Privacy Policy

1. Introduction & Scope

Microsoft Corporation ("Microsoft," "we," "us") is committed to protecting your personal information. This Privacy Policy ("Policy") describes how we collect, use, disclose, and safeguard personal data in connection with the Microsoft Copilot $CPT Token Rewards Program ("Program").

This Policy applies to all data collected through the Program website, wallet connection flows, and reward distribution processes. It supplements — and does not replace — the Microsoft Privacy Statement, which governs your broader use of Microsoft products and services.

By participating in the Program, you acknowledge that you have read and understood this Policy. If you disagree with our data practices, please do not connect your wallet or participate in the Program.

2. Data We Collect

We collect the following categories of personal data in connection with the Program:

Category	Examples	Source
Account Identifiers	Microsoft Account ID, email address, display name	Your Microsoft account
Wallet Information	Public wallet address (0x…), connected wallet provider name	Provided by you during connection
Copilot Usage Data	Prompt metadata (length, category, complexity score), timestamp, session ID. Prompt content is not stored for reward purposes.	Automatically from Copilot service
Reward Transaction Data	CPT amounts earned, distribution timestamps, tier classification, transaction hashes	Generated by reward system
Technical Data	IP address, browser type/version, operating system, device type, referrer URL	Automatically via web server logs
Communication Data	Support requests, email correspondence, feedback submissions	Provided by you

We do not collect: private keys, seed phrases, wallet passwords, or the content of your Copilot prompts for reward-scoring purposes. Prompt content processing for scoring occurs transiently and is not retained in its original form.

3. How We Use Your Data

We process your personal data only for the following purposes, each supported by a valid legal basis:

Program Administration — To verify eligibility, calculate reward scores, process token distributions, and manage your Program account. Contract Performance
On-Chain Distribution — To transmit $CPT tokens to your connected wallet address on the Optimism network. Contract Performance
Security & Fraud Prevention — To detect and prevent abusive behavior, bot activity, and violations of our Terms of Service. Legitimate Interests
Service Improvement — Aggregate, de-identified usage analytics to improve the reward scoring algorithm and Program performance. Legitimate Interests
Communications — To send you program-related notifications (distribution confirmations, policy updates). Contract Performance / Consent
Legal Compliance — To comply with applicable laws, respond to lawful requests from authorities, and enforce our Terms. Legal Obligation

We do not use your data to train AI models, sell to advertising networks, or build behavioral profiles for marketing purposes.

4. Wallet Data & Blockchain Transparency

Public Nature of Blockchain Data: You acknowledge that your public wallet address and all on-chain transactions — including $CPT distributions — are permanently and publicly recorded on the Optimism blockchain and accessible to anyone via blockchain explorers (e.g., Etherscan). Microsoft has no ability to delete or alter on-chain transaction records.

What We Store: We store the association between your Microsoft Account ID and your public wallet address in our secure Program database. This association is used solely to route token distributions and is not sold or disclosed to third parties except as described in Section 5.

What We Do Not Store: We do not collect, store, or have access to your wallet's private keys, seed phrases, or any credentials required to authorize transactions on your behalf. Microsoft cannot initiate transactions from your wallet without your explicit approval.

Pseudonymity: While your wallet address is pseudonymous, on-chain activity may be linkable to your identity by third parties through blockchain analytics. We recommend consulting privacy-preserving wallet practices if on-chain pseudonymity is important to you.

5. Data Sharing & Third Parties

We do not sell your personal data. We share data only in the following limited circumstances:

Service Providers: Microsoft engages trusted third-party vendors (cloud infrastructure, analytics, customer support tools) under strict data processing agreements that prohibit independent use of your data.
Blockchain Infrastructure: Token distribution transactions are broadcast to the Optimism network, which involves interactions with decentralized validator nodes. Transaction data (wallet address and amount) becomes publicly visible on-chain.
Security Auditors: Our smart contracts and reward systems have been audited by Trail of Bits. Auditors accessed contract code and test data under confidentiality agreements — no personal user data is shared.
Legal Disclosures: We may disclose personal data if required by law, court order, or governmental authority, or if we believe disclosure is necessary to protect the rights, safety, or property of Microsoft, our users, or the public.
Corporate Transactions: In connection with a merger, acquisition, or sale of assets, your data may be transferred to a successor entity, subject to equivalent privacy protections.

6. Cookies & Tracking Technologies

The Program website uses the following categories of cookies and similar technologies:

Strictly Necessary Cookies: Required for the site to function — session management, wallet connection state, CSRF protection tokens. Cannot be disabled.
Analytics Cookies: Aggregate, de-identified data on page visits, scroll depth, and CTA interactions (e.g., Microsoft Clarity). Used to improve the Program experience. You may opt out via your browser settings.
Preference Cookies: Store your wallet connection preferences for returning visits.

We do not use third-party advertising cookies or cross-site behavioral tracking technologies. Your cookie preferences can be managed through your browser settings or our Cookie Preference Center accessible in the page footer.

7. Data Retention

We retain personal data for the following periods:

Program Account Data (account ID, wallet association, reward records): Retained for the duration of your Program participation plus 36 months following account termination, or as required by applicable law.
Usage & Technical Logs: Retained for 90 days for security and fraud analysis, then deleted or anonymized.
Support Communications: Retained for 24 months following resolution of the inquiry.
On-Chain Records: Transaction records on the Optimism blockchain are permanent and cannot be deleted by Microsoft or any other party.

Upon request for deletion (see Section 9), we will anonymize or delete personal data held in our systems within 30 days, subject to legal retention obligations.

8. International Data Transfers

Microsoft is a global organization. Your personal data may be processed and stored on servers located in the United States and other countries where Microsoft operates data centers. Where data transfers occur from the European Economic Area (EEA), United Kingdom, or Switzerland to countries not recognized as providing adequate data protection, we rely on the following transfer mechanisms:

Standard Contractual Clauses (SCCs) approved by the European Commission;
Microsoft's EU-U.S. and Swiss-U.S. Data Privacy Framework certification; and
Binding Corporate Rules, where applicable.

For more information on international transfers, please contact our Data Protection Officer (see Section 13).

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Right to Access

Request a copy of the personal data we hold about you in connection with the Program.

Right to Rectification

Request correction of inaccurate or incomplete personal data.

Right to Erasure

Request deletion of your personal data, subject to legal retention requirements. Note: on-chain records cannot be deleted.

Right to Restrict Processing

Request that we temporarily or permanently stop processing your data in specific circumstances.

Right to Data Portability

Receive your data in a structured, machine-readable format for transfer to another service.

Right to Object

Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.

Right to Withdraw Consent

Where processing is based on consent, withdraw consent at any time without affecting the lawfulness of prior processing.

Right to Lodge a Complaint

Lodge a complaint with your local data protection supervisory authority at any time.

To exercise your rights, contact our Data Protection Officer at dpoffice@microsoft.com. We respond to all data subject requests within 30 days. California residents may additionally exercise rights under the CCPA/CPRA by contacting us at the same address or visiting privacy.microsoft.com.

10. Children's Privacy

The Program is not directed at, and we do not knowingly collect personal data from, individuals under the age of 18. If you believe we have inadvertently collected data from a minor, please contact us immediately at cptrewards@microsoft.com and we will take prompt steps to delete such data.

11. Security

Microsoft implements industry-standard technical and organizational security measures to protect your personal data, including:

Encryption at rest and in transit: All personal data is encrypted using AES-256 at rest and TLS 1.3 in transit.
Access controls: Personal data access is restricted to authorized personnel on a need-to-know basis, governed by role-based access controls.
Smart contract security: $CPT distribution contracts have undergone a comprehensive independent security audit by Trail of Bits, covering reentrancy vulnerabilities, integer overflow, access control, and token economics.
Incident response: Microsoft maintains a documented security incident response program. In the event of a data breach, affected users will be notified as required by applicable law.

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security against all possible threats.

12. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, legal requirements, or Program features. Material changes will be communicated via a notice on the Program website and/or email notification to the address associated with your Microsoft account at least 30 days prior to taking effect.

The "Last Updated" date at the top of this Policy indicates when the most recent revision was made. We encourage you to review this Policy periodically. Continued participation in the Program following notice of an amendment constitutes your acceptance of the updated Policy.

13. Contact & DPO Information

For all privacy-related inquiries, data subject requests, or concerns:

Data Protection Officer: dpoffice@microsoft.com
Program Support: cptrewards@microsoft.com
Postal: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA — Attn: Privacy Team / CPT Rewards
EU Representative: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland

If you are unsatisfied with our response, you have the right to lodge a complaint with your regional data protection authority. EU residents may contact the Irish Data Protection Commission at dataprotection.ie.

Table of Contents