Data Processing & Retention Policy
Last Updated: 1 January 2025
1. Introduction
This Data Processing and Retention Policy explains how WalletX collects, processes, stores, and retains your personal data in compliance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Legal Basis for Processing (GDPR Article 6)
We process your personal data based on the following legal grounds:
Contract Performance (Art. 6(1)(b))
Processing necessary to provide our services:
- Account creation and authentication
- Subscription management
- API access provisioning
- Wallet analysis services
Legitimate Interests (Art. 6(1)(f))
Processing for legitimate business purposes:
- Service improvement and optimization
- Fraud prevention and security
- Analytics and usage statistics
- Customer support
Consent (Art. 6(1)(a))
Optional processing with your explicit consent:
- Marketing communications
- Optional cookies and analytics
- Newsletter subscriptions
Legal Obligation (Art. 6(1)(c))
Processing required by law:
- Tax reporting
- Regulatory compliance
- Legal proceedings
3. Data We Collect and Process
Identity and Contact Data
- Email address (required for registration)
- Username (optional, user-provided)
- Account ID (auto-generated)
Retention: Duration of account plus 30 days after deletion
Authentication Data
- Hashed passwords (encrypted)
- Authentication tokens
- Session data
Retention: Active session duration; deleted on logout or expiry
Subscription and Payment Data
- Subscription tier and status
- Payment transaction IDs (from Helio/Stripe)
- Subscription start and expiry dates
Retention: 7 years for tax and accounting purposes
Note: We do NOT store credit card numbers or payment credentials
Usage and Analytics Data
- Wallet addresses analyzed (public blockchain data)
- API requests and usage statistics
- Feature usage patterns
- Scan history
Retention: 30 days for scan history; aggregated analytics indefinitely
Technical Data
- IP address
- Browser type and version
- Device information
- Cookies (see Cookie Policy)
Retention: 90 days for security logs; cookie duration varies
4. Data Retention Periods
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Active account + 30 days | Service provision |
| Scan history | 30 days | User convenience |
| Payment records | 7 years | Tax/legal compliance |
| Security logs | 90 days | Fraud prevention |
| API usage stats | Indefinite (aggregated) | Service improvement |
| Support tickets | 3 years | Quality assurance |
5. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
Right of Access (Art. 15)
Request a copy of your personal data we hold. Email [email protected] to receive your data within 30 days.
Right to Rectification (Art. 16)
Update inaccurate or incomplete data through your profile settings or by contacting us.
Right to Erasure / "Right to be Forgotten" (Art. 17)
Request deletion of your account and personal data from your profile page or by emailing us. Note: Some data may be retained for legal compliance (payment records for 7 years).
Right to Restriction of Processing (Art. 18)
Request limitation of how we process your data in certain circumstances.
Right to Data Portability (Art. 20)
Receive your data in a machine-readable format (CSV/JSON) for transfer to another service.
Right to Object (Art. 21)
Object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent (Art. 7(3))
Withdraw consent for optional processing (e.g., marketing emails) at any time.
6. Data Processing Activities
We process your data for:
- Account creation and authentication
- Providing wallet analysis services
- Processing payments and managing subscriptions
- API access and rate limiting
- Fraud detection and security monitoring
- Customer support
- Service improvement and analytics
- Legal and regulatory compliance
7. Data Security Measures
We implement industry-standard security measures to protect your data:
- Encryption in transit (HTTPS/TLS)
- Password hashing with bcrypt
- Secure authentication via Supabase Auth
- Regular security audits
- Access controls and least-privilege principles
- Secure infrastructure (Supabase/AWS)
8. International Data Transfers
Your data may be processed in the United States and other jurisdictions where our service providers operate. We ensure adequate safeguards through:
- Standard Contractual Clauses (SCCs) for non-EU transfers
- Privacy Shield framework compliance (where applicable)
- Vendor due diligence and data protection agreements
9. Third-Party Data Processors
We work with the following third-party processors:
- Supabase - Database, authentication, hosting (USA). Privacy: supabase.com/privacy
- Google Analytics - Website analytics (USA). Privacy: policies.google.com/privacy
- Helio - Crypto payment processing (Cayman Islands). Privacy: hel.io/privacy
- Stripe - Credit card payment processing (USA). Privacy: stripe.com/privacy
- ConsentManager - Cookie consent management (Germany). Privacy: consentmanager.net/privacy
10. Data Protection Impact Assessment (DPIA)
We have conducted a Data Protection Impact Assessment for our high-risk processing activities. Our assessment concluded that:
- Privacy risks are minimized through encryption and access controls
- We only collect necessary data for service provision
- Data retention periods are appropriate and justified
- Third-party processors meet GDPR requirements
- Users have full control over their data through profile settings
11. Automated Decision Making
WalletX does not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects you under GDPR Article 22.
12. Children's Privacy
Our services are not intended for individuals under 18 years of age. We do not knowingly collect data from children. If we become aware that we have collected data from a child, we will delete it promptly.
13. Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify affected users within 72 hours of discovery
- Report to relevant supervisory authorities as required
- Provide details of the breach and mitigation steps
14. Supervisory Authority
You have the right to lodge a complaint with your local data protection authority if you believe we have not complied with GDPR. A list of EU supervisory authorities can be found at: edpb.europa.eu
15. Contact Our Data Protection Officer
For questions about data processing, to exercise your rights, or to contact our Data Protection Officer, email us at: [email protected]
Subject line: "Data Protection Inquiry" or "GDPR Request"
