Privacy Policy

This Policy describes how PivLinks ("we", "us") collects, uses, discloses, and protects personal information when you use our websites, applications, and escrow payment services. It is designed to align with GDPR, UK GDPR, and CCPA/CPRA expectations; it is not a substitute for legal advice.

Last updated: May 5, 2026
Last reviewed: May 5, 2026

1. Summary at a Glance

What we collect: Account data (e.g., email, name), wallet addresses, invoice and payment metadata, support and dispute content, device/technical logs, and on-chain data that is public by design.
Why we use it: To provide escrow and invoicing, authenticate users, prevent fraud, comply with law, improve the Service, and communicate with you.
Who we share with: Infrastructure providers (e.g., Privy, Supabase, Vercel), blockchain networks (public), payment processors, and authorities when required.
Your rights: Access, correction, deletion (where feasible), restriction, objection, portability, and non-discrimination—subject to legal exceptions and on-chain immutability (see Section 11).

2. Who We Are & Scope

Controller (placeholder): PivLinks, [legal entity name], [registered address]. For EU/UK data subjects, we will designate a representative where required (contact below).

This Policy applies to personal information processed in connection with the Service. It does not apply to third-party sites or services that we link to.

3. Information We Collect

Account & identity: Name, email, organization, and similar profile fields; Solana wallet addresses associated with your Privy session; optional KYC/KYB documents if we request verification.

Transactional: Invoice identifiers, amounts, statuses, release password hashes (we do not store plaintext release passwords), payment and release transaction signatures where recorded, and workflow timestamps.

On-chain: Wallet addresses, token transfers, program logs, and transaction IDs on Solana are public and replicated globally; we cannot delete blockchain history.

Technical: IP address, device type, browser, approximate location derived from IP, cookies and similar technologies, diagnostics, and security logs.

Communications: Support tickets, dispute evidence, emails, and messages you send us, including attachments.

Integrity & transparency records: We may store a SHA-256 "transaction transparency signature" and payload snapshot per invoice to help verify that off-chain records match disclosed on-chain state (see our security page).

4. How We Use Information

  • Provide, secure, and improve the Service (including escrow orchestration and UI).
  • Authenticate sessions, prevent fraud, enforce sanctions screening, and protect users.
  • Operate support, disputes, and audit trails (including writes to our `activity_audit_events` table).
  • Comply with legal obligations and respond to lawful requests.
  • Send service-related notices; with consent, send marketing (you may opt out).
  • Generate aggregated or de-identified analytics that do not identify you.

6. Sharing & Sub-processors

  • Privy — authentication, embedded wallets, and card payments.
  • Supabase — hosted PostgreSQL, auth-related storage, and application data.
  • Vercel — application hosting, edge routing, and operational logs.
  • Solana validators & RPC providers — transaction broadcast and read access; on-chain data is public.
  • Circle / USDC ecosystem — stablecoin issuance rules and compliance may apply to USDC usage.
  • Professional advisors, acquirers, or lenders — under confidentiality obligations.
  • Law enforcement & regulators — when required by law or to protect rights and safety.

We do not sell your personal information as defined under CCPA/CPRA.

7. International Data Transfers

We may process data in the United States and other countries. Where GDPR/UK GDPR applies, we use appropriate safeguards such as Standard Contractual Clauses, UK Addendum, or adequacy decisions. You may request a copy of relevant mechanisms by contacting us.

8. Retention

  • Account & invoices: For the life of the account and a reasonable period thereafter, unless longer retention is required for disputes or law.
  • Financial & compliance records: Up to seven (7) years where required for AML, tax, or audit.
  • Security & application logs: Typically 30–90 days, unless needed for an investigation.
  • Support & disputes: Often 12–24 months after closure unless legal hold applies.
  • Audit events: Stored in `activity_audit_events` with timestamps for security and compliance traceability; retained per internal policy and legal requirements.

9. Security

We implement administrative, technical, and organizational measures described in our Data Security page, including encryption in transit, access controls, and monitoring. No method is 100% secure; you use the Service at your own risk.

10. Cookies & Similar Technologies

| Category | Purpose | Control |
| --- | --- | --- |
| Strictly necessary | Session, authentication, security, load balancing. | Required for Service; cannot be disabled without breaking core features. |
| Functional | Preferences, language, UI state. | Adjust in browser or in-app settings where available. |
| Analytics | Understanding usage and reliability (e.g., Vercel Analytics if enabled). | Opt out via cookie banner or browser controls where offered. |

11. Your Rights

GDPR/UK GDPR: You may request access, rectification, erasure, restriction of processing, objection to certain processing, data portability, and to lodge a complaint with a supervisory authority.

CCPA/CPRA (California): You may request to know categories and specific pieces of personal information we collect, to delete personal information, to correct inaccurate information, and to opt out of sale/sharing (we do not sell). We will not discriminate for exercising rights.

How to exercise: Email privacy@pivlinks.example.com with sufficient detail for us to verify your identity. We may need additional information to protect your account.

On-chain immutability & hashed secrets: We cannot erase data that exists on public blockchains or that third parties have copied. Release password hashes may need to be retained for fraud investigations and integrity checks even after account closure. Where deletion conflicts with legal obligations, we will explain the limitation.

12. Automated Decision-Making

We may use automated tools for fraud scoring, sanctions screening, and anomaly detection. These may produce legal or similarly significant effects in limited cases (e.g., blocking a transaction). You may request human review of such decisions where applicable law requires.

13. Children's Privacy

The Service is not directed to individuals under 18. We do not knowingly collect personal information from children. If you believe we have, contact us for prompt deletion.

14. Do Not Track

There is no consistent industry standard for DNT signals. We currently do not respond to browser DNT flags; you may manage cookies through browser settings and any in-app controls we provide.

16. Changes to This Policy

We may update this Policy from time to time. We will post the revised version and update the "Last updated" date. Material changes may require additional notice. Continued use after the effective date constitutes acceptance unless objection is permitted by law.

17. Contact

Privacy inquiries: privacy@pivlinks.example.com

Data Protection Officer (placeholder): dpo@pivlinks.example.com

EU/UK representative (placeholder): [Name, address] — to be appointed before serving EU/UK users at scale.
