
Privacy Policy

Last updated: April 7, 2026

1. Introduction

Gachato (“we”, “us”, or “our”) is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share your information when you use the Gachato Blind Box Draw Platform at gachato.com.

This policy complies with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy laws. If you are located in the EU or California, please see the additional rights sections below.

2. Data We Collect

2.1 Account Information

  • Email address — used for authentication, account recovery, and service communications.
  • Username — your public display name on the Platform.
  • Password — stored as a bcrypt hash (cost 10); we never store your plain-text password.
  • Date of birth — collected at registration for age verification (18+ requirement). Stored as a date field.
  • Avatar URL — optional profile image you choose to upload.
  • Account role — whether your account is a standard user or administrator.

2.2 Transaction and Activity Data

  • Draw history — records of every blind box draw including series, item received, rarity, and timestamp.
  • Wallet transactions — all Credits movements including top-ups, draw deductions, marketplace purchases and sales, and referral bonuses.
  • Marketplace activity — listings created, items sold and purchased, and pricing.
  • Inventory — items held in your vault.
  • Referral relationships — your referral code, who you referred, and commission history.

2.3 Responsible Gaming Data

  • Self-exclusion periods you set.
  • Daily and weekly draw limits you configure.
  • Session timeout preferences.
  • Age verification timestamp and method.

2.4 Technical and Usage Data

  • IP address — logged for rate limiting, fraud prevention, and jurisdiction controls.
  • Browser and device information — collected by our analytics provider (see §4).
  • Session activity — last activity timestamps for session timeout enforcement.
  • RNG seeds — cryptographic seeds associated with each draw for auditability.

2.5 Community Content

  • Posts you submit to the community feed, including captions and images.
  • Likes and interactions on community posts.

3. Cookies and Tracking Technologies

We use the following cookies:

| Cookie Name | Type | Purpose | Duration |
| --- | --- | --- | --- |
| summon_token | Essential | JWT authentication token — keeps you logged in | 7 days |
| csrf_token | Essential | CSRF protection — prevents cross-site request forgery | 7 days |
| summon_theme | Functional | Stores your light/dark mode preference | 1 year |
| referral_code | Functional | Remembers your referral code if accessed via a referral link | 30 days |
| cookie_consent | Essential | Stores your cookie consent preference | 1 year |
| ph_* | Analytics | PostHog analytics cookies — only set with your consent | 1 year |

You can manage your cookie preferences at any time using the cookie consent settings accessible in the site footer. Essential cookies cannot be disabled as they are necessary for the Platform to function.

4. How We Use Your Data

We use your personal data to:

  • Provide the Platform — process draws, manage your wallet, display inventory, and enable marketplace transactions.
  • Authentication and security — verify your identity, prevent fraud, enforce rate limits, and protect against unauthorised access.
  • Age verification — confirm you meet the minimum age requirement of 18 years.
  • Responsible gaming — enforce self-exclusion periods, draw limits, and session timeouts you configure.
  • Referral programme — calculate and award referral commissions.
  • VIP progression — track your total spend to calculate your VIP tier status.
  • Customer support — respond to enquiries and resolve disputes.
  • Legal compliance — retain financial transaction records as required by applicable law, and enforce jurisdiction restrictions.
  • Analytics (with consent) — understand how the Platform is used to improve the service, via PostHog.
  • Communications — send password reset emails and service notices (not marketing without your consent).

5. Legal Bases for Processing (GDPR)

If you are in the European Economic Area, we process your data under the following legal bases:

  • Contract performance — processing necessary to provide the Platform services you have requested.
  • Legitimate interests — fraud prevention, security, and Platform improvement.
  • Legal obligation — retaining transaction records for financial compliance and regulatory reporting.
  • Consent — analytics tracking via PostHog (you may withdraw consent at any time).

6. Data Retention

We retain your data as follows:

  • Account data — retained for the duration of your account. Upon account deletion, personally identifiable fields (email, username, avatar) are anonymised.
  • Financial records — wallet transactions and draw history are retained for a minimum of 7 years to comply with financial reporting obligations. This data is retained even after account deletion.
  • Community posts — deleted upon account deletion.
  • Analytics data — subject to PostHog’s retention policy (typically 12 months for event data).
  • Password reset tokens — expire after 1 hour and are deleted immediately upon use.

7. Data Sharing and Third Parties

We do not sell your personal data. We share data only as follows:

  • PostHog (analytics) — if you consent to analytics cookies, anonymised usage events are sent to PostHog. PostHog may store data on servers in the EU or US. See PostHog’s Privacy Policy.
  • AWS (hosting infrastructure) — the Platform is hosted on AWS infrastructure in Singapore. AWS processes infrastructure-level data. See AWS’s Privacy Notice.
  • Resend (email) — if you use password reset, we use Resend to deliver transactional emails. Your email address is processed by Resend for delivery purposes only.
  • Law enforcement — we may disclose data where required by law, court order, or to protect rights and safety.

We do not share your data with advertisers, data brokers, or marketing platforms.

8. Your Rights

8.1 Rights Under GDPR (EU/EEA Residents)

  • Right of access — request a copy of your personal data.
  • Right to rectification — correct inaccurate data.
  • Right to erasure — request deletion of your personal data (subject to our legal retention obligations). Use Privacy & Data Settings to request account deletion.
  • Right to restriction — restrict how we process your data in certain circumstances.
  • Right to data portability — receive your data in a structured, machine-readable format. Use Export Your Data.
  • Right to object — object to processing based on legitimate interests.
  • Right to withdraw consent — withdraw analytics consent at any time via the cookie banner.

8.2 Rights Under CCPA (California Residents)

California residents have the right to:

  • Know what personal information is collected, used, shared, or sold.
  • Delete personal information (subject to certain exceptions for financial records).
  • Opt out of the sale of personal information. We do not sell personal information.
  • Non-discrimination for exercising CCPA rights.

To exercise your CCPA rights, contact us at the email below.

9. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

  • HTTPS encryption for all data in transit.
  • Bcrypt password hashing (cost 10).
  • HttpOnly, Secure, SameSite=Strict authentication cookies.
  • CSRF token protection on all mutation endpoints.
  • Rate limiting to prevent brute-force attacks.
  • Immutable audit logs of all financial transactions.
  • Token epoch invalidation for immediate session revocation.

Despite our best efforts, no security measure is 100% effective. If you discover a security vulnerability, please report it responsibly to our security contact.

10. Children’s Privacy

The Platform is not intended for anyone under the age of 18. We do not knowingly collect personal data from minors. If we become aware that a minor has registered, we will promptly delete their account and associated data. If you believe a minor has registered, please contact us immediately.

11. International Transfers

The Platform is hosted in Singapore. If you access the Platform from the EU or other regions with data transfer restrictions, please note that your data may be transferred to and processed in Singapore and other countries where our service providers operate. We ensure appropriate safeguards are in place for such transfers in accordance with applicable law.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the “Last updated” date at the top of this page. Your continued use of the Platform after changes are posted constitutes acceptance of the updated policy.

13. Contact and Complaints

For privacy-related questions, data subject requests, or to report a concern:

Gachato Privacy Team
Email: privacy@gachato.com
Website: gachato.com

If you are in the EU and believe your rights have not been adequately addressed, you have the right to lodge a complaint with your local supervisory authority.
