Last Updated: November 25, 2025
TABLE OF CONTENTS
- Introduction
- Information We Collect
- How We Use Your Information
- Legal Basis for Processing (GDPR)
- How We Share Your Information
- Third-Party Privacy Practices
- Data Retention
- Data Security
- Cookies and Tracking Technologies
- International Data Transfers
- Your Privacy Rights
- GDPR Rights for EEA Users
- California Privacy Rights (CCPA/CPRA)
- Children's Privacy
- Changes to This Privacy Policy
- Contact Information
- EU Representative
- Supervisory Authority
1. INTRODUCTION
BonkX, Inc. ("BonkX," "we," "our," or "us") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website bonkx.io (the "Website") and participate in our waitlist program with gamified quests.
Important: BonkX products are currently in development. This Privacy Policy applies only to our pre-launch waitlist program. When we launch our products, a separate privacy policy will govern those services.
Please read this Privacy Policy carefully. By accessing or using the Website, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Website.
Data Controller: BonkX, Inc., a Delaware corporation
2. INFORMATION WE COLLECT
2.1 Personal Information You Provide
Email Address: When you join our waitlist, you provide your email address. This is the only personal information we directly collect from you at this time.
2.2 Information Collected Through Third-Party Services
Domino.run Quest Platform: We use Domino.run, a third-party service provider, to manage our gamified quest system. When you participate in quests, Domino.run may collect and process:
- Email address (shared by us with Domino.run to link your account)
- Quest completion data
- Social media interactions (likes, follows, retweets, comments, shares)
- Blockchain wallet addresses (if participating in on-chain quests)
- Telegram, Discord, or other platform usernames (if participating in platform-specific quests)
- API interaction data (if participating in app-based quests)
- Device and browser information
- IP addresses
Important: Domino.run's collection and use of your information is governed by their own privacy policy, which we encourage you to review.
2.3 Automatically Collected Information
When you visit the Website, we automatically collect certain information about your device and browsing actions:
- Log Data: IP address, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform
- Usage Data: Pages viewed, time spent on pages, links clicked, navigation paths, referring website
- Device Data: Device type, unique device identifiers, mobile network information
- Cookies and Similar Technologies: We use cookies and similar tracking technologies. See Section 9 for details.
2.4 Quest Activity Data
Information about your quest participation, including:
- Quests completed and in progress
- Points earned and current balance
- Waitlist position and rank
- Task completion timestamps
- Referral activity and referral codes (if applicable)
- Social media engagement metrics
- Blockchain transaction data (if applicable to quests)
This information is collected and processed by Domino.run and shared with us to manage your waitlist position.
2.5 Third-Party Platform Data
When you complete quests, you may authorize Domino.run to access information from third-party platforms such as:
- X (Twitter): Profile information, tweets, likes, follows, follower count
- Discord: Server membership, roles, username, activity (if authorized)
- Telegram: Username, group membership, activity
- Blockchain Networks: Wallet addresses, transaction history, token holdings, NFT ownership
- Other Web3 Applications: In-app activity data, interactions, usage patterns
You control what information these platforms share through their authorization flows.
3. HOW WE USE YOUR INFORMATION
We use the information we collect for the following purposes:
3.1 Waitlist Management
- Register you for our waitlist
- Track your quest completion and points
- Calculate and update your waitlist position
- Notify you when products or services become available
- Manage the gamified quest program
- Prevent fraud and abuse of the points system
3.2 Communication
- Send you updates about BonkX products and services
- Notify you about quest opportunities and new tasks
- Respond to your inquiries and provide customer support
- Send administrative information, such as changes to our Terms or Privacy Policy
- Communicate important security or service updates
3.3 Website Operations and Improvement
- Operate, maintain, and improve the Website
- Monitor and analyze usage trends, preferences, and demographics
- Detect, prevent, and address technical issues
- Protect against security threats and fraudulent activity
- Prevent manipulation of the quest or points system
- Debug and fix errors
3.4 Marketing (With Your Consent)
- Send promotional materials and marketing communications
- Inform you about new features, products, or services
- Conduct surveys or request feedback
You may opt out of marketing communications at any time (see Section 11).
3.5 Legal and Compliance
- Comply with legal obligations and regulations
- Respond to legal requests and prevent illegal activity
- Protect our rights, privacy, safety, or property
- Protect the rights and safety of our users and the public
- Enforce our Terms and Conditions
- Establish, exercise, or defend legal claims
3.6 Analytics and Research
- Understand how users interact with our Website
- Conduct internal research for technology development
- Analyze waitlist and quest engagement metrics
- Improve user experience and feature development
4. LEGAL BASIS FOR PROCESSING (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds under GDPR Article 6:
| Data Type | Processing Activity | Legal Basis |
|---|---|---|
| Email address | Waitlist registration | Consent (Art. 6(1)(a)) |
| Email address | Service communications | Legitimate interest (Art. 6(1)(f)) |
| Email address | Marketing communications | Consent (Art. 6(1)(a)) |
| Quest activity data | Waitlist management, points tracking | Consent / Contract performance (Art. 6(1)(a), (b)) |
| Usage/log data | Website security, fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Usage/log data | Website improvement, analytics | Legitimate interest (Art. 6(1)(f)) |
| Cookie data (non-essential) | Analytics, preferences | Consent (Art. 6(1)(a)) |
| Cookie data (essential) | Website operation | Legitimate interest (Art. 6(1)(f)) |
Legitimate Interest Assessment: Where we rely on legitimate interests, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. Our legitimate interests include:
- Providing and improving our services
- Preventing fraud, abuse, and security threats
- Understanding user behavior to enhance the Website
- Network and information security
Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal. See Section 12 for details.
5. HOW WE SHARE YOUR INFORMATION
We do not sell, rent, or trade your personal information to third parties. We may share your information only in the following circumstances:
5.1 Third-Party Service Providers
Domino.run (Quest Platform): We share your email address with Domino.run to enable quest participation and track your progress. Domino.run independently collects additional information when you interact with their platform. Domino.run acts as both a data processor (for email addresses we share) and an independent data controller (for quest activity data they collect directly from you). Their privacy practices are governed by their own privacy policy.
Other Service Providers: We may share your information with service providers who perform services on our behalf:
- Website Hosting: Cloud infrastructure providers
- Email Services: Email delivery platforms (e.g., SendGrid, Mailchimp, AWS SES)
- Analytics: Website analytics providers (e.g., Google Analytics)
- Customer Support: Help desk and support tools
- Security Services: Fraud prevention and security monitoring
These service providers are contractually obligated to:
- Use your information only as necessary to provide services to us
- Implement appropriate security measures
- Comply with applicable data protection laws
- Not use your information for their own purposes
5.2 Third-Party Platforms
When you complete quests involving third-party platforms (X/Twitter, Discord, Telegram, blockchain networks, etc.), you authorize those platforms to share information with Domino.run according to their respective privacy policies and authorization flows. We do not control these platforms' data practices.
5.3 Business Transfers
If BonkX is involved in a merger, acquisition, financing, reorganization, bankruptcy, asset sale, or similar transaction, your information may be transferred as part of that transaction. We will provide notice via email and/or a prominent notice on our Website before your information becomes subject to a different privacy policy.
5.4 Legal Requirements and Protection of Rights
We may disclose your information when required by law or when we believe in good faith that disclosure is necessary to:
- Comply with a subpoena, court order, or other legal process
- Respond to lawful requests from law enforcement or government authorities
- Protect and defend our legal rights or property
- Protect the rights, safety, or security of our users or the public
- Investigate fraud, security issues, or technical problems
- Enforce our Terms and Conditions
- Prevent illegal activity or potential harm
5.5 Aggregated or De-Identified Data
We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you, including:
- Statistical data about waitlist participation
- Quest completion rates and trends
- User demographics (without personal identifiers)
- Website usage analytics
This information is not considered personal data under GDPR or other privacy laws.
5.6 With Your Consent
We may share your information for any other purpose with your explicit, informed consent.
6. THIRD-PARTY PRIVACY PRACTICES
6.1 Domino.run
Domino.run is an independent third-party service provider. Their collection, use, storage, and sharing of your information is governed by their own privacy policy, not this Privacy Policy.
What Domino.run Does:
- Manages quest creation and verification
- Tracks quest completion and points
- Integrates with social media and blockchain platforms
- May use cookies and tracking technologies
Our Relationship: We have contractual agreements with Domino.run requiring them to protect your data, but we have limited control over their day-to-day privacy practices.
Your Responsibility: We encourage you to review Domino.run's privacy policy to understand how they handle your information.
6.2 Social Media and Web3 Platforms
When you connect your social media accounts or blockchain wallets to complete quests, those platforms' privacy policies govern their collection and use of your information. We do not control and are not responsible for the privacy practices of:
- X (Twitter): https://twitter.com/privacy
- Discord: https://discord.com/privacy
- Telegram: https://telegram.org/privacy
- Blockchain Networks: Ethereum, Solana, Cosmos, and other chains
- Other Web3 Applications: Various decentralized apps and protocols
Important: Blockchain transactions are public and permanent. Once information is recorded on a blockchain, it cannot be deleted or made private.
6.3 Your Responsibilities
You are responsible for:
- Reading and understanding the privacy policies of all third-party services you use
- Managing your privacy settings on third-party platforms
- Revoking access to third-party integrations if you no longer wish to share information
- Understanding the public and permanent nature of blockchain transactions
- Securing your social media accounts and wallet credentials
6.4 Third-Party Links
The Website may contain links to third-party websites or services not owned or controlled by BonkX. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party websites or services. Visiting third-party websites is at your own risk.
7. DATA RETENTION
We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
7.1 Retention Periods
| Data Category | Retention Period | Reason |
|---|---|---|
| Email address (active waitlist) | Until you request deletion or unsubscribe | Waitlist management |
| Email address (inactive) | 24 months of inactivity, then deleted | Legitimate interest |
| Quest activity data | Duration of waitlist + 12 months | Analytics, dispute resolution |
| Marketing consent records | 3 years after consent withdrawn | Legal obligation (proof of consent) |
| Log files and IP addresses | 12-24 months | Security, fraud prevention |
| Cookie data | Duration specified in cookie banner | Varies by cookie type |
| Support communications | 3 years after case closed | Customer service, legal protection |
| Legal/accounting records | 7 years or as required by law | Legal obligation |
| Aggregated/anonymized data | Indefinitely | Not personal data |
7.2 Deletion After Retention Period
After the retention period expires, we will:
- Securely delete your personal data, OR
- Anonymize it so it can no longer identify you
Exception: Blockchain data cannot be deleted due to the immutable nature of distributed ledger technology. This is a technical limitation, not a policy choice.
7.3 Third-Party Retention
Domino.run and other service providers maintain their own data retention policies, which may differ from ours. We require our service providers to delete or return data when no longer needed, but we cannot guarantee their compliance.
8. DATA SECURITY
We implement appropriate technical and organizational security measures designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction.
8.1 Security Measures
Technical Safeguards:
- Encryption of data in transit using TLS/SSL (HTTPS)
- Encryption of sensitive data at rest
- Secure data storage with access controls
- Firewalls and intrusion detection systems
- Regular security vulnerability assessments
- Secure authentication and authorization mechanisms
Organizational Safeguards:
- Employee training on data protection and security
- Confidentiality agreements with employees and contractors
- Access controls limiting who can access personal data
- Background checks for employees with data access (where legally permitted)
- Incident response and data breach procedures
- Regular security policy reviews and updates
8.2 Limitations of Security
Important: No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security.
Risks include:
- Unauthorized access due to hacking or malware
- Human error or social engineering attacks
- Third-party security breaches
- Technical failures or system malfunctions
Third-Party Security: We cannot guarantee the security of information processed by third-party services like Domino.run, social media platforms, or blockchain networks. You acknowledge that sharing information with third parties involves inherent security risks.
Blockchain Risks: Blockchain transactions are public and permanent. Wallet addresses and transaction data:
- Are visible to anyone on the blockchain
- Cannot be deleted or made private
- May be linked to your identity through various means
8.3 Your Security Responsibilities
You are responsible for:
- Keeping your email account secure
- Using strong, unique passwords
- Not sharing your login credentials
- Protecting your devices from malware
- Securing your blockchain wallets and private keys
- Reporting suspected security incidents to us immediately
8.4 Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:
To Supervisory Authorities: We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Article 33).
To You: We will notify you without undue delay if the breach is likely to result in a high risk to your rights and freedoms (as required by GDPR Article 34). Our notification will include:
- Nature of the breach
- Likely consequences
- Measures taken or proposed to address the breach
- Contact point for more information
- Steps you can take to protect yourself
9. COOKIES AND TRACKING TECHNOLOGIES
9.1 What Are Cookies
Cookies are small text files stored on your device (computer, smartphone, tablet) when you visit a website. We use cookies and similar technologies such as:
- Web beacons/pixels: Small graphic images embedded in web pages or emails
- Local storage: HTML5 local storage for storing data in your browser
- Session storage: Temporary storage for the duration of your browser session
- Device fingerprinting: Collecting device characteristics for identification
9.2 Types of Cookies We Use
Strictly Necessary Cookies (Essential):
- Required for the Website to function properly
- Enable core functionality like security, authentication, and load balancing
- Cannot be disabled without breaking Website functionality
- Legal basis: Legitimate interest (GDPR Art. 6(1)(f))
- Examples: Session management, CSRF protection
Analytics Cookies (Non-Essential):
- Help us understand how visitors interact with our Website
- Collect information anonymously (page views, time on site, traffic sources)
- Used to improve Website performance and user experience
- Providers: Google Analytics, similar services
- Legal basis: Consent (GDPR Art. 6(1)(a))
- Retention: Typically 12-24 months
Functional Cookies (Non-Essential):
- Enable enhanced functionality and personalization
- Remember your preferences, settings, and choices
- Examples: Language preference, remembered form inputs, waitlist position display
- Legal basis: Consent (GDPR Art. 6(1)(a))
- Retention: Varies (typically 12 months)
Marketing/Advertising Cookies (Non-Essential):
- Track your activity to deliver relevant advertising (if we implement advertising)
- May be placed by third-party advertising networks
- Legal basis: Consent (GDPR Art. 6(1)(a))
- Currently not in use but may be implemented in the future
Third-Party Cookies:
- Domino.run and other integrated services may place cookies on your device
- Enable quest functionality and track your activity
- Subject to those third parties' privacy policies
9.3 Cookie Management and Consent
Cookie Banner: When you first visit our Website (if you're in the EU/EEA), you will see a cookie consent banner that:
- Clearly explains what cookies we use and why
- Provides granular choices: Accept All, Reject Non-Essential, Customize
- Does not use pre-ticked boxes
- Allows you to change your preferences at any time
Browser Controls: Most web browsers allow you to control cookies through settings. You can:
- View and delete cookies
- Block all cookies
- Block third-party cookies
- Receive alerts when cookies are being sent
Browser-Specific Instructions:
- Chrome: Settings > Privacy and Security > Cookies
- Firefox: Settings > Privacy & Security > Cookies and Site Data
- Safari: Preferences > Privacy > Cookies and Website Data
- Edge: Settings > Cookies and Site Permissions
Important: Disabling cookies may affect Website functionality and prevent you from participating in quests or accessing certain features.
9.4 Analytics Services
Google Analytics: We use Google Analytics to collect information about Website usage. Google Analytics uses cookies to collect information such as:
- How often users visit the Website
- What pages they visit and in what order
- How long they stay on each page
- What sites they used prior to coming to the Website
Opt-Out: You can opt out of Google Analytics by:
- Installing the Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptout
- Adjusting your cookie preferences in our cookie banner
- Using browser settings to block analytics cookies
Data Processing: Google Analytics data is processed in accordance with Google's privacy policy: https://policies.google.com/privacy
9.5 Do Not Track Signals
Some web browsers have a "Do Not Track" (DNT) feature that signals to websites that you do not want to have your online activity tracked. Our Website does not currently respond to DNT signals or similar mechanisms. However, you can control tracking through:
- Cookie consent preferences
- Browser cookie settings
- Opt-out tools provided by analytics services
10. INTERNATIONAL DATA TRANSFERS
10.1 Location of Data Processing
BonkX Operations: BonkX, Inc. is based in the United States. Your information will be transferred to, stored, and processed in the United States.
Service Providers: Our service providers (Domino.run, hosting providers, email services, etc.) may operate servers in various locations globally, including:
- United States
- European Union
- Other countries where our service providers have infrastructure
Data Transfer: If you are accessing the Website from outside the United States, particularly from the EEA, UK, or Switzerland, your information will be transferred to countries that may have different data protection laws than your country of residence.
10.2 Safeguards for International Transfers (GDPR)
For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we ensure appropriate safeguards are in place for international data transfers as required by GDPR Chapter V:
Standard Contractual Clauses (SCCs):
- We use European Commission-approved Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with our U.S.-based service providers
- SCCs are contractual commitments between companies transferring personal data, ensuring EU-level data protection
Service Providers Using SCCs:
- Domino.run (quest platform) - if they process EU data
- Email service providers (SendGrid, Mailchimp, AWS SES, etc.)
- Cloud hosting providers (AWS, Google Cloud, etc.)
- Analytics providers (Google Analytics, etc.)
Supplementary Measures: In addition to SCCs, we implement technical and organizational measures such as:
- End-to-end encryption of data in transit
- Encryption of data at rest
- Pseudonymization where possible
- Access controls and authentication
- Regular security audits and assessments
- Data minimization practices
- Contractual obligations on service providers
Adequacy Decisions: Where available, we rely on European Commission adequacy decisions for certain countries that provide adequate data protection (e.g., UK under the UK GDPR, Switzerland under FADP).
10.3 Your Rights Regarding Transfers
You have the right to:
- Obtain information about the safeguards we use for international transfers
- Request a copy of the Standard Contractual Clauses we have in place
- Object to transfers in certain circumstances
- Lodge a complaint with your supervisory authority if you believe transfers violate GDPR
To request information about our transfer mechanisms or copies of SCCs, contact: gdpr@bonkx.io
10.4 Consequences of Transfer
By using the Website and providing your information, you acknowledge and consent to:
- Transfer of your data to the United States and other countries
- Processing of your data in countries with different data protection laws
- The risks associated with international data transfers
If you do not agree to international transfers, please do not use the Website or provide your information.
11. YOUR PRIVACY RIGHTS
All users, regardless of location, have certain basic privacy rights. Additional rights apply to users in specific jurisdictions (see Sections 12 and 13).
11.1 Universal Rights (All Users)
Right to Access: You may request a copy of the personal information we hold about you.
Right to Correction: You may request correction of inaccurate or incomplete information.
Right to Deletion: You may request deletion of your personal information, subject to certain exceptions (legal obligations, ongoing disputes, etc.).
Right to Opt-Out of Marketing: You may unsubscribe from marketing emails at any time by:
- Clicking the "unsubscribe" link in any marketing email
- Contacting us at privacy@bonkx.io
- Updating your email preferences (if we implement a preference center)
Right to Revoke Authorizations: You may revoke access to third-party platforms (social media accounts, wallets) through those platforms' settings.
11.2 How to Exercise Your Rights
Email: privacy@bonkx.io
Subject Line: "Privacy Rights Request - [Your Request Type]"
Include in Your Request:
- Your email address registered on the waitlist
- Specific right(s) you wish to exercise
- Any relevant details to help us locate your information
- Proof of identity (if required for verification)
Response Timeline: We will respond to your request within 30 days (or as otherwise required by applicable law). We may extend this period by an additional 60 days for complex requests, in which case we will inform you of the extension and reasons.
Verification: To protect your privacy, we may need to verify your identity before fulfilling your request. We may request additional information such as:
- Confirmation of email address
- Answers to security questions
- Government-issued ID (for sensitive requests)
Free of Charge: Generally, exercising your privacy rights is free. However, we may charge a reasonable fee for manifestly unfounded, excessive, or repetitive requests.
11.3 Limitations on Rights
We may decline requests in certain circumstances:
- Legal Obligations: We must retain data to comply with legal or regulatory requirements
- Legal Claims: We need data to establish, exercise, or defend legal claims
- Security: Deletion would compromise Website security or fraud prevention
- Technical Limitations: Blockchain data cannot be deleted due to immutability
- Third-Party Data: We cannot delete data held by Domino.run or other third parties (you must contact them directly)
If we decline your request, we will explain the reasons and inform you of your right to complain to a supervisory authority (for EEA users).
12. GDPR RIGHTS FOR EEA USERS
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) and equivalent laws.
12.1 Right of Access (Article 15)
You have the right to obtain:
- Confirmation of whether we process your personal data
- A copy of your personal data we hold
- Information about how we process your data, including:
  - Purposes of processing
  - Categories of personal data
  - Recipients or categories of recipients
  - Retention periods
  - Your other GDPR rights
  - Source of data (if not collected directly from you)
  - Existence of automated decision-making, including profiling
How to Exercise: Contact gdpr@bonkx.io with subject "GDPR Access Request"
Timeline: Within 1 month (extendable by 2 months for complex requests)
Format: We will provide data in a commonly used electronic format (e.g., PDF, CSV)
12.2 Right to Rectification (Article 16)
You have the right to:
- Correct inaccurate personal data
- Complete incomplete personal data
Examples:
- Update your email address
- Correct misspelled information
- Add missing information
How to Exercise: Contact gdpr@bonkx.io with subject "GDPR Rectification Request"
Timeline: Within 1 month
Notification: We will notify third parties (e.g., Domino.run) of corrections where feasible
12.3 Right to Erasure / "Right to be Forgotten" (Article 17)
You have the right to request deletion of your personal data when:
- It's no longer necessary for the purposes for which it was collected
- You withdraw consent and there's no other legal basis for processing
- You object to processing based on legitimate interests (and there are no overriding legitimate grounds)
- Your data was unlawfully processed
- Erasure is required to comply with a legal obligation
- Data was collected from a child without proper parental consent
Exceptions - We May Refuse Deletion When Data is Needed For:
- Compliance with legal obligations
- Establishment, exercise, or defense of legal claims
- Archiving purposes in the public interest, scientific research, or statistical purposes
- Freedom of expression and information
Important Limitation: We cannot erase blockchain transaction data due to the immutable nature of distributed ledgers. This is a technical limitation inherent to blockchain technology.
How to Exercise: Contact gdpr@bonkx.io with subject "GDPR Erasure Request"
Timeline: Within 1 month
Notification: We will notify third parties of erasure where feasible, but cannot control their independent processing
12.4 Right to Restriction of Processing (Article 18)
You can request we restrict (but not delete) your data when:
- You contest the accuracy of data (during verification period)
- Processing is unlawful but you don't want deletion
- We no longer need the data but you need it for legal claims
- You've objected to processing (pending verification of our legitimate grounds)
What "Restriction" Means: We will store your data but not use it (except with your consent, for legal claims, to protect others' rights, or for public interest).
How to Exercise: Contact gdpr@bonkx.io with subject "GDPR Restriction Request"
Timeline: Within 1 month
Notification: We will inform you before lifting any restriction
12.5 Right to Data Portability (Article 20)
You can request your data in a structured, commonly-used, machine-readable format (e.g., CSV, JSON) when:
- Processing is based on consent or contract
- Processing is carried out by automated means
What You Can Receive:
- Email address
- Quest activity and completion history
- Points earned and current balance
- Waitlist position history
- Timestamps and dates
Format Options: CSV, JSON, XML, or other commonly-used formats
Direct Transfer: You may request we transmit your data directly to another service provider where technically feasible.
How to Exercise: Contact gdpr@bonkx.io with subject "GDPR Portability Request"
Timeline: Within 1 month
Limitation: This right applies only to data you provided to us, not data generated by our systems (e.g., analytics)
12.6 Right to Object (Article 21)
Object to Processing Based on Legitimate Interests:
- You can object at any time to processing based on our legitimate interests
- We must stop unless we demonstrate compelling legitimate grounds that override your interests
- Example: Objecting to use of your data for analytics or fraud prevention
Object to Direct Marketing:
- You can object at any time to use of your data for direct marketing
- We must stop immediately and unconditionally
- This includes profiling related to direct marketing
How to Exercise:
- For marketing: Click "unsubscribe" in emails OR contact privacy@bonkx.io
- For other processing: Contact gdpr@bonkx.io with subject "GDPR Objection"
Timeline: We will stop processing immediately upon receiving objection to direct marketing; within 1 month for other objections
12.7 Right to Withdraw Consent (Article 7(3))
Where processing is based on consent (e.g., waitlist registration, marketing emails, non-essential cookies), you can withdraw consent at any time by:
- Email: Clicking "unsubscribe" in marketing emails
- Waitlist: Contacting privacy@bonkx.io to remove yourself
- Cookies: Adjusting preferences in our cookie banner
- Third-party integrations: Revoking access through platform settings
Important: Withdrawal doesn't affect the lawfulness of processing before withdrawal. We may continue processing on a different legal basis (e.g., legal obligation, legitimate interest).
12.8 Right Not to be Subject to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significant effects.
Current Status: We do not currently engage in automated decision-making or profiling that produces legal or similarly significant effects.
Waitlist Ranking: Our points-based waitlist ranking is not considered automated decision-making under Article 22 because:
- It does not produce legal effects (no contractual obligation)
- It does not significantly affect you (waitlist position is not a guarantee of service)
- You have control over your points through quest participation
- Rankings can be manually reviewed and adjusted
If we implement automated decision-making in the future, we will:
- Notify you in an updated Privacy Policy
- Obtain your explicit consent where required
- Provide information about the logic involved
- Give you the right to contest decisions and request human review
12.9 Right to Lodge a Complaint (Article 77)
You have the right to lodge a complaint with your local data protection supervisory authority if you believe we have violated GDPR or your rights.
Find Your Supervisory Authority:
- EEA Countries: https://edpb.europa.eu/about-edpb/board/members_en
- United Kingdom: Information Commissioner's Office (ICO) - https://ico.org.uk/
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC) - https://www.edoeb.admin.ch/
Preferred Resolution: We encourage you to contact us first at gdpr@bonkx.io so we can address your concerns directly. However, this does not affect your right to lodge a complaint with a supervisory authority.
12.10 How to Exercise Your GDPR Rights
Contact: gdpr@bonkx.io
Subject Line: "GDPR Rights Request - [Access/Erasure/Rectification/etc.]"
Include:
- Your full name
- Email address registered on waitlist
- Specific right(s) you wish to exercise
- Any relevant details or context
- Proof of identity (if required)
Response Timeline: Within 1 month of receiving your request. We may extend by an additional 2 months for complex or numerous requests, in which case we will inform you within the first month.
Free of Charge: Generally free. We may charge a reasonable fee for manifestly unfounded, excessive, or repetitive requests.
Verification: We may request additional information to verify your identity before fulfilling requests, particularly for access, deletion, or portability requests.
Third-Party Data: For data held by Domino.run (quest activity, social media connections), you must exercise your rights directly with them according to their privacy policy.
13. CALIFORNIA PRIVACY RIGHTS (CCPA/CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
13.1 Categories of Personal Information We Collect
Under CCPA, we collect the following categories of personal information:
| Category | Examples | Collected? | Business Purpose |
|---|---|---|---|
| Identifiers | Email address, IP address, device ID | YES | Waitlist management, communication |
| Internet Activity | Browsing history, quest activity, clicks | YES | Website improvement, analytics |
| Geolocation Data | Approximate location from IP | YES | Analytics, fraud prevention |
| Inferences | Preferences, interests derived from activity | Limited | User experience improvement |
Categories We Do NOT Collect:
- Social Security number, driver's license, passport
- Financial information (bank accounts, credit cards)
- Health information
- Biometric data
- Precise geolocation
- Protected classifications (race, religion, sexual orientation, etc.)
13.2 Sources of Personal Information
We collect personal information from:
- Directly from you: Email address when you join waitlist
- Automatically: Browser data, IP address, cookies
- Third-party platforms: Via Domino.run (social media data, blockchain data)
13.3 Business Purposes for Collection
We collect and use personal information for the following business purposes:
- Performing services (waitlist management, quest tracking)
- Detecting and preventing fraud and security incidents
- Debugging and fixing errors
- Internal research and development
- Quality and safety maintenance
- Legal compliance
13.4 Your California Privacy Rights
Right to Know / Access (CCPA § 1798.100, 1798.110): You have the right to request disclosure of:
- Categories of personal information we collected
- Categories of sources from which information was collected
- Business or commercial purpose for collection
- Categories of third parties with whom we share information
- Specific pieces of personal information we collected about you
Right to Delete (CCPA § 1798.105): You have the right to request deletion of your personal information, subject to certain exceptions (legal obligations, fraud prevention, internal uses, etc.).
Right to Correct (CPRA § 1798.106): You have the right to request correction of inaccurate personal information.
Right to Opt-Out of Sale or Sharing (CCPA § 1798.120): Current Status: We do NOT sell your personal information to third parties. We share information with service providers (like Domino.run) for business purposes, which is not considered a "sale" under CCPA.
Right to Limit Use of Sensitive Personal Information (CPRA § 1798.121): Current Status: We do not collect or use "sensitive personal information" as defined by CPRA (e.g., precise geolocation, racial/ethnic origin, health data, biometric data).
Right to Non-Discrimination (CCPA § 1798.125): We will not discriminate against you for exercising your CCPA rights. You will not be:
- Denied goods or services
- Charged different prices or rates
- Provided different levels or quality of service
- Threatened with any of the above
13.5 How to Exercise Your California Rights
Methods:
- Email: privacy@bonkx.io with subject "CCPA Request - [Your Right]"
- Web Form: [If you implement a web form, add link here]
Information to Include:
- Your name and email address
- Description of your request
- Specific right(s) you wish to exercise
- Sufficient information to verify your identity
Verification: To protect your privacy, we will verify your identity by:
- Matching the email address you provide with the email on our waitlist
- Requesting additional verification for sensitive requests (deletion, access to specific information)
Authorized Agents: You may designate an authorized agent to make requests on your behalf. The agent must:
- Provide proof of authorization (signed permission, power of attorney)
- Verify your identity
- Verify their own identity
Response Timeline:
- We will acknowledge receipt within 10 days
- We will respond substantively within 45 days
- We may extend by an additional 45 days for complex requests (we will notify you)
Right to Appeal (CPRA): If we deny your request, you have the right to appeal. We will provide appeal instructions in our response.
13.6 Disclosure of Personal Information
Past 12 Months: We have disclosed the following categories of personal information for business purposes:
- Identifiers (email, IP) → Disclosed to: Domino.run, email service providers, hosting providers
- Internet Activity → Disclosed to: Domino.run, analytics providers
No Sale: We have NOT sold personal information in the past 12 months and do not sell personal information.
No Sharing for Cross-Context Behavioral Advertising: We do not share personal information for cross-context behavioral advertising.
13.7 Retention Periods
See Section 7 for detailed retention periods. Generally:
- Email addresses: Until deletion requested or 24 months of inactivity
- Quest activity: Duration of program + 12 months
- Log data: 12-24 months
13.8 Contact for California Privacy Questions
Email: privacy@bonkx.io
Subject: "California Privacy Rights"
14. CHILDREN'S PRIVACY
14.1 Age Restriction
The Website is not intended for children under the age of 18. We do not knowingly collect personal information from children under 18.
Why Age 18?
- Our future financial products will require users to be 18+
- To comply with financial services regulations
- To ensure users can enter into legally binding agreements
14.2 If We Discover Child Data
If you are a parent or guardian and believe your child under 18 has provided us with personal information:
- Contact us immediately at: privacy@bonkx.io
- Subject line: "Child Privacy - Immediate Attention Required"
- Include: Child's name, email address (if known), and your relationship
Our Response: If we become aware that we have collected personal information from a child under 18 without parental consent, we will:
- Delete the information immediately
- Remove the child from our waitlist
- Block the email address from future registration
- Notify you of the actions taken
14.3 Parental Rights (COPPA - if applicable)
While we do not target children, if a child under 13 (U.S.) or 16 (EEA) has provided information, parents have the right to:
- Review the child's personal information
- Request deletion of the child's personal information
- Refuse further collection or use of the child's information
14.4 Age Verification
We do not actively verify the age of users joining our waitlist, but we:
- State in our Terms and Conditions that users must be 18+
- Rely on users to provide accurate information
- Will investigate if we receive notice that a minor has registered
15. CHANGES TO THIS PRIVACY POLICY
15.1 Right to Modify
We may update this Privacy Policy from time to time to reflect changes in:
- Our data practices
- Technology and security measures
- Legal or regulatory requirements
- Business operations
- User feedback
15.2 Notification of Material Changes
We will notify you of material changes by:
- Updating the "Last Updated" date at the top of this Privacy Policy
- Posting the updated Privacy Policy on the Website with changes highlighted
- Sending an email notification to your waitlist email address (for significant changes)
- Displaying a prominent banner on the Website directing you to review changes
What Constitutes "Material" Changes:
- Changes to how we collect, use, or share your information
- Changes to your privacy rights
- Changes to third-party service providers
- Changes to international data transfers
- Changes to data retention periods
- Addition of new data processing activities
15.3 Non-Material Changes
For minor, non-material changes (typos, clarifications, updated contact information), we will:
- Update the "Last Updated" date
- Post the revised Privacy Policy on the Website
- Not send individual notifications
15.4 Your Acceptance
Continued Use = Acceptance: Your continued use of the Website after the effective date of an updated Privacy Policy constitutes your acceptance of the changes.
If You Disagree: If you do not agree with the updated Privacy Policy:
- Stop using the Website
- Contact us at privacy@bonkx.io to request deletion of your information
- Exercise your rights under Sections 11, 12, or 13 (depending on your location)
15.5 Review Regularly
We encourage you to review this Privacy Policy periodically to stay informed about:
- How we protect your information
- Your privacy rights
- Changes to our data practices
16. CONTACT INFORMATION
16.1 General Privacy Inquiries
For general questions, concerns, or requests regarding this Privacy Policy or our privacy practices:
Email: privacy@bonkx.io
Website: bonkx.io
Mailing Address: BonkX, Inc. [Your US Mailing Address] [City, State, ZIP Code] United States
16.2 GDPR-Specific Inquiries
For GDPR-related inquiries, data subject rights requests, or supervisory authority communications:
Email: gdpr@bonkx.io
Subject Line: "GDPR - [Your Request Type]"
Data Protection Officer: While we are not legally required to appoint a Data Protection Officer, you may direct GDPR inquiries to the email above, and they will be handled by our privacy team.
16.3 California Privacy Rights
For California-specific privacy requests under CCPA/CPRA:
Email: privacy@bonkx.io
Subject Line: "CCPA Request - [Your Right]"
16.4 Security Incidents
To report a security incident or suspected data breach:
Email: security@bonkx.io
Subject Line: "URGENT: Security Incident"
Include:
- Description of the incident
- Date and time it occurred
- Any evidence or details
- Your contact information
16.5 Response Time
We strive to respond to all privacy inquiries within:
- General inquiries: 5-7 business days
- GDPR requests: Within 1 month (extendable to 3 months for complex requests)
- CCPA requests: Within 45 days (extendable to 90 days for complex requests)
- Security incidents: Within 24 hours
17. EU REPRESENTATIVE
17.1 Article 27 GDPR Requirement
As a company established outside the European Union that offers services to EU data subjects, we have appointed an EU Representative pursuant to Article 27 of the GDPR.
17.2 EU Representative Contact Information
Name: Adam-Noaf Grigore
Address: Strada Emanoil Porumbaru 82-84, ap. 3, Sector 1, Bucharest, Romania
Email: gdpr@bonkx.io
17.3 Purpose of EU Representative
Our EU Representative serves as the contact point in the European Union for:
- Data protection supervisory authorities in EU/EEA member states
- Data subjects (users) exercising their GDPR rights
- Questions or complaints regarding our data processing activities
What Our EU Representative Does:
- Receives and forwards communications from supervisory authorities
- Receives and forwards data subject requests and complaints
- Serves as a local point of contact in the EU
What Our EU Representative Does NOT Do:
- Make decisions about data processing on our behalf
- Act as a Data Protection Officer (DPO)
- Provide legal advice
- Handle day-to-day data protection compliance
17.4 When to Contact Our EU Representative
Contact our EU Representative if:
- You are an EU supervisory authority seeking to communicate with us
- You are an EU data subject with a complaint or inquiry about our data processing
- You prefer to communicate with a contact point in the EU
Contact us directly if:
- You want to exercise your GDPR rights (gdpr@bonkx.io)
- You have general privacy questions (privacy@bonkx.io)
- You need immediate assistance
18. SUPERVISORY AUTHORITY
18.1 Right to Complain
If you are located in the EEA, UK, or Switzerland, you have the right to lodge a complaint with your local data protection supervisory authority if you believe we have violated GDPR or your privacy rights.
18.2 Contact Information for Supervisory Authorities
European Economic Area (EEA):
Find your country's supervisory authority: https://edpb.europa.eu/about-edpb/board/members_en
United Kingdom: Information Commissioner's Office (ICO)
Website: https://ico.org.uk/
Phone: 0303 123 1113
Report a concern: https://ico.org.uk/make-a-complaint/
Switzerland: Federal Data Protection and Information Commissioner (FDPIC)
Website: https://www.edoeb.admin.ch/
Email: info@edoeb.admin.ch
18.3 Lead Supervisory Authority
Under GDPR Article 56, our lead supervisory authority (for cross-border processing issues) is:
- To be determined based on our main establishment in the EU (currently, our EU Representative is located in Romania, so the Romanian National Supervisory Authority for Personal Data Processing would be the relevant authority for inquiries directed to our EU Representative)
Romanian Supervisory Authority: Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
Website: https://www.dataprotection.ro/
Email: anspdcp@dataprotection.ro
18.4 We Encourage Direct Contact First
While you have the right to lodge a complaint with a supervisory authority at any time, we encourage you to contact us first at gdpr@bonkx.io so we can address your concerns directly and attempt to resolve the issue.
However, this does not affect your right to lodge a complaint with a supervisory authority.
SUMMARY OF KEY POINTS
This summary provides a quick overview. Please read the full Privacy Policy for complete details.
What information do we collect?
- Email address when you join our waitlist
- Quest activity data via Domino.run (social media interactions, blockchain activity)
- Automatic information (IP address, browser data, cookies)
How do we use your information?
- Manage the waitlist and track your position
- Send you updates and quest notifications
- Improve our Website and services
- Prevent fraud and ensure security
- Comply with legal obligations
Do we share your information?
- No, we do not sell your information
- We share your email with Domino.run to enable quest participation
- We use service providers for hosting, email, and analytics
- Domino.run collects additional data directly from you and third-party platforms
- We disclose data when required by law
How long do we keep your information?
- Email addresses: Until you request deletion or 24 months of inactivity
- Quest activity: Duration of program + 12 months
- Log data: 12-24 months
- See Section 7 for complete retention schedule
What are your rights?
- All users: Access, correction, deletion, opt-out of marketing
- EEA users: Additional GDPR rights (portability, restriction, object, etc.)
- California users: CCPA/CPRA rights (know, delete, correct, opt-out of sale)
- Contact us at privacy@bonkx.io or gdpr@bonkx.io to exercise rights
How do we protect your information?
- Encryption of data in transit and at rest
- Access controls and authentication
- Regular security assessments
- Employee training on data protection
- However, no method is 100% secure
International data transfers?
- Your data may be transferred to the United States
- For EEA users, we use Standard Contractual Clauses and supplementary measures
- See Section 10 for details
Third-party services?
- Domino.run manages quests and collects activity data (separate privacy policy)
- Social media platforms (X, Discord, Telegram) - their privacy policies apply
- Blockchain networks - transactions are public and permanent
- We're not responsible for third-party practices
EU Representative?
- Adam-Noaf Grigore, Romania
- Email: gdpr@bonkx.io
- Contact point for EU supervisory authorities and data subjects
Questions?
- General privacy: privacy@bonkx.io
- GDPR rights: gdpr@bonkx.io
- Security incidents: security@bonkx.io
Last Updated: November 25, 2025
BonkX, Inc. - Delaware Corporation
This Privacy Policy complies with GDPR (EU/EEA), UK GDPR, Swiss FADP, CCPA/CPRA (California), and other applicable privacy laws.
By using the Website, you acknowledge that you have read, understood, and agree to this Privacy Policy.