Privacy Policy.

1. Introduction

Welcome to Seek, a daily word-puzzle mobile game developed by Taral ("we", "us", or "our"). This Privacy Policy explains how we collect, use, and protect information when you use the Seek mobile application and our associated backend services hosted at https://taral.io (collectively, the "Service").

By using the Service you agree to the practices described in this policy. If you do not agree, please discontinue use of the Service.

2. Information We Collect

2.1 Blockchain / Wallet Data

Seek is a wallet-connected experience. When you choose to connect a Solana wallet, we process:

1. Your public wallet address (a string of alphanumeric characters identifying your on-chain account).
2. Transaction signatures submitted to our backend for NFT minting and upgrade operations.

We never request, store, or have access to your private keys, seed phrases, or any credentials that could control your wallet.

2.2 Gameplay Data and Analytics

Local gameplay state (current puzzle, guess history, streak, tutorial status, sound preference) is stored exclusively on your device using React Native AsyncStorage and is not transmitted to our servers.

However, we do collect anonymous gameplay events via PostHog (see §5). These events include: game started, game won or lost (including the word played and number of guesses), screen navigation (landing vs. game), NFT upgrade actions, and daily limit events. Events are tied to an anonymous session identifier — not your name, email, or wallet address — and are used solely for product improvement.

2.3 Server-Side Request Data

When you call our serverless API endpoints (e.g., to mint an NFT), our hosting provider (Vercel) and rate-limiting infrastructure (Upstash Redis) may temporarily store:

1. Your public wallet address, to enforce rate limits and prevent duplicate mints. Rate limit keys are retained for 30 seconds.
2. Payment transaction signatures, retained for up to 7 days to ensure idempotency and prevent double-processing.
3. Standard server log data (IP address, timestamp, HTTP method, response code) retained by Vercel per their own data-retention policies.

2.4 Data We Do NOT Collect

We do not collect:

1. Names, email addresses, or any personally identifiable information (PII).
2. Location data.
3. Advertising IDs or any identifier used for ad targeting.
4. Biometric data.
5. Any data for advertising or marketing to third parties.

PostHog, our analytics provider, uses an anonymous session identifier to group events from the same session. This identifier is not linked to your name, email, wallet address, or device advertising ID.

3. How We Use Information

We use the limited data described above solely to:

1. Provide the Service (mint and manage NFT achievements on your behalf).
2. Enforce rate limits to protect the integrity of the daily mint system.
3. Prevent duplicate or fraudulent transactions.
4. Debug and fix technical issues.
5. Understand how the app is used (via anonymous PostHog analytics) in order to improve the product.

We do not use your data for advertising, profiling, or any purpose unrelated to operating and improving the Service.

4. Blockchain Transparency

Solana is a public blockchain. Any NFTs minted through Seek are recorded permanently and publicly on-chain. This includes your wallet address, transaction details, and NFT metadata. This is an inherent feature of blockchain technology and is not within our ability to reverse or delete. Please be aware that:

1. Your wallet address is visible to anyone who inspects the Solana blockchain.
2. NFT ownership history is permanently public.
3. We cannot delete on-chain records.

5. Data Sharing and Third Parties

We share your data only with service providers strictly necessary to operate the Service:

• PostHog Product analytics. We send anonymous gameplay events (game outcomes, screen navigation, upgrade actions) to PostHog to understand how the app is used and improve it. Events are linked to an anonymous session identifier only — no name, email, wallet address, or advertising ID is included. PostHog is configured in EU-hosted mode. Privacy Policy →
• Vercel Serverless hosting and edge functions. Privacy Policy →
• Upstash Serverless Redis for rate limiting and idempotency. Rate limit data is ephemeral (TTL 30 seconds); payment idempotency keys expire after 7 days. Redis eviction is disabled to ensure idempotency keys are never prematurely deleted. Privacy Policy →
• Helius Solana RPC and DAS indexing provider. Only public blockchain queries are made. Privacy Policy →
• Pinata IPFS pinning and dedicated gateway for NFT imagery storage. NFT card images are served via our dedicated Pinata gateway. Privacy Policy →
• Expo (Notifications) If you grant notification permissions, your device's push token is registered with Expo's push notification service to deliver daily puzzle reminders. Expo does not receive any gameplay or wallet data. Privacy Policy →
• Metaplex / Solana Foundation On-chain program execution (public blockchain).

We do not sell, rent, or trade your information to any third party.

6. Data Retention

Rate limit keys in Upstash Redis expire automatically after 30 seconds. Payment signature idempotency keys expire after 7 days. No other personal data is retained by our servers. Server access logs held by Vercel are subject to Vercel's own retention policies (typically 30 days).

7. Children's Privacy

Seek is intended for users aged 18 and over. Because the Service involves real cryptocurrency transactions, we do not permit use by anyone under 18. We do not knowingly collect personal data from minors. If you believe a minor has used the Service or provided us with personal information, please contact us at taral.io@proton.me and we will take steps to address it.

8. Security

We implement industry-standard security measures including:

• HTTPS for all API communications
• Environment-variable storage for sensitive credentials (never hardcoded)
• Upstash Redis eviction disabled — idempotency keys cannot be silently purged
• Minimal data collection by design

However, no system is perfectly secure. We cannot guarantee absolute security of information transmitted over the internet.

9. Your Rights

Because we collect minimal off-chain data, most data subject rights are straightforward to exercise:

1. Access / Portability — Your gameplay data is already stored locally on your device. Server-side data (rate limit TTLs) is ephemeral.
2. Deletion — Rate limit and idempotency keys auto-expire. On-chain NFT records cannot be deleted (blockchain immutability).
3. Correction — Contact us if you believe incorrect data is being processed.

Indian users may exercise rights under the Digital Personal Data Protection Act, 2023 (DPDP Act) by contacting us at taral.io@proton.me.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the Effective Date at the top of this document and, where appropriate, notify users through the app or website. Continued use of the Service after changes constitutes acceptance of the updated policy.

Please also review our Terms of Service.

11. Contact Us