Legal

Privacy Policy

Last updated: May 25, 2026

This Privacy Policy explains how Zafeguard Inc. (“Zafeguard,” “we,” “us”) collects, uses, discloses, and protects information when you use our website at zafeguard.com, our visual workflow builder, MPC key-management infrastructure, AI agent (MCP) integration, payment workflows, gas station, developer SDK, and any other product, feature, integration, network connector, hosted service, on-premise component, API, library, or interface that Zafeguard now offers or may offer at any time in the future (collectively, the “Services”). Any new product or feature we release after the date of this Policy is automatically covered by it unless we publish a supplementary notice for that product.

Capitalized terms used and not otherwise defined in this Policy have the meanings given in our Terms of Service.

By registering for Zafeguard or otherwise using the Services, you acknowledge that you have read and understood this Privacy Policy. If we materially change this Policy, we will notify you via the Services or by email; your continued use of the Services after the effective date of the change will be considered your acceptance of and consent to the updated Policy.

1. Who we are

Zafeguard Inc. is a Delaware-incorporated company providing blockchain infrastructure and developer tools. We act as the data controller for personal information processed in connection with the Services, except where we process information on behalf of a customer (in which case we act as a data processor and the customer is the controller).

For privacy questions, requests, or complaints, contact us at hello@zafeguard.com. Mail addressed to privacy@zafeguard.com is forwarded to the same intake.

EU Representative. Where required under Article 27 of the GDPR, our designated EU Representative is [to be designated when an EEA user base is established]. UK Representative. Where required under Article 27 of the UK GDPR, our designated UK Representative is [to be designated when a UK user base is established]. Until designation, EEA and UK users may contact us using the email addresses above and we will respond within applicable statutory timelines.

2. Information we collect

We collect the following categories of information:

Account and profile data

  • Your name, email address, password (stored as a salted hash), and workspace identifiers when you create a Zafeguard account.
  • OAuth identifiers (Google, Apple, LINE, or similar) when you sign in via a supported identity provider. We receive your provider-issued user ID, email, and display name — not your provider password.
  • Optional profile information you supply (job title, organization, avatar, contact preferences).

Workspace and workflow data

  • Workflow definitions, component configurations, scheduled triggers, and other content you create on the visual canvas or via our SDK.
  • API keys and credentials you store for integrations. These are encrypted at rest and only decrypted in memory at workflow execution time.
  • Workflow run logs — inputs, outputs, timestamps, step states, error traces, and the on-chain transaction hashes produced by each run.

Wallet and key material

  • Public keys, derivation paths, and on-chain addresses associated with your workspace wallets.
  • MPC shard metadata. Under multi-party computation, no complete private key ever exists — key shards are held by separate nodes (whether ours or, for self-hosted deployments, yours), and we never have access to a combined key.
  • Public on-chain transaction history associated with your wallet addresses, which is by nature publicly visible on the blockchain.

AI agent and MCP data

  • Prompts, tool invocations, parameters, and responses exchanged between connected AI agents (Claude, GPT, your own agents) and your workspace via the MCP server endpoint.
  • If you bring your own AI provider keys, we route requests but do not retain prompt content beyond what is needed for run logs and error diagnosis.

Payment data

  • For subscription billing, our payment processor (e.g. Stripe) collects card or bank details directly. Zafeguard does not store full card numbers.
  • For payment workflows you build (multi-currency checkout, escrow, treasury), we process and log the on-chain payment metadata you direct us to handle. We do not act as a money transmitter or custodian of customer funds.

Technical and usage data

  • IP address, browser type, user-agent, language, device identifiers, and approximate location derived from IP.
  • Pages viewed, features used, request timestamps, error rates, and other interaction metadata.
  • Cookies and similar technologies as described in our Cookie Policy.

3. How we use information

We use the information above to:

  • Provide, operate, and maintain the Services, including authenticating users and executing your workflows.
  • Run MPC signing ceremonies on your behalf with the threshold of nodes you have configured.
  • Issue OAuth 2.0 / OpenID Connect tokens to third-party applications that you have explicitly authorized, and store the granted scopes, consent record, refresh-token rotation chain, and per-request audit log entry tied to those authorizations.
  • Process subscription payments and invoice billing.
  • Monitor service health, detect abuse, prevent fraud, and protect against unauthorized access.
  • Communicate with you about service updates, security advisories, and (where you have opted in) product news.
  • Comply with legal obligations, respond to lawful requests, and enforce our Terms of Service.
  • Improve the Services through aggregate analytics and product research.

5. How we share information

We do not sell personal information. We share data only as follows:

  • Service providers — cloud hosting (e.g. Cloudflare for the marketing site), database providers, payment processors, communication tools, and identity providers, each under contractual confidentiality and processing obligations.
  • Blockchain networks — on-chain transactions you initiate via the Services are by nature publicly broadcast and indelible. We do not control what others do with public chain data.
  • MPC nodes — when you use built-in MPC, key shards are held across geographically distributed nodes we operate; for self-hosted MPC, the nodes are entirely under your control.
  • AI providers — when you connect external AI agents via MCP, prompts and tool responses flow through those providers under their own privacy practices. Third-party AI providers act as independent controllers of the data you send to them, and their handling of that data is governed by their own terms and privacy policies.
  • Third-party applications you authorize (“Login with Zafeguard”) — when you sign in to a third-party application using your Zafeguard account, we transmit a defined set of claims about you to that application based on the OAuth scopes you grant on the consent screen: at minimum a stable user identifier (sub); optionally your email address and verification status (if you grant the email scope), your display name (if you grant profile), and a workspace identifier you select to authorize the application against. We never transmit your password, your refresh-token chain, or any data from workspaces you did not select. Third-party applications act as independent controllers of the personal data they receive, and their handling of that data is governed by their own terms and privacy policies, not ours. You can revoke a previously granted authorization at any time from the workspace's Connected apps page, after which the application can no longer obtain new access tokens for that workspace; data already disclosed to the application before revocation is outside our control and cannot be recalled.
  • Legal and safety — to comply with valid legal process, enforce our Terms, or protect rights and safety of users and third parties.
  • Corporate transactions — in connection with a merger, acquisition, or asset sale, with notice to affected users where required by law.

6. International data transfers

Zafeguard is headquartered in the United States and uses service providers globally. When personal data of EEA, UK, or other non-US users is transferred to the United States or other countries, we rely on appropriate safeguards including the European Commission's Standard Contractual Clauses (SCCs) — Module Two (controller-to-processor) or Module Three (processor-to-processor) as applicable to the transfer — the UK International Data Transfer Addendum, the Swiss Federal Data Protection and Information Commissioner's addendum where Swiss data is involved, or other lawful transfer mechanisms. We conduct transfer impact assessments where required. Copies of the relevant transfer instruments are available on request to hello@zafeguard.com.

7. Retention

We retain personal information for as long as necessary to provide the Services and as required by law. Account and workspace data is retained while your account is active. After account closure, we retain run logs for up to 90 days for operational continuity, billing records as required by applicable tax law (typically 7 years in the US), and security and audit logs as required for our compliance program.

OAuth-specific retention: authorization codes issued during a sign-in flow live for at most 60 seconds and are single-use; refresh tokens are retained for 30 days from issuance and rotate on every use (replay revokes the chain); consent records (the user's grant of an application's access to a particular workspace) are retained for 180 days from grant or until you revoke them, whichever is sooner; audit-log entries that capture which third-party application took which action on which workspace are retained for 12 months for security forensics.

Public on-chain data (transaction hashes, public addresses, balances, contract interactions) is permanently stored on the relevant blockchain and cannot be deleted by us or any other party. To the extent on-chain data constitutes personal data under applicable law, we rely on the impossibility carve-outs to the right to erasure recognized under GDPR Article 17(3) and equivalent provisions, because deletion of immutable distributed-ledger entries is technically impossible. Requests to erase on-chain identifiers can be honored only with respect to identifiers we hold off-chain (e.g., the mapping between a user account and a wallet address).

8. Security and security incidents

We use commercially reasonable administrative, technical, and physical safeguards designed to protect personal information, including:

  • MPC-based key custody so no complete private key ever exists in our infrastructure;
  • Encryption in transit (TLS) and at rest for stored credentials and sensitive workspace data;
  • Role-based access controls and audit logging for internal system access;
  • Threshold approvals and rate limits on high-impact actions;
  • Regular security reviews, penetration testing, and dependency scanning.

No security measure is, or can be, infallible. You acknowledge and agree that despite our efforts, the Services, the underlying internet, third-party providers, MPC nodes, blockchain networks, and your own devices may be subject to unauthorized access, intrusion, malware, software bugs, denial-of-service attacks, social engineering, supply-chain compromise, insider misconduct, and other security events outside our reasonable control.

You use the Services entirely at your own risk. You are solely responsible for safeguarding your account credentials, multi-factor factors, recovery factors, API keys, signing keys, and the security of your own devices and networks. Loss of those factors may result in irreversible loss of access to wallets, workflows, and on-chain assets, and we cannot restore them on your behalf.

In the event of a security incident affecting personal information we process, we will use reasonable efforts to investigate, contain, and remediate the incident. Where we act as a controller and applicable law requires it, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a notifiable breach (GDPR Article 33), and we will notify affected data subjects without undue delay where required (GDPR Article 34 and equivalent statutes). Where we act as a processor, we will notify the relevant controller without undue delay. Notification is provided solely to the extent required by applicable law and is not a contractual commitment, an admission of liability, or a waiver of any defense. To the maximum extent permitted by applicable law, Zafeguard disclaims all liability for losses arising from any security incident, including loss, theft, or unauthorized disclosure of data, credentials, keys, or digital assets, whether the incident was caused by us, by third parties, or by you.

9. Automated decision-making

We use automated processing for limited purposes including: sanctions and watch-list screening of wallet addresses, counterparties, and account identifiers; fraud and abuse detection (e.g., anomalous sign-in or workflow patterns); and AI-assisted risk scoring of transactions and workflow runs. Outputs of these systems may result in a transaction being blocked, an account being suspended, or a request for additional verification.

Where these processes produce a decision that has a legal or similarly significant effect on you and is based solely on automated processing, you have the right under GDPR Article 22 and equivalent statutes to (i) obtain meaningful information about the logic involved, (ii) request human review, (iii) express your point of view, and (iv) contest the decision. To exercise these rights, email hello@zafeguard.com.

10. Your rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access and obtain a copy of the personal data we hold about you;
  • Request correction of inaccurate or incomplete data;
  • Request deletion of personal data, subject to legal retention requirements;
  • Object to or restrict certain processing, including direct marketing;
  • Receive your data in a portable, machine-readable format;
  • Withdraw consent at any time where processing is based on consent;
  • Lodge a complaint with your local data protection authority.

California residents have additional rights under the CCPA / CPRA, including the right to know what categories of personal information we collect, the right to delete, the right to correct, and the right to opt out of “sales” or “sharing” (we do not sell or share personal information for cross-context behavioral advertising). California residents also have the right to non-discrimination for exercising their privacy rights.

How to make a request. Email hello@zafeguard.com from the address associated with your account, or use an authorized agent by providing the agent with written, signed permission and verifying your identity directly with us. We will acknowledge receipt promptly and respond within the timelines required by applicable law — generally within 30 days under the GDPR / UK GDPR (extendable by two further months for complex requests with notice) and within 45 days under the CCPA / CPRA (extendable by an additional 45 days with notice). We may need to verify your identity before acting on a request. If we decline a request in whole or in part, we will explain why and inform you of your right to appeal our decision by replying to our response email, and of your right to lodge a complaint with your data protection authority or attorney general.

11. Children

The Services and account creation are intended for users who are at least 18 years old, as required by our Terms of Service. We do not knowingly collect personal information from children. Specifically, we do not knowingly collect personal information from children under 13 in the United States (COPPA) or under 16 in the European Economic Area and the United Kingdom. If you believe a child has provided us information, contact us and we will take reasonable steps to delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice via the Services or by email before the change takes effect. The “Last updated” date at the top reflects the most recent revision. Earlier versions of this Policy are available on request.

13. Contact us

Zafeguard Inc.
hello@zafeguard.com