Privacy Policy

Last Updated: June 8, 2026

1. Introduction

Breakroom Drops is a trading-card retail and authenticated-collectibles marketplace operated by Keystone Cards, LLC, a Tennessee limited liability company ("Company," "we," "us," or "our"). We sell sealed trading-card products, card-protection supplies, and operate the Breakroom Vault — a marketplace where Members purchase randomized packs containing physical, third-party-graded (PSA, CGC, BGS, TAG) or raw collectible cards drawn from a tier-eligible pool. Cards drawn from the Vault are held in our physical custody on the Member's behalf until redeemed for shipping or sold back to Breakroom under the discretionary buyback program.

We respect your privacy and are committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website breakroomdrops.com (the "Site"), make purchases, use your free VIP member access, or use the Breakroom Vault and its associated non-custodial USDC wallet-funding infrastructure (collectively, the "Services").

Please read this Privacy Policy carefully. By using the Services, you consent to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree, please do not access or use the Services. This Privacy Policy applies across both the Drops (retail) and Vault (randomized-pack marketplace) product surfaces; certain sections call out Vault-specific data handling where it differs from standard retail.

This Privacy Policy is incorporated by reference into our Terms of Service and Vault Terms of Service.

2. Information We Collect

2.1 Information You Provide

We collect information you voluntarily provide, including:

  • Account Information: Name, email address, password, phone number, and date of birth when you create an account.
  • Payment Information: Credit card number, billing address, and payment details (processed securely through Stripe; we do not store full payment-card numbers).
  • Shipping Information: Delivery address, recipient name (collected for Drops orders, Vault redemption shipments, and card supplies).
  • Communications: Emails, in-app messages, support tickets, or other correspondence you send to us.
  • Preferences: Marketing preferences, notification settings, Responsible Play preferences (Vault spend caps, self-imposed breaks).
  • Referral Information: Referral codes used or shared.

2.2 Identity Verification (KYC) Data

When you redeem a Vault card for physical shipping for the first time, or when you withdraw sale proceeds, we may require identity verification (KYC). Depending on the flow, KYC is performed through Stripe Identity, a service provided by Stripe, Inc. (https://stripe.com/legal/privacy-policy), or — for bank withdrawals processed by Coinflow — through Persona, an identity-verification service engaged by Coinflow Labs Limited (https://withpersona.com/legal/privacy-policy).

During KYC, you may be asked to submit:

  • A government-issued photo ID (driver's license, passport, or state ID);
  • A real-time selfie or live-capture image for liveness verification;
  • Address and date-of-birth confirmation.

Stripe Identity is the data controller for the submitted documents. We receive only the verification outcome (verified / failed / requires-input), a verification timestamp, and a session reference. We do not receive copies of your ID documents or selfies, and we do not have ongoing access to them through Stripe's systems. Stripe's retention practices for verification artifacts are governed by Stripe's own privacy policy linked above.

2.3 Vault Wallet & Blockchain Data

If you use the Vault and fund your Vault wallet with USDC, additional categories of information are processed:

  • Privy Decentralized Identifier (DID): A persistent identifier issued by Privy (our embedded-wallet infrastructure provider) for the wallet associated with your account.
  • Solana Wallet Address: The public on-chain address of your Privy-issued embedded wallet. This address is public on the Solana blockchain by design.
  • On-chain Transaction Data: USDC deposit transactions to your wallet (from Coinbase Onramp or other licensed fiat-to-USDC providers) and pack-purchase transactions from your wallet to our treasury address. Transaction hashes, block timestamps, amounts, and on-chain memo fields where applicable.
  • Wallet-Account Bindings: The cryptographic linkage between your Breakroom account and your Privy wallet, established via a domain-separated nonce signature at first wallet-funding.
  • Pack-Opening Records: Cryptographic evidence (server seed hash, RNG draw inputs, eligible-card snapshot hash) recorded per pack opened, used by our public verifier at /vault/verify.

Important note about on-chain data: Information that is recorded on the Solana blockchain is, by design, public and effectively permanent. We cannot delete or modify on-chain records. Linking your Solana wallet address to your Breakroom account is, however, information we hold off-chain and can delete from our own systems on request (see § 8.3); the on-chain transaction itself persists independent of our records.

Private keys: Your Privy wallet's private keys are derived from your authentication credentials and held within Privy's trusted execution environment (TEE). We do not store, access, or control your private keys.

2.4 Information Collected Automatically

When you access the Services, we automatically collect:

  • Device Information: IP address, browser type, operating system, device identifiers, device fingerprint signals (used for fraud prevention and multi-account detection).
  • Usage Data: Pages visited, time spent, click patterns, referring URLs, in-app events (including Vault pack views, opens, and buyback / redemption flows).
  • Location Data: General location based on IP address, used for geographic eligibility enforcement (see Terms § 2 and Vault Terms § 2).
  • Cookies and Tracking Technologies: See Section 5.
  • Error and Performance Telemetry: Crash reports, performance metrics, and exception traces (processed through Sentry; PII fields are redacted at capture time).

2.5 Information from Third Parties

We may receive information about you from:

  • Payment processors (Stripe) — transaction confirmation, dispute notifications, fraud signals;
  • Identity verification providers (Stripe Identity) — verification outcome and timestamp;
  • Wallet infrastructure providers (Privy) — wallet provisioning events, webhook notifications;
  • Fiat-to-USDC onramp providers (Coinbase Onramp via Privy, and other licensed onramp providers where applicable) — completion confirmations and on-chain settlement events;
  • Blockchain data providers (Helius, for Solana RPC) — on-chain transaction confirmations and account state;
  • Shipping carriers (USPS, FedEx, UPS via EasyPost) — tracking, delivery confirmation, and delivery exceptions;
  • Social media platforms if you interact with us there.

3. How We Use Your Information

3.1 Providing the Services

  • Processing and fulfilling Drops orders;
  • Managing your account and VIP member access;
  • Providing customer support;
  • Sending transactional emails and notifications (order confirmations, shipping updates, dispute communications, security alerts);
  • Processing payments and refunds.

3.2 Vault & Pack-Opening Processing

  • Executing pack-opening draws, recording cryptographic evidence, and pinning the eligible-card snapshot at the moment of opening (per Vault Terms § 5.2);
  • Maintaining ownership records and physical-custody chains for cards drawn from the Vault;
  • Calculating and presenting buyback offers using our published FMV pipeline;
  • Operating Responsible Play features (spend caps, self-imposed breaks, marketing suppression);
  • Generating verifier receipts and supporting public independent verification at /vault/verify.

3.3 Wallet Funding & On-Chain Settlement

  • Provisioning and binding your Privy embedded wallet to your Breakroom account;
  • Coordinating fiat-to-USDC onramp sessions through Coinbase Onramp or other licensed providers;
  • Reconciling on-chain deposit events against your internal Vault balance;
  • Authorizing pack-purchase transactions from your wallet to our treasury address under the server-constrained authorization mechanism described in Vault Terms § 5.11 (the transaction's destination and per-transaction and per-day limits are constrained server-side);
  • Auditing chain inflows against ledger entries to maintain reserve and reconciliation integrity.

3.4 Communications and Marketing

  • Sending promotional emails about drops, Vault tiers, and products (with your consent);
  • Notifying you about upcoming drops (drop preview notifications);
  • Personalizing your experience;
  • Displaying targeted communications about VIP benefits and Vault Credits.

3.5 SMS / Text Messaging

If you provide your phone number and opt in to SMS notifications, we may send you text messages related to:

  • Order confirmations and shipping/delivery updates;
  • VIP member alerts (drop notifications);
  • Account security and verification codes;
  • Vault-account security events (wallet binding, large transactions);
  • Promotional messages about upcoming drops (with your consent).

Your phone number is used solely for the purposes described above and is never sold, rented, or shared with third parties for their marketing purposes. SMS messages are delivered through our third-party messaging provider, Twilio. Message frequency varies based on your account activity. You can opt out of SMS messages at any time by replying STOP to any message or by disabling SMS notifications in your account settings. For help, reply HELP to any message or contact us at support@breakroomdrops.com.

3.6 Security and Fraud Prevention

  • Detecting and preventing fraud, account takeover, and abuse;
  • Enforcing our Terms of Service, Vault Terms of Service, and Acceptable Use Policy;
  • Detecting multi-account behavior via device fingerprint, payment-instrument analysis, and behavioral signals;
  • Verifying chargeback evidence and resolving payment disputes;
  • Performing anti-money-laundering (AML) and sanctions screening on identity-verified withdrawals or shipments.

3.7 Legal and Regulatory Compliance

  • Complying with applicable federal, state, and local laws and regulations;
  • Responding to lawful subpoenas, court orders, and government requests;
  • Cooperating with regulators in connection with payment processing, identity verification, and consumer protection;
  • Maintaining records required for tax, audit, and dispute-evidence purposes (including the dispute-evidence retention contemplated by Vault Terms § 5.2).

3.8 Service Improvement

  • Analyzing usage patterns to improve the Services;
  • Developing new features and products;
  • Conducting internal research and analytics;
  • Troubleshooting technical issues.

4. How We Share Your Information

We share your information only with the categories of third parties described below, each of which performs a specific function on our behalf or as an independent counterparty in a transaction you initiate. We do not sell your personal information.

4.1 Payment and Identity Verification

  • Stripe, Inc. — payment processing for Drops orders and (where applicable) Vault redemption shipping fees. Stripe receives payment details, billing address, and transaction metadata. Stripe's privacy policy: https://stripe.com/legal/privacy-policy.
  • Stripe Identity — KYC verification for Vault redemption and sale-proceeds withdrawals. Receives ID documents and selfie images directly from you; we receive only the verification outcome. Same privacy policy as Stripe above.
  • Coinflow Labs Limited — payment processing for Vault card deposits and bank withdrawals (payouts of withdrawable balances to your linked bank account). Coinflow receives the transaction amount, your account identifier, and — for withdrawals — your linked bank-account details, which you provide to Coinflow directly through its hosted interface; we store only a bank token, account alias, and last four digits. Coinflow's privacy policy: https://coinflow.cash/privacy-policy.
  • Persona (engaged by Coinflow) — KYC verification for bank withdrawals. Receives ID documents and biometric/liveness images directly from you through its hosted flow; we receive only the verification outcome. Persona's privacy policy: https://withpersona.com/legal/privacy-policy.

4.2 Wallet and Blockchain Infrastructure

  • Privy — non-custodial embedded-wallet provider. Receives your Breakroom account identifier and a derived Privy DID; provisions a Solana wallet on your behalf with TEE-held keys derived from your authentication credentials. We do not have access to your private keys. Privy's privacy policy: https://www.privy.io/privacy-policy.
  • Coinbase Onramp (via Privy) — fiat-to-USDC conversion. Coinbase performs its own KYC where required and receives your payment-instrument data directly; we do not receive Coinbase's KYC artifacts. Coinbase's privacy policy: https://www.coinbase.com/legal/privacy.
  • Helius — Solana RPC infrastructure. Receives transaction-confirmation queries and webhook events corresponding to deposits and pack-purchase settlement.
  • The Solana blockchain — public, permissionless. On-chain transactions involving your wallet address (deposits to your wallet, pack-purchase debits from your wallet to our treasury) are visible to anyone with chain access. This is an inherent property of public blockchains and is not a disclosure made by Breakroom.

4.3 Communications

  • Resend — transactional and marketing email delivery.
  • Twilio — SMS message delivery (see § 3.5).

4.4 Shipping

  • EasyPost — shipping rate aggregation and label purchase across USPS, UPS, and FedEx.
  • Shipping carriers (USPS, UPS, FedEx) — receive your shipping address and contact information for delivery.

4.5 Infrastructure and Hosting

  • Render — application hosting (backend services and frontend static assets).
  • Cloudflare — DNS, content delivery, and edge-layer fraud and bot mitigation.
  • Sentry — error and performance telemetry. PII (including authentication headers, payment information, KYC content, and webhook signatures) is redacted at capture before transmission.

4.6 Legal Requirements

We may disclose information if required by law, court order, or governmental authority, or when we believe disclosure is necessary to:

  • Comply with legal obligations;
  • Protect our rights or property;
  • Prevent fraud or illegal activity;
  • Protect personal safety;
  • Respond to lawful regulatory inquiries (including those from financial regulators, consumer protection authorities, and state attorneys general).

4.7 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity, subject to the protections of this Privacy Policy or its successor.

4.8 With Your Consent

We may share information with third parties when you provide explicit consent (for example, when you opt to import a referral code or connect a social account).

4.9 No Sale of Personal Information

We do not sell your personal information, and we do not share personal information with third parties for their own cross-context behavioral advertising or marketing purposes.

5. Cookies and Tracking Technologies

We use cookies and similar technologies to:

  • Keep you logged in;
  • Remember your preferences;
  • Analyze Site traffic and usage;
  • Personalize content;
  • Detect fraud and prevent multi-account abuse.

Types of Cookies

  • Essential Cookies: Required for Site functionality, including session management and CSRF protection;
  • Analytics Cookies: Help us understand how visitors use the Site;
  • Fraud-Prevention Cookies: Device fingerprint and behavioral signals used to detect multi-account behavior and protect member and Vault eligibility (per our Terms);
  • Marketing Cookies: Used to deliver relevant communications about drops and Vault features.

You can control cookies through your browser settings. Disabling essential cookies may affect Site functionality, including the ability to remain logged in or complete purchases.

6. Data Retention

We retain your personal information for as long as necessary to:

  • Provide the Services you requested;
  • Comply with legal obligations (including tax recordkeeping, anti-money-laundering requirements, and applicable consumer-protection statutes);
  • Resolve disputes (including chargebacks and arbitration claims);
  • Enforce our agreements;
  • Maintain forensic evidence of pack-opening receipts, on-chain settlement, ownership transfers, and reconciliation events (Vault-specific; see Vault Terms § 5.2).

Specific retention windows:

  • Account and transaction records: Retained for the life of the account and for the longer of seven (7) years after closure or the period required by applicable tax and financial-services law.
  • Pack-opening receipts and ownership chains: Retained indefinitely (Vault forensic integrity).
  • KYC outcomes and identity verification metadata: Retained for the duration of the account plus the period required by applicable AML rules, typically five (5) years after the most recent qualifying transaction.
  • On-chain transaction data: Recorded permanently on the Solana blockchain by design; not within our control.
  • Marketing and analytics data: Retained for up to twenty-four (24) months from collection, unless you opt out earlier.

When information is no longer needed for the purposes above, we securely delete or anonymize it.

7. Data Security

We implement appropriate technical and organizational security measures to protect your personal information, including:

  • Encryption of data in transit (HTTPS / TLS) across all customer-facing surfaces and webhooks;
  • Encryption at rest for sensitive operational secrets (including admin multi-factor-authentication seeds, which are stored with AES-256-GCM envelope encryption);
  • Secure password hashing (industry-standard adaptive algorithm with per-user salt);
  • Access controls, authentication, and step-up authentication for administrative actions;
  • Webhook signature verification and replay-window protection across payment, identity, and wallet provider integrations;
  • PCI-compliant payment processing through Stripe (we do not store full card numbers);
  • Sentry-side PII redaction filters at error-capture time to prevent secret leakage into telemetry;
  • Regular security review of access patterns and operational logs.

However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your information. In the event of a security incident affecting your personal information, we will notify you and applicable regulators in accordance with applicable state breach-notification laws (including the Tennessee Information Protection Act and analogous state statutes where applicable).

8. Your Rights and Choices

8.1 Account Information

You may update or correct your account information at any time by logging into your account settings.

8.2 Marketing Communications

You may opt out of marketing emails by clicking the "unsubscribe" link in any email or by updating your preferences in your account settings. SMS opt-out is via reply STOP to any message (see § 3.5). You may still receive transactional emails and SMS related to your account, orders, security, and legal notices regardless of marketing-channel opt-out.

8.3 Data Access and Deletion

You may request access to, correction of, or deletion of your personal information by contacting us at support@breakroomdrops.com. We will respond within 30 days. Note that some information may be retained for legal, regulatory, dispute-evidence, or Vault forensic purposes for the windows described in § 6.

On-chain data (Solana blockchain) is not subject to deletion — once a transaction is confirmed on the Solana blockchain, it persists permanently and is outside our control. We can delete the linkage between your account and your wallet address from our off-chain systems, but the on-chain transaction remains visible on the chain.

Identity-verification documents submitted directly to Stripe Identity during KYC are subject to Stripe's retention policies, not ours. To request deletion of those documents, contact Stripe directly per their privacy policy.

8.4 California Residents (CCPA / CPRA)

California residents have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:

  • Right to know what personal information is collected, used, shared, and sold;
  • Right to delete personal information (subject to retention exceptions);
  • Right to correct inaccurate personal information;
  • Right to limit use of sensitive personal information (including KYC data and government-issued ID);
  • Right to opt out of the "sale" or "sharing" of personal information (we do not sell or share your data — see § 4.9);
  • Right to non-discrimination for exercising these rights.

To exercise these rights, contact support@breakroomdrops.com. We may need to verify your identity before fulfilling certain requests.

8.5 European Residents (GDPR / UK GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you may have rights including:

  • Right of access to your personal data;
  • Right to rectification of inaccurate data;
  • Right to erasure (subject to retention exceptions);
  • Right to restrict processing;
  • Right to data portability;
  • Right to object to processing based on legitimate interests;
  • Right to withdraw consent at any time where processing is based on consent;
  • Right to lodge a complaint with a supervisory authority.

Note that access to certain Services — including the Vault — is geographically restricted (see Vault Terms § 2). Where the Vault is unavailable in your jurisdiction, certain Vault-specific data categories will not apply to you.

8.6 Tennessee Residents (TIPA)

Tennessee residents have rights under the Tennessee Information Protection Act, Tenn. Code Ann. § 47-18-3201 et seq. (effective July 1, 2025), which include the rights to confirm, access, correct, delete, and obtain a portable copy of personal information, and to opt out of targeted advertising, sale of personal data, or significant profiling. To exercise these rights, contact support@breakroomdrops.com.

9. Children's Privacy

The Services are not intended for children under 18 years of age. We do not knowingly collect personal information from children under 18. If we learn that we have collected information from a child under 18, we will promptly delete it.

If you believe we have collected information from a child, please contact us immediately at support@breakroomdrops.com.

10. Third-Party Links

The Site may contain links to third-party websites (including payment processors, identity verification flows, onramp providers, and grading-service product pages). We are not responsible for the privacy practices of these sites. We encourage you to review the privacy policies of any third-party sites you visit. Where you are directed off-site to complete a verification (Stripe Identity) or wallet-funding flow (Coinbase Onramp or another licensed onramp provider), the linked provider's privacy policy governs the data you submit to them.

11. International Data Transfers

Breakroom Drops is operated from the United States. Your information may be processed in the United States and in countries where our service providers operate. These countries may have different data protection laws than your country of residence. By using the Services, you consent to such transfers.

Where required, transfers from the European Economic Area, the United Kingdom, or Switzerland are protected by appropriate safeguards (including the European Commission's Standard Contractual Clauses where applicable) and the safeguards adopted by the named processors in § 4.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The updated version will be indicated by the "Last Updated" date at the top of this page. Material changes will be communicated by (a) email to your registered address and (b) in-app notification on next sign-in. We encourage you to review this Privacy Policy periodically. Your continued use of the Services after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

Keystone Cards, LLC (d/b/a "Breakroom Drops")

A Tennessee limited liability company.