Privacy Policy - Xtellaris

Privacy Policy

System Update: April 2026

In accordance with GDPR and international data protection standards, Xtellaris informs its users about the processing of personal data on our hybrid auction platform.

1. Data Controller Identity

Entity: Xtellaris LLC
Address: 131 Continental Drive, Suite 305, Newark, DE 19713, USA
County: New Castle
Email: support@xtellaris.com

2. Google API Services User Data

Xtellaris uses Google API Services to facilitate user authentication and account creation. We access, use, and store the following Google user data:

2.1 Data Accessed

We access only the following types of Google user data:
  • Email Address: Your Google account email address
  • First Name: Your first name as registered in your Google account
  • Last Name: Your last name as registered in your Google account

2.2 Data Usage

The Google user data we access is used exclusively for the following purposes:
  • Account Creation: To create and identify your Xtellaris user account
  • User Identification: To uniquely identify you within our platform
  • Communication: To send you auction notifications, account updates, and support communications via email
  • Personalization: To display your name within your account dashboard and profile

2.3 Data Storage

Google user data is stored securely in AWS Cognito, Amazon’s enterprise-grade identity management service. This data is:
  • Stored in encrypted format within AWS Cognito’s secure infrastructure
  • Protected by AWS’s industry-leading security standards and compliance certifications
  • Retained for the duration of your active account plus 5 years for legal compliance purposes
  • Never shared with third parties except as required by law
  • Never used for advertising, marketing to third parties, or any purpose beyond those explicitly stated above

2.4 Data Sharing

We do not share, sell, or transfer your Google user data to any third parties. The only exception is when legally required by government authorities or court orders.

2.5 Your Rights Regarding Google Data

You have the right to:
  • Access the Google data we have stored about you
  • Request correction of inaccurate data
  • Request deletion of your account and associated Google data
  • Revoke Xtellaris’s access to your Google account at any time through your Google Account settings

Limited Scope: Xtellaris only requests and accesses the minimum Google user data necessary to provide our service. We do not access your Google Drive, Gmail content, Calendar, or any other Google services beyond basic profile information (email, first name, last name).

3. Purpose and Processing Strategy

We process your data to facilitate the Lowest Unique Bid Auction (LUBA) model:
  • Real-Time Engine: Bid management and collision detection via our API gateway (Node.js/Go) and Redis storage.
  • Financial Credits: Crediting of XPoints ($1 USD = 1 XPoint) after verifying deposits on the Polygon network.
  • Game Integrity: Implementation of artificial delays in losing bid notifications as an anti-bot measure.
  • Transparency: Periodic publication (every 5 minutes) of Merkle roots on the blockchain to anchor game state.

Cryptographic Privacy: Each bid is protected with a SHA-256 hash and a secret NONCE. This ensures your bid remains private and tamper-proof until the auction closes and data is published on Arweave.

4. Data Retention and Security

Data is managed under a multi-tier architecture:
  • User Identity Management: AWS Cognito securely stores user credentials, profile information (name, email), and authentication tokens with enterprise-grade encryption.
  • Active State: Redis maintains bid counts and unique values during live auctions.
  • Financial Records: PostgreSQL stores XPoints transaction history and auction records for 5 years for legal compliance.
  • Immutable Proofs: Audit logs on Polygon and complete bid lists on Arweave are permanent and cannot be modified.

4.1 AWS Cognito Security

User authentication and identity data managed by AWS Cognito benefits from:
  • Multi-factor authentication (MFA) support
  • Encryption at rest and in transit
  • AWS SOC, ISO, and PCI compliance certifications
  • Regular security audits and updates by Amazon Web Services
  • Geographic redundancy and backup systems

5. Security and Treasury

All revenue and prize funds are secured in a Gnosis Safe multi-sig wallet. The DepositReceiver contract forwards funds directly to the treasury, ensuring no single point of failure affects prize solvency.

6. Your Rights

You may exercise your rights to access, rectification, or deletion by contacting our support team at support@xtellaris.com. Please note that:
  • Account deletion requests will remove your data from AWS Cognito and our systems
  • Blockchain-anchored data on Polygon or Arweave becomes immutable as part of the public audit record and cannot be deleted
  • Financial transaction records may be retained for the legally required period even after account deletion

7. Third-Party Service Providers

Xtellaris uses the following trusted third-party services to operate our platform:
  • AWS Cognito: User identity and authentication management (Amazon Web Services)
  • Google APIs: OAuth authentication for Google Sign-In
  • Polygon Network: Blockchain infrastructure for transparency and verification
  • Arweave: Permanent decentralized storage for auction audit data

Each service provider maintains its own security standards and privacy policies. We only share the minimum necessary data with each provider to deliver our service.

8. Compliance with Google API Services User Data Policy

Xtellaris’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use Google user data only for the purposes explicitly stated in this privacy policy and do not transfer this data to others except as necessary to provide our service or as required by law.

9. XPoints System

XPoints are our internal virtual currency used for participating in auctions:
  • 1 XPoint = $1 USD
  • XPoints are purchased with cryptocurrency (USDC/USDT) or credit card
  • XPoints purchases are non-refundable and represent revenue for Xtellaris
  • XPoints balances are tracked in our database and linked to your AWS Cognito user account
  • XPoints cannot be withdrawn or converted back to fiat currency
  • All XPoints transactions are logged for audit and compliance purposes

10. Contact Information

For questions about this privacy policy or how we handle your data, including Google user data, please contact:

Email: support@xtellaris.com
Address: 131 Continental Drive, Suite 305, Newark, DE 19713, USA

Last Updated: April 2026