Last updated: May 25, 2026
This Privacy Policy explains how Zafeguard Inc. (“Zafeguard,” “we,” “us”) collects, uses, discloses, and protects information when you use our website at zafeguard.com, our visual workflow builder, MPC key-management infrastructure, AI agent (MCP) integration, payment workflows, gas station, developer SDK, and any other product, feature, integration, network connector, hosted service, on-premise component, API, library, or interface that Zafeguard now offers or may offer at any time in the future (collectively, the “Services”). Any new product or feature we release after the date of this Policy is automatically covered by it unless we publish a supplementary notice for that product.
Capitalized terms used and not otherwise defined in this Policy have the meanings given in our Terms of Service.
By registering for Zafeguard or otherwise using the Services, you acknowledge that you have read and understood this Privacy Policy. If we materially change this Policy, we will notify you via the Services or by email; your continued use of the Services after the effective date of the change will be considered your acceptance of and consent to the updated Policy.
Zafeguard Inc. is a Delaware-incorporated company providing blockchain infrastructure and developer tools. We act as the data controller for personal information processed in connection with the Services, except where we process information on behalf of a customer (in which case we act as a data processor and the customer is the controller).
For privacy questions, requests, or complaints, contact us at hello@zafeguard.com. Mail addressed to privacy@zafeguard.com is forwarded to the same intake.
EU Representative. Where required under Article 27 of the GDPR, our designated EU Representative is [to be designated when an EEA user base is established]. UK Representative. Where required under Article 27 of the UK GDPR, our designated UK Representative is [to be designated when a UK user base is established]. Until designation, EEA and UK users may contact us using the email addresses above and we will respond within applicable statutory timelines.
We collect the following categories of information:
We use the information above to:
If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR / UK GDPR:
Zafeguard is headquartered in the United States and uses service providers globally. When personal data of EEA, UK, or other non-US users is transferred to the United States or other countries, we rely on appropriate safeguards including the European Commission's Standard Contractual Clauses (SCCs) — Module Two (controller-to-processor) or Module Three (processor-to-processor) as applicable to the transfer — the UK International Data Transfer Addendum, the Swiss Federal Data Protection and Information Commissioner's addendum where Swiss data is involved, or other lawful transfer mechanisms. We conduct transfer impact assessments where required. Copies of the relevant transfer instruments are available on request to hello@zafeguard.com.
We retain personal information for as long as necessary to provide the Services and as required by law. Account and workspace data is retained while your account is active. After account closure, we retain run logs for up to 90 days for operational continuity, billing records as required by applicable tax law (typically 7 years in the US), and security and audit logs as required for our compliance program.
OAuth-specific retention: authorization codes issued during a sign-in flow live for at most 60 seconds and are single-use; refresh tokens are retained for 30 days from issuance and rotate on every use (replay revokes the chain); consent records (the user's grant of an application's access to a particular workspace) are retained for 180 days from grant or until you revoke them, whichever is sooner; audit-log entries that capture which third-party application took which action on which workspace are retained for 12 months for security forensics.
Public on-chain data (transaction hashes, public addresses, balances, contract interactions) is permanently stored on the relevant blockchain and cannot be deleted by us or any other party. To the extent on-chain data constitutes personal data under applicable law, we rely on the impossibility carve-outs to the right to erasure recognized under GDPR Article 17(3) and equivalent provisions, because deletion of immutable distributed-ledger entries is technically impossible. Requests to erase on-chain identifiers can be honored only with respect to identifiers we hold off-chain (e.g., the mapping between a user account and a wallet address).
We use commercially reasonable administrative, technical, and physical safeguards designed to protect personal information, including:
No security measure is, or can be, infallible. You acknowledge and agree that despite our efforts, the Services, the underlying internet, third-party providers, MPC nodes, blockchain networks, and your own devices may be subject to unauthorized access, intrusion, malware, software bugs, denial-of-service attacks, social engineering, supply-chain compromise, insider misconduct, and other security events outside our reasonable control.
You use the Services entirely at your own risk. You are solely responsible for safeguarding your account credentials, multi-factor factors, recovery factors, API keys, signing keys, and the security of your own devices and networks. Loss of those factors may result in irreversible loss of access to wallets, workflows, and on-chain assets, and we cannot restore them on your behalf.
In the event of a security incident affecting personal information we process, we will use reasonable efforts to investigate, contain, and remediate the incident. Where we act as a controller and applicable law requires it, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a notifiable breach (GDPR Article 33), and we will notify affected data subjects without undue delay where required (GDPR Article 34 and equivalent statutes). Where we act as a processor, we will notify the relevant controller without undue delay. Notification is provided solely to the extent required by applicable law and is not a contractual commitment, an admission of liability, or a waiver of any defense. To the maximum extent permitted by applicable law, Zafeguard disclaims all liability for losses arising from any security incident, including loss, theft, or unauthorized disclosure of data, credentials, keys, or digital assets, whether the incident was caused by us, by third parties, or by you.
We use automated processing for limited purposes including: sanctions and watch-list screening of wallet addresses, counterparties, and account identifiers; fraud and abuse detection (e.g., anomalous sign-in or workflow patterns); and AI-assisted risk scoring of transactions and workflow runs. Outputs of these systems may result in a transaction being blocked, an account being suspended, or a request for additional verification.
Where these processes produce a decision that has a legal or similarly significant effect on you and is based solely on automated processing, you have the right under GDPR Article 22 and equivalent statutes to (i) obtain meaningful information about the logic involved, (ii) request human review, (iii) express your point of view, and (iv) contest the decision. To exercise these rights, email hello@zafeguard.com.
Depending on your jurisdiction, you may have the following rights regarding your personal data:
California residents have additional rights under the CCPA / CPRA, including the right to know what categories of personal information we collect, the right to delete, the right to correct, and the right to opt out of “sales” or “sharing” (we do not sell or share personal information for cross-context behavioral advertising). California residents also have the right to non-discrimination for exercising their privacy rights.
How to make a request. Email hello@zafeguard.com from the address associated with your account, or use an authorized agent by providing the agent with written, signed permission and verifying your identity directly with us. We will acknowledge receipt promptly and respond within the timelines required by applicable law — generally within 30 days under the GDPR / UK GDPR (extendable by two further months for complex requests with notice) and within 45 days under the CCPA / CPRA (extendable by an additional 45 days with notice). We may need to verify your identity before acting on a request. If we decline a request in whole or in part, we will explain why and inform you of your right to appeal our decision by replying to our response email, and of your right to lodge a complaint with your data protection authority or attorney general.
The Services and account creation are intended for users who are at least 18 years old, as required by our Terms of Service. We do not knowingly collect personal information from children. Specifically, we do not knowingly collect personal information from children under 13 in the United States (COPPA) or under 16 in the European Economic Area and the United Kingdom. If you believe a child has provided us information, contact us and we will take reasonable steps to delete it.
We may update this Privacy Policy from time to time. If we make material changes, we will provide notice via the Services or by email before the change takes effect. The “Last updated” date at the top reflects the most recent revision. Earlier versions of this Policy are available on request.
Zafeguard Inc.
hello@zafeguard.com