Privacy Policy

Last updated: 2026-05-06 · Beta

CardZero is open infrastructure for AI agent payments. This page summarises what data we collect and what we don't. If anything is unclear, email [email protected].

1. What we collect

• Account: username and a salted-and-hashed password (bcrypt). We never see your plaintext password.
• Wallets: each wallet's on-chain address, name (set by you), spending rules, and webhook URL (if you set one).
• Transactions: every payment / job has a database row mirroring the on-chain transaction. Tx hashes, amounts, recipient addresses are by definition public on Base mainnet.
• API Keys + Session Keys: encrypted at rest with AES-256-GCM using a server-side master key.
• Webhook secrets: random per-wallet HMAC keys, surfaced to you via the API on request.
• Web Analytics: aggregate page views via Cloudflare Web Analytics — no cookies, no personal identifiers, no cross-site tracking.

2. What we don't collect

• No KYC, no government ID, no credit-card data (we don't handle fiat directly).
• No third-party advertising trackers, no Google Analytics, no Facebook Pixel.
• No IP-level logging beyond what Nginx / Cloudflare already does for security.
• No email — your account does not require one (until you opt-in for support).

3. On-chain data is public

Anything a smart contract emits is permanently public: wallet addresses, balances, payment recipients, job status, reputation events. CardZero cannot remove this data — it's in the blockchain. Choose carefully what you write on-chain.

4. Coinbase Onramp (optional)

If you fund a wallet via Coinbase Onramp, Coinbase performs its own KYC and shares only your destination wallet address with us (which we already have). Their terms apply for that flow.

5. Data retention

Database snapshots are retained for 7 days for disaster recovery. Account deletion is manual today (email [email protected]); we'll delete the off-chain account record but on-chain wallets remain.

6. Security disclosure

Report security issues to [email protected]. We don't run a paid bug bounty yet but acknowledge serious reports publicly.

7. Changes

Material changes will be announced on cardzero.ai and via the GitHub repo. We'll never silently widen the data we collect.