Privacy Policy

Last Updated: May 15, 2026 (draft - pending counsel review)

00. Draft status

Last reviewed by counsel: NOT YET.

This Privacy Policy is a working draft published in advance of formal legal review. It reflects Blockchain0x's intended data-handling posture and our genuine privacy commitments, but it has not been signed off by external counsel. Material changes will be notified per the "Changes" section once review completes.

01. Overview

Blockchain0x ("we," "our," or "us") is a brand of Tosh Labs Private Limited, a company incorporated under the laws of India. We provide payment, identity, and spending-controls infrastructure for AI agents through APIs, a hosted dashboard, SDKs, and a public marketing website (collectively, the "Service").

This Privacy Policy explains what personal information we collect, why we collect it, how we use and share it, and what choices and rights you have. The Service is intended exclusively for adult developers and organizations - we do not market to or knowingly collect information from anyone under 18.

By using the Service, you agree to the collection and use of information as described here. If you do not agree, do not use the Service.

02. Scope and audience

This Privacy Policy applies to:

  • Visitors to www.blockchain0x.com and any related Blockchain0x property.
  • Customers who create a Blockchain0x account and operate paid or free agents through the dashboard or API.
  • End users who interact with a Blockchain0x-powered agent's public profile page (for example, when verifying an agent before sending it a payment).
  • Recipients of marketing emails, newsletters, or transactional communications from us.

This Policy does not cover the privacy practices of third parties whose services we rely on (Circle, Coinbase, Stripe, our hosting providers) - their own privacy policies govern their handling of your data. We describe our processor relationships in section 06.

03. Information we collect

1. Information you provide directly

  • Account information: email address, name, organization name, and the email-OTP credential used for sign-in.
  • Agent profile information: agent name, slug, purpose, wallet address, public-page configuration, and any verification claims you submit (GitHub handle for verification, domain for DNS verification, etc.).
  • Billing information: Stripe customer ID and limited cardholder reference data; full payment card numbers are processed and stored by Stripe, not by us.
  • Support communications: the content of messages you send via the contact form, support email, or sales calls, including any information you choose to share.
  • Newsletter subscriptions: email address and the preference categories you select.

2. Information collected automatically

  • API and dashboard usage: API keys used, endpoints called, request and response metadata (timestamps, status codes, latency), and dashboard navigation events.
  • Device and browser information: IP address, user agent, browser and operating system version, screen resolution, language preference.
  • Cookies and similar technologies: session cookies for authentication, preference cookies for dashboard settings, and privacy-respecting analytics cookies. We do not use advertising or cross-site tracking cookies.
  • Webhook delivery logs: delivery attempts, signatures, response codes, and retry history for webhooks emitted to your endpoints.
  • Crash and error reports: diagnostic information when the dashboard or SDK encounters an error, including a stack trace and the request that triggered it.

3. Payment-data and transaction information

  • Transaction metadata: payment request IDs, amounts in USDC, reason strings, agent IDs, counterparty wallet addresses, transaction hashes, confirmations, timestamps, and webhook event records. We retain transaction metadata for audit, reconciliation, and regulatory purposes.
  • Wallet addresses and chain identifiers: the addresses your agents send and receive payments to, plus the chain on which each agent operates.
  • What we do not collect: we do not custody crypto-assets, do not hold private keys, and do not have signing authority over any wallet. We do not store full payment card details (Stripe handles those).

04. How we use information

We process personal information for the following purposes:

  • Providing the Service: creating accounts, authenticating users, executing API requests, delivering webhooks, rendering the dashboard, and maintaining payment-request and audit logs.
  • Billing and account management: calculating fees, charging your payment method via Stripe, issuing invoices, and applying credits.
  • Customer support: responding to inquiries, troubleshooting issues, and resolving disputes.
  • Security and abuse detection: identifying anomalous spending patterns, suspected credential compromise, sanctions-list matches, and acceptable-use violations.
  • Service improvement: understanding aggregated usage patterns to inform product decisions. We use de-identified or aggregated data for this where possible.
  • Communications: sending transactional emails (account, security, billing, product), responding to your inquiries, and - with your consent - sending newsletter or product-update emails. Every marketing email includes a one-click unsubscribe.
  • Legal compliance: meeting tax, accounting, sanctions, anti-money-laundering, and other regulatory obligations.

05. Lawful basis (GDPR / UK GDPR)

For visitors in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following lawful bases under the GDPR or UK GDPR:

  • Contract performance: processing your account information, transaction metadata, and billing data is necessary to deliver the Service you signed up for.
  • Legitimate interests: security monitoring, abuse detection, fraud prevention, basic Service analytics, and the operation of our public marketing website rely on our legitimate interests, subject to a balancing test against your privacy.
  • Legal obligation: tax, sanctions, anti-money-laundering, and other regulatory recordkeeping.
  • Consent: marketing emails, newsletter subscriptions, and non-essential analytics cookies rely on your consent, which you can withdraw at any time.

06. How we share information

We do not sell personal information. We share information only with the categories of recipients listed below, and only as needed.

  • Payment processors and rails: Stripe (for fiat subscription billing), Circle (for stablecoin operations and USDC settlement on Base or other chains), Coinbase (for Smart Wallet integrations and chain interactions). Each provider has its own privacy policy.
  • Infrastructure providers: our cloud hosting, database, error-tracking, and email providers process data on our behalf under contractual data-processing terms.
  • Analytics: privacy-respecting analytics that aggregate usage without persistent cross-site identifiers.
  • Public agent profiles: the agent profile page (at wallet.blockchain0x.com/a/{slug}) is intentionally public and exposes the information you choose to publish - agent name, purpose, wallet address, verification badges, and recent transaction history (anonymous counterparty addresses, amounts, and timestamps). Do not publish information you do not want public.
  • Legal and regulatory: we may disclose information when required by law, in response to lawful process, or to protect our rights, property, or safety, or those of our customers or the public.
  • Corporate transactions: in the event of a merger, acquisition, asset sale, or insolvency, information may be transferred subject to confidentiality undertakings.

07. Data retention

We retain personal information for as long as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Specifically:

  • Account information: retained for the duration of your account plus 24 months after closure, for billing reconciliation and dispute resolution.
  • Transaction metadata and audit logs: retained for 7 years to meet tax, anti-money-laundering, and recordkeeping requirements. Public on-chain transaction records cannot be deleted from the underlying blockchain - that is a property of the technology, not a policy choice.
  • Support communications: retained for 24 months.
  • Newsletter subscriptions: retained until you unsubscribe.
  • Logs (request, error, webhook delivery): retained for 90 days at high fidelity, then archived in aggregated form.

08. Security

We use industry-standard security practices to protect personal information, including encryption in transit (TLS) and at rest, principle-of-least-privilege access controls, secret-management infrastructure for credentials, signed webhooks, and regular review of dependencies and access logs. Our security posture, architectural guarantees, audit roadmap, and bug-bounty program are documented at /security.

No internet-based service is perfectly secure. While we take reasonable measures, you should use strong passwords, store API keys in secret managers (not in source control), and report suspected security issues to [email protected].

09. International transfers

We operate from India. The Service uses cloud infrastructure that may store and process data in the European Union, the United States, India, and other regions where our providers operate. By using the Service, you understand that your information may be transferred to and processed in jurisdictions with data-protection laws different from those of your country of residence.

For transfers from the EEA, the UK, or Switzerland, we rely on Standard Contractual Clauses with our processors. Copies are available on request to [email protected].

10. Your rights (GDPR / UK GDPR / Swiss FADP)

If you are in the EEA, UK, or Switzerland, you have the following rights with respect to your personal information:

  • Access: request a copy of the personal information we hold about you.
  • Rectification: ask us to correct inaccurate or incomplete data.
  • Erasure: request deletion of your data, subject to legal retention requirements (notably for transaction and audit logs).
  • Restriction: ask us to limit how we process your data in defined circumstances.
  • Objection: object to processing based on our legitimate interests, including direct marketing.
  • Portability: receive your data in a structured, commonly used, machine-readable format.
  • Withdraw consent: where processing is based on consent, withdraw consent at any time.
  • Lodge a complaint: with your local data-protection authority.

To exercise these rights, email [email protected]. We respond to verified requests within 30 days.

11. Your rights (California / CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:

  • Right to know: the categories and specific pieces of personal information we have collected, the sources, purposes, and third parties we have shared it with in the past 12 months.
  • Right to delete: request deletion of personal information, subject to legal exceptions.
  • Right to correct: request correction of inaccurate personal information.
  • Right to opt out of sale or sharing: we do not sell personal information and we do not share it for cross-context behavioural advertising.
  • Right to limit use of sensitive personal information: we do not use sensitive personal information beyond what is necessary to provide the Service.
  • Right to non-discrimination: we will not discriminate against you for exercising any of these rights.

To exercise these rights, email [email protected]. Authorized agents may submit requests on your behalf with appropriate authority documentation.

12. Your rights (India / DPDPA)

Under India's Digital Personal Data Protection Act, 2023, you have the right to access, correct, erase, and seek redressal for personal data that we process about you. To exercise these rights, contact [email protected]. You may also lodge a complaint with the Data Protection Board of India once it is operational.

13. Children

The Service is not directed at children under 18. We do not knowingly collect personal information from minors.

If we learn that we have collected personal information from a person under 18 without verifiable parental consent (which we do not seek), we will delete that information. If you are a parent or guardian and believe a minor has provided us personal information, contact [email protected] and we will take prompt action.

14. Cookies and similar technologies

We use the following categories of cookies:

  • Strictly necessary: required for authentication and security. These cannot be turned off without breaking the Service.
  • Preferences: remember your dashboard settings.
  • Analytics: aggregated usage metrics with no persistent cross-site identifiers; we use privacy-respecting analytics rather than ad-targeted analytics.

We do not use advertising cookies, behavioural-tracking cookies, or cross-site tracking pixels. Where required by law, we obtain consent before setting non-essential cookies.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be notified by email or via the dashboard at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

16. Contact us

For privacy questions, data-subject requests, or to exercise your rights:

Privacy - Tosh Labs Private Limited

Email: [email protected]

For security disclosures: [email protected]

Postal: Tosh Labs Private Limited, Gurugram, Haryana, India.

Response time: within 30 days of a verified request. Any legal inquiries are subject to the Terms & Conditions.

Need legal clarification?

Our legal team is dedicated to ensuring your family's data remains protected. If you have any specific questions about our privacy policy, we're here to help.