Privacy Policy
Last updated: 2026-04-26
1. Who we are
This Privacy Policy describes how Survey Tokens ("we", "us") processes personal data when you use SurveyTokens (the "Service") at https://surveytokens.org. The controller within the meaning of the GDPR is:
Survey Tokens, Schwarzwaldallee 12, 4058 Basel, Switzerland. E-mail: info@surveytokens.org
2. Data we collect
When you create an account and use the Service we process:
- Account data: name, e-mail address, password (stored as a bcrypt hash).
- Wallet addresses you provide to receive payouts.
- Activity data: completed surveys, balance, transactions, withdrawals, login attempts (with IP address) for security and fraud prevention.
- Survey provider data: when you take a survey, our partners (CPX Research, ayeT Studios, OGAds, AdGem) may process demographic data you submit to them. They send us a postback indicating completion plus a country code.
- Technical data: IP address, user agent, request timestamps — used for rate limiting and abuse prevention.
3. Legal basis & purpose
- Performance of the contract you enter when registering (Art. 6(1)(b) GDPR): operating the account, crediting earnings, processing withdrawals.
- Legal obligations (Art. 6(1)(c) GDPR): tax / accounting retention.
- Legitimate interests (Art. 6(1)(f) GDPR): fraud prevention, rate limiting, abuse mitigation, IT security.
4. Recipients
We share data only with processors and partners strictly necessary to operate the Service:
- Survey panels (CPX Research, ayeT Studios, OGAds, AdGem) — they receive a per-user pseudonymous identifier so completions can be attributed.
- Payment processors: IOTA Foundation network for IOTA payouts; NOWPayments OÜ for non-IOTA cryptocurrencies.
- Transactional e-mail provider (Resend) for account verification e-mails.
- Hosting / infrastructure providers operating our database and servers.
Cryptocurrency transactions are inherently public on the respective blockchain. Your wallet address and the amount sent become part of the public ledger and cannot be deleted retroactively.
5. International transfers
Some of the processors above may be located outside the EU/EEA. Where this is the case we rely on Standard Contractual Clauses or comparable safeguards recognised by the European Commission.
6. Retention
Account data is kept while your account exists. Login attempts are retained for up to 90 days for security purposes. Transaction and withdrawal records are kept for as long as required by accounting and tax law (typically up to 10 years).
7. Cookies
We use only essential cookies required to keep you signed in (NextAuth session cookie). We do not use advertising cookies and we do not share data with ad networks.
7a. Self-hosted, privacy-preserving page-view analytics
To understand which pages visitors actually use, we run a small, self-hosted page-view analytics backend on our own infrastructure in Frankfurt, Germany (operated by the same operator listed above). Per page-load we collect: the requested URL, the referring domain (e.g. google.com), an approximate geographic region (country and region derived from the IP address), the device type (desktop/mobile/tablet), and the browser family. No cookies are set by this analytics tracker and no unique identifier is stored in your browser.
Cross-day re-identification is technically prevented: a daily-rotating HMAC of (IP address ‖ user-agent) is used as a short-lived pseudonymous session id; the secret rotates every UTC midnight, so a returning visitor cannot be linked across days from the database alone. The raw IP address is not stored. If your browser sends the Do-Not-Track (DNT) header or the Global Privacy Control (Sec-GPC) signal, the request is dropped before any row is written. Bot and crawler traffic is filtered out automatically. The aggregates are accessible only to the operator, are never shared with third parties, and are deleted after 12 months.
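The scheme described in section 7a, as an added Python example that is not the operator's actual code. It assumes HMAC-SHA256, a random per-day key held only in memory, and a length-prefixed IP address in the HMAC input; all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


class DailyKey:
    """Holds one random key per UTC day; the previous day's key is discarded."""

    def __init__(self):
        self._day = None
        self._key = None

    def for_time(self, now):
        # `now` must be a timezone-aware datetime.
        day = now.astimezone(timezone.utc).date()
        if day != self._day:
            # Rotation at UTC midnight: the old key is overwritten, never persisted.
            self._day, self._key = day, secrets.token_bytes(32)
        return self._key


def opted_out(headers):
    """True if the request carries DNT: 1 or Sec-GPC: 1 (header names are case-insensitive)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    return h.get("dnt") == "1" or h.get("sec-gpc") == "1"


def session_id(key, ip, user_agent):
    """HMAC-SHA256 over (ip || user_agent); the length prefix keeps the split unambiguous."""
    ip_b, ua_b = ip.encode(), user_agent.encode()
    msg = len(ip_b).to_bytes(2, "big") + ip_b + ua_b
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def record_page_view(keys, now, ip, headers, url, rows):
    """Append a row unless the visitor opted out; returns the stored row or None."""
    if opted_out(headers):
        return None  # dropped before any row is written
    row = {
        "day": now.astimezone(timezone.utc).date().isoformat(),
        "sid": session_id(keys.for_time(now), ip, headers.get("User-Agent", "")),
        "url": url,  # the raw IP is used only as HMAC input and is not stored
    }
    rows.append(row)
    return row
```

If the daily key were instead derived from a long-lived master secret, anyone holding that secret could recompute earlier keys and link a visitor across days, so the unlinkability depends on the old key actually being destroyed.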
8. Your rights
Under the GDPR you have the right to:
- Access the personal data we process about you (Art. 15).
- Have inaccurate data corrected (Art. 16).
- Have your data erased, subject to legal retention (Art. 17).
- Restrict processing (Art. 18) and receive your data in a portable format (Art. 20).
- Object to processing based on legitimate interests (Art. 21).
- Lodge a complaint with a supervisory authority.
To exercise any of these rights, contact us at info@surveytokens.org.
9. Changes
We may update this Privacy Policy from time to time. We will indicate the "Last updated" date above and, where the changes are material, notify registered users by e-mail.