Privacy Policy
Last updated: 2026-06-17
Who we are
CardanoWall ("CardanoWall", "we", "us", "our") is a Cardano-anchored proof-of-existence service available at cardanowall.com. The service is operated by an independent entrepreneur established in the Czech Republic, who is the controller of the personal data described here. You can contact the operator at hello@cardanowall.com. The operator's identification and registered address are set out in the Legal Notice.
Scope
This policy describes what data cardanowall.com collects, when, and why. It also describes the boundary between data the operator can scrub on request and data that is structurally permanent — anchored on the Cardano mainnet ledger or content-addressed on Arweave or IPFS.
Account data
We store per-account records sufficient to authenticate you: an email address used for one-time codes, a salted hash of the email address used for lookup, sign-in bindings for Google and Apple where you use them, and per-account display labels you set yourself. We store telemetry events tied to your account for operational diagnostics.
Identity data
For every identity you create, we store its public Ed25519 signing key and its public X25519 receive key. These are public by design and are published on the Cardano mainnet ledger and on Arweave. We also store the WebAuthn credentials your authenticators register; the secret key material never leaves your authenticator.
Your account's identity bundle is held only as an encrypted vault — a single age-encrypted record addressed exclusively to your WebAuthn passkeys. Only your own authenticators can open it; the operator cannot, and no identity material is ever uploaded to Arweave.
Content data
For each proof-of-existence record you publish, we store the content hashes you submit. We do not store the underlying file content. For sealed records, the encrypted ciphertext is uploaded to Arweave and referenced from the on-chain record; the operator cannot decrypt it.
Composer drafts remain in your browser's IndexedDB only. The operator never receives draft metadata until you publish.
Legal bases for processing
Under the EU General Data Protection Regulation (GDPR) we rely on:
- Performance of a contract — creating and authenticating your account and carrying out the publishing you request.
- Legitimate interests — securing the service, preventing abuse, and diagnosing faults, balanced against your rights.
- Legal obligation — retaining billing and tax records where the law requires it.
- Consent — where we ask for it explicitly, such as analytics cookies (see Analytics below) and when you sign in through Google or Apple; you may withdraw it at any time.
How we use Google and Apple sign-in data
When you sign in with Google or Apple, we use the email address and basic profile information only to create and authenticate your account. We do not sell it, use it for advertising, or share it with third parties for their own purposes. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements.
Cookies
We set the following cookies:
cw_theme— your theme preference (light or dark).cw_active_identity— pointer to the identity active in your current session.cw_cookie_consent— records whether you accepted or declined analytics cookies.- Auth.js session cookies — your signed-in state.
- Edge-proxy rate-limit cookies — abuse protection at the request layer.
The cookies above are strictly necessary or preference cookies. Analytics cookies (Google Analytics) are set only after you accept them in the cookie banner — until then, and if you decline, no analytics cookies are set and no analytics data is collected. We never set advertising or cross-site tracking cookies. You can change your choice at any time via "Cookie settings" in the footer.
Analytics
With your consent, we use Google Analytics 4 to understand in aggregate how the site is used — which pages are visited and which key actions (sign-up, sign-in, sign-out, balance top-up, identity creation, and publishing) occur. Analytics is off by default: Google Consent Mode keeps it disabled until you accept analytics cookies in the banner, and you can withdraw consent at any time via "Cookie settings" in the footer. We enable IP anonymization, and we do not use analytics data for advertising or sell it. Google LLC acts as our processor for this data; see Google's Privacy Policy.
Telemetry
We use structured server-side logging with strict redaction of sensitive fields. Errors are forwarded to a self-hosted GlitchTip instance under the same redaction policy. The redaction policy is enforced by automated test parity between the web and worker processes.
Service providers
We share the minimum data necessary with a small number of processors:
- Resend — transactional email delivery for one-time codes and notifications (receives your email address).
- Stripe — payment processing for account top-ups (receives the billing details you enter at checkout; we never store full card numbers).
- Cloudflare — content delivery and abuse protection at the network edge, including the sign-in challenge.
- Google Analytics (Google LLC) — consent-gated, IP-anonymized usage analytics; receives aggregated interaction events only after you opt in.
- Cardano gateways (Koios, Blockfrost) — read access to the Cardano mainnet ledger.
- Arweave gateways — read and write access to the Arweave permanent-storage network.
We do not engage marketing or advertising processors.
International transfers
Some of our processors are located outside the European Economic Area, including in the United States. Where that is the case, transfers are protected by appropriate safeguards such as the European Commission's Standard Contractual Clauses.
Retention
We keep account data for as long as your account exists. One-time codes are short-lived and deleted on use or expiry. Operational logs and telemetry are retained for a limited diagnostic period. Billing records are retained for the period required by Czech and EU tax law. The administrative audit log is append-only and retained for the legally required minimum; after account erasure, audit rows that referenced your account are pseudonymised.
Your rights
Under the GDPR you have the right to access, rectify, erase, restrict, and port your personal data, and to object to certain processing. You can exercise the main rights yourself: a self-service export at /account/data produces a machine-readable archive of your scrubbable data, and account deletion on the account page removes all scrubbable account data, ends every session, and records an audit row. For anything else, contact hello@cardanowall.com.
You also have the right to lodge a complaint with the Czech supervisory authority, the Office for Personal Data Protection (Úřad pro ochranu osobních údajů, uoou.gov.cz).
Permanence of on-chain and content-addressed records
We cannot rewrite, delete, or suppress a Label 309 record on the Cardano mainnet ledger. We cannot un-pin Arweave envelopes or sealed ciphertext — content-addressing is permanent by Arweave design. We cannot un-pin IPFS-pinned content held by third-party gateways. Erasure requests therefore alter the operator's view of your data, not the ledger's view.
CardanoWall is not a custodian
We do not hold user assets or secret signing keys. Identity material is encrypted to your own authenticators, and the operator cannot open it, move funds, sign on your behalf, or access encrypted content.
Children
The service is not intended for, and may not be used by, anyone under the age of 18.
Changes to this Policy
This Policy may change. The current version is always the one published on this page, and the "last updated" date above reflects the most recent revision.
Contact
Privacy questions may be sent to hello@cardanowall.com.