Privacy Policy
Last updated: March 22, 2026
This Privacy Policy describes how Zoryxon LLC, an Ohio limited liability company ("Company," "we," "us," or "our") collects, uses, and protects information when you use the Zoryxon platform ("Platform"). This Policy should be read alongside our Terms of Service, Acceptable Use Policy, and Cookie Policy.
Zoryxon is built on a non-custodial, privacy-first architecture. We collect the absolute minimum data necessary to operate the Platform. Your intellectual property is encrypted client-side before it ever leaves your device — we never see, process, or store your unencrypted content.
1. Information We Collect
We collect the following categories of information when you use the Platform:
- Wallet Addresses. Your Ethereum wallet address is collected when you connect via Sign-In with Ethereum (SIWE). Wallet addresses are public by nature on the blockchain.
- On-Chain Transaction Data. Records of your interactions with Zoryxon smart contracts, including asset registrations, license purchases, proof submissions, transfers, and other on-chain activity. This data is publicly visible on the blockchain.
- Voluntarily Provided Profile Information. If you choose to create a profile, you may provide a display name, email address, avatar, bio, and website URL. All profile information is optional.
- Encrypted Content Metadata. Decentralized storage identifiers associated with your encrypted content. We store only references to encrypted ciphertext and cannot access the underlying content.
- Usage Analytics. Anonymized, aggregated usage data including page views, feature usage patterns, and error reports. No personally identifiable information (PII) is included in analytics data.
- Zora AI Assistant Data. When you interact with Zora, our AI-powered chat assistant, the following data may be collected: chat transcripts stored in the Platform database, voluntarily provided contact information (name, email) for lead capture purposes, and conversation history. Zora is powered by Anthropic Claude, a third-party AI provider. Conversations are logged for service improvement, response quality monitoring, and follow-up with user consent.
- Chainalysis Sanctions Screening Results. Wallet addresses are checked against OFAC sanctions lists via the Chainalysis Sanctions Oracle for compliance purposes. Screening results (pass/fail status) are retained as part of our compliance audit log.
2. Information We Do NOT Collect
Zoryxon's non-custodial architecture is designed to minimize data collection. We explicitly do not collect, store, process, or have access to:
- Private Keys or Seed Phrases. Your wallet credentials never leave your device or browser extension. Zoryxon has no mechanism to access, view, or recover your private keys or seed phrases at any time.
- Unencrypted Content. All files are encrypted client-side with AES-256-GCM authenticated encryption before upload. Our servers only receive encrypted ciphertext and have no means of decrypting it.
- Biometric Data of Any Kind. Our Humanity Verification system uses attestation-based methods exclusively. We do not collect, capture, or store biometric identifiers, biometric scores, face geometry, fingerprints, voiceprints, retina scans, iris scans, hand geometry, or any other biometric data — at any tier of verification.
- Government-Issued Identification. We do not require or collect social security numbers, driver's license numbers, passport numbers, or similar government-issued identification for basic platform use.
- Payment Card Information. On-chain payments are conducted in ETH. Fiat subscription payments are processed by a third-party payment processor — Zoryxon never receives, processes, or stores credit card, debit card, or bank account information.
- IP Addresses for Tracking. We do not log or store IP addresses for user tracking purposes. IP addresses may be temporarily processed for security and rate-limiting purposes but are not retained beyond immediate operational use.
3. How We Use Information
We use the information we collect for the following purposes:
- Service Operation. To authenticate your identity, process transactions, manage your vaults, and provide the core functionality of the Platform.
- Analytics and Improvement. To understand how the Platform is used, identify issues, and improve the user experience using anonymized, aggregated data only.
- Security. To detect and prevent fraud, abuse, and unauthorized access to the Platform and smart contracts, and to conduct OFAC sanctions compliance screening as required by applicable law.
- Communication. To send transaction confirmations, security alerts, and platform updates to users who have opted in to notifications. We will not send unsolicited marketing communications.
We do not sell, rent, or share your personal information with third parties for marketing purposes.
4. Blockchain Data
You acknowledge that interactions with the blockchain are inherently public and permanent:
- All on-chain interactions — including transaction hashes, wallet addresses, proof hashes, license records, ownership transfers, and other on-chain data — are publicly visible to anyone and cannot be deleted or modified after confirmation.
- Content hashes stored on-chain are cryptographic fingerprints (SHA-256) that do not reveal the underlying content. They permanently establish that specific content existed at a specific time without disclosing what that content is.
- On-chain data settles on Arbitrum One (Layer 2) with final settlement on Ethereum Layer 1. Both are public, permissionless blockchain networks accessible to anyone.
- Zoryxon cannot delete, modify, or censor confirmed on-chain data. This is a fundamental and immutable property of blockchain technology, not a policy choice by Zoryxon.
5. Data Encryption
Zoryxon employs a client-side encryption architecture to ensure that your intellectual property remains private and under your exclusive control:
- Algorithm: AES-256-GCM (Advanced Encryption Standard, 256-bit key with Galois/Counter Mode), a NIST-approved authenticated encryption standard that provides both confidentiality and integrity verification.
- Key Generation: Encryption keys are generated locally on your device using cryptographically secure random number generation. Keys never leave your device and are never transmitted to Zoryxon servers.
- Content Hash: A SHA-256 hash of your original content is computed client-side before encryption. This hash is submitted to the blockchain as proof of existence without revealing any information about the content itself.
- Non-Custodial Keys: Zoryxon has no mechanism to access your encryption keys. We do not escrow, back up, or store your keys in any form. If you lose your keys, your encrypted content cannot be recovered by anyone, including Zoryxon. This is by design to ensure maximum security and privacy.
6. Third-Party Services
The Platform integrates with the following third-party services. Each provider is governed by its own privacy policy. Zoryxon selects providers with appropriate security standards and data protection practices.
- Arbitrum One / Ethereum. Public blockchain networks for transaction processing and data settlement. All on-chain data is publicly accessible.
- Alchemy. RPC provider facilitating blockchain interactions between the Platform and the Arbitrum One and Ethereum networks.
- Vercel. Frontend application hosting for the Platform's web interface.
- Railway. Backend API hosting for the Platform's server-side infrastructure.
- Neon. PostgreSQL database hosting. All data stored with Neon is encrypted at rest.
- Anthropic. AI provider powering the Zora assistant. Conversation content is processed by the Anthropic API to generate responses. Anthropic's data handling is governed by their privacy policy and data processing terms.
- Cloudflare. DNS management, content delivery network (CDN), and DDoS protection services.
- Chainalysis. Sanctions Oracle integration for OFAC compliance. Wallet addresses are screened against sanctions lists as required by law. This is a compliance-required data check, not commercial data sharing.
- Google Workspace. Email infrastructure for internal communications and user correspondence.
- SendGrid. Transactional email delivery service for sending transaction confirmations, security alerts, and platform notifications (when implemented).
7. Data Retention
Data retention periods vary by data type:
- Blockchain Data: Permanent and immutable by design. On-chain records cannot be deleted, modified, or censored by any party, including Zoryxon.
- Encrypted Content on Decentralized Storage: Retained while your account is active. Upon account deletion, encrypted content is removed from active storage. Copies may persist on the distributed network due to the decentralized nature of the storage infrastructure.
- Off-Chain Account Data: Profile information, preferences, and session data are retained as long as your account is active. Upon account deletion request, all off-chain personal data is permanently deleted within thirty (30) days.
- Zora AI Conversation Logs: Retained for up to twelve (12) months for service improvement and response quality purposes, then permanently deleted.
- Lead Capture Data: Retained until the user requests deletion or twenty-four (24) months from collection, whichever comes first.
- Analytics Data: Anonymized and aggregated usage data is retained for up to twelve (12) months for service improvement purposes.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Right to Access. You may request a copy of all personal data we hold about you.
- Right to Deletion. You may request deletion of your off-chain personal data. Please note that blockchain data is immutable and cannot be deleted — this is a technical limitation of the underlying technology, not a policy decision by Zoryxon.
- Right to Data Portability. You may export your account data, vault metadata, and license records in a machine-readable format at any time through the Platform settings.
- Right to Rectification. You may update or correct your profile information at any time through the Platform settings.
- Right to Object. You may opt out of non-essential communications at any time through notification settings in the Platform.
To exercise any of these rights, contact us at privacy@zoryxon.com. We will respond to verified requests within thirty (30) days.
9. GDPR Compliance (EEA/UK/Switzerland)
For users in the European Economic Area (EEA), the United Kingdom, and Switzerland, the following additional provisions apply under the General Data Protection Regulation (GDPR) and equivalent local data protection laws:
- Legal Bases for Processing. We process your personal data based on: (a) your consent where explicitly provided, (b) performance of our contract with you (the Terms of Service), (c) compliance with legal obligations (including sanctions screening), and (d) our legitimate interests in operating, securing, and improving the Platform.
- Data Controller. Zoryxon LLC acts as the data controller for personal data processed through the Platform.
- Data Protection Contact. For data protection inquiries and GDPR-related requests, contact our data protection contact at privacy@zoryxon.com.
- Right to Lodge a Complaint. You have the right to lodge a complaint with your local data protection supervisory authority if you believe your data protection rights have been violated.
- International Transfers. Your data is processed in the United States. Zoryxon relies on applicable legal mechanisms to ensure adequate protection for cross-border data transfers as required by applicable law.
10. CCPA/CPRA Compliance (California Residents)
For residents of the State of California, the following additional provisions apply under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Categories of Personal Information Collected. Identifiers (wallet address, optional email address and display name), internet or other electronic network activity information (usage analytics, feature interaction data), and commercial information (transaction history, marketplace activity).
- No Sale of Personal Information. Zoryxon does not sell personal information as defined under the CCPA. We do not share personal information with third parties for cross-context behavioral advertising.
- Right to Know. You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, our business purpose for collecting it, and the categories of third parties with whom we share it.
- Right to Delete. You have the right to request deletion of your personal information, subject to certain exceptions. Please note that blockchain data is immutable and cannot be deleted due to the inherent technical limitations of blockchain technology.
- Right to Opt-Out of Sale. While Zoryxon does not sell personal information, we acknowledge and respect this right for compliance purposes.
- Right to Non-Discrimination. Exercising your privacy rights under the CCPA will not result in discriminatory treatment, including denial of services, different pricing, or different quality of service.
- Right to Correct. You have the right to request correction of inaccurate personal information that we maintain about you.
To exercise any of these rights, submit a request via privacy@zoryxon.com or through the Platform settings.
11. BIPA Compliance (Illinois Residents)
For users in the State of Illinois, the following provisions apply in compliance with the Illinois Biometric Information Privacy Act (740 ILCS 14/):
- No Biometric Data Collection. Zoryxon does not collect, capture, purchase, receive through trade, or otherwise obtain biometric identifiers or biometric information as defined under BIPA, including but not limited to fingerprints, retina scans, iris scans, voiceprints, face geometry, hand geometry, or any other biometric identifier.
- Humanity Verification Design. Our 4-tier Humanity Verification system is specifically designed for BIPA compliance: Tier 1 uses self-attestation (signed statement). Tier 2 uses social vouching. Tier 3 uses behavioral analysis that stores only a boolean result (pass/fail) — no numeric scores derived from biometric analysis. Tier 4 uses zero-knowledge proofs that store only a proof hash — no raw biometric data is ever collected, transmitted, or stored at any tier.
- Database Storage. Our database stores only a humanity level (unverified, bronze, silver, gold, platinum) and a boolean verification status — never numeric scores, biometric templates, or any data derived from biometric analysis.
12. Education Data
When providing services to educational institutions through the Education vertical, the following data protection provisions apply:
- Zoryxon contracts with educational institutions, not with individual students. All institutional relationships are governed by a Data Processing Agreement between Zoryxon and the institution.
- When processing student education records on behalf of an educational institution, Zoryxon acts as a "school official" under the Family Educational Rights and Privacy Act (FERPA) with a legitimate educational interest, as defined by the institution's annual notification.
- Student data is processed solely for the educational purpose specified in the institutional agreement. Student data is never used for marketing, advertising, profiling, or any purpose unrelated to the institutional agreement.
- Student identity is cryptographically separated from blockchain data. On-chain hashes contain no personally identifiable information (PII). The mapping between student identity and blockchain records is maintained only within the institution's secure environment.
- Zoryxon does not create direct individual accounts for students under 18. Students under 18 access the Platform exclusively through institutional Education accounts administered by their school.
- Institutional administrators maintain full control over all student data access, including the ability to request deletion, export, or modification of student data.
Contact us for complete details regarding education data handling, institutional responsibilities, and student privacy protections.
13. Children's Privacy
The Platform is not intended for individuals under the age of 18 for direct individual account creation. The following provisions apply:
- Students under 18 may access the Platform exclusively through institutional Education accounts administered by their school. They may not create individual accounts.
- In institutional Education contexts, the school or educational institution is responsible for obtaining any required parental consent under the Children's Online Privacy Protection Act (COPPA) and FERPA.
- Zoryxon does not knowingly collect personal information directly from children under the age of 13 outside of institutional Education contexts.
- If Zoryxon discovers that it has directly collected personal information from a child under 13 outside of an institutional Education account, the data will be deleted promptly.
If you believe a child under 13 has provided us with personal data outside of an institutional Education context, please contact us at legal@zoryxon.com to report your concern.
15. Data Breach Notification
In the event of a data breach affecting personal information, Zoryxon will notify affected users and relevant regulatory authorities within the timeframes required by applicable law. Notification will include a description of the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address the breach. Zoryxon maintains incident response procedures designed to detect, contain, and remediate data breaches promptly.
16. Security
We implement comprehensive security measures to protect the Platform and your data:
- Non-Custodial Architecture. By design, Zoryxon never holds your private keys, unencrypted content, or user funds, eliminating the most critical attack vectors associated with centralized platforms.
- Client-Side Encryption. AES-256-GCM authenticated encryption ensures that even in the event of a server breach, your content remains encrypted and inaccessible without your locally held keys.
- Smart Contract Security. All smart contracts are built using audited security libraries (OpenZeppelin) with role-based access controls, reentrancy protection, and emergency pause capabilities. A third-party smart contract audit is planned before major releases.
- Database Security. Off-chain data is stored with encryption at rest and transmitted over encrypted connections using TLS 1.3.
- OFAC Sanctions Screening. Wallet addresses are screened against OFAC sanctions lists via the Chainalysis Sanctions Oracle integration to ensure regulatory compliance.
- Post-Quantum Cryptography. ML-DSA-65 (NIST-standardized, formerly known as CRYSTALS-Dilithium) is integrated for future-proofed digital signatures, protecting against potential quantum computing threats.
17. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. Material changes will be communicated through the Platform interface and, where possible, via email to users who have provided an email address. We will provide at least thirty (30) days' advance notice before material changes take effect and will update the "Last Updated" date at the top of this page. Your continued use of the Platform after the effective date constitutes acceptance of the updated Policy. If you do not agree with the changes, you must discontinue use of the Platform before the effective date.
18. SMS/Text Messaging
If you consent to receive SMS or text messages from Zoryxon, the following terms apply:
Zoryxon may send you text messages related to platform services, account support, and business communications. Message frequency varies. Message and data rates may apply.
You may opt out of receiving SMS messages at any time by replying STOP to any message you receive from us. After opting out, you will receive a confirmation message and no further SMS messages will be sent. For help, reply HELP to any message, or contact us at support@zoryxon.com.
No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.
By providing your phone number and opting in to SMS communications, you consent to receive text messages from Zoryxon at the number provided. Your consent is not a condition of any purchase or use of the Platform.
For questions about our SMS practices, contact us at privacy@zoryxon.com.
19. Contact
For questions or concerns regarding this Privacy Policy or our data practices, please contact:
Zoryxon LLC
d/b/a Zoryxon
Privacy inquiries & data requests: privacy@zoryxon.com
Data protection contact: privacy@zoryxon.com
Legal: legal@zoryxon.com
General: info@zoryxon.com
© 2026 Zoryxon LLC. All rights reserved. | Patents Pending