XVALID Privacy Policy

Wallet Addresses

When you connect a blockchain wallet to XVALID or perform on-chain transactions via our platform, we collect your public wallet address. This is used to authenticate you (as your "login" to our Web3 Services) and to link any content or actions you perform to your address. Wallet addresses are considered public information on the blockchain; however, we treat them as personal data where required by law.

Email Address (Optional)

We do not require any email to use the core Services. If you choose to provide an email (for example, by contacting support, subscribing to updates, or creating an optional user profile), we will collect your email address. This may be used for communication purposes (such as responding to inquiries or sending newsletters if you have opted in). You can always choose not to provide an email, but then you might not receive certain notifications or support responses.

Content Hashes and Metadata

XVALID allows users to submit or store content through our platform. Rather than storing the content itself on our servers, we store a content identifier (hash) of any user-submitted content. This hash is a cryptographic representation of the content and by itself does not reveal the content's plain form. We may also store basic metadata about the content (for example, timestamps, content type, or tags) necessary for the Service's functionality. The actual user content is stored on a decentralized storage network (as explained below in Data Storage).

User-Generated Content

Usage Data (Analytics Information)

Like most online platforms, we may automatically collect limited information about how you interact with our website or app. This may include technical data such as your IP address, browser type, device information, locale, and usage statistics (e.g. pages or screens viewed, clicks, and time spent). We collect this data through third-party analytics tools or cookies (see Cookies and Analytics below). This data does not identify you by name and is used only to analyze and improve our Services. Where required, we will treat IP addresses and similar identifiers as personal data, though we seek to anonymize or pseudonymize this data wherever feasible.

No Sensitive Personal Data

Providing the Core Service

Your wallet address and content hashes are used to operate the core features of XVALID. For example, we use your wallet address to authenticate your interactions (so you can publish or validate content) and to attribute content or actions to you on the platform. Content hashes allow us to reference and retrieve the content you submitted from decentralized storage. This processing is necessary to perform the services you request (i.e. it is needed to fulfill our contract with you when you use our platform).

Content Moderation and Safety

We are committed to maintaining a safe and legal platform. To achieve this, we utilize automated content moderation tools, including third-party artificial intelligence services, to scan or review content that users submit. For example, we use the OpenAI API (and similar AI moderation services) to analyze content for compliance with our Terms of Service and safety policies. This means that user content may be transmitted to an AI moderation service to detect prohibited material (such as hate speech, explicit imagery, personal data, or other content that violates our rules). The moderation process is used only to flag or filter out content that violates our policies or the law – we do not use it for advertising or profiling. Any third-party AI service we use is bound to only use the data for providing moderation analysis and not for their own purposes.

Communication

If you provided an email address or contact info, we use it to communicate with you. This includes responding to support requests or inquiries you send us, sending service-related announcements (e.g. updates to our terms or privacy policy, security alerts), and sending newsletters or project updates if and only if you subscribed to them. We will not send you marketing emails without your consent, and you can opt-out at any time (each non-essential email will contain an unsubscribe link or instructions).

Analytics and Improvement

We use usage data (like IP address, device and browsing info, and on-site interactions) to understand how our Services are used and to improve user experience. For instance, analytics help us detect site traffic patterns, debug performance issues, and decide on new features or enhancements. This analysis is typically done in aggregate form (overall trends rather than examining individual user behavior) and is carried out using third-party analytics providers. Where required by law or if feasible, we will obtain your consent for analytics cookies or use only anonymized data. We do not use your data for behavioral advertising or sell your data to advertisers.

Ensuring Security and Preventing Misuse

We may process data (including wallet addresses and technical usage logs) to monitor for fraudulent, suspicious, or malicious activity on the platform. This helps protect XVALID and its users from abuse such as spam, hacking attempts, or other violations of our Terms of Service. For example, if multiple content submissions from a single wallet are flagged for violating rules, we may investigate that wallet address. We also may use IP address or device information to implement security measures (like rate limiting or blocking suspicious network traffic). This processing is based on our legitimate interest in keeping the Service secure and fair, and in some cases to comply with legal obligations.

Compliance with Law

Decentralized Content Storage (IPFS)

Database Storage

Data such as content hashes, wallet addresses, and any account-related information (like optional email or settings) are stored in our secure database. We utilize a reputable cloud database provider (for example, MongoDB Atlas or an equivalent managed database service) to host our data. This database is protected by access controls, encryption at rest, and encryption in transit. Only authorized XVALID team members or service processes can access the database, and only for permitted purposes. We do not store plaintext passwords (in fact, XVALID uses crypto wallets for login, so no password is needed for that; any other authentication tokens are handled securely). We regularly backup the database to prevent data loss, and those backups are similarly secured.

OpenAI and Other Subprocessors

When we use the OpenAI API for content moderation (or any similar AI service), the content data is sent securely via encrypted connection to OpenAI's systems. We do not permanently store the content of these moderation checks on our own servers beyond perhaps a flag or score indicating if content was approved or rejected. OpenAI might temporarily retain the data we send for abuse monitoring (per their policies), but they will not use it to train their models or for other purposes without our instruction. All subprocessors we use are carefully vetted and contractually obligated to protect your data.

Third-Party Analytics Storage

Analytics providers may store usage data (page views, IP, etc.) on their servers. We ensure that any analytics partner either does not receive personal data or, if they do (like an IP address), they handle it in compliance with privacy laws (for example, by truncating/anonymizing IPs in the EU). We currently use third-party tools only to gather insights on a general level. We do not collect device advertising IDs or precise geolocation data.

Security Measures

We employ organizational and technical measures to secure your data. This includes using encryption (HTTPS/TLS) for all data in transit between your browser/wallet and our platform, encryption at rest for stored data, firewalls and network security to prevent unauthorized access, and continuous monitoring for potential vulnerabilities or attacks. Our team follows security best practices in software development to minimize bugs and conducts audits of smart contracts and backend systems where applicable. In addition, by limiting the personal data we collect, we inherently reduce the risk to your privacy in the event of any security incident.

Access Controls

Internal access to user data is strictly limited. XVALID team members access the minimal data necessary to perform their job (for example, support staff can see the email you provided to respond to you, but they cannot see data you didn't provide). Wallet addresses and content hashes are generally public information, but any link to an email or any non-public info is kept confidential internally. We also ensure that our service providers (database hosting, etc.) implement strong access control on their side.

Data Breach Response

Data Localization and Transfers

Our servers and service providers may be located in various countries (for example, our database may be hosted in the United States or European Union datacenters, and our team operates globally). This means your data may be transferred to or accessed from outside your home jurisdiction. International data transfers are addressed in detail below, but in short, we implement appropriate safeguards (such as Standard Contractual Clauses for EU data or ensuring providers are certified under frameworks like those between EU-US or meet PDPA requirements) when transferring data internationally.

Cloud Database and Hosting Providers

We use third-party cloud infrastructure to host our website, database, and Services. For example, our content hash and user data may be stored in a cloud database service (such as MongoDB Atlas or a similar database-as-a-service platform), and our servers may run on cloud providers like AWS, Azure, or others. These providers store and process data only to the extent needed to keep our Service running (e.g., storing data, performing backups, etc.). They are not permitted to access or use your data for any other purposes. We have agreements in place (including Data Processing Addendums where applicable) to ensure they protect your data under strict confidentiality and security standards.

Decentralized Storage Networks

As noted, XVALID uses IPFS for content storage. We may engage IPFS pinning services or gateways (third-party services that help store and retrieve IPFS content) to ensure content availability. Examples could include Infura, Pinata, or others. These services will handle the content (which might include personal data if you included any in the content) for storage and retrieval on the IPFS network. However, they do not interpret the data – they simply ensure it's stored across the network. All such services are chosen for reliability and their commitment to privacy (many IPFS providers have their own privacy practices which align with decentralized principles).

AI and Moderation Services

We integrate external AI services to help moderate and filter user content. The primary example is OpenAI's API for content moderation (checking text against safety policies). When content moderation is performed, the content is sent to these third-party AI systems, which then return an analysis (for instance, whether the content is safe or violates certain rules). These AI service providers act as our processors for this data. They are not allowed to use your content for any purpose other than providing us the moderation results. We ensure this via our contract or via the provider's terms (OpenAI, for example, commits not to use API-submitted data to train models without permission and to maintain confidentiality).

Analytics and Tracking Tools

We use third-party analytics tools (which may involve cookies or similar technologies) to gather usage statistics. These may include, for instance, Google Analytics, or other web analytics services. Such tools may automatically receive certain technical information from your device (as described under Usage Data). We configure these tools to respect privacy: for example, where possible, we enable IP anonymization and do not allow them to use data for their own advertising purposes. Analytics providers act as data processors for us – meaning they only process your information per our instructions (to provide aggregate stats, etc.). We do not share any directly identifying information (like names or emails) with our analytics partners. You have choices to limit this data collection (see Cookies and Your Choices).

Email and Communication Providers

If we send emails or transactional messages, we may use an email delivery service (for example, SendGrid, Mailchimp, or similar) to manage our mailing lists and send messages. These providers would handle your email address and the content of the messages on our behalf. They are only permitted to use that information to send communications as we direct, and not for anything else. We likewise ensure any such provider has strong security and privacy commitments.

Other Service Providers

We may use additional services for things like application performance monitoring, customer support ticketing, or community forums. If any personal data is processed by such services, it will be only what's necessary. For instance, if you engage with our community forum or social media via links on our site, any data you provide there is subject to those platforms' privacy policies (we do not automatically ingest that data into XVALID systems). We will always endeavor to list the categories of our subprocessors here and keep this section up to date as our service ecosystem evolves.

Legal Requirements and Asset Transfers

In addition to the above service providers, there are a couple of special circumstances where we might share data:

• If required by law or governmental authority, we may share data pursuant to a legal request (as detailed in How We Use Your Data – Compliance with Law). We will verify any request and only provide information that is necessary and proportionate.
• If XVALID undergoes a business transition, such as a merger, acquisition, or financing, your data (to the limited extent we have any personal data) may be transferred to a successor or affiliate as part of that process. If such a transfer occurs, we will ensure the recipient commits to respect this Privacy Policy or provide notice and possibly request your consent if required by law.

Functional Cookies

Some cookies are necessary for the site to function – for example, to remember your preferences or keep you logged in during a session (if applicable). Because XVALID uses crypto wallets for authentication, we may not use traditional login cookies, but we might use local storage or session storage to remember that you've connected your wallet or to store a session identifier for your visit. These functional cookies do not identify you personally and are typically exempt from consent requirements.

Analytics Cookies

We use analytics cookies (or similar trackers) to collect information about how users interact with our site. This information helps us count visitors, see which features are popular, and understand user pathways through our application. For instance, we might use Google Analytics which sets cookies to distinguish users and throttle request rates. The data collected may include your IP address and usage information as described earlier. We configure analytics to avoid collecting any more data than necessary – often we anonymize the last digits of IP addresses and we do not allow cross-site tracking.

Third-Party Tools

In addition to pure analytics, if we embed content or integrate with other platforms, those third parties might set cookies. For example, if in the future we integrate an optional chat support widget, that service might use cookies. We will endeavor to list any significant third-party cookie usage here and ensure you have notice of it. As of the latest update, our primary third-party cookies relate to analytics and performance (e.g., Cloudflare may set a cookie for security or caching reasons, which does not track personal data).

Your Choices for Cookies

Do Not Track

Some browsers offer a "Do Not Track" (DNT) signal that allows you to indicate your preference regarding tracking. Currently, there is no universal standard for how to interpret DNT signals. While we respect the intent of DNT, our site may not respond differently to a browser with a DNT signal. Instead, we provide the privacy controls described (consent for analytics in certain regions, and the ability for you to opt-out manually). We will update this policy if our practice changes in the future.

Analytics Opt-Out

If we use Google Analytics, you can opt out of Google Analytics data collection for this site and others by installing the Google Analytics Opt-out Browser Add-on, which prevents your browser from sending data to Google Analytics. Other analytics tools may have similar opt-out mechanisms. Additionally, you can contact us (see Contact Us section) to inquire if we currently use any analytics that support a manual opt-out, and we will provide guidance.

No KYC or Identity Verification

No Investor Token Sale (No Private or Public ICO)

XVALID's token distribution is structured to avoid the need for gathering investor information. We did not conduct any private sale, public ICO, or token pre-sale that would involve selling tokens to investors in exchange for funds. Many token projects that raise capital from investors are required to collect personal data for legal or regulatory reasons (such as KYC/AML for token sale participants, or maintaining a list of shareholders). XVALID deliberately avoided this model. Our token (the XVALID token) has been distributed through alternative means (for example, community rewards, on-chain emissions, or other non-investment mechanisms) that did not require us to collect anyone's personal identity or payment information. By not having outside investors or a token sale, we mitigate legal risks and ensure that we are not holding personal data related to such activities. This approach keeps the platform more compliant with securities laws and, from a privacy perspective, means there's no database of investor names, credit card details, or contribution records. All token transactions occur on-chain, and your wallet address is the only identifier involved.

Do Not Share Personal Data in Public Content

Content Compliance

You must ensure that any content you upload or actions you take on XVALID comply with our Terms of Service and all applicable laws. Do not use XVALID to publish illegal material, harassing or hateful content, or anything that violates the rights of others (such as copyright or privacy rights). Remember that we employ content moderation – content that violates rules may be removed and could be reported to authorities if it's unlawful. As a user, you are obligated to use the Service for its intended purpose and not to misuse it.

Account Security

Accuracy of Information

If you do choose to provide us with any information (such as an email for contact or any optional profile info), you agree that such information is accurate and belongs to you. Do not provide an email or contact that is not yours or that you are not authorized to use. If we discover information that appears fraudulent or misappropriated, we may delete it and, if necessary, restrict your use of the platform.

Respect Others' Privacy

If as a user you happen to collect or learn personal information about other XVALID users (for example, through their content or interactions), you agree to treat that information with care. You should not harvest data from the platform for unwarranted purposes, and you must not misuse any other user's information. Also, if you refer friends or share content, do not expose others' personal data without consent.

Opt-Out Choices

You have the choice of how you use XVALID. If you disagree with this Privacy Policy or the Terms, you should discontinue use of the Service. You may also use privacy tools (like VPNs or privacy browsers) if you wish, though note that interacting with the blockchain will always expose your wallet address by design. If you want to limit data collection, you can adjust your browser settings to block cookies or tracking (with the understanding that it may degrade functionality as mentioned). For any optional features like email newsletters or community forums, participation is voluntary – you can opt out or refrain from those features if you want to remain as anonymous as possible. We provide ways to unsubscribe or opt out wherever we offer such options, and you can always contact us to assist with any opt-out request.

EU/EEA (GDPR) Compliance

United States and CCPA (California)

Singapore (PDPA) and Other Countries

International Data Transfers

Right to Access

You have the right to request confirmation if we are processing your personal data, and to request a copy of the data we hold about you. This is sometimes called a Data Subject Access Request. Given the minimal data we collect, this would likely include things like any email you provided, your wallet address (which you likely know already), content hashes associated with your address, and any usage logs that are considered personal data (like IP addresses in logs, if not anonymized). We will provide this information in a concise, transparent format, usually within 30 days as required by GDPR (or 45 days under CCPA, which can be extended by another 45 days with notice if necessary).

Right to Rectification (Correction)

If you believe any personal data we have about you is inaccurate or incomplete, you have the right to request that we correct or update it. For example, if you provided an email and you want to update it or you think we logged something incorrectly, let us know. We will rectify incorrect data promptly. (Note: Most data we have comes directly from you or the blockchain, so mismatches are uncommon, but the right stands.)

Right to Deletion (Erasure)

Right to Restrict Processing

In some jurisdictions (like the EU), you have the right to request that we limit processing of your data in certain circumstances. For example, if you contest the accuracy of data, or if you object to our processing pending verification of something. Practically, since we do minimal processing, this might not often apply, but if you make such a request we can, for instance, stop using your email or pause analytics tracking for your sessions.

Right to Object

You have the right to object to certain processing activities. For instance, you can object to processing based on our legitimate interests or to receiving direct marketing. In our context, you might object to analytics collection or to any automated decision-making (though we don't really perform decisions that affect you legally—content moderation decisions are about content allowed on the platform, not about you personally).

Right to Withdraw Consent

Where we rely on your consent to process data, you have the right to withdraw that consent at any time. For example, if you consented to receive a newsletter, you can unsubscribe (withdraw consent) and we will stop sending it. Withdrawing consent won't affect the legality of what we did prior, but it will stop future processing.

Right to Data Portability

For data you provided to us, in some cases you have the right to request that we provide it in a structured, commonly used, machine-readable format so you can transfer it to another service. Given we don't have profile accounts in the traditional sense, the most likely portable data could be something like your content or your list of content hashes.

Exercising Your Rights

Wallet Addresses and Content Records

Email and Contact Information

If you provided an email for communications, we will retain that email address for as long as you continue to want to receive communications or need an account with us. If you unsubscribe from emails or request deletion, we will promptly remove your email from our active mailing lists. We may still keep a record of your email in an "opt-out list" to ensure we don't accidentally send you emails in the future.

Analytics Data

Analytics information is often collected in aggregate form and may be stored by our analytics providers for a certain retention period. We do not maintain identifiable analytics logs on our own servers long-term. Web server logs containing IP addresses are typically rotated and deleted within a short period (often 30 days to 90 days) unless needed for security analysis.

Content Moderation Data

Backups and Legal Obligations

• Our database backups may contain your data and could be retained for some additional time even after data is deleted from the live system.
• We might be required to keep certain data for a longer period to comply with laws or regulations.
• If we receive a legal notice or are involved in a dispute, we might need to preserve relevant data until it is resolved.

Minimum Age

By using XVALID, you represent that you are at least 18 years old or the age of majority in your jurisdiction. If you are under 18 (or under the relevant age of majority), you may only use XVALID with the involvement and consent of a parent or legal guardian.

No Collection from Children

We do not intentionally gather personal data from children under 13. If we become aware that we have inadvertently collected personal data from a child under 13, we will delete that information as soon as possible.

Parental Guidance

Notification of Changes

Scope of Changes

Any updated policy will apply to all current and past users of our Services and will replace any prior versions, except to the extent we receive your consent for materially different uses of your data (if required). We will not reduce your rights under this Privacy Policy without your explicit consent.

Review Period

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Continuing to use XVALID after a revised Privacy Policy has been posted means you accept the terms of the updated Policy.

Complaints

We prefer to address your privacy concerns directly and amicably. However, if you feel we have not adequately resolved an issue, you have the right to lodge a complaint with your local data protection authority. For EU users, this could be your country's supervisory authority. For Singapore, you can contact the Personal Data Protection Commission (PDPC). For California, you can reach out to the California Attorney General's office for CCPA-related complaints.