callsheet.predictions for hackathons
round 01
privacy policy · last updated apr 30 2026

What we see, what we save.

we collect the bare minimum needed to run the game.

1 · what we collect

when you sign in with X, we collect from twitter:

  • your X user id (a stable numeric identifier — handles can change, this doesn't)
  • your X handle (lowercased, stored as @handle)
  • your display name
  • your avatar URL (we don't copy the image, we just link to twitter's)

we do not request, store, or read:

  • your tweets (read or write)
  • your DMs
  • your followers or following lists
  • your email address
  • any other twitter data beyond the four items above

when you submit answers, we store the answer payload (your picks) tied to your predictor record.

when you win a payout and request payment, we store:

  • the solana wallet address you provide
  • the prize amount and currency
  • the eventual payout transaction hash, after we send funds

2 · what we don't collect

  • no IP-level analytics, no third-party trackers, no facebook pixel, no google analytics
  • no fingerprinting
  • no behavioral profiling for advertising
  • no email — we have no way to email you, ever
  • no marketing pixel, no funnel tools, no session replay

we use rate limiting which is keyed by IP address in memory only. these IP records are never persisted to disk and reset on container restart.

3 · cookies

we set one cookie called callsheet_session. it's an encrypted, httpOnly, signed cookie containing your predictor id and (briefly, during sign-in) the OAuth state. it expires after 30 days. that's the only cookie we set for normal use.

admins also get a short-lived callsheet_admin cookie when authenticated. 8-hour expiry. only @25thprmr ever sees this.

we do not use third-party cookies. ever.

4 · who we share with

nobody. we don't sell, share, or transfer your data. we don't have advertising partners, analytics partners, or marketing partners.

the only third parties involved in callsheet's operation are: twitter/X (for sign-in), railway (where the app runs), solana mainnet (where pledges and payouts happen on-chain). these aren't parties we share data with — they're infrastructure callsheet runs on top of.

5 · public data

the following information is visible to other users by design:

  • your X handle and display name (on the leaderboard / roster)
  • your final score, after the round resolves
  • your project ownership claims, if you're a project owner

your specific answers are not shown to other users until the round resolves.

6 · how long we keep your data

for the active round, indefinitely while the round is open. after a round closes and all payouts are processed, predictor records and ballots are retained as a permanent record of the game.

if you want your account fully deleted, DM @25thprmr on X. we'll wipe your record from the database within 7 days.

7 · your rights

if you're in a jurisdiction with data rights laws (GDPR, CCPA, etc.), you have the right to: access the data we hold about you, correct it, delete it, and object to processing. to exercise any of these, DM the operator on X.

8 · children

callsheet is not for users under 18. if we discover a user is a minor, we will delete their account.

9 · changes

if this policy changes materially, the date at the top will change. we won't silently start collecting new data without saying so here.

10 · contact

questions, concerns, or requests: DM @25thprmr on X.