BulwkBulwk

Privacy Policy

Zero Personal Data. Maximum Privacy.

Last Updated: October 24, 2025

We Don't Collect Personal Information

Bulwk operates a zero-PII (Personally Identifiable Information) architecture. We don't ask for, collect, or store your name, email, phone number, physical address, or any other personal data.

Your cryptocurrency wallet address is your identity. Everything is public blockchain data.

What Data We Collect

We Collect

  • Wallet Addresses - Public blockchain addresses (already publicly visible)
  • Payment Transaction Hashes - Public on Ethereum/Sonic blockchains
  • License IDs (UUIDs) - Random identifiers NOT linked to your identity
  • Hashed API Keys - Irreversibly hashed for security
  • Hashed IP Addresses - Only for abuse prevention (cannot identify you)

We DON'T Collect

  • Names - Not asked, not stored
  • Email Addresses - Not required for any service
  • Phone Numbers - Never collected
  • Physical Addresses - No mailing addresses
  • Government IDs - No passport, SSN, or ID numbers
  • Company Names - Not stored in our systems

How We Use Data

1. License Verification

We verify License NFT ownership on the Sonic blockchain to grant API access. Your wallet address proves you own the license.

2. API Authentication

Your hashed API key is checked against our database to authorize signal access. We never store plaintext keys.

3. Abuse Prevention

Hashed IP addresses help us detect and prevent API abuse, DDoS attacks, and unauthorized access attempts. We cannot reverse hashes to identify individuals.

4. Payment Processing

We monitor blockchain transactions to detect payments and mint License NFTs. All payment data is public on Ethereum blockchain.

GDPR & Data Protection

GDPR Does Not Apply to This Service

Since we collect zero personal data, the EU General Data Protection Regulation (GDPR) does not apply to our license relationship. Wallet addresses are considered pseudonymous public data, not personal information under GDPR.

Your Data Rights

Right to Access: All license data is publicly viewable on blockchain. Use any blockchain explorer to see your NFT and payment history.
Right to Erasure ("Right to be Forgotten"): Not applicable - we have no personal data to delete. Your wallet address remains on blockchain (immutable, outside our control).
Right to Portability: Your License NFT is portable - it exists in your self-custodied wallet. You control it entirely.
Right to Object: You can stop using our service anytime by not renewing your license. No data deletion needed.

High-Value License Verification

For licenses exceeding $100,000 USD, we may require identity verification to comply with:

  • • Anti-Money Laundering (AML) regulations
  • • Know Your Customer (KYC) requirements
  • • OFAC sanctions screening

How High-Value Verification Works

  1. 1. Verification conducted by third-party KYC provider (Sumsub, Persona, etc.)
  2. 2. We receive only: verification_id + pass/fail status
  3. 3. We DO NOT receive or store your: name, DOB, SSN, passport, address
  4. 4. KYC provider retains your data per their privacy policy (not ours)
  5. 5. If you decline verification, we refund payment (minus gas fees)

Data Storage & Security

Database Security

  • • Encrypted at rest (AES-256)
  • • Encrypted in transit (TLS 1.3)
  • • Access restricted to authorized personnel only
  • • Regular security audits
  • • Daily encrypted backups

What If We're Hacked?

Even in a worst-case data breach, attackers get ZERO sensitive information:

  • ✅ No names, emails, or contact info
  • ✅ No credit card or bank details
  • ✅ No government IDs or SSNs
  • ✅ Only: Wallet addresses (public), License IDs (meaningless UUIDs), hashed keys (irreversible)

Result: Zero customer data leak. Zero liability. Zero notification requirements.

Cookies & Tracking

Essential Cookies Only

We use minimal essential cookies for:

  • • Session management (stay logged in with wallet)
  • • Security (CSRF protection)
  • • Preference storage (dark mode, language)

No Tracking or Analytics

We DO NOT use:

  • ❌ Google Analytics
  • ❌ Facebook Pixel
  • ❌ Advertising trackers
  • ❌ Third-party analytics services

Third-Party Services

Blockchain Infrastructure:

Alchemy (RPC provider), Etherscan, Sonic Explorer - for reading public blockchain data

Payment Processing:

Direct blockchain transactions - no Stripe, PayPal, or traditional payment processors

KYC (if applicable):

Sumsub or Persona for high-value verification - see their privacy policies

Hosting:

Vercel, Cloudflare - for website delivery and DDoS protection

Children's Privacy

Our service is not intended for individuals under 18 years of age. We do not knowingly collect data from children. Since we collect zero personal information, we have no way to determine user age. By using our service, you represent that you are at least 18 years old.

Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Since we don't collect email addresses, we cannot notify you of changes. Please review this page periodically.

Questions?

If you have questions about this privacy policy or our data practices:

View our Legal Documentation

Note: We have no customer support email because we don't collect email addresses. For technical support, use on-chain messaging to our treasury wallet or open a GitHub issue.

TL;DR: Maximum Privacy by Design

Zero PII

No personal data collected or stored

Blockchain Identity

Wallet address = your identity

Breach-Resistant

Data breach = minimal customer impact