Privacy Policy
Last updated May 4, 2026
This Privacy Policy describes how oralab (“we”, “our”, “us”) collects, uses, and protects personal data when you use the dashboard at oralab.xyz (the “Service”). We aim to keep this readable and short. If anything is unclear, write to us at hello@oralab.xyz.
Who we are
oralab is an independent project run from Ukraine and hosted in the European Union (Hetzner, Germany). The Service is a real-time visualisation of public Polymarket on-chain trading activity. We are not affiliated with Polymarket.
What data we collect
We only collect what we need to operate the Service:
- Account data — only if you sign in. Depending on the provider you choose, this includes one or more of: email address (Email magic link via Resend), Ethereum wallet address (Sign-In with Ethereum / MetaMask), GitHub user ID and public profile (username, avatar, verified email), Discord user ID and public profile, or Telegram user ID, username, and avatar URL.
- Session data. A signed cookie (JWT) used to keep you logged in. We do not use third-party analytics cookies, and we do not run advertising trackers.
- Server logs. Standard request logs (IP address, user agent, path, status, timestamp), retained for up to 30 days for operational and abuse-prevention purposes.
- Product preferences. If you sign in, we store your dashboard preferences (e.g. row order) on the server so they follow you across devices.
We do not collect government IDs, payment-card data, or biometric data. We do not buy or sell personal data.
What we do not do with on-chain data
The Service displays public Polymarket trade data and aliases that Polymarket itself publishes through its public APIs (e.g. its leaderboard usernames, X handles, and verified flags). On-chain wallet activity is public by design; aggregating it does not turn it into private data. If you are a Polymarket user whose alias appears on the Service and you would like that link removed from our display, contact us at hello@oralab.xyz.
Why we use it
Lawful bases under the GDPR:
- Performance of the contract with you (running the dashboard, keeping you signed in, saving your preferences).
- Legitimate interests in operating the Service securely and preventing abuse (server logs, rate-limiting, fraud detection).
- Your consent, where required, e.g. for transactional emails about your account.
Subprocessors
We share the minimum data necessary with vetted third-party providers acting on our behalf:
- Hetzner Online GmbH — primary hosting (servers, database). Data processed in Germany.
- Resend — transactional email delivery for magic-link sign-in.
- GitHub, Discord, Telegram — only when you choose those sign-in methods. They receive a sign-in request from us and return basic profile data.
Polymarket and the Polygon blockchain are data sources, not data processors — we read public information from them and do not send them anything about you.
Where data is stored
Account data, sessions, and product preferences are stored on servers in Germany (EU). Some subprocessors (e.g. GitHub, Discord) may process limited account data outside the EU under standard contractual clauses or equivalent safeguards.
Product analytics
We collect anonymised usage events to understand which features people use — what ranges and metrics get switched, how often a cell gets clicked, when sign-in modals open, which sign-in providers complete, and similar product-level signals. The dataset is first-party (stored on our own server, not sent to any third-party analytics vendor) and is keyed by a random per-browser session id that you can wipe at any time by clearing site data.
We do not collect: form-input values, full URLs (we strip query strings), full IP addresses (we keep at most a country code from edge headers when available), browser fingerprints, mouse traces, or cross-site tracking identifiers.
You can opt out of this entirely by setting localStorage.setItem("analytics_optout", "1") in the browser console. The SDK becomes a no-op for the rest of the session and any future sessions in that browser.
Retention
- Account data: until you delete your account, plus up to 30 days in backups.
- Session cookies: until you sign out or the JWT expires.
- Server logs: up to 30 days.
- Analytics events: up to 365 days, then auto-purged.
Your rights
If you are in the EU/UK or another jurisdiction with comparable rights, you may request to: access your data, correct it, delete it, restrict or object to processing, receive a portable copy, or withdraw consent at any time. To exercise any of these, email hello@oralab.xyz from the address associated with your account. You also have the right to lodge a complaint with your local data-protection authority.
Children
The Service is not intended for users under 18, and we do not knowingly collect data from children. If you believe a child has signed in, contact us and we will delete the account.
Changes
We may update this policy as the Service evolves. Material changes will be flagged on the dashboard or by email. The “Last updated” date at the top reflects the current version.
Contact
Questions, requests, or complaints: hello@oralab.xyz.