PRIVACY POLICY
Metawell Sports Limited is committed to protecting your personal data and processing it lawfully, fairly, and transparently. This Policy explains exactly what we collect, why, the legal basis for each purpose, who we share it with, how long we retain it, and your rights.
1. Data Controller
| Data Controller | Metawell Sports Limited |
| Registration / Licence | 01010965 / 07010938 (RAK Innovation City, UAE) |
| Data Protection Officer | Murlidhar Abhimanyu Tripathi — Director / CEO |
| DPO Email | md@metawellsports.com |
| Support Email | md@metawellsports.com |
| Legal Frameworks | UAE Federal Decree-Law No. 45/2021 (PDPL) · India DPDP Act 2023 · GDPR · CCPA/CPRA |
| Registered Office | Office A, RAK Innovation City Business Centre, Al Rifaa, Sheikh Mohammed Bin Zayed Road, Ras Al Khaimah, UAE, P.O. Box 30099 |
2. Data We Collect
Data You Provide
- Account Data: Username, email address, hashed password, date of birth (18+ verification only)
- Profile Data: Display name, optional profile picture (at your discretion)
- Support Data: Messages, screenshots, and files submitted to our support team
- KYC Data: Government-issued ID where mandated by AML law — processed securely, retained only for mandatory legal periods
Data Collected Automatically
- Gameplay Data: Match history, scores, session logs, performance stats, tournament records
- Device Data: Device type, OS version, app version, anonymised device identifier
- Technical Data: IP address (truncated to /24), country-level geolocation only, browser type
- Analytics: Crash reports, error logs, app performance data — anonymised and aggregated
Blockchain / Web3 Data
When you connect an external Web3 wallet, we collect your public wallet address only. We never collect, store, or request your private key or seed phrase. All CPL Token and NFT transactions are permanently recorded on the opBNB public blockchain — publicly visible by design and technically immutable. We cannot delete or modify any on-chain records.
3. How We Use Your Data
| Purpose | Legal Basis | Data Used | Retention |
|---|---|---|---|
| Account creation and authentication | Contractual necessity | Account, Profile | Account lifetime + 5 years |
| Gameplay and marketplace services | Contractual necessity | Gameplay, Account | Account lifetime |
| In-game transactions and rewards | Contractual necessity | Gameplay, Wallet | 7 years (UAE AML) |
| Customer and technical support | Legitimate interest | Support, Account | 3 years from close |
| Anti-cheat and fair play | Legitimate interest | Gameplay, Device | Account lifetime |
| AML/CFT compliance and KYC | Legal obligation | KYC, Account | Minimum 5 years |
| Sanctions screening | Legal obligation | Account, KYC | Minimum 5 years |
| Platform security and fraud prevention | Legitimate interest | Technical, Device | 2 years |
| Analytics and improvement | Legitimate interest (anonymised) | Performance data | 2 years anonymised |
| Marketing communications | Explicit consent (opt-in only) | Account, Profile | Until consent withdrawn |
| Legal compliance and regulatory reporting | Legal obligation | All relevant categories | As mandated by law |
4. Data Sharing
We do not sell, rent, or trade your personal data. Sharing occurs only in these controlled circumstances:
- Service Providers: Cloud infrastructure, analytics (Firebase), KYC/AML providers — all under formal Data Processing Agreements
- UAE FIU: Suspicious Transaction Reports via goAML platform when legally required under UAE AML Law
- Sanctions Screening: Automated screening against UAE/UN/OFAC/EU lists
- Legal Authorities: When required by valid law, court order, or governmental direction
- Business Transfers: In connection with merger or acquisition, with user notification and equivalent data protection commitments
5. Data Breach Notification
Upon becoming aware of any personal data breach, the Company will: (a) activate its Incident Response Plan without undue delay; (b) contain the breach and prevent further unauthorised access; (c) assess the risk to affected Data Subjects; and (d) document all facts and remedial actions in accordance with applicable law.
Where a breach is likely to result in risk to Users' rights and freedoms, the Company will notify the competent supervisory authority within 72 hours of becoming aware, in accordance with GDPR Article 33 and applicable UAE PDPL requirements. Where the breach is likely to result in high risk to Users, we will notify affected Users directly without undue delay, describing: the nature of the breach; categories of data affected; DPO contact details; likely consequences; and recommended protective actions.
6. Security Measures
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for sensitive data at rest
- Role-based access controls enforcing minimum necessary privilege
- Regular security audits, vulnerability assessments, and penetration testing
- Data stored in UAE-resident or equivalent-safeguard cloud infrastructure
- We never store, request, or access wallet private keys or seed phrases — ever
7. Your Privacy Rights
Under UAE PDPL, India DPDP Act 2023, GDPR (EU/EEA users), and CCPA/CPRA (California users), you have the right to: Access all personal data we hold; Rectification of inaccurate data; Erasure subject to legal retention and blockchain immutability; Portability in machine-readable format; Object to legitimate interest processing; Restrict processing; Withdraw Consent for consent-based processing; and Non-Discrimination for exercising your rights (CCPA).
Exercise any right by contacting md@metawellsports.com or DPO at md@metawellsports.com. We respond within 30 days as required by applicable law.
8. Children's Privacy — 18+ Platform
CPL Games is strictly for users aged 18 and over (or the age of majority in your jurisdiction if higher). We do not knowingly collect or process data from any person under 18. COPPA (USA): not directed to children under 13. GDPR (EU): no processing of data from persons under 16 without verifiable parental consent. India DPDP Act: a 'child' is defined as under 18. If you believe a minor has registered, contact md@metawellsports.com immediately — the account will be terminated and all data deleted.
9. Cookies & International Transfers
Cookies: cplgames.io uses only essential cookies for session management, authentication, CSRF protection, and anonymised performance monitoring. No advertising cookies, cross-site tracking, or third-party ad pixels.
International Transfers: Data may be processed where our service providers operate. All international transfers are protected by Standard Contractual Clauses (SCCs), adequacy decisions, or equivalent mechanisms consistent with UAE PDPL, India DPDP Act, and GDPR.
10. Account Deletion
To delete your account: (1) Open the App → Settings → Delete Account → Confirm; or (2) Email md@metawellsports.com with subject "Account Deletion Request" including your registered email. Deletion requests are processed within 7 business days. Some data may be retained for legal or fraud prevention purposes for up to 30 days, and longer where legally mandated. On-chain records are immutable and cannot be deleted.
Privacy enquiries: md@metawellsports.com · Support: md@metawellsports.com
Request Account Deletion
Fill in your details below and we'll send a deletion request to our team. Your account will be removed within 7 business days. Some data may be retained as required by law.