Privacy Policy

Last updated: 18 May 2026

This Privacy Policy explains how CryptoCities ("CryptoCities", "we", "us", or "our") handles personal data. It applies to cryptocities.net and any of its sub-domains.

Please read it carefully. By using the site you agree that we may process your data as described here.

1. Who we are

CryptoCities is operated by Webcandy Limited, a company registered in England and Wales.

Registered Office: c/o Taxassist Accountants, 175 Wokingham Road, Reading, England, RG6 1LT.

ICO registration number: Z2687058.

For privacy enquiries, email [email protected] or message us on our Discord channel.

2. Our lawful basis

We rely on two lawful bases under Article 6 of the UK GDPR, depending on the category of personal data:

  • Contract necessity (Article 6(1)(b)) applies to data we need to provide the service to you - your wallet address (which identifies your account and the assets you own) and any email address you provide for password recovery or support replies.
  • Legitimate interests (Article 6(1)(f)) applies to data we process to operate, secure, and improve the site - IP addresses, device information, usage logs, and any username you choose to display.

The specific use of each category is described in section 3.

3. The personal data we process

We group the personal data we process into four categories, described below. We do not collect any other personal information.

3a. Email addresses

You may optionally provide an email address when you create or manage an account. Email is not required to use the site, since your wallet acts as your primary identifier.

We treat email addresses as private. We currently use them only to:

  • send you a password-recovery message when you request one;
  • reply to support queries that you have sent us.

We do not send marketing emails or newsletters. If we offer such communications in future, we will only send them to users who have separately opted in - for example, via a dedicated email sign-up page or an opt-in setting in your account. We will update this Privacy Policy before we start sending any such messages.

3b. Public Ethereum addresses

Ethereum addresses are the public identifiers recorded on the blockchain when you connect a wallet (for example, MetaMask) to the site.

We classify these as personal data even though they are publicly readable. We process them in order to provide the game and marketplace - without them we could not track ownership of the assets held in the smart contracts.

Ethereum addresses are permanently recorded on the Ethereum blockchain. We cannot delete them from there, and neither can anyone else.

3c. IP addresses, device info, usage data

When you use the site we automatically process limited technical data including:

  • IP address;
  • browser type and user agent;
  • device information;
  • requested URLs and referrer;
  • timestamps and usage logs.

We process this data to deliver the site, defend against abuse and hacking attempts, diagnose faults, and improve the service.

3d. Usernames

You may optionally choose a username when you create or manage an account. A username is not required to use the site; your wallet address can identify you instead.

Usernames are displayed publicly on the site alongside your wallet activity (for example, on listings, profile pages, and any leaderboards). Do not choose a username that contains information you wish to keep private.

4. Retention

We retain personal data only for as long as it is needed.

  • Email addresses - retained while your account is active. If an account becomes dormant we stop sending email but may retain the address so you can be identified if you return.
  • Usernames - retained while your account is active.
  • IP, device, and usage data - most detailed logs are retained for less than five years. Aggregated, non-identifying analysis may be retained longer. IP addresses associated with abuse may be retained indefinitely.
  • Ethereum addresses - permanently recorded on the blockchain. We cannot delete them.

5. Cookies

We currently use one cookie: a session cookie that keeps you signed in while you are using the site. It is strictly necessary for the site to function and does not require consent under the exemptions in the Privacy and Electronic Communications Regulations.

6. How your data is stored

Your data is held on secure servers. Depending on our hosting and infrastructure providers, limited technical data may be transferred to, and processed in, destinations outside the United Kingdom or European Economic Area. Where this happens we rely on appropriate safeguards as required by applicable data protection law.

The transmission of information over the internet is never entirely secure. While we use reasonable technical measures to protect your data, we cannot guarantee the security of data transmitted to the site; any transmission is at your own risk.

7. Sharing your data

Service providers. We may share data with third-party providers we rely on to operate the site - hosting, DNS, infrastructure, payment processing, and security tooling. These providers are bound by contract to process data only as required to deliver their service and must comply with applicable data protection law.

Legal and corporate disclosures. We may also disclose your personal data:

  • to members of our corporate group, as defined in section 1159 of the UK Companies Act 2006;
  • to a prospective buyer or seller in connection with the sale or purchase of a business or assets, and to any third party that acquires our assets;
  • where required by law, court order, or law enforcement request, or to enforce our Terms.

We do not sell your personal data.

8. Your rights

Subject to applicable law, you have rights in relation to your personal data, including:

  • the right to access the personal data we hold about you;
  • the right to request correction, erasure, or restriction of processing;
  • the right to object to processing, including processing for marketing purposes;
  • the right to withdraw your consent at any time, where we rely on consent as the lawful basis (this does not affect the lawfulness of any processing carried out before you withdraw your consent);
  • the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects. We do not currently make any such decisions;
  • the right to lodge a complaint with a supervisory authority (in the UK, the Information Commissioner's Office).

To exercise any of these rights, email [email protected].

9. Children

The site is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under that age. If you believe we hold data for a user under 18, contact us and we will remove it.

10. Third-party websites

The site may contain links to third-party websites. We are not responsible for the privacy practices of those sites. You should review their own privacy notices before submitting any personal data to them.

11. Changes to this policy

We may update this Privacy Policy from time to time by publishing a revised version on the site. The updated version takes effect when published. Where appropriate we will notify registered users by email.