Privacy Policy
Effective Date: 30 May 2026 · Version 2.0 · GDPR/CCPA-aligned
This Privacy Policy describes how RewardPX ("we", "us", "our", the "Platform") collects, uses, stores, and discloses personal information when you visit rewardpx.com or use any of our services. We act as the data controller of the personal data described in this Policy. Please read it carefully. If you do not agree, do not use the Platform.
1. Who We Are (Data Controller)
The data controller responsible for your personal data is the operator of RewardPX. You can contact the controller and our Data Protection contact at:
- Privacy email: privacy@rewardpx.com
- In-platform support: rewardpx.com → Support
2. Personal Data We Collect
2.1 Information you provide directly
- Account data: email address, username, hashed password, optional 2FA secret, country, language preference, referral code used (if any).
- Profile data: avatar, display name, timezone, notification preferences.
- Withdrawal data: cryptocurrency wallet addresses, gift-card recipient information, payment method preferences.
- Task submissions: screenshots, links, text, video, or other proof you upload for manual review.
- Communications: support tickets, chat messages, feedback you send us.
- Identity verification: when required for high-value withdrawals — government ID, selfie, proof of address. Collected only when necessary and retained only for the period required by applicable law (typically 5 years for AML compliance).
2.2 Information collected automatically
- Technical data: IP address, country, city, ISP (derived from IP), user-agent string, referrer URL, request timestamps.
- Device fingerprint: Canvas, WebGL, audio, screen size, hardware concurrency, installed fonts — used solely for fraud detection (to identify multi-account abuse).
- VPN/proxy signals: whether your IP appears to be a VPN, proxy, Tor exit, or datacenter — derived via ip-api.com.
- Behavioral data: tasks completed, withdrawal history, spin history, login history, page views.
- Cookies and local storage: session token, CSRF token, language preference. See our Cookie Policy.
2.3 Information from third parties
- Offerwall postbacks: when you complete an offer, the Offerwall provider sends us a notification containing a transaction ID, offer name, reward amount, and your sub-ID (the encoded reference to your account).
- Fraud-prevention partners: some Offerwalls share fraud signals (Suspended Player alerts) about specific users, which we use to investigate accounts.
- Captcha providers: Cloudflare Turnstile / hCaptcha share a verification result with us — they may collect additional behavioral signals under their own privacy policies.
3. Purposes and Legal Bases for Processing
We process your personal data on the following bases under GDPR Article 6(1):
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Provide the Service (account, balance, withdrawals) | Account, withdrawal, behavioral data | Contract (Art. 6(1)(b)) |
| Fraud prevention & multi-account detection | IP, fingerprint, behavioral patterns, login history | Legitimate interest (Art. 6(1)(f)) |
| Identity verification for withdrawals (KYC) | ID document, selfie, proof of address | Legal obligation (Art. 6(1)(c)) — AML |
| Transactional emails (login alerts, withdrawal status) | Email, username | Contract (Art. 6(1)(b)) |
| Marketing emails (newsletters, offers) | Email, country, language | Consent (Art. 6(1)(a)) — opt-in |
| Security & rate limiting | IP, request metadata | Legitimate interest (Art. 6(1)(f)) |
| Platform analytics & improvement | Aggregated behavioral data | Legitimate interest (Art. 6(1)(f)) |
| Tax & legal compliance | Withdrawal records, KYC data | Legal obligation (Art. 6(1)(c)) |
4. Automated Decision-Making
We use automated systems for the following decisions that may significantly affect you:
- Automated fraud scoring — IP-based, fingerprint-based, and AI-assisted (Google Gemini) analysis of your activity. A high fraud score may result in temporary account suspension pending manual review.
- Automated withdrawal pre-approval — small withdrawals (under a configurable USD threshold) may be auto-approved by our risk engine without manual review.
Where an automated decision produces a legal or similarly significant effect (e.g. account ban), you have the right to (a) obtain human review, (b) express your point of view, and (c) contest the decision. Open a support ticket to invoke these rights.
5. Who We Share Data With
We do not sell your personal data. We share data only with:
5.1 Service providers (processors)
| Provider | Purpose | Data Shared |
|---|---|---|
| Railway | Application hosting | All operational data |
| Cloudflare | CDN, DDoS protection | Request metadata, IP |
| Resend | Transactional email delivery | Email address, message content |
| Google Gemini | AI fraud analysis | Anonymized behavioral summaries |
| Cloudflare Turnstile / hCaptcha | Bot protection on forms | Browser environment, IP |
| ip-api.com | Geo/VPN detection | IP address |
5.2 Offerwall & ad partners
When you click into an Offerwall, you are redirected to a third-party provider that operates under its own terms and privacy policy. We share your sub-ID (an encoded user identifier — not your email or name) so that completion postbacks can be matched to your account. Offerwall providers may also receive your IP and device fingerprint from your browser independently of us.
5.3 Legal & safety
We may disclose data to law enforcement, regulators, or other authorized parties when:
- Compelled by valid legal process (subpoena, court order)
- Necessary to investigate fraud, theft, or other illegal activity
- Necessary to enforce our Terms or protect the rights, property, or safety of users or the public
- Required by anti-money-laundering, counter-terrorism, or sanctions regulations
5.4 Business transfers
If we are acquired, merged, or undergo a corporate restructuring, your data may be transferred to the new entity, which will be bound by terms no less protective than this Policy. We will notify you in advance via email.
6. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the European Union, United States, and Türkiye, where our processors operate. We rely on the following safeguards for transfers from the EEA/UK:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable (e.g. UK, Switzerland)
- EU-US Data Privacy Framework for transfers to certified U.S. processors
You can request a copy of the safeguards in place by contacting privacy@rewardpx.com.
7. Data Retention
| Category | Retention Period |
|---|---|
| Active account data | Lifetime of the account |
| Inactive accounts (no login) | Up to 12 months, then anonymized or deleted |
| Withdrawal records | 5 years (AML/tax obligation) |
| KYC documents | 5 years after last withdrawal (AML) |
| Login logs & IP history | 12 months (fraud prevention) |
| Support tickets & chat | 2 years |
| Marketing email subscriptions | Until you unsubscribe |
| Audit logs (admin actions) | 3 years |
| Banned accounts (fraud record) | Indefinite (to prevent re-registration) |
After the retention period expires, data is either permanently deleted or anonymized so that it can no longer be linked to you.
8. Your Rights
Subject to applicable law, you have the following rights regarding your personal data:
- Right to access: request a copy of your personal data. Available self-service via Settings → Activity → "Download My Data".
- Right to rectification: correct inaccurate or incomplete data. Most fields are self-editable in Settings.
- Right to erasure ("right to be forgotten"): request deletion of your data. Available via Settings → Security → "Delete Account". Subject to retention obligations described in Section 7.
- Right to restriction: ask us to limit processing of your data in specific circumstances.
- Right to data portability: receive your data in a structured, machine-readable format (JSON).
- Right to object: object to processing based on legitimate interests, including profiling for fraud purposes.
- Right to withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
- Right not to be subject to solely automated decisions: request human review of significant automated decisions (Section 4).
- Right to lodge a complaint: with your local data protection authority (DPA). For Türkiye, this is the KVKK (kvkk.gov.tr). For the EU, find your DPA at edpb.europa.eu.
To exercise these rights, contact privacy@rewardpx.com. We will respond within 30 days. For identity verification, we may ask you to confirm details only an account holder would know.
8.1 California residents (CCPA/CPRA)
California residents have additional rights under the CCPA/CPRA, including the right to know what categories of personal information we collect, the right to opt out of "sale" (we do not sell), and the right to non-discrimination for exercising these rights. Submit a verifiable consumer request via privacy@rewardpx.com.
9. Data Security
We implement industry-standard technical and organizational measures, including:
- Password hashing with bcrypt (12 rounds)
- HTTPS/TLS encryption in transit
- Encrypted database storage at rest
- Multi-factor authentication (TOTP) available to all users
- CSRF tokens, rate limiting, brute-force protection
- HMAC signature verification on all webhook/postback endpoints
- Sensitive fields (SMTP passwords, API keys) masked in admin interfaces
- Strict Content Security Policy (CSP)
- Audit logging of all administrator actions
- Role-based access control with per-page permissions for staff
- Regular vulnerability audits (most recent: 3 rounds completed prior to 2026-05-30)
Despite these safeguards, no system is 100% secure. If we become aware of a breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours where required by law.
10. Children's Privacy
The Platform is not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@rewardpx.com and we will delete it promptly.
11. Cookies and Tracking
We use only essential cookies (session, CSRF) and a localStorage preference for language. See our detailed Cookie Policy. We do not use third-party advertising or cross-site tracking cookies on the main Platform. Offerwall iframes and ad-network embeds may set their own cookies under their own privacy policies — review them before interacting.
12. Marketing Communications
Transactional emails (security alerts, withdrawal confirmations, ticket replies) are part of the Service and cannot be opted out of while the account is active. Marketing emails (announcements, promotions) require opt-in and can be unsubscribed via the link in every marketing message or via Settings → Notifications.
13. Do Not Track
The Platform does not respond to Do Not Track (DNT) browser signals because no consistent industry standard exists. However, we do not engage in cross-site behavioral advertising regardless of your DNT setting.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified via an in-platform banner and/or email at least seven (7) days before they take effect. The "Effective Date" at the top reflects the current version. We encourage you to review this Policy periodically.
15. Contact & Complaints
Data Protection contact: privacy@rewardpx.com
General support: rewardpx.com → Support
Lodge a complaint: Türkiye KVKK at kvkk.gov.tr, or your local data protection authority.