Privacy Policy

1. Introduction

ValidTrust ("we", "us", "our") operates the validtrust.io website and the ValidTrust verification protocol. This Privacy Policy explains how we collect, use, and protect information when you use our service.

ValidTrust is an Identity-Stake Verification Protocol — not a social network, not a data broker, not a KYC provider, not a financial service, and not a payment processor. We exist to make it harder for bots and scammers to operate by requiring biometric verification and a small $SOL fee — steps that automated systems are unlikely to take. ValidTrust does not guarantee identity; it raises the cost and effort required to fake it.

All $SOL transactions happen directly on the Solana blockchain. ValidTrust does not hold, custody, or process any cryptocurrency at any point.

2. What We Collect

We collect significantly less data than most online services. Here is exactly what we store:

Third-Party Verification Services

ValidTrust uses several third-party services for identity verification. None of these services store your personal data permanently on our side:

3. What We Do NOT Collect

ValidTrust is built on the principle of minimal data collection. We explicitly do not collect or store:

• Names, addresses, or phone numbers
• Government ID, passport, or driver's license
• Passwords (we use biometrics instead)
• Location data or GPS coordinates
• Browsing history or tracking cookies
• Social media profiles or activity
• Financial information (beyond your public Solana wallet address)
• IP addresses for identification purposes
• Biometric templates or raw biometric data

4. How We Use Your Data

The data we collect is used exclusively for operating the verification protocol:

• Creating and displaying verification badges
• Processing biometric authentication via WebAuthn (on your device only)
• Sending temporary email verification codes (deleted after max 10 minutes)
• Processing $SOL transactions on Solana (note: all transactions happen directly on-chain — we only facilitate the user interface, not the transfer itself)
• Bookkeeping and tax compliance (logging transaction values in NOK)
• Sending newsletter updates (only if you voluntarily subscribed)

We do not sell, rent, or share your data with third parties. We do not use your data for advertising, profiling, or behavioral targeting.

5. GDPR Compliance (European Union)

ValidTrust complies with the General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA). Under GDPR, you have the following rights:

• Right to Access — Request a copy of any data we hold about you
• Right to Rectification — Request correction of inaccurate data
• Right to Erasure — Request deletion of your data ("right to be forgotten")
• Right to Data Portability — Receive your data in a machine-readable format
• Right to Object — Object to processing of your data
• Right to Withdraw Consent — Withdraw consent at any time (e.g., unsubscribe from newsletter)

To exercise any of these rights, contact us at privacy@validtrust.io.

6. CCPA Compliance (California, USA)

ValidTrust complies with the California Consumer Privacy Act (CCPA) for California residents. Under CCPA, you have the right to:

• Know — What personal information we collect (see Section 2 above — it's very little)
• Delete — Request deletion of your personal information
• Opt-Out of Sale — We do not sell personal information. Never have. Never will.
• Non-Discrimination — We will not discriminate against you for exercising your rights

Because ValidTrust collects minimal data and does not sell or share data with third parties, most CCPA requirements are automatically satisfied by our privacy-first design.

7. Data Storage & Security

Badge data is stored in our Supabase PostgreSQL database. All data is encrypted in transit (TLS) and at rest. Our database has Row Level Security (RLS) policies that restrict data access.

Blockchain transactions on Solana are publicly visible by design — this includes wallet addresses and $SOL transfers. This is inherent to blockchain technology and cannot be changed.

8. Third-Party Services

We use a limited number of third-party services:

• Supabase — Database hosting (EU region available)
• Cloudflare — Website hosting and DDoS protection
• Mailgun — Email delivery for OTP codes and newsletter (EU endpoint)
• Solana Blockchain — $SOL transactions (public by design — ValidTrust does not process or intermediate these transactions)

Each of these services has their own privacy policies. We have chosen providers that offer EU data regions where possible.

9. Data Retention

Badge data is retained for as long as the badge is active, plus a reasonable period for record-keeping. Expired badges and associated data may be deleted after 12 months. Wallet addresses and transaction data (including $SOL amounts and NOK values) are retained indefinitely for bookkeeping and tax compliance as required by Norwegian accounting law (Bokføringsloven). Note: all $SOL transaction data is already publicly available on the Solana blockchain — our records mirror what is already public. Email verification data is deleted immediately after verification (or within 10 minutes if unused). Newsletter subscriptions are retained until you unsubscribe — you can request deletion at any time.

You can request deletion of your data at any time by contacting us.

10. Children's Privacy

ValidTrust is not directed at children under 18. We do not knowingly collect information from minors. If you believe a minor has used our service, please contact us and we will delete the associated data.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of ValidTrust after changes constitutes acceptance of the updated policy.