Privacy Policy

Effective: at protocol launch. Last updated: 2026-05-29.

This Privacy Policy explains how CashPop ("we") collects, uses, and shares information when you use CashPop (the "Service").

1. Information We Collect

Automatically collected

Telegram User ID, username (if public), and language code.
Device fingerprint (hash of canvas + WebGL + audio + screen properties).
Country (via IP geolocation, then IP discarded).
Round participation metadata (Round ID, commit, reveal, outcome).
Ad-view events from AdMob/Telegram Ads SDK.

Provided by you (optional, per Trust Ladder tier)

L2: TON wallet address.
L3: Email address; mutual friend identifier.
L4: Telegram Premium status (verified via Telegram API).
L5: Phone number (verified via SMS).
L6: Government ID document (verified via Sumsub).
L7: Biometric liveness vector (verified via Sumsub).

2. How We Use Information

Service operation

To run Rounds, settle POP balances, and process redemptions.
To prevent Sybil attacks via device fingerprint correlation.
To compute Reputation Scores.
To deliver targeted ads via AdMob/Telegram Ads (subject to your ad-network privacy preferences).

Research and analytics

To compile aggregate anonymized statistics published in our Open Datasets program.
To improve question reservoir calibration.
To detect and respond to fraud.

Legal and compliance

To comply with applicable law, regulator inquiries, and legal process.
To enforce our Terms of Service.

We do not sell, rent, or trade your information to third parties.

We share information with:

Service providers (Cloudflare, Sumsub, Google AdMob, Telegram, TON validators) — bound by data processing agreements.
Legal authorities — where required by law or to protect our rights.
Anonymous aggregate research datasets — only after k-anonymity (k≥100) and differential privacy (ε≤1.0) processing.

4. Data Retention

Data category	Retention
Round participation records	5 years (for audit and dispute resolution)
Identity documents (L6/L7)	3 years post-account-deletion (regulatory)
Biometric vectors (L7)	3 years post-account-deletion (regulatory)
Aggregate anonymized statistics	Indefinite (published)
Device fingerprints	90 days rolling
Ad view records	1 year

You may request earlier deletion (right to erasure) per Section 7.

5. Cross-Border Data Transfer

CashPop operates globally. Data is processed by Cloudflare in multiple regions (EU, US, APAC) and by Sumsub in EU regions. By using the Service, you consent to cross-border transfer of your data.

For users in the EU/EEA, we maintain Standard Contractual Clauses with all processors.

6. Children

The Service is not directed to anyone under 18 years of age. We do not knowingly collect information from children. If we learn we have collected such information, we will delete it.

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

Access: request a copy of the information we hold about you.
Rectification: correct inaccurate or incomplete information.
Erasure: request deletion of your information, subject to legal retention requirements.
Restriction: limit how we process your information.
Portability: receive your information in a portable format.
Objection: object to certain processing, including profiling.
Withdraw consent: withdraw consent at any time (does not affect prior lawful processing).

To exercise these rights, email support@cashpop.meme. We will respond within 30 days.

You may also lodge a complaint with your local data protection authority.

8. Security

We protect your information using encryption (TLS 1.3 in transit, AES-256 at rest), access controls, and audit logging. We conduct annual security reviews.

No system is perfectly secure. We disclose data breaches affecting your information per applicable law and within 72 hours of discovery (per GDPR standard).

9. AI Question Pipeline

Our LLM ensemble (Claude, GPT, Gemini) processes only the question reservoir generation pipeline. Your individual gameplay data is not sent to external LLM providers. The LLM pipeline is run on our own infrastructure on synthetic populations, not real user data.

10. Cookies and Similar Technologies

The Service uses session storage (not persistent cookies) for the WebApp. Telegram's underlying client uses standard Telegram session cookies, governed by Telegram's privacy policy.

We do not use third-party tracking cookies. We do not use cross-site tracking pixels.

11. Updates

We may update this Privacy Policy. Material changes will be announced via the official Telegram channel and X account, with 30 days' notice. Continued use of the Service after such notice constitutes acceptance.

12. Contact

All privacy inquiries: support@cashpop.meme

Privacy Policy ​

1. Information We Collect ​

Automatically collected ​

Provided by you (optional, per Trust Ladder tier) ​

2. How We Use Information ​

Service operation ​

Research and analytics ​

Legal and compliance ​

3. How We Share Information ​

4. Data Retention ​

5. Cross-Border Data Transfer ​

6. Children ​

7. Your Rights ​

8. Security ​

9. AI Question Pipeline ​

10. Cookies and Similar Technologies ​

11. Updates ​

12. Contact ​