Privacy Policy
Last Updated: May 30, 2026
00. Status of this document
This Privacy Policy is in effect and binding.
This Privacy Policy is currently in effect and forms part of your agreement with Recordskeeper Inc. We review and update our policies from time to time; the version that governs your use of the Service is the one published on this page as of the effective date shown above. Material changes are notified as described in the "Changes" section.
01. Overview
Blockchain0x ("we," "our," or "us") is a product of Recordskeeper Inc, a company incorporated under the laws of the State of Delaware, United States, with its principal place of business in San Francisco, California. Recordskeeper Inc owns all intellectual property and rights in the Service. We provide software, payment-orchestration, identity, and spending-controls infrastructure for AI agents through APIs, a hosted dashboard, SDKs, and a public marketing website (collectively, the "Service"). We are strictly non-custodial: we never hold, control, or take possession of customer funds or private keys.
This Privacy Policy explains what personal information we collect, why we collect it, how we use and share it, and what choices and rights you have. The Service is intended exclusively for adult developers and organizations - we do not market to or knowingly collect information from anyone under 18.
By using the Service, you agree to the collection and use of information as described here. If you do not agree, do not use the Service.
02. Scope and audience
This Privacy Policy applies to:
- Visitors to www.blockchain0x.com and any related Blockchain0x property.
- Customers who create a Blockchain0x account and operate paid or free agents through the dashboard or API.
- End users who interact with a Blockchain0x-powered agent's public profile page (for example, when verifying an agent before sending it a payment).
- Recipients of marketing emails, newsletters, or transactional communications from us.
This Policy does not cover the privacy practices of third parties whose services we rely on (Circle, Coinbase, Stripe, our hosting providers) - their own privacy policies govern their handling of your data. We describe our processor relationships in section 06.
03. Information we collect
1. Information you provide directly
- Account information: email address, name, organization name, and the email-OTP credential used for sign-in.
- Agent profile information: agent name, slug, purpose, wallet address, public-page configuration, and any verification claims you submit (GitHub handle for verification, domain for DNS verification, etc).
- Billing information: Stripe customer ID and limited cardholder reference data; full payment card numbers are processed and stored by Stripe, not by us.
- Support communications: the content of messages you send via the contact form, support email, or sales calls, including any information you choose to share.
- Newsletter subscriptions: email address and the preference categories you select.
2. Information collected automatically
- API and dashboard usage: API keys used, endpoints called, request and response metadata (timestamps, status codes, latency), and dashboard navigation events.
- Device and browser information: IP address, user agent, browser and operating system version, screen resolution, language preference.
- Cookies and similar technologies: session cookies for authentication, preference cookies for dashboard settings, and privacy-respecting analytics cookies. We do not use advertising or cross-site tracking cookies.
- Webhook delivery logs: delivery attempts, signatures, response codes, and retry history for webhooks emitted to your endpoints.
- Crash and error reports: diagnostic information when the dashboard or SDK encounters an error, including a stack trace and the request that triggered it.
3. Payment-data and transaction information
- Transaction metadata: payment request IDs, amounts in USDC, reason strings, agent IDs, counterparty wallet addresses, transaction hashes, confirmations, timestamps, and webhook event records. We retain transaction metadata for audit, reconciliation, and regulatory purposes.
- Wallet addresses and chain identifiers: the addresses your agents send and receive payments to, plus the chain on which each agent operates.
- What we do not collect: we do not custody crypto-assets, do not hold private keys, and do not have signing authority over any wallet. We do not store full payment card details (Stripe handles those).
04. How we use information
We process personal information for the following purposes:
- Providing the Service: creating accounts, authenticating users, executing API requests, delivering webhooks, rendering the dashboard, and maintaining payment-request and audit logs.
- Billing and account management: calculating fees, charging your payment method via Stripe, issuing invoices, and applying credits.
- Customer support: responding to inquiries, troubleshooting issues, and resolving disputes.
- Security and abuse detection: identifying anomalous spending patterns, suspected credential compromise, sanctions-list matches, and acceptable-use violations.
- Service improvement: understanding aggregated usage patterns to inform product decisions. We use de-identified or aggregated data for this where possible.
- Communications: sending transactional emails (account, security, billing, product), responding to your inquiries, and - with your consent - sending newsletter or product-update emails. Every marketing email includes a one-click unsubscribe.
- Legal compliance: meeting tax, accounting, sanctions, anti-money-laundering, and other regulatory obligations.
05. Lawful basis (GDPR / UK GDPR)
For visitors in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following lawful bases under the GDPR or UK GDPR:
- Contract performance: processing your account information, transaction metadata, and billing data is necessary to deliver the Service you signed up for.
- Legitimate interests: security monitoring, abuse detection, fraud prevention, basic Service analytics, and the operation of our public marketing website rely on our legitimate interests, subject to a balancing test against your privacy.
- Legal obligation: tax, sanctions, anti-money-laundering, and other regulatory recordkeeping.
- Consent: marketing emails, newsletter subscriptions, and non-essential analytics cookies rely on your consent, which you can withdraw at any time.
07. Data retention
We retain personal information for as long as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Specifically:
- Account information: retained for the duration of your account plus 24 months after closure, for billing reconciliation and dispute resolution.
- Transaction metadata and audit logs: retained for 7 years to meet tax, anti-money-laundering, and recordkeeping requirements. Public on-chain transaction records cannot be deleted from the underlying blockchain - that is a property of the technology, not a policy choice.
- Support communications: retained for 24 months.
- Newsletter subscriptions: retained until you unsubscribe.
- Logs (request, error, webhook delivery): retained for 90 days at high fidelity, then archived in aggregated form.
08. Security
We use industry-standard security practices to protect personal information, including encryption in transit (TLS) and at rest, principle-of-least-privilege access controls, secret-management infrastructure for credentials, signed webhooks, and regular review of dependencies and access logs. Our security posture, architectural guarantees, audit roadmap, and bug-bounty program are documented at /security.
No internet-based service is perfectly secure. While we take reasonable measures, you should use strong passwords, store API keys in secret managers (not in source control), and report suspected security issues to [email protected].
09. International transfers
Recordskeeper Inc is a Delaware corporation with its principal place of business in San Francisco, California. We, together with our service providers, affiliates, and sub-processors (including personnel located in India who provide engineering, support, and back-office services to us), operate cloud infrastructure that may store and process data in the United States, India, the European Union, and other regions where our providers operate. By using the Service, you understand and consent that your information may be transferred to, stored in, and processed in jurisdictions whose data-protection laws differ from those of your country of residence.
For transfers from the EEA, the UK, or Switzerland, we rely on Standard Contractual Clauses with our processors. Copies are available on request to [email protected].
10. Your rights (GDPR / UK GDPR / Swiss FADP)
If you are in the EEA, UK, or Switzerland, you have the following rights with respect to your personal information:
- Access: request a copy of the personal information we hold about you.
- Rectification: ask us to correct inaccurate or incomplete data.
- Erasure: request deletion of your data, subject to legal retention requirements (notably for transaction and audit logs).
- Restriction: ask us to limit how we process your data in defined circumstances.
- Objection: object to processing based on our legitimate interests, including direct marketing.
- Portability: receive your data in a structured, commonly used, machine-readable format.
- Withdraw consent: where processing is based on consent, withdraw consent at any time.
- Lodge a complaint: with your local data-protection authority.
To exercise these rights, email [email protected]. We respond to verified requests within 30 days.
11. Your rights (California / CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:
- Right to know: the categories and specific pieces of personal information we have collected, the sources, purposes, and third parties we have shared it with in the past 12 months.
- Right to delete: request deletion of personal information, subject to legal exceptions.
- Right to correct: request correction of inaccurate personal information.
- Right to opt out of sale or sharing: we do not sell personal information and we do not share it for cross-context behavioural advertising.
- Right to limit use of sensitive personal information: we do not use sensitive personal information beyond what is necessary to provide the Service.
- Right to non-discrimination: we will not discriminate against you for exercising any of these rights.
To exercise these rights, email [email protected]. Authorized agents may submit requests on your behalf with appropriate authority documentation.
12. Your rights (India / DPDPA)
Under India's Digital Personal Data Protection Act, 2023, you have the right to access, correct, erase, and seek redressal for personal data that we process about you. To exercise these rights, contact [email protected]. You may also lodge a complaint with the Data Protection Board of India once it is operational.
13. Children
The Service is not directed at children under 18. We do not knowingly collect personal information from minors.
If we learn that we have collected personal information from a person under 18 without verifiable parental consent (which we do not seek), we will delete that information. If you are a parent or guardian and believe a minor has provided us personal information, contact [email protected] and we will take prompt action.
15. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be notified by email or via the dashboard at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
16. Contact us
For privacy questions, data-subject requests, or to exercise your rights:
Email: [email protected]
For security disclosures: [email protected]
Postal: Recordskeeper Inc, 2261 Market Street STE 86483, San Francisco, CA 94114, United States. Email is the preferred channel for privacy requests.
Response time: within 30 days of a verified request. Any legal inquiries are subject to the Terms & Conditions.
Need legal clarification?
Our team can help clarify how this policy applies to your account and your agents. If you have any specific questions about our privacy policy, we're here to help.