Privacy Policy
1. Introduction
This Privacy Policy explains how TreeChain (“we”, “us”) collects, uses, and protects your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”). By using the TreeChain platform, you acknowledge that you have read and understood this policy.
2. What We Collect
TreeChain collects only the minimum data necessary to provide the Service:
- Email address — required for account creation and communication
- Payment information — processed and stored exclusively by Stripe; TreeChain does not store card numbers or bank details
- API usage logs — request counts, endpoints called, response codes; anonymized and aggregated for analytics
- IP addresses — collected solely for rate limiting and abuse prevention; rotated and deleted on a rolling 30-day basis
3. What We Do NOT Collect
Encrypted customer data is never accessible to TreeChain. Due to the zero-knowledge architecture of the platform, all customer content is encrypted client-side before transmission. TreeChain does not possess decryption keys, and it is mathematically impossible for us to read, inspect, copy, or produce your encrypted content.
4. Data Retention
- Account data (email, profile) — retained for the lifetime of the account plus 30 days after deletion request
- Payment records — retained for 7 years as required by Polish tax law
- API usage logs — anonymized after 90 days; aggregated statistics retained indefinitely
- IP addresses — deleted on a rolling 30-day cycle
- Encrypted customer data — purged within 30 days of account termination
5. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights:
- Right of access — request a copy of all personal data we hold about you
- Right to rectification — correct inaccurate or incomplete personal data
- Right to erasure — request deletion of your personal data (“right to be forgotten”)
- Right to data portability — receive your data in a structured, machine-readable format
- Right to restrict processing — limit how we use your data
- Right to object — object to processing based on legitimate interests
To exercise any of these rights, contact us at security@treechain.ai. We will respond within 30 days as required by the GDPR.
6. Cookies
TreeChain uses minimal, session-only cookies strictly necessary for authentication and security. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No cookie consent banner is required under the ePrivacy Directive because we use only technically necessary cookies.
7. Third-Party Processors
We share data only with the following processors, each bound by a Data Processing Agreement (DPA):
- Stripe — payment processing (PCI DSS Level 1 certified)
- MongoDB Atlas — database infrastructure (metadata only; customer content is encrypted)
- Hetzner — primary server infrastructure (EU data centers)
- Render — cloud hosting fallback (EU/US regions)
8. International Data Transfers
TreeChain infrastructure is hosted within Swiss and EU data centers. We do not routinely transfer personal data outside the European Economic Area. Where a sub-processor operates outside the EEA, transfers are protected by EU Standard Contractual Clauses (SCCs) or an adequacy decision.
9. Contact
For privacy inquiries, data subject requests, or to report a concern:
security@treechain.ai
TreeChain’s Data Protection Officer can be reached at the same address.
10. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email at least thirty (30) days before they take effect.