Privacy Policy

Last reviewed: 2026-05-06 — pending counsel review

1. Information We Collect

We collect the following information when you use the Service:

Account Information:

  • Email address (when you sign up via email or Google).
  • Wallet addresses (when you sign in via wallet, or link additional wallets).
  • Privy user ID (the auth provider's identifier for your account).
  • Tier status, subscription dates, and payment history.

Usage Data:

  • API request logs: timestamp, endpoint path, response status, key ID.
  • IP address (used for rate-limiting and abuse detection; not associated with personal identity beyond what's needed for those purposes).
  • Browser type and operating system (when you visit the website).

Communications:

  • Emails you send to us (e.g., support requests).
  • Survey or feedback responses you voluntarily provide.

We do not collect or store credit card data — payments are made directly via on-chain USDC transfer.

2. How We Use It

We use your information to:

  • Provide the Service — authenticate you, attribute payments, issue API keys, deliver ratings data, send transactional emails (e.g., payment confirmations, rating-change alerts).
  • Match payments — link incoming USDC transfers to your account by matching the FROM address against your linked wallets.
  • Enforce rate limits and detect abuse — monitor request patterns for anomalies that suggest credential sharing, automated scraping, or denial-of-service activity.
  • Improve the Service — analyze usage in aggregate to identify popular endpoints, common errors, and feature priorities.
  • Communicate with you — send service announcements, security notices, and (with your consent) marketing emails.

3. Third Parties

We share information with the following service providers, each of whom is contractually bound to protect your data:

  • Privy (auth.privy.io) — authentication provider. Privy handles the wallet signature, email/Google login, and embedded wallet provisioning. Privy receives your email or wallet address at login. See Privy's privacy policy at https://privy.io/privacy.
  • Email provider (Resend) — delivers transactional emails. Resend receives your email address and the email content. See Resend's privacy policy at https://resend.com/legal/privacy-policy.
  • RPC providers (Cloudflare, Ankr, public chain RPCs) — used to read on-chain data when watching for incoming USDC payments. These providers receive on-chain query parameters but do not receive your account information.
  • Hosting providers (Vercel, Turso, Upstash) — host the website, database, and Redis cache. They receive request and database data necessary to serve the Service.

We do not sell your personal information.

We do not share your information with third parties for their own marketing purposes.

4. Cookies

We use cookies for the following purposes:

  • Session cookies — keep you logged in across page loads. Set by Privy.
  • Anti-CSRF cookies — protect against cross-site request forgery on form submissions.

We do not use third-party tracking, advertising, or analytics cookies.

5. Your Rights

Depending on your jurisdiction (notably the UK, EU, and California), you have the following rights:

  • Access — request a copy of the data we hold about you.
  • Correction — request correction of inaccurate data.
  • Deletion — request deletion of your data, subject to legal retention requirements.
  • Portability — receive your data in a machine-readable format.
  • Objection — object to certain processing activities (e.g., direct marketing).
  • Withdraw consent — withdraw any consent you previously gave us.

To exercise any of these rights, contact support@verdict.finance. We will respond within 30 days.

If you are in the EU, you also have the right to lodge a complaint with your national data protection authority. If you are in the UK, that authority is the Information Commissioner's Office (ICO).

6. Data Retention

We retain your data for the following periods:

  • Active accounts: indefinitely while your account is active.
  • Deleted accounts: pseudonymised within 30 days of deletion request. Pseudonymised data retains aggregate usage statistics but cannot be linked back to you.
  • Legal and financial records (payment history, audit logs, tax records): retained for the period required by applicable financial record-keeping rules in our jurisdiction of incorporation (British Virgin Islands) and any jurisdictions in which we have tax or regulatory obligations.
  • Email communications with support: 2 years from the date of the last message in the thread.

7. Security Measures

We protect your data through the following technical and organisational measures:

  • Encryption in transit: TLS 1.3 for all website and API connections.
  • Encryption at rest: database and backups encrypted using industry-standard ciphers.
  • API key hashing: we store API keys as bcrypt hashes; we cannot recover a lost key, only issue a new one.
  • Access control: production database access is limited to a small number of authorised personnel with audit logging.
  • Vulnerability management: we run dependency audits and address security issues promptly.

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. Notify us immediately at support@verdict.finance if you suspect your account has been compromised.

8. Contact

Questions about this privacy policy? Contact us at support@verdict.finance.

If you are in the UK or EU and wish to lodge a formal complaint, you may also contact the relevant data protection authority directly.