privacy policy
last updated: May 5, 2026
This Privacy Policy describes how Sloppywood (“we”, “us”) collects, uses, and shares your information when you use the Sloppywood website at sloppywood.com and related services. Read it alongside our Terms of Service.
1. the on-chain caveat — read first
The rest of this policy describes the off-chain data we collect and what we do with it.
2. information we collect
2.1 information you provide directly
- Profile data: optional username, display name, bio, social media handles, avatar URL, and personal website. Stored when you save changes via /profile/edit. Public to anyone who looks up your wallet address.
- Email address: optional, used for verification and (with your permission) future notifications. Stored in our database as a hashed verification token plus the email itself. Email is private — never displayed publicly, never visible to other users.
- Communications: if you contact us via email or a contact form, we keep records of the conversation.
2.2 information collected automatically
- Server logs: when you visit the website, our servers log standard web request data including IP address, user agent string, request path, response status, and timestamp. Used for security, anti-abuse, and operational diagnostics.
- Wallet address: read from your connected wallet via standard Web3 protocols. Stored in session state and used to query on-chain ownership of tickets, SLOP-N holdings, and theater authorship.
- Subgraph queries: requests for on-chain data (e.g., which theaters you hold tickets for) are routed through The Graph protocol. Standard query telemetry may be logged by The Graph; refer to their privacy practices.
2.3 information we do NOT collect
- Private keys or seed phrases: never. We cannot help you recover them.
- Real-name identity, KYC, or government ID: we don't collect these. We don't verify your identity.
- Payment card information: all transactions are on-chain via your wallet. We never see card numbers.
- Third-party tracking pixels or fingerprinting: none currently. If we ever add analytics, this policy will be updated and disclosed prominently.
3. how we use your information
- Provide the service: deliver film streams to activated ticket holders, gate features by wallet ownership, display profiles, route comments.
- Email verification: send a confirmation link to email addresses you add to your profile.
- Notifications: with your permission, we may send infrequent emails about activity in theaters you support (new films, claimable revenue, etc.). You can disable these at any time in your profile settings.
- Security and abuse prevention: rate-limit requests, detect fraud, identify content-policy violations.
- Operational diagnostics: investigate bugs, measure performance, plan capacity.
- Legal compliance: respond to subpoenas, court orders, or other legal process where required.
4. who we share information with
We do not sell your personal information. We share data only with:
4.1 service providers (sub-processors)
The following third parties process data on our behalf to deliver the service. We choose vendors with robust security and privacy practices, but their handling of data is governed by their own policies.
- Cloudflare — DNS, R2 storage for film files, D1 database for off-chain data (profiles, comments index, moderation actions).
- Vercel — frontend hosting and serverless function execution.
- SendGrid (Twilio) — transactional email delivery for verification and notification messages.
- Pinata — IPFS pinning for theater banners and film posters.
- The Graph — decentralized indexing of on-chain protocol events.
- Base / Ethereum RPC providers — communication with the blockchain. May include Alchemy, Infura, or self-operated nodes.
- Reown (formerly WalletConnect) — wallet connection infrastructure.
4.2 legal disclosure
We may disclose information if required by law, subpoena, court order, or when we believe disclosure is necessary to protect rights, property, or safety. We'll attempt to notify you before disclosure unless legally prohibited.
4.3 business transfers
If Sloppywood is acquired or merged, your information may be transferred to the successor entity. The successor will remain bound by this policy unless you're given notice of a material change.
5. your rights
5.1 rights you have over off-chain data
- Access: see the off-chain data we have about you via /profile/edit (your saved profile and email).
- Correction: edit or update your profile data at any time via the same interface.
- Deletion: clear your profile fields, or contact us to delete your full profile record. After deletion, future server-log entries with your IP/wallet may still accumulate until they expire.
- Portability: contact us for a machine-readable export of your profile data.
- Email opt-out: every notification email includes an unsubscribe link. You can also remove your email from your profile at any time.
5.2 limits we cannot exceed
On-chain data — wallet addresses, ticket ownership, SLOP-N holdings, theater publications, on-chain comments — is recorded on a public blockchain that we do not control. We cannot delete this data, anonymize it, or prevent third parties from indexing it. Any “right to be forgotten” we offer is necessarily limited to the off-chain layer.
5.3 jurisdiction-specific rights
If you reside in a jurisdiction with specific privacy laws (e.g., the EU/UK under GDPR, California under CCPA), you may have additional rights such as the right to object to processing, restrict processing, or lodge a complaint with a supervisory authority. Contact us to exercise these rights.
6. data retention
- Profile data: kept until you delete it or request deletion.
- Email and verification tokens: kept until you remove the email or request deletion. Verification tokens expire 24 hours after issuance.
- Server logs: typically retained for 90 days, then automatically purged.
- Communications and support records: retained for up to 3 years to maintain context for ongoing issues.
- DMCA notices and counter-notices: retained for at least 3 years per legal requirement.
- On-chain records: retained forever, by the blockchain, outside our control.
7. security
We use industry-standard security measures (encrypted transport, hashed verification tokens, scoped API tokens, strict CORS policies) to protect off-chain data. However, no system is perfectly secure. You acknowledge there is some risk that unauthorized parties may gain access despite our efforts.
For on-chain data, security depends on the integrity of the Base blockchain itself and the security of your wallet. Sloppywood cannot recover lost private keys or reverse fraudulent transactions you authorize.
8. children's privacy
Sloppywood is not directed to children under 13 (or under 16 in jurisdictions where that's the digital-services threshold). We don't knowingly collect data from such children. If you believe we have inadvertently collected data from a child, contact us and we will delete it.
9. international data transfers
Sloppywood is operated from the United States. Our service providers (Cloudflare, Vercel, SendGrid) operate global infrastructure, and your data may be processed in or transferred to countries other than your country of residence. By using the Platform, you consent to this transfer and processing. Where required by law, we use appropriate safeguards (e.g., Standard Contractual Clauses) for transfers.
10. changes to this policy
We may update this Privacy Policy from time to time. The “last updated” date at the top reflects the most recent revision. Material changes will be announced via the Platform homepage or by email (if you've provided one). Your continued use of the Platform after changes take effect constitutes acceptance of the revised Policy.
11. contact
For privacy questions, data requests, or to exercise your rights under this Policy, contact us.