Privacy policy

Last updated: 2026-01-01 · Plain-English version above each section, full prose below.

TL;DR

  • We collect only what we need to run the service safely and pay you out.
  • We never sell your data, full stop.
  • You can export or delete your data from Account → Privacy.
  • Some data must be retained by law (KYC: 7 years, tax records: 7 years, audit logs: 5 years).

1. What we collect

From you, when you sign up:

  • Email, username, password (hashed with bcrypt — we cannot read it)
  • Date of birth and country (for age and jurisdiction checks)
  • Optional avatar image you choose to upload

From you, when you transact:

  • UPI VPA for withdrawals
  • KYC documents (Aadhaar / PAN / passport / driving licence) when required
  • The amount, currency, and provider reference of every deposit and withdrawal

Automatically, when you use the site:

  • IP address (used for rate limiting, fraud detection, and the audit log)
  • Browser user-agent and approximate device fingerprint (multi-account detection)
  • Bet history, win history, session times — required to settle and prove every round

2. Why we collect it

  • Run the games — we can't pay you out if we don't know your wallet balance.
  • Fraud and AML — we are required by law to flag suspicious patterns.
  • Provably-fair audit — every round is reproducible from stored seeds.
  • Customer support — when you message us, we need history to help.
  • Legal & tax — TDS reporting, regulator requests, court orders.

3. Who we share it with

We share data only with vetted processors required to run Lucid. We have signed data-processing agreements with each:

  • Payment provider — UPI handle and amount only
  • KYC vendor — your government ID, only at the time you upload it
  • Cloud infra (Render, Supabase, Cloudflare) — encrypted at rest, EU/IN regions only
  • Email provider — your email address and the message we send you

We do not sell, rent, or trade your data to advertisers, brokers, or affiliates. We never will.

We will disclose data when legally compelled (court order, regulator demand). We'll tell you when we can.

4. Cookies and tracking

We use exactly two kinds of cookies:

  • Authentication. A short-lived JWT and a longer-lived refresh token, both HTTP-only. These are the only way you stay logged in.
  • Preference. Theme, language, and a multi-tab synchronisation channel. No third-party trackers.

We do not use Google Analytics, Facebook Pixel, ad SDKs, or any cross-site tracker. What you do on Lucid stays on Lucid.

5. How we protect it

  • Passwords stored as bcrypt hashes (cost factor 12)
  • JWTs signed with a long random secret stored only in the runtime env, rotated periodically
  • Single-session enforcement — a new login revokes the previous session immediately
  • TLS 1.3 in transit; AES-256 at rest on Supabase
  • Audit log of every privileged action (admin overrides, KYC approvals, wallet adjustments) — write-only and indexed
  • Vulnerability program: report at security@lucid.games

6. Your rights

You can, from Account → Privacy:

  • Export a JSON of every datum we hold about you
  • Correct any inaccurate personal info
  • Delete your account (subject to legal retention)
  • Restrict further processing while a complaint is open

We respond to every request within 30 days. If we can't comply (legal hold, ongoing investigation), we'll explain why.

7. Retention

  • Account & bet history — life of the account, plus 5 years (audit)
  • KYC documents — 7 years from last transaction (statutory)
  • Tax / payout records — 7 years (statutory)
  • Marketing prefs — until you unsubscribe

8. No children

Lucid is strictly 18+. We do not knowingly collect data from anyone under 18. If we discover that an account belongs to a minor, we close it immediately, refund the verified deposits, and forfeit the bonus and winnings.

9. How to reach our DPO

Email dpo@lucid.games. We aim to acknowledge within 48 hours and resolve within 30 days. If you're unhappy with our response, you can escalate to your local data-protection regulator.

See also Terms & conditions.