GDPR, Article 46 of the LGPD, the reasonable-security rules of the CPRA, and their equivalents, we use technical and organisational measures suited to the risk, designed to guard against the accidental or unlawful loss, destruction, alteration, or unauthorised disclosure of, or access to, personal data.

9.2 Technical Measures

We protect data with technical measures suited to the risk, including encryption in transit through protocols such as TLS and, where supported by the relevant system or provider, encryption at rest. We minimise or pseudonymise data where this reduces risk without preventing the Services from working properly. Access is controlled through authentication measures, password and credential-management practices, role-based permissions, logging, monitoring, and security review. We also use vulnerability checks and security testing appropriate to the nature of our infrastructure and the risks of the processing.

9.3 Organisational Measures

We keep internal data-protection policies, access controls, and incident-response procedures. People who handle personal data are bound to confidentiality and receive security and data-protection guidance appropriate to their role. Access is granted according to role, business need, and operational responsibility, and is reviewed so that access that is no longer needed can be removed. Responsibility for security sits at management level, and we review our compliance through internal checks and, where it applies, third-party assurance.

9.4 Supply Chain and Vendor Security

Personal data is also handled by providers such as cloud hosts, payment processors, logistics partners, authentication providers, email-delivery providers, blockchain infrastructure providers, analytics providers, and support vendors. Before and during our use of those providers, we assess the nature of the data involved, the provider’s role, the contractual protections available, and the security information the provider makes available, including recognised standards such as ISO/IEC 27001 or SOC 2 where relevant. Our contracts require providers to apply appropriate safeguards and to tell us of security incidents without undue delay where the law or the contract requires it.

9.5 Physical Security

Where data is held on physical servers or in offices we or our providers control, we apply physical safeguards, including restricted access, surveillance, environmental controls, visitor management, and secure disposal of media.

9.6 Incident Response and Breach Notification

We maintain incident-response procedures to detect, investigate, contain, and assess a possible breach, with internal escalation and communication steps. Where a personal data breach happens, we assess its nature, scope, likely consequences, and the law that applies. If notification is required, we notify the competent authority within the time the law sets, which is seventy-two hours under the GDPR where that regime applies, and where the law requires we tell affected users without undue delay, explaining the breach, its likely consequences, and what we have done or intend to do about it. Similar duties may apply under the LGPD, the CPRA, the PIPL, and other applicable regimes.

9.7 Residual Risks and User Responsibilities

Despite our safeguards, no system can be made fully immune to threats, and blockchain activity in particular carries risks beyond our control, including network-level flaws and the public visibility of a transaction. You stay responsible for securing your Wallet, private keys, and seed phrases, which we cannot recover, and you should take reasonable care of your Device, installing updates promptly, using strong passwords, and avoiding networks you do not trust.

9.8 Continuous Improvement and Reviews

Our security measures are not fixed. We review and update them as threats, technology, and regulators' expectations change, at least once a year and more often after an incident or a change in how we process data, and we use what we learn to make them stronger.

10. Children and Minors

10.1 General Rule

The PSG1 Device, the store, and our related Services are meant for people aged thirteen or older, and a child below that age must not use the Device, the store, or our Services. We do not knowingly collect, request, or process personal data from a child under thirteen, and if we learn that we have done so without valid parental consent, we delete it without undue delay and may take further steps to restrict access.

10.2 Global Variations in Digital Age of Consent

The age at which a young person may consent on their own behalf differs from one country to the next, standing at thirteen in the United States, at fourteen in both Brazil and China, and as high as sixteen in those European Union Member States that have used the latitude Article 8 of the GDPR allows them, while India's DPDP Act layers further duties over the data of children that are expected to reach everyone below eighteen, and wherever more than one threshold could apply we follow the higher of them.

10.3 Adolescents Aged 13 to 18

Where a minor between thirteen and eighteen may use a digital service under local law, we require that their use happen with the knowledge and consent of a parent or guardian. The Device does not currently include parental controls, so a guardian stays responsible for supervising a minor and for lawful use, and by letting a minor use the Device a parent or guardian accepts responsibility for the minor's compliance with this Policy and our Terms.

10.4 Absence of Technical Parental Controls

Because the PSG1 Device does not yet include technical parental controls, and because we do not monitor or restrict the content a minor reaches beyond the ban on use under thirteen, parents and guardians must take their own steps to supervise a minor. We disclaim responsibility for a minor's misuse where a guardian has not supervised adequately, except where the law makes us liable regardless.

10.5 Marketing and Profiling Restrictions

We do not aim marketing at children under thirteen, and we do not knowingly profile a minor for advertising. Where a minor aged thirteen to eighteen subscribes to our marketing, we process their data only where lawful parental consent is given, and we do not knowingly share a minor's data with a third party for marketing or advertising.

10.6 Special Protection under Applicable Law

We follow the heightened protections the law gives children's data, including COPPA in the United States, Article 8 of the GDPR and its national versions, Articles 14 and 18 of the LGPD in Brazil, Articles 15 and 31 of the PIPL in China, and the DPDP Act in India, applying them wherever they are required.

10.7 Reporting and Remedies

If you believe we have collected data from a child below the legal age without valid consent, tell us at once through the contact details in this Policy, and once we have checked, we will erase the data without undue delay and act to prevent further collection. A parent or guardian can also ask us for access to, correction of, or deletion of data about their child.

10.8 Residual Risks

Even with age restrictions, the online environment and on-chain activity carry risks that cannot be fully controlled. A blockchain transaction is public and irreversible, and the Device currently has no technical way to stop a minor from attempting one, so we strongly recommend that a parent supervise a minor's use of the Device at all times.

11. Cookies and Similar Technologies

11.1 General Use

We use cookies and similar technologies across our website and store. Cookies are small text files placed on your browser or device. Similar technologies include local storage, pixels, tags, software development kits, and scripts, which work in comparable ways by storing or reading information or linking an identifier to your visit. These tools let us recognise your device, keep your session secure, remember your preferences, keep the service stable, and measure how it performs, and they also support analytics, product improvement, and advertising, which are uses that are not essential and so depend on your choice where the law requires it.

11.2 Categories and Purposes

We group these technologies by what they do. Strictly necessary technologies are the ones the website cannot work without, supporting authentication, your session, the cart, checkout, security, and storing your cookie choices. Analytics technologies help us understand how the site is used and where it can be improved. Marketing technologies support advertising and campaign measurement, and may support remarketing across services. Preference technologies remember your settings, such as language or region.

11.3 Legal Bases and Jurisdictional Requirements

Strictly necessary technologies call for no consent, since the ePrivacy Directive exempts them and whatever personal data they involve rests on our legitimate interest in delivering the service you asked for, whereas every other technology is set only once you have consented in those places where the law conditions their use on consent, which means that consent must come before any non-essential technology in the European Union and the United Kingdom under the ePrivacy rules read together with the GDPR, that express consent is required for anything beyond the strictly necessary under the LGPD in Brazil, that the CPRA and its sister statutes in the United States treat several of these uses as a sale or sharing of data and give you a right to opt out, and that informed consent governs non-essential tracking under the PIPL in China and the DPDP Act in India.

11.4 Consent Mechanisms

When you first visit the site, a banner lets you accept, reject, or customise the technologies that are not strictly necessary, and until you choose, only the strictly necessary ones run. Your choice is recorded and applied through the cookie settings panel, which you can revisit at any time, and withdrawing consent does not affect anything done before. Choosing not to allow non-essential technologies does not block access to the site, though some features may be affected.

11.5 Third-Party Cookies and SDKs

Some of these technologies are provided by third-party partners whose services are built into the site, including analytics, advertising, and infrastructure providers. Using them can mean information about your visit is sent to or read by those providers through their own systems, which is part of how those services work. Where a provider acts independently, it decides how that information is used, and we do not control that once it has been collected. Where the law requires it, these technologies are used only after you have made your choice.

11.6 Duration and Persistence

Some of these technologies last only for a session and are removed when it ends, while others stay on your device for a set period or until you delete them, so the site can recognise it across visits. The duration reflects each technology's purpose.

11.7 Management and Opt-Out Options

You can manage these technologies in several ways. Through our cookie settings panel you can switch categories on or off. Most browsers also let you block or delete stored information, and those controls work independently of our panel and may override it. You can also use the global opt-out mechanisms available in some places, such as the Do Not Sell or Share My Personal Information control under the CPRA or the Global Privacy Control browser signal.

11.8 Local Legal Notices

Some places add specific rules. In the EU and the UK, we rely on consent for non-essential technologies under the ePrivacy framework read with the GDPR. In Brazil, we follow the LGPD and the guidance of the ANPD. In California and other U.S. states, we honour opt-out rights and recognised opt-out signals. Where a local law requires a particular notice or control, we provide it, and the detail of the specific technologies we use is set out in the cookie tables in this Policy.

11.9 Residual Risks and Transparency

Even with consent tools and technical controls in place, cookies and similar technologies can involve data flows to third parties and across borders, and turning cookies off may not stop every form of tracking, particularly where external apps, blockchain activity, or network-level monitoring are involved. We keep reviewing our use of these technologies and will update this Policy as practice and guidance develop.

12. Contact, Data Protection Officer, and Policy Updates

12.1 Contacting Play Solana

If you have a question, concern, or request about this Policy or about how we handle your data, you can reach us by email at legal@playsolana.com, by post at our registered office, or through the form at playsolana.com/compliance. These channels are for privacy matters and are monitored regularly. We will acknowledge your message without undue delay and reply in substance within the time the law of your jurisdiction allows.

12.2 Data Protection Officer (DPO) or Privacy Team

Where the law requires it, we appoint a Data Protection Officer to monitor our compliance, advise on our duties, run impact assessments, and act as a contact point for the authorities. Until that appointment is made, you can direct your messages to our privacy team using the details above, and once a Data Protection Officer is named, their identity and contact details will appear here and, where required, be notified to the authorities.

12.3 Complaints and Escalation

We would rather you contact us first if you think your rights have not been respected, and we will make a genuine effort to sort it out quickly. If our answer does not satisfy you, you keep the right to take the matter to the competent authority, as Section 8 explains, and nothing here limits your right to complain to an authority or to go to court.

12.4 Policy Review and Updates

This Policy is a living document. We review it at least once a year, even where nothing needs to change, and sooner whenever there is a significant change in our Services, in the data we process, or in the law. The effective date at the top shows when the current version took force. Where a change is material, such as broadening the data we collect, adding a new form of processing, or changing your rights, we will give you specific notice in a durable medium, whether by email, a notice on the Device, or a banner on the website, and you will have a chance to review the change before it takes effect. Continuing to use our Services or the Device after the change takes effect means you accept the updated Policy.

12.5 Version Control and Language

We may offer this Policy in several languages for convenience, and where translations differ, the English version applies to the fullest extent the law allows, unless a mandatory consumer-protection rule requires a local-language version to govern. We keep an archive of earlier versions and will share a copy on request so you can see how the Policy has changed.

12.6 Limitations of Play Solana's Responsibility

While we aim to reply quickly and keep this Policy current, some risk always remains in any digital environment, our duties under this Policy are bounded by the law, and nothing here creates a right or remedy beyond what mandatory data-protection law gives you.

12.7 Future Regulatory Adaptation

Data-protection law keeps developing, and new rules may appear in the places where we operate. We will adapt this Policy and our practices to meet those rules as they come into force, and where a new requirement calls for it, we will update this Policy and, where the change is material, tell you in a durable medium.

12.8 Representative in the European Union

Because Play Solana is established outside the European Union and offers its Services to people within it, Play Solana has appointed an EU representative for the limited purposes of Article 27 of the GDPR. The representative provides an additional point of contact in the Union for data subjects and supervisory authorities on matters relating to the processing of personal data. Our EU representative is AIO Studio LDA, Avenida D. João IV, Centro Comercial, Loja Villa 9, 4810-532 Guimarães, Portugal. You may contact the representative at that address, or contact Play Solana directly at legal@playsolana.com, to exercise your rights or raise a question about this Policy. This appointment does not change Play Solana’s responsibility for deciding how and why personal data is processed.

13. On-Chain Data and Blockchain Risks

13.1 Nature of Blockchain Data

When you use the PSG1 Device or our Services to start a transaction, interact with a smart contract, verify a holding, claim an on-chain asset, or otherwise operate on a blockchain, some data, including wallet addresses, transaction identifiers, and metadata such as gas fees and timestamps, may be published to a public ledger. By design this data is publicly visible, permanently recorded, and beyond our control. Separately, where needed to operate the Services, verify access or proof of purchase, support account features, prevent fraud, or meet legal duties, we may keep limited records of wallet addresses or transaction metadata in our own systems under this Policy, but that does not give us custody or control over your wallet, your credentials, or the blockchain record itself.

13.2 No Custody of Credentials

We do not generate, store, or have access to your private keys, seed phrases, or wallet credentials. You alone are responsible for securing your Wallet and keeping what you need to access it, and we cannot recover a lost credential or reverse a transaction once it has started.

13.3 Public Visibility and Linkability

Blockchain data is transparent by nature. A wallet address may not name you directly, but in many places, including the EU, Brazil, and, under guidance, California, it can count as personal data where it can reasonably be linked to you, which means your activity could be analysed or correlated by others to infer your identity, your behaviour, or your holdings. We cannot prevent this, and we want you to be aware of the risk.

13.4 Legal and Regulatory Implications

How blockchain data is treated under privacy and financial law keeps developing, and authorities in several places, including the EU, Brazil, the United States, and China, have signalled that it may fall under privacy law where it is linked to a person. By using our Services you accept that a blockchain transaction may carry legal implications beyond our control, including tax, financial-reporting, or sanctions duties.

13.5 Responsibility of Users

You stay responsible for safeguarding your credentials, checking that a smart contract is genuine, and making sure your use of a blockchain network follows the law, which includes staying away from any interaction with a sanctioned address, a restricted jurisdiction, or unlawful content stored on a chain.

13.6 Residual Risks

Despite the measures we take, risk is unavoidable in a blockchain environment, including the permanent publication of data, the impossibility of deleting or correcting it once recorded, and exposure to analysis by others, and you should weigh these risks carefully before you start an on-chain transaction.

14. Miscellaneous, Governing Law, and Severability

14.1 Relationship with Other Agreements

Read this Policy together with our Terms of Service for the Device, our Terms of Use for the website and software, and our Store Terms, which cover separate but related parts of your relationship with us. Where this Policy and one of those agreements conflict on a question of personal data, this Policy applies to that question, and nothing here limits a right or duty expressly set out in them.

14.2 Governing Law and Jurisdiction

This Policy, and any dispute about how Play Solana processes personal data, is governed by the laws of the United Arab Emirates as applied in the Emirate of Ras Al Khaimah, without regard to any conflict-of-law rule that would point to another place.

Consumers. If you qualify as a consumer under Applicable Law, nothing in this Policy takes away the protection given to you by the mandatory rules of the law of your country of residence. You keep the right to rely on those protections and to bring a claim before the courts where you live.

Business users. If you are not a consumer, any dispute, controversy, or claim arising out of or in connection with this Policy will be finally resolved by arbitration under the Rules of the Dubai International Arbitration Centre (DIAC), which are taken to be incorporated into this clause. The seat of arbitration is Dubai, United Arab Emirates, the language is English, and the tribunal consists of one arbitrator unless otherwise agreed. The award is final and binding, and judgment on it may be entered in any court of competent jurisdiction. Nothing in this clause prevents Play Solana from seeking urgent injunctive, conservatory, or equitable relief in any competent court.

Regulators and authorities. Nothing in this section affects your right to complain to a competent data-protection authority, as Section 8 explains.

14.3 Non-Waivable Rights

Nothing in this Policy excludes or limits a right that mandatory data-protection law gives you, including the GDPR in the EU, the LGPD in Brazil, the CPRA and its sister laws in the United States, the PIPL in China, and the DPDP Act in India, and where this Policy and such a law conflict, the law applies.

14.4 Severability

If a part of this Policy is found to be invalid or unenforceable, it will be treated as modified only as far as needed to make it valid, or, where that is not possible, as removed, and the rest of the Policy stays in force.

14.5 Entirety and Language

This Policy is the whole agreement between you and Play Solana LTD on how we process personal data, without affecting any further notice given when data is collected or required by law. We may make it available in several languages for convenience, and where translations differ the English version applies to the fullest extent the law allows.