Privacy Policy

We receive a minimal amount of information that is technically necessary for the Interface to function, to defend the Interface from abuse, and to comply with applicable law, including:

• Wallet and on-chain data: your public wallet address, smart-wallet address, and any transaction you sign and broadcast through the Interface, including hashes, parameters, blocks, counterparties, and any on-chain state that we read from public RPC endpoints.
• Authentication data (via Privy): if you log in via our authentication provider, we and the provider may receive your email address, any social handle you chose to log in with, and a device identifier. We do not receive or store your private key or seed phrase, ever.
• Device and connection data: IP address, approximate geolocation derived from IP, user agent, device type, OS, browser, language, timestamps, referrer, and pages viewed. We may collect this through standard web logs, edge logs, error-reporting tooling, and CDN providers.
• Operational telemetry: latency, errors, RPC responses, signing attempts, and other measurements used to keep the Interface stable.
• Cookies and local storage: strictly-necessary cookies and local-storage values for session, preferences, anti-abuse, and security. We do not run third-party advertising cookies.

We do not, and will not, request government-issued identity documents through the Interface unless required by applicable law. If law requires us to collect such documents in your case, we may suspend your access until the requirement is satisfied.

We use the information described above to: (a) operate, host, display and improve the Interface; (b) authenticate sessions and prevent fraud, abuse and security incidents; (c) enforce our Terms of Service, including geographic restrictions, sanctions screening, and the prohibition on Restricted Persons and Restricted Jurisdictions; (d) screen wallet addresses against sanctions lists and threat-intelligence feeds; (e) respond to lawful requests from regulators, law enforcement, courts and other authorities; (f) compute and collect any fees; (g) communicate with you about operational matters; and (h) carry out any other purpose disclosed at the time of collection or otherwise permitted by law.

Where applicable, we rely on the following legal bases: (a) performance of a contract — to provide the Interface you have asked us to provide; (b) legitimate interests — to secure, maintain and improve the Interface, to prevent fraud, to screen for sanctions, and to defend our rights; (c) legal obligation — to comply with sanctions, anti-money-laundering, counter-terrorism-financing, court orders, and other legal requirements; and (d) your consent, where required, which you may withdraw at any time without affecting the lawfulness of prior processing.

We share information only as follows:

• Service providers: authentication providers (e.g., Privy), wallet infrastructure providers (e.g., paymasters/bundlers), RPC providers, CDN and edge-compute providers (e.g., Cloudflare), error-tracking and analytics tools, and other vendors that act as our processors. They are bound to use the data only for the purposes we instruct.
• Blockchain and public ledgers: every transaction you sign and broadcast is published on the relevant public blockchain and is, by design, irrevocably visible to everyone forever. Once a transaction is signed, we cannot undo this.
• Compliance and legal: regulators, law-enforcement agencies, sanctions screeners, auditors, professional advisers, and courts, where required or where we believe in good faith that disclosure is necessary to comply with law, to enforce our Terms, to protect the rights, property or safety of any person, or to defend against legal claims.
• Successors: in connection with a merger, sale, reorganization, insolvency, or transfer of all or part of our business or assets.

We do not sell your personal information for money and do not share it with third parties for their own independent advertising.

We may process and store information in any country in which we or our service providers operate. By using the Interface you consent to such transfers. Where required, we rely on appropriate transfer mechanisms such as standard contractual clauses.

We retain information for as long as is necessary to operate the Interface, comply with our legal and tax obligations, resolve disputes, enforce our agreements, defend against claims, and maintain operational records. Some data is retained indefinitely on public blockchains and cannot be deleted by us. Logs and security records may be retained for up to seven (7) years.

We implement reasonable technical and organizational measures to protect the information we hold. No system is completely secure. You are solely responsible for keeping your wallet, seed phrase, device and credentials safe. We are not liable for any breach, leak, theft, hack, phishing, social engineering, or compromise affecting you or any third party.

Depending on where you live and on applicable law, you may have rights to access, correct, delete, restrict, or object to the processing of certain personal information, and to data portability. To exercise any such right, contact us at privacy@uponly.win. We will respond as required by applicable law. Note that:

• We cannot delete, alter, or anonymize information that has already been recorded on a public blockchain.
• We may need to verify your identity before responding.
• We may refuse a request that we believe is fraudulent, abusive, manifestly unfounded, excessive, or that conflicts with our legal obligations (including obligations under sanctions law).
• The exercise of certain rights may require us to terminate your access to the Interface.

Residents of restricted regions. If you are located in a Restricted Jurisdiction as defined in our Terms of Service, you must not use the Interface. We may, without notice and without liability, block your access, refuse to relay your transactions, and report your activity to relevant authorities. We expressly disclaim any obligation to provide the Interface or any related service to any person located in any such jurisdiction, and any data-subject right you assert from such a jurisdiction does not create any right to use the Interface.

The Interface is not directed to anyone under eighteen (18) years of age. We do not knowingly collect data from minors. If we learn that we have collected data from a minor, we will delete it.

We may update this Policy at any time by posting a revised version. Your continued use of the Interface after the update constitutes acceptance of the revised Policy.

Privacy questions: privacy@uponly.win.
Legal notices: legal@uponly.win.