Privacy Policy

This Privacy Policy (the “Policy”) explains how SHIROI (“SHIROI,” “we,” “us,” “our”) collects, uses, processes, and discloses information in connection with the tools and services available via https://docs.shiroi.io (the “Instrumental Site”), as well as other ecosystem components: Tools, APIs, code repositories, related websites, interfaces, services, and technologies (collectively, the “Services”). Use of the Services is also governed by the Terms of Use.

We may update the Policy. Changes are effective upon publication of the updated version; continued use of the Services signifies consent to the updates.

1. Data We Collect

We may collect:

• IP address and derived location information;

• API keys and other access credentials;

• unique identifiers (UUID), user agent, device information, client-library version;

• publicly available on-chain data: timestamps, events/packets, wallet addresses, public keys, transaction signatures;

• aggregated analytics on feature usage and access geography;

• information you voluntarily provide (support requests, forms, feedback);

• information from our contractors, providers, and analytics vendors.

Categories may be combined. We also derive inferences about you from analysis of on-chain data. Third-party technologies in the Services may collect data independently—review their policies. You are responsible for the security of addresses, wallets, and cryptographic keys.

2. Purposes and Legal Bases (GDPR/UK GDPR)

We use data for:

• providing, supporting, maintaining, and improving the Services — bases: contract (ACCEPTANCE OF OUR TERMS) and legitimate interests (ensuring functionality and quality);

• communications and responding to requests — bases: contract and legitimate interests; where necessary, consent;

• security, abuse prevention, logging, and incident investigations — bases: legitimate interests and legal obligations;

• analytics and internal quality control — basis: legitimate interests; for non-strictly-necessary cookies/SDKs — consent;

• complying with legal obligations and government requests — basis: legal obligation;

• actions for which you have provided consent — basis: consent (revocable prospectively).

Where we rely on legitimate interests, we conduct interest-balancing and do not use data contrary to your rights and reasonable expectations.

3. Sharing Information

We may disclose data to:

• hosting, infrastructure, security, analytics, and support providers as necessary to deliver the Services;

• via API/SDK as part of Service functionality;

• where necessary to comply with law, protect the rights, property, and safety of Shiori, our employees, agents, and users;

• business partners in the context of merger, acquisition, financing, reorganization, bankruptcy, asset sale, or service transition.

We do not transfer your information to third parties for their own marketing.

4. International Transfers

Data may be processed in the U.S. and other countries. For transfers from the EEA/Switzerland/UK we use EU Standard Contractual Clauses (SCCs) and/or the UK IDTA/Addendum and supplementary safeguards. You can request a copy or summary of safeguards at [[email protected]].

5. Retention

We retain data for as long as necessary for the purposes of collection, service delivery, dispute resolution, rights protection, audits, and legal compliance. Durations depend on legal requirements, volume and sensitivity of data, risks, and processing purposes. Illustrative ranges:

• logs and technical telemetry — 30 to 180 days;

• API keys — while active plus a reasonable rotation period;

• support records — up to 24 months from last contact;

• aggregated analytics — up to 24 months.

Actual periods may vary by category and purpose.

6. Your Rights and How to Exercise Them

Subject to applicable law, you may:

• obtain confirmation of processing and access to data, as well as a copy;

• request correction of inaccuracies and completion of incomplete data;

• request deletion;

• restrict processing or object to it;

• obtain data portability and direct data to another controller;

• withdraw consent prospectively;

• appeal our refusal of your request;

• lodge a complaint with a supervisory authority.

Send requests to [email protected]. Response time is 1 month, extendable for complexity. We may request identity verification and, where applicable, proof of representative authority.

7. Children

The Services are intended for users 18+. We do not knowingly collect children’s data. If you believe a child’s data was provided, contact [email protected].

8. Security

We apply reasonable technical and organizational measures (encryption in transit, access control, segmentation, logging, minimization, key rotation). Absolute security is not guaranteed.

9. Cookies and Similar Technologies

We use cookies and SDKs for strictly necessary purposes, functionality, and analytics. Non-essential technologies are used with consent. Manage preferences via the Cookie Policy and settings panel. We honor Global Privacy Control where applicable.

10. Automated Decisions

We do not make decisions with legal or similarly significant effects solely based on automated processing. If such scenarios arise, we will provide prior information on logic and effects and ensure rights provided by law.

11. Blockchain Specifics

Blockchain records are immutable and may be public. This means on-chain data cannot be deleted or corrected; we delete off-chain copies and cease publication, and we design Services to minimize personal data on-chain.

12. Jurisdiction-Specific Information

California (CCPA/CPRA). We do not “sell” or “share” personal information for cross-context behavioral advertising. Rights include: know, obtain a copy, delete, correct, appoint an authorized agent, appeal a denial, and non-discrimination for exercising rights. We honor GPC. Requests — [email protected]. For data protection we may request identity and agent-authority verification.

EEA, UK, Switzerland. Legal bases are listed above. Rights to access, rectification, deletion, restriction, objection, portability, and complaint to a regulator are available. Cross-border transfers rely on SCCs/UK Addendum. Contacts for representative/DPO — in Section 0.

Other U.S. States. We provide comparable rights (access, deletion, correction, portability, opt-out of targeting/profiling where applicable) and an appeals process. Response up to 45 days, extendable per law.

13. Changes

We may update the Policy and indicate the “Last Updated” date. Material changes may be additionally announced in the Services/on the Site.

14. Contacts

Data-subject questions and requests: [email protected]