Last updated · 2026-06-06

Privacy

This is what we collect, why, how long we keep it, and what you can do about it. The authoritative source for operators lives at docs/legal/privacy.md. The Git history at that path is the change-log; this page is updated together with it.

What we collect

Wallet address: Your public Solana base58 string, captured when you sign the SIWS challenge. We use it to identify your subscription state.
Auth-session token: Generated on SIWS verify. The raw value lives only in your browser cookie; the database stores the SHA-256 hash. A database leak yields hashes, not session credentials.
Subscription state: Your wallet, tier, cadence, and expiry. Created when the watcher confirms an on-chain payment to our treasury.
Telegram user ID: Stored when you redeem a grant code in the Telegram bot. Bound 1:1 with your wallet. Nullable and deletable via the right-to-erasure flow below.
Hashed client IP: We HMAC your IP with a server-side salt and use it as a rate-limit bucket key. The raw IP is never persisted.
Audit log entries: Each bot-route PII read or write appends a row with hashed subject + hashed IP + hashed UA prefix + outcome. The log doesn't contain raw identifiers and is retained 1 year.

What we don't collect

Emails, real names, postal addresses, phone numbers.
Browser fingerprints, device IDs, advertising IDs.
Analytics cookies — no Plausible, PostHog, Google Analytics, Vercel Analytics, Microsoft Clarity.
Behavioral tracking across sessions or marketing pixels.

Cookies we set

Two HttpOnly cookies, both server-set, both SameSite-scoped, both Secure in production:

Cookie	Purpose	TTL
vizzor.siws.nonce	One-time auth nonce	5 min
vizzor.auth	Browser session (raw value never persists server-side)	24 hours

Retention windows

A daily sweep prunes durable rows past their window:

· Failed / expired payment sessions — 30 days
· Confirmed payment sessions — 1 year (tax / audit retention)
· Grant codes after expiry — 90 days
· Wallet-link challenges — 7 days
· Idempotency keys — 7 days
· Rate-limit buckets — 1 day
· Audit log — 1 year

Right to erasure (GDPR Art. 17 / CCPA)

· Deletes your wallet_links row (binding removed)
· Nulls subscriptions.telegram_user_id and tombstones the wallet address
· Scrubs payer addresses on non-confirmed payment sessions
· Deletes every active auth session for the wallet
· Appends a hashed audit-log entry

Confirmed payment records are retained for 1 year for tax and audit compliance — after that window the daily sweep removes them too.

Third-party data flows

Solana RPC provider: Your IP when your browser or our server queries the RPC. Operator sets a private RPC URL to keep this out of public providers.
cdn.jsdelivr.net: Coin icons fallback. Bypassed for HYPE / POL / TON which we serve from /public/coins.
Sentry: Only if the operator has configured SENTRY_DSN. Cookies, signatures, bot tokens, and IPs are stripped by beforeSend before any event reaches Sentry.

Contact

Security disclosures: GitHub Security Advisories. Privacy-specific contact: privacy@vizzor.ai.

What we collect

Wallet address: Your public Solana base58 string, captured when you sign the SIWS challenge. We use it to identify your subscription state.

Auth-session token: Generated on SIWS verify. The raw value lives only in your browser cookie; the database stores the SHA-256 hash. A database leak yields hashes, not session credentials.

Subscription state: Your wallet, tier, cadence, and expiry. Created when the watcher confirms an on-chain payment to our treasury.

Telegram user ID: Stored when you redeem a grant code in the Telegram bot. Bound 1:1 with your wallet. Nullable and deletable via the right-to-erasure flow below.

Hashed client IP: We HMAC your IP with a server-side salt and use it as a rate-limit bucket key. The raw IP is never persisted.

Audit log entries: Each bot-route PII read or write appends a row with hashed subject + hashed IP + hashed UA prefix + outcome. The log doesn't contain raw identifiers and is retained 1 year.

Purpose

TTL

vizzor.siws.nonce

One-time auth nonce

5 min

vizzor.auth

Browser session (raw value never persists server-side)

24 hours

Retention windows

A daily sweep prunes durable rows past their window:

· Failed / expired payment sessions — 30 days

· Confirmed payment sessions — 1 year (tax / audit retention)

· Grant codes after expiry — 90 days

· Wallet-link challenges — 7 days

· Idempotency keys — 7 days

· Rate-limit buckets — 1 day

· Audit log — 1 year

Right to erasure (GDPR Art. 17 / CCPA)

· Deletes your wallet_links row (binding removed)

· Nulls subscriptions.telegram_user_id and tombstones the wallet address

· Scrubs payer addresses on non-confirmed payment sessions

· Deletes every active auth session for the wallet

· Appends a hashed audit-log entry

Confirmed payment records are retained for 1 year for tax and audit compliance — after that window the daily sweep removes them too.

Third-party data flows

Solana RPC provider: Your IP when your browser or our server queries the RPC. Operator sets a private RPC URL to keep this out of public providers.

cdn.jsdelivr.net: Coin icons fallback. Bypassed for HYPE / POL / TON which we serve from /public/coins.

Sentry: Only if the operator has configured SENTRY_DSN. Cookies, signatures, bot tokens, and IPs are stripped by beforeSend before any event reaches Sentry.