Legal

Privacy Policy

Effective 2026-05-15 (revised)

This Privacy Policy describes how OpenSettle Labs, Inc. collects and uses information about our users.

We collect (a) account information you provide during signup, (b) wallet addresses and transaction metadata you submit, (c) usage and log data generated by your interaction with the Service, and (d) limited technical data necessary to detect abuse.

We use this information to operate the Service, provide support, prevent fraud, and meet our legal obligations. We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not profile or retarget end users. We do not run third-party ad pixels or marketing trackers.

Error monitoring and operational telemetry. We use Sentry (operated by Functional Software, Inc.) to capture client-side and server-side errors so that we can detect bugs and outages. Sentry receives the URL that triggered the error, the JavaScript stack trace, your browser and operating-system identifiers, and a coarse IP-derived location. We do NOT run session replay, do NOT capture form contents or keystrokes, and do NOT identify you to Sentry beyond the workspace and account IDs that error reports may carry. Sentry processes this data as a subprocessor on our documented instructions (see /legal/subprocessors). The lawful basis under GDPR is our legitimate interest in operating a secure and reliable service. If you would prefer not to have errors reported, you may disable error reporting from your browser using a content blocker that targets sentry.io; this will not affect your ability to use the Service.

Retention periods. Today we operate one programmatic retention rule: when you delete a workspace it enters a 90-day soft-delete window during which it can be restored on request, after which the workspace and its related records — transactions, customers, products, webhook endpoints and deliveries, events, and sessions — are permanently purged from primary systems via foreign-key cascade. Audit-log rows survive workspace hard-delete (the workspace_id column is nulled, not the row) so we keep a compliance trail for at least 90 days after deletion. Application logs are retained on our hosting provider (Hetzner, single-VPS deployment as of 2026-05-17) with a 30-day rolling window. Encrypted off-VPS database backups roll off on a 30-day cadence once the off-site backup destination is configured. We have not yet implemented fixed per-category caps on the age of records inside an active workspace (for example a 7-year cap on transaction metadata or a 1-year cap on webhook-delivery records). When those caps are added — or when an explicit deletion job is shipped — this page will be updated to describe the new schedule.

Your rights. You may request export, correction, or deletion of your account data at any time by emailing privacy@opensettle.io. We aim to respond within 30 days (45 days for California residents under CCPA/CPRA, extendable once with notice). We may need to verify your identity before fulfilling sensitive requests. You may use an authorized agent to act on your behalf; we accept agent requests accompanied by notarized written authorization.

Regional notices. For users in the EU/EEA and UK, we act as a data processor on your behalf under the GDPR and UK GDPR. Our standard Data Processing Addendum is linked from /legal/dpa. An Article 27 GDPR representative will be appointed before we actively offer the Service to data subjects established in the EU/EEA; until that appointment is in place we do not direct the Service to EU residents and we respond to data-subject requests directly through privacy@opensettle.io within the timelines set out above. The appointed representative will be listed on this page when in place. California residents are covered by a supplemental notice at /legal/ca-privacy that sets out CCPA/CPRA-specific disclosures and rights.

Security incidents. If a confirmed security incident affects your data, we will notify you within 72 hours and follow the procedure published at /legal/incident-response. Our published commitment is to apply the strictest applicable breach-notification timeline when laws conflict.

Vulnerability reports. Researchers can report security issues under our Vulnerability Disclosure Policy at /legal/vulnerability-disclosure. Good-faith reports receive safe-harbor protection as set out in that policy.

This document is the current published version of the policy. Outside-counsel review is in progress and revisions will be announced on this page. For operational questions, contact support@opensettle.io.