Privacy Policy

1. Introduction

This Privacy Policy ("Policy") describes how Monerixa ("the Platform," "we," "us," or "our") collects, uses, stores, shares, and protects information when you access or use our website, web application, APIs, and associated services. This Policy applies to all users of the Platform, including Creators, Buyers, and visitors.

Monerixa is designed with privacy as a foundational principle. Unlike traditional platforms, we do not require accounts, email addresses, passwords, phone numbers, or any other personally identifiable information to use the core features of the Platform. Your Solana wallet address serves as your sole identifier.

By accessing or using the Platform, you acknowledge that you have read, understood, and agree to the collection and use of information as described in this Policy. If you do not agree with this Policy, you must discontinue use of the Platform. This Policy is incorporated into and subject to our Terms of Service.

2. Definitions

• "Personal Information" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an identifiable individual.
• "Wallet Address" means the public key of a Solana-compatible cryptocurrency wallet, which is a pseudonymous identifier publicly visible on the Solana blockchain.
• "On-Chain Data" means any data recorded on the Solana blockchain, including transaction signatures, sender/receiver addresses, timestamps, and token transfer amounts.
• "Content Data" means files, text, links, metadata (titles, descriptions), and associated materials uploaded to the Platform by Creators.
• "Usage Data" means information automatically collected through your interaction with the Platform, including IP addresses, request timestamps, and rate-limiting counters.
• "Submission Data" means information you voluntarily provide through Platform forms, including DMCA takedown requests and abuse reports.

3. Information We Collect

3.1 Wallet Addresses

When you connect a Solana wallet to the Platform, we receive your public Wallet Address. This address is used to:

• Identify you as a Creator or Buyer across sessions.
• Verify cryptographic wallet signatures for authenticated actions (uploads, edits, deletions, downloads).
• Associate uploaded Content, payment records, and access tokens with your identity.
• Display your dashboard data (paywalls created, purchases made, credit balance).
• Enforce per-wallet rate limits and storage quotas.
• Check wallet ban status for moderation enforcement.

Wallet Addresses are pseudonymous. They do not inherently reveal your real-world identity, but they are publicly visible on the Solana blockchain and may be linkable to your identity through external means outside our control (e.g., if you have publicly associated your wallet with your identity on social media or other platforms).

3.2 On-Chain Transaction Data

When a payment is made through the Platform, we store the following Transaction data in our database:

• The Solana transaction signature (a unique identifier for the on-chain transaction).
• The sender (Buyer) wallet address, extracted directly from the on-chain transaction data — never trusted from the client.
• The payment amount in USDC, including the Creator share and Platform Fee breakdown.
• The payment timestamp.
• The payment status (pending, completed, or failed).

This data is already publicly available on the Solana blockchain. We store it in our database for payment verification, replay attack prevention, access token issuance, deposit refund eligibility tracking, and Creator/Buyer dashboard display.

3.3 Content Data

When Creators upload Content, we collect and store:

• Files — stored encrypted on our servers using industry-standard encryption. Each file receives its own encryption key. The plaintext file content is never written to or stored on disk. Duplicate files are deduplicated to minimize storage.
• Text content — stored in the same encrypted manner as files.
• Links — stored as-is in the database (links are not encrypted as they contain no file data).
• Metadata — titles, descriptions, prices, content type, file size, MIME type, original filename, expiration date, and view/payment counters.
• Deposit information — deposit amount, deposit status, deposit transaction signature, and refund status.

3.4 IP Addresses

We collect IP addresses in the following contexts:

• Rate limiting — IP-based rate-limit counters are maintained in-memory (not persisted to disk or database) and expire automatically. These counters are used to enforce download rate limits and global API rate limits.
• Abuse reports — when a user submits an abuse report, the reporter's IP address is stored alongside the report to prevent duplicate report flooding. These IP addresses are partially redacted in server logs.
• DMCA submissions — IP addresses may be logged as part of the DMCA submission event for anti-abuse purposes.

We do not use IP addresses for user tracking, behavioral profiling, advertising, geolocation targeting, or any purpose beyond rate limiting and abuse prevention.

3.5 DMCA Submission Data

When you submit a DMCA takedown request through the Platform, we collect:

• Your full legal name (as the complainant).
• Your email address (for correspondence regarding the request).
• The URL of the allegedly infringing content on our Platform.
• The URL of your original copyrighted work (optional).
• A description of the infringement.

This information is stored as a permanent legal record in accordance with DMCA requirements, even if the associated Content is subsequently removed or the DMCA request is rejected. Email addresses in server logs are partially redacted for security.

3.6 Abuse Report Data

When you submit a content abuse report, we collect:

• The content ID of the reported item.
• The report reason (illegal, CSAM, copyright, spam, malware, or other).
• An optional description of the abuse.
• Your wallet address (optional — reports can be submitted anonymously).
• Your IP address (for duplicate report prevention).

3.7 Content Edit Audit Trail

When a Creator edits Content metadata (title, description, or price), we store an audit log entry containing the editor's wallet address, the field that was changed, the old value, the new value, and the timestamp of the edit. This audit trail exists for dispute resolution and moderation purposes.

4. Information We Do Not Collect

The Platform is specifically designed to minimize data collection. We do not collect, store, or process the following categories of information:

• Email addresses — except when voluntarily provided in DMCA takedown submissions.
• Real names or legal identities — except when voluntarily provided in DMCA takedown submissions.
• Phone numbers — never collected for any purpose.
• Physical addresses or locations — we do not perform geolocation lookups on IP addresses.
• Date of birth or age — age eligibility (18+) is declared by the user per our Terms of Service; we do not verify or store age data.
• Browser fingerprints — we do not use canvas fingerprinting, WebGL fingerprinting, font enumeration, or any other browser fingerprinting technique.
• Cookies — the Platform does not set any cookies (first-party or third-party). See Section 10 for details.
• Private keys, seed phrases, or recovery phrases — these never leave your wallet application. Any request for these credentials is fraudulent.
• Payment card or bank account information — all payments are made in USDC on the Solana blockchain; no fiat payment processing occurs on the Platform.
• Social media profiles or connections — we do not integrate with social media login providers or collect social graph data.
• Device identifiers — we do not collect IMEI numbers, device IDs, advertising IDs, or hardware serial numbers.
• Behavioral analytics — we do not track page views, click patterns, scroll depth, session duration, or user journeys for analytics or behavioral profiling purposes.

5. How We Use Information

We use collected information solely for the following purposes:

5.1 Platform Operation

• Authenticating wallet ownership via cryptographic signature verification.
• Processing and verifying on-chain USDC payments against the Solana blockchain.
• Issuing and validating JWT access tokens for content delivery.
• Storing, encrypting, and delivering Content to authorized Buyers.
• Managing Creator dashboards (content listings, sales history, credit balances).
• Managing Buyer dashboards (purchase history, active access tokens).
• Computing and enforcing deposit amounts and credit-back eligibility.

5.2 Security and Abuse Prevention

• Preventing payment replay attacks via transaction signature uniqueness enforcement.
• Enforcing upload rate limits (per-wallet sliding window) and storage quotas.
• Enforcing download rate limits (per-wallet and per-IP).
• Preventing deposit transaction replay.
• Detecting and preventing abuse report flooding (IP-based deduplication).
• Enforcing wallet bans for Terms of Service and Content Policy violations.
• Protecting against content spoofing (wallet signature verification on uploads).

5.3 Content Moderation

• Reviewing abuse reports and DMCA takedown requests.
• Auto-hiding content when abuse report thresholds are reached.
• Maintaining moderation audit trails for transparency and appeals.

5.4 Legal Compliance

• Maintaining DMCA takedown records as required by applicable copyright law.
• Responding to valid legal process (subpoenas, court orders, law enforcement requests).
• Reporting CSAM to the appropriate authorities as required by law.

6. How We Do Not Use Information

We explicitly do not use any collected information for:

• Advertising, ad targeting, or ad personalization of any kind.
• Behavioral profiling, user segmentation, or predictive analytics.
• Selling, renting, leasing, or trading data to third parties for any purpose.
• Building user profiles beyond what is necessary for Platform operation.
• Cross-site tracking or participation in advertising networks.
• Training machine learning models on user Content without explicit consent.
• Sending unsolicited marketing communications (we have no mechanism to do so, as we do not collect email addresses for general users).

7. Data Sharing and Disclosure

7.1 No Sale of Data

We do not sell, rent, lease, trade, or otherwise transfer your information to third parties for monetary or other valuable consideration. This applies to all categories of information we collect, without exception.

7.2 Service Providers

We may share limited information with trusted third-party service providers who assist in operating the Platform, including:

• Hosting providers — server infrastructure for storing encrypted Content and running the backend application.
• Database providers — PostgreSQL hosting for payment records, content metadata, and moderation data.
• Solana RPC providers — for on-chain transaction verification (only transaction signatures are sent; no user data is shared).
• Content moderation providers — text content from text paywalls is sent to OpenAI's content moderation service for automated content policy checks. Only the text content itself is sent — no wallet addresses, metadata, or other user data is included in the moderation request.

These providers are contractually obligated to use your information solely for the purpose of providing services to us and are prohibited from using it for their own purposes. They do not receive decryption keys, plaintext Content, or any data beyond what is strictly necessary for their service.

7.3 Legal Disclosure

We may disclose information if we reasonably believe that disclosure is necessary to:

• Comply with a valid legal obligation, including subpoenas, court orders, search warrants, or other compulsory legal process.
• Respond to a verified law enforcement request, provided it is issued by a government agency with proper jurisdiction and legal authority.
• Protect the rights, property, or personal safety of Monerixa, its users, or the public.
• Enforce our Terms of Service, Content Policy, or DMCA Policy.
• Report CSAM or other content that we are legally required to report to law enforcement.

When legally permitted, we will attempt to notify affected users before disclosing their information in response to legal process.

7.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, dissolution, or other corporate transaction involving Monerixa, your information may be transferred as part of the transaction. In such an event, the acquiring entity will be bound by the terms of this Privacy Policy with respect to your information, and we will provide notice of any material changes to data handling practices.

7.5 Aggregate and De-Identified Data

We may create, use, and share aggregate or de-identified data that cannot reasonably be used to identify any individual. For example, we may publish aggregate statistics about total platform usage (number of paywalls created, total transaction volume, storage used) without revealing any individual user's information. Such aggregate data is not subject to the restrictions of this Privacy Policy.

8. Data Retention

We retain different categories of information for different periods, based on the purpose for which it was collected and our legal obligations:

8.1 Content Data

Encrypted files and text content are stored for the duration of the Paywall's Access Period or until the Creator deletes the Paywall, whichever occurs first. When a Paywall expires or is deleted, the associated Content is marked for removal. Encrypted files are physically deleted from disk when no remaining Paywall references them. Content metadata (titles, descriptions, prices) is deleted from the database when the Content record is deleted.

8.2 Payment Records

Payment logs (transaction signatures, amounts, wallet addresses, timestamps) are retained indefinitely. This is necessary for: (a) financial record-keeping; (b) dispute resolution; (c) deposit refund eligibility tracking (cumulative revenue threshold); (d) Buyer access verification (proving a Buyer has paid for Content); and (e) Creator payment history on the Dashboard. Because this data is already permanently recorded on the public Solana blockchain, our database retention does not create additional privacy exposure.

8.3 Content Unlocks and Access Tokens

Records of which wallets have unlocked which Content are retained for as long as the associated Content exists, plus a reasonable period afterward for dispute resolution. Access tokens are self-expiring and are not revocable — they simply become invalid after expiry.

8.4 DMCA Records

DMCA takedown requests are retained permanently, regardless of whether the request was upheld or rejected, and regardless of whether the associated Content was subsequently removed. This is required by applicable copyright law and serves as a permanent legal record of the notice-and-takedown process.

8.5 Abuse Reports

Content abuse reports are retained for the operational life of the Platform. Reports are used for moderation history, pattern detection (identifying repeat offenders), and maintaining a record of enforcement actions taken.

8.6 Content Edit Audit Logs

Edit audit trail entries are retained for as long as the associated Content exists. They are deleted when the Content record is deleted.

8.7 Wallet Ban Records

Wallet ban records (including the banned wallet address, reason, and ban date) are retained indefinitely to prevent banned wallets from regaining access. Soft-unbanned records are retained with an inactive flag for audit purposes.

8.8 Rate-Limiting Data

All rate-limiting counters (upload timestamps per wallet, download timestamps per wallet, download timestamps per IP) are stored exclusively in application memory (RAM). They are not persisted to disk, database, or any durable storage. They are lost when the server process restarts and expire automatically based on the configured time windows (hourly and daily).

8.9 Server Logs

Structured server logs (including HTTP request logs and business event logs) may contain wallet addresses, partial IP addresses, content IDs, and event metadata. Log retention depends on the hosting provider's configuration. We configure log retention to the minimum period necessary for operational debugging and security incident response. Logs do not contain plaintext Content, decryption keys, or full IP addresses (IPs are partially redacted in business event logs).

9. Data Security

We implement technical and organizational security measures designed to protect information under our control. These measures include:

9.1 Encryption at Rest

All uploaded files are encrypted with industry-standard authenticated encryption before being written to disk. Each file receives a unique, randomly generated encryption key, which is wrapped using a server-side master secret. The plaintext content is never stored on disk at any point in the pipeline.

9.2 Encryption in Transit

All communications between your browser and the Platform are encrypted using HTTPS (TLS). API requests, wallet signatures, content uploads, and content downloads all occur over encrypted connections.

9.3 Authentication and Access Control

• Wallet authentication uses cryptographic signature verification. The server verifies that signed messages originate from the claimed wallet address.
• Upload authentication requires a wallet signature with a short freshness window to prevent replay of authentication headers.
• Download access requires a fresh wallet signature for each download request. The server issues a short-lived download token after verifying the signature and confirming payment records.
• Admin panel access is protected by a separate API key (ADMIN_API_KEY), independent of wallet authentication.
• The JWT secret used for access token signing is required at server startup — the server will not start without it, preventing silent use of a default or empty secret.

9.4 Payment Security

• Payment verification occurs server-side by fetching the transaction directly from the Solana blockchain via RPC. The sender wallet is extracted from on-chain transaction data and is never trusted from the client.
• Transaction signatures are stored with uniqueness enforcement to prevent replay attacks.
• Fee calculations are performed exclusively server-side and cannot be manipulated by the client.

9.5 Rate Limiting and Abuse Prevention

• Upload rate limits: configurable per-wallet sliding window.
• Download rate limits: per-wallet and per-IP limits.
• Global API rate limiting.
• Anti-spam deposit system requiring USDC commitment for each upload.

9.6 Security Limitations

No system is completely secure. Despite our reasonable security measures, we cannot guarantee that our security measures will prevent all unauthorized access, data breaches, data loss, or security incidents. You use the Platform at your own risk. In the event of a security incident that affects your data, we will notify affected users as required by applicable law.

10. Cookies, Tracking Technologies, and Analytics

10.1 No Cookies

The Platform does not set, read, or use any cookies — neither first-party nor third-party. We do not use session cookies, persistent cookies, authentication cookies, preference cookies, or tracking cookies. No cookie consent banner is necessary because no cookies are used.

10.2 Local Storage

The Platform uses your browser's local storage exclusively for storing your theme preference (dark mode or light mode). This data is stored entirely on your device, is never transmitted to our servers, and can be cleared at any time through your browser settings.

10.3 No Third-Party Analytics

We do not integrate with Google Analytics, Mixpanel, Amplitude, Segment, Hotjar, FullStory, or any other third-party analytics, session replay, or user behavior tracking service. No third-party JavaScript is loaded for the purpose of tracking user behavior.

10.4 No Advertising Technology

We do not integrate with any advertising network, demand-side platform, data management platform, or ad exchange. No advertising pixels, conversion tracking scripts, retargeting tags, or similar technologies are present on the Platform.

10.5 Do Not Track

Because the Platform does not track users across websites or over time, there is no change in behavior when a Do Not Track (DNT) signal is received from your browser. We honor the spirit of DNT by default.

11. Blockchain-Specific Privacy Considerations

11.1 Public Nature of Blockchain Data

The Solana blockchain is a public, permissionless, immutable ledger. When you make a payment through the Platform, the transaction — including your wallet address, the recipient wallet address, the amount transferred, and the timestamp — is permanently and publicly recorded on the blockchain. This data cannot be deleted, modified, or made private by Monerixa or any other party. Anyone with access to the Solana blockchain (which is everyone) can view this data.

11.2 Pseudonymity, Not Anonymity

Wallet addresses are pseudonymous identifiers. While they do not inherently contain your real-world identity, they may be linked to your identity through various means outside our control, including:

• Centralized exchanges where you may have completed identity verification (KYC).
• Public social media posts associating your wallet with your identity.
• Blockchain analytics services that cluster wallet activity.
• ENS-like naming services or on-chain profiles.

We do not perform blockchain analytics or attempt to de-anonymize wallet addresses. However, we cannot prevent third parties from doing so using publicly available blockchain data.

11.3 Immutability of On-Chain Data

Transaction data written to the Solana blockchain is immutable and permanent. Even if you delete your Content from the Platform or we remove it through moderation, the on-chain payment records (transaction signatures, amounts, wallet addresses) remain permanently visible on the blockchain. This is an inherent property of blockchain technology and is outside our ability to control.

12. International Data Transfers

The Platform is operated globally, and your information may be processed and stored in jurisdictions other than your own. Our servers and service providers may be located in different countries, and data may cross international borders in the course of normal Platform operations.

By using the Platform, you consent to the transfer of your information to jurisdictions that may have different data protection laws than your home jurisdiction. We take reasonable steps to ensure that your information is treated in accordance with this Privacy Policy regardless of where it is processed.

13. Children's Privacy

The Platform is not directed at, and is not intended for use by, individuals under the age of 18 (or the age of majority in their jurisdiction, whichever is greater). We do not knowingly collect Personal Information from children under 18.

If we become aware that we have inadvertently collected information from a child under 18, we will take prompt steps to delete such information. If you believe that a child under 18 has used the Platform, please notify us through the Report page.

14. Your Rights and Choices

14.1 General

Because the Platform does not collect traditional Personal Information (no names, emails, phone numbers, or accounts for general users), many standard data subject rights have limited applicability. However, we respect your rights to the fullest extent applicable under your jurisdiction's laws.

14.2 Right to Access

You can view all information associated with your wallet through the Platform's Dashboard, including: Content you have uploaded, payment history, purchase history, credit balance, and active access tokens. This information is available to you at any time by connecting your wallet.

14.3 Right to Deletion

You can delete your Content (Paywalls) at any time through the Dashboard, subject to the 24-hour buyer protection window described in our Terms of Service. When Content is deleted, associated encrypted files are permanently removed from storage when no other Paywall references them. Content metadata is deleted from the database. Payment records associated with your deleted Content are retained as described in Section 8.2.

14.4 Right to Portability

Your on-chain transaction history is inherently portable — it exists on the public Solana blockchain and can be accessed by any block explorer or wallet application. For off-chain data, the Dashboard provides visibility into your Content, sales, and purchase history.

14.5 Right to Rectification

You can edit your Content metadata (title, description, price) at any time through the Dashboard. Edits are logged in the audit trail for transparency. The underlying file, text, or link content cannot be modified — you must create a new Paywall for a new version.

14.6 Right to Object / Restrict Processing

You may cease using the Platform at any time by disconnecting your wallet. We do not process your data for marketing, profiling, or automated decision-making purposes, so there is no additional processing to object to beyond the core Platform functionality described in Section 5.

15. European Economic Area (EEA) and GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you may have additional rights under the General Data Protection Regulation (GDPR) or equivalent local data protection laws.

15.1 Legal Basis for Processing

Our legal basis for processing information under GDPR is:

• Contract performance — processing necessary to perform our contract with you (the Terms of Service), including payment verification, content delivery, and access control.
• Legitimate interests — processing necessary for our legitimate interests that are not overridden by your rights, including security, fraud prevention, abuse prevention, and platform stability.
• Legal obligation — processing necessary to comply with applicable laws, including DMCA record-keeping and CSAM reporting obligations.
• Consent — for DMCA submissions where you voluntarily provide personal information (name and email).

15.2 Data Protection Officer

For GDPR-related inquiries, you may contact us through the Report page on the Platform. We will respond to requests within 30 days as required by GDPR.

16. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), may provide you with additional rights regarding your personal information.

16.1 Categories of Information

In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:

• Identifiers — wallet addresses (pseudonymous), IP addresses (for rate limiting only).
• Commercial information — records of transactions (payment amounts, timestamps).
• Internet activity — limited to rate-limiting counters (not browsing history or search queries).

16.2 Your CCPA Rights

• Right to Know — you may request information about the categories and specific pieces of personal information we have collected about you.
• Right to Delete — you may request deletion of personal information, subject to legal exceptions (e.g., DMCA records).
• Right to Non-Discrimination — we will not discriminate against you for exercising your CCPA rights.
• Right to Opt Out of Sale — we do not sell personal information and have not done so in the preceding 12 months.

16.3 Do Not Sell or Share

We do not sell or share (as defined under CCPA/CPRA) personal information for cross-context behavioral advertising purposes. No opt-out mechanism is necessary because no sale or sharing occurs.

17. Other Jurisdictional Rights

Users in other jurisdictions may have additional rights under their local data protection laws, including but not limited to:

• Brazil (LGPD) — rights to access, correction, anonymization, deletion, portability, and information about sharing practices.
• Canada (PIPEDA) — rights to access and correct personal information held by organizations.
• Australia (Privacy Act) — rights to access and correct personal information under the Australian Privacy Principles.
• Japan (APPI) — rights to disclosure, correction, and cessation of use of personal information.
• South Korea (PIPA) — rights to access, correction, suspension of processing, and deletion of personal information.

We will endeavor to comply with applicable data protection requirements in your jurisdiction. If you wish to exercise rights under your local law, please contact us through the Report page.

18. Third-Party Services and Links

The Platform interacts with or references third-party services that have their own privacy policies. These include:

• Solana blockchain — a public, permissionless blockchain. All transaction data is publicly and permanently visible.
• Wallet providers (Phantom, Solflare, Backpack, and others) — these providers have their own privacy policies governing how they handle your wallet data, connections, and browsing activity.
• USDC / Circle — USDC is issued by Circle, which is a regulated financial entity with its own privacy and compliance practices.
• Solana RPC providers — we use third-party RPC providers to communicate with the Solana blockchain. These providers may log request data according to their own policies.

Creators may include links to external websites as Content. We are not responsible for the privacy practices of any external website or service. We encourage you to review the privacy policies of any third-party service you interact with.

19. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page. We may, but are not required to, provide additional notice of material changes through the Platform interface.

Your continued use of the Platform after the posting of a revised Policy constitutes your acceptance of the revised Policy. If you do not agree with the changes, your sole remedy is to discontinue use of the Platform. We encourage you to review this Policy periodically.

20. Contact Information

For questions, concerns, or requests regarding this Privacy Policy or our data practices, you may contact us through the Report page on the Platform. For copyright-related inquiries, please use our DMCA takedown form. We will endeavor to respond to all privacy-related inquiries within 30 days.