Privacy Policy
1. Who We Are
RHIZOME B.V. (referred to as “Rhizome,” “we,” “us,” or “our”) operates the Rhizome Web3 Quests platform available through the Telegram Mini App (the “Service”). Our registered address is Zuid-Hollandlaan 7, 2596 AL The Hague, Netherlands. You can reach us at aleksei@rhi.toys.
2. Scope
This Policy explains how we handle personal data of users (“you”) when you use the Service, connect your TikTok account, or otherwise interact with us. It complements, and should be read together with, our Terms of Service.
3. Data We Collect
Source | Category | Examples |
|---|---|---|
Telegram | Account identifiers | user_id, username, first name, last name, profile photo URL, language code, any other fields Telegram may expose to bots/mini-apps |
TikTok | OAuth profile data | TikTok user-ID, display name, avatar, access token & refresh token expiry timestamps |
User-supplied links | Post engagement metrics | Public counts of likes, comments, views and shares for TikTok posts that you submit to verify quest completion |
Automatically collected | Usage & device data | IP address, browser/OS type, time zone, session event logs, cookies or local storage IDs |
Optional analytics | Service performance | Aggregated error reports and feature usage (e.g., Sentry, Plausible/GA) |
We do not knowingly collect data from children under 16. If we learn that we have done so, we will delete it promptly.
4. Why We Use the Data (Purposes & Legal Bases)
Purpose | Legal basis (GDPR) |
|---|---|
Provide, secure and maintain the Service, including authenticating you through Telegram and TikTok | Performance of a contract (Art. 6 (1)(b)) |
Validate completion of Web3 quests by checking engagement metrics on user-provided links | Legitimate interests in operating the platform fairly (Art. 6 (1)(f)) |
Send transactional notifications inside Telegram (e.g., quest status) | Performance of a contract |
Improve the Service via aggregated analytics, bug-tracking, and feature usage stats | Legitimate interests (service quality) |
Comply with legal obligations (tax, fraud-prevention, law-enforcement requests) | Legal obligation (Art. 6 (1)(c)) |
Optional marketing emails or future newsletters (none at present) | Consent (Art. 6 (1)(a)) – you may opt-in and withdraw at any time |
5. Sharing Your Data
We share personal data only as needed:
Infrastructure & hosting – cloud servers in the EU (e.g., Hetzner Cloud / AWS eu-central-1) store our databases and media.
Content delivery & security – services such as Cloudflare to deliver assets and mitigate DDoS.
Error & performance monitoring – Sentry or comparable provider processes pseudonymised event data.
Analytics – Plausible or Google Analytics collect aggregated, cookie-free usage statistics.
Email delivery – SendGrid (or equivalent) handles outbound emails if you opt-in.
Legal purposes – authorities, advisors or acquirers if required by law or during a merger.
We sign data-processing agreements with each provider and require adequate safeguards, including Standard Contractual Clauses for any transfer outside the EEA.
6. International Transfers
Where we transfer personal data outside the European Economic Area, we rely on adequacy decisions or Standard Contractual Clauses and implement supplementary measures as needed.
7. Data Retention
Data set | Typical retention |
|---|---|
Telegram & TikTok identifiers | While your account is active. Deleted within 30 days after you disconnect both accounts or request deletion. |
Quest logs & engagement metrics | Kept for 180 days for audit and dispute resolution, then aggregated or deleted. |
Server logs & analytics | Up to 12 months. |
Legal, security & back-up records | Up to 6 years where required by Dutch/EU law. |
8. Security
We protect data using TLS in transit, encryption at rest, network segmentation, least-privilege access, regular security patching, and staff training. No method is 100 % secure, but we strive to follow industry best practices for Telegram Mini Apps.
9. Your Rights
Under GDPR (and similar laws) you may:
Access the personal data we hold about you.
Correct inaccurate or incomplete data.
Delete (“right to be forgotten”) your data.
Restrict or object to processing.
Port data to another controller.
Withdraw consent at any time (e.g., marketing emails).
To exercise any right, disconnect your TikTok account inside the Mini App or email aleksei@rhi.toys. We may verify your identity before acting.
You can also lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your local supervisory authority.
10. Changes to This Policy
We may update this Policy from time to time. We will notify you through the Mini App or Telegram message and post the new version with a revised “Effective date.” Continued use after changes means acceptance.
11. Contact
Questions? Email aleksei@rhi.toys or write to RHIZOME B.V., Zuid-Hollandlaan 7, 2596 AL The Hague, Netherlands.