Last updated: April 2026. The Zealynx Audit Grants program is operated by Carlos Vendrell Felici, doing business as Zealynx Security, based in Wroclaw, Poland. Zealynx is the data controller under GDPR.
Carlos Vendrell Felici, doing business as Zealynx Security. Privacy contact: contact@zealynx.io.
Applies to grants.zealynx.io. Other Zealynx services (zealynx.io, portal.zealynx.io, krait.zealynx.io, Zealynx Academy) have separate privacy notices.
Account data (email, password hash, name, role). Application data (protocol details, GitHub repo URL, contact info). Scoring task data (Krait reports, eMBA completion, social-share URLs, referral codes). Communications. Technical/usage data (IP, user-agent, server logs, Cloudflare Turnstile challenge results, Google Analytics events). We do not collect special-category data (Art. 9 GDPR).
Legal bases: Art. 6(1)(b) performance of contract (account, application review, awards), Art. 6(1)(f) legitimate interests (fraud prevention, social-post verification, analytics), Art. 6(1)(a) consent (marketing emails), Art. 6(1)(c) legal obligation (Polish tax/accounting). No automated decisions with legal effect under Art. 22 — final award decisions are human-reviewed.
Supabase (database, auth, storage), Vercel (hosting), Resend (transactional email), Google (Tag Manager, Analytics), Cloudflare (Turnstile bot challenge), GitHub (public repository metadata when you submit a repo URL). We do not sell, rent, or trade personal data.
Some sub-processors are based outside the EEA. Where transfers to non-adequacy countries occur, we rely on Standard Contractual Clauses (SCCs) and supplementary measures per Schrems II.
Awarded grants: 5 years (Polish accounting law). Rejected applications: 12 months. Inactive accounts: 12 months. Marketing opt-ins: until withdrawn. Server logs: 90 days. Analytics: 14 months.
Under GDPR: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), withdraw consent (Art. 7(3)), lodge a complaint with UODO (uodo.gov.pl) or your EU member state authority. Email contact@zealynx.io; we respond within one month.
Strictly necessary cookies (auth, session, security, bot challenges) — no consent required under Art. 5(3) ePrivacy. Analytics cookies (Google Tag Manager, Google Analytics) — loaded by default, opt out via Google's official add-on, browser settings, DNT/GPC, or by emailing contact@zealynx.io. We do not use cross-site tracking, advertising cookies, or fingerprinting.
TLS 1.2+ in transit, encryption at rest, RBAC on admin backend, bot challenges on auth/submission, server-side rate limiting, audit logging, strict CSP, and standard security headers. Breach notifications per Art. 33-34 GDPR.
Program intended for adults building Web3 protocols. We do not knowingly collect data from anyone under 18.
Material changes communicated by email at least 14 days before they take effect, where practical.
Email: contact@zealynx.io. Postal: Wroclaw, Poland. Supervisory authority: UODO.