Privacy Policy

Effective date: 2026-04-24

This Privacy Policy describes how Galaxy 71 (the "Service", available at https://galaxy71.com) collects, uses, and protects your personal data. The Service is operated by the teams galaxy71.com (the "Operator", "we", "us").

By using the Service, you confirm that you have read this Policy.

1. Who we are

Service Operator: galaxy71.com.

Privacy contact: hello@galaxy71.com

2. What data we collect

2.1 Account data

• Email address — required for registration and verification.
• Nickname — chosen by you; publicly visible on your Stars.
• Password — stored as a bcrypt hash, never in plaintext.
• Account balance — internal balance in USD.
• Language preference — your selected interface language.
• Email verification status, admin flag, block flag.

2.2 Activity data

• Clicks — chunks you have purchased (chunk_hex, timestamp, amount paid).
• Sessions — session identifier (cookie), IP address, user-agent string, timestamps.
• Event log — system audit records (login, deposit, click, error). Email addresses in event metadata are stored as sha256 hashes for compatibility with the right to deletion.

2.3 Communications data

• Incoming emails received at hello@galaxy71.com (subject, body, sender, attachments).
• Outgoing emails sent to you (registration confirmation, password reset, broadcast notifications).

2.4 Payment data

• Payment processor transaction ID, network used, amount in USD, blockchain transaction hash.
• We do not collect, store, or have access to your card numbers, banking details, or wallet private keys.
• Where source-of-funds checks are required, KYC/AML is performed by the payment processor — we receive only the link to the transaction.

2.5 Data we do NOT collect

• Real names, addresses, phone numbers, identity documents (unless voluntarily provided in support correspondence).
• Browser fingerprints, behavioural profiles, advertising identifiers.
• Geolocation more precise than the country level inferred from the IP address.

3. How we use your data

We use your data only for purposes necessary to operate the Service:

• Service operation (account, balance, clicks, history);
• Email verification, security, fraud prevention;
• Transactional emails (registration confirmation, password reset, payment notifications);
• Broadcast notifications (Service news; opt-out available);
• Compliance with applicable tax and AML obligations;
• Defence of our rights in legal disputes.

4. Cookies

We use only essential cookies; no tracking or advertising cookies:

• sid — session identifier (HttpOnly, SameSite=Lax, max-age 1 year).
• lang — selected interface language (max-age 1 year).
• csrf_token — anti-forgery token (bound to the session).

You may disable cookies in your browser, but the Service requires sid to function (anonymous browsing of the authenticated area is not possible).

5. Sharing data with third parties

We share the minimum data necessary with the following categories of processors:

• Cryptocurrency payment processor — receives the transaction amount, our wallet, and the IPN callback URL. Does not receive your email or nickname.
• Transactional email provider — receives your email address, subject, and message body.
• BTC/USD price source — does not receive user data; we make anonymous API requests.

The specific contractors providing the listed services may change without separate notice. We do not sell your personal data to anyone, in any form, ever.

6. Data retention periods

We retain data for a reasonable period necessary to provide the Service and to fulfil our obligations to payment partners and applicable regulators. Payment records may be retained longer due to tax and AML obligations. The exact period for a specific category of data is provided on request.

On a request to delete an account, active data is removed within a reasonable time, except for information we are required to retain by law (payment records, AML logs).

7. Your rights

You may:

• request a copy of your data;
• correct inaccurate data;
• request deletion of your account;
• opt out of broadcast notifications at any time.

Send requests to hello@galaxy71.com from the email address of your account. We aim to respond within a reasonable time. Before processing your request, we may ask you to verify your identity to prevent unauthorised access.

8. Data security

We apply industry-standard technical and organisational measures:

• Passwords: bcrypt hashing (cost factor 12), never stored in plaintext.
• Sessions: cryptographically strong 256-bit identifiers, rotated on login and password change.
• Verification tokens: stored as sha256 hashes; the plaintext exists only in the email link.
• Transport: HTTPS/TLS encryption for all connections.
• CSRF protection: all state-changing endpoints require an anti-forgery token.
• Rate limiting: 5/min on authentication endpoints, 60/min globally.
• HMAC-SHA256 signatures on Star codes to prevent forgery.
• Audit log: sensitive actions are logged with automatic PII scrubbing.
• Regular security review: internal audits and dependency updates.

No system can be 100% secure. In the event of a data breach, we will notify affected users within a reasonable time.

9. International data transfers

Our infrastructure may be located in multiple jurisdictions, including for mirroring and backup purposes. By using the Service, you agree that your data may be transferred to and processed in those jurisdictions.

10. Changes to this Policy

We may update this Policy from time to time. Material changes will be announced on the website and, where reasonable, by email. The "Effective date" field at the top reflects the most recent revision.

11. Contact

Privacy questions, data requests: hello@galaxy71.com

---

© 2026 galaxy71.com. Not legal advice.