Privacy Policy

Last updated: 6 March 2026 — changes: removed placeholder Umami analytics section (not deployed); added Privy auth cookie disclosure; added on-chain data disclosure; added account data section.

This policy is written in plain language. See also our Terms of Service.

1. Who we are

Controller: Anthony Eckert, operating as MoreRight (moreright.xyz).

Contact: [email protected]

2. What we collect

If you just browse the site

No tracking cookies. No analytics. No ads. No fingerprinting.
No personal data. We don't know who you are.
localStorage — used for first-visit notice state, scoring tool state, inventory data. Never sent to our server.
Standard server logs — IP address, page requested, timestamp, browser string. Processed by Azure (our host). Not combined with any other data, not shared, auto-deleted per Azure's retention policy.

If you sign in (Privy auth)

We use Privy for wallet authentication. When you sign in, Privy sets one HttpOnly session cookie on moreright.xyz. This is a functional auth cookie — not a tracking cookie.

The cookie is HttpOnly — JavaScript cannot read it
It contains a session token only — no personal data
It is cleared when you sign out (privy.logout()) or when your session expires
Privy processes authentication server-side. See Privy's privacy policy.

This cookie is strictly necessary for the login feature to function. No consent is required under GDPR ePrivacy Art. 5(3) for strictly necessary cookies.

If you create an account

When you sign in and use the platform, we store in our database (MongoDB on Azure):

Your Solana wallet address (used as your account identifier)
Your MegaETH wallet address, if you register one for $ATH rewards
Platform scores you submit (ICC-accepted scores become part of the public dataset)
Credit balance and transaction history
Game session data (Pe scores, campaign progress)

On-chain data — permanent public record

Some interactions write permanent data to the MegaETH blockchain. Blockchain data cannot be deleted. This includes:

WishWell wishes — your wish text and Luna's response are written as permanent on-chain calldata. Anyone can read them. Forever.
$ATH transactions — all token transfers, burns, and staking events are public on MegaETH
Binder Card mints — NFT metadata and wallet address are public

Do not submit wishes or other on-chain interactions containing personal data you would not want permanently public. We cannot remove it.

If you submit data voluntarily

Some tools let you submit assessments, scores, or survey responses to contribute to the research. When you do:

Submissions are public and available via our data export API
Raw text you paste into tools (Vocabulary Scorer, etc.) is not stored on our server
Wallet addresses for operator accounts are partially masked in public views
No account, email, or login required for any public tool

3. Legal basis (GDPR Article 6)

Browsing	Legitimate interest — basic server operation
localStorage	Strictly necessary for tool functionality (ePrivacy Art. 5(3) exemption)
Privy auth cookie	Strictly necessary for login functionality (ePrivacy Art. 5(3) exemption)
Account data (MongoDB)	Contract performance — necessary to provide the service you signed up for
On-chain data	Your explicit action (you initiated the transaction)
Research submissions	Your consent (you click submit)

4. Data sharing

We do not sell, rent, or trade any data.

Third parties with incidental access:

Cloudflare	DNS and CDN proxy. Processes requests in transit. Their privacy policy.
Microsoft Azure	Server hosting. Standard server logs. Their privacy policy.

No data goes to Google, Meta, advertising networks, data brokers, or any analytics provider. We have no analytics system.

5. International transfers

Our server is hosted on Microsoft Azure (US region). If you access the site from the EU, your request passes through Cloudflare's CDN (which has EU nodes) and reaches our server. Server logs containing IP addresses are processed by Azure under their GDPR Data Processing Agreement. Account data is stored in MongoDB on Azure. We have no analytics system — no data is sent to analytics providers. On-chain data is written to MegaETH, a public blockchain.

6. Data retention

Server logs	Azure default retention (typically 30–90 days)
Privy auth cookie	Duration of session or until logout. Cleared by `privy.logout()`.
Account data (MongoDB)	Retained while your account is active. Contact us to request deletion.
localStorage	Until you clear it. Your browser, your data.
Research submissions	Retained indefinitely as part of the public research dataset. Contact us to request removal.
On-chain data	Permanent. Blockchain data cannot be deleted by anyone.

7. Your rights

Under GDPR (EU), UK GDPR, CCPA (California), and similar laws, you have the right to:

Access — ask what data we hold about you
Rectification — correct inaccurate data
Erasure — request deletion of your data
Restrict processing — limit how we use your data
Data portability — receive your data in a structured format
Object — object to processing based on legitimate interest
Withdraw consent — clear localStorage in your browser to reset stored preferences. Sign out to clear the Privy auth cookie. On-chain data cannot be withdrawn by anyone.

To exercise any right: [email protected]. We will respond within 30 days.

CCPA note: We do not sell personal information. We do not use personal information for targeted advertising. California residents have additional rights under CCPA/CPRA — the same email address handles those requests.

8. Children

This site is a research project. We do not knowingly collect personal data from anyone under 16. If you are a parent and believe your child has submitted data, contact us and we will delete it.

9. Complaint

If you believe we are mishandling your data, you have the right to lodge a complaint with your local data protection authority. In the EU, find yours at edpb.europa.eu.

10. Changes

If this policy changes, the date at the top updates and a note appears here describing what changed. No silent edits.