Privacy

1. Introduction

402zk (“we”, “our”, “the Protocol”) is a decentralized payment infrastructure enabling public and private micropayments through the x402 and ZK-SNARK transaction standards. We are committed to upholding the highest standards of privacy, following the principles of:

  • Privacy-by-Design

  • Zero-Knowledge Data Minimization

  • Decentralized Key Ownership

  • GDPR-compliant architecture (where applicable)

  • No centralized tracking or profiling

This Policy describes what data we collect, how we process it, and your rights.

2. Data Controller

Because 402zk is a decentralized protocol, no single party acts as a traditional data controller.

  • Node operators, gateway operators, and third-party wallets may independently act as data controllers for their respective systems.

  • 402zk Foundation (or DAO) acts as the steward for documentation and compliance but does not control user personal data.

3. Categories of Data We Collect

We collect only the minimum data required to maintain secure operation. We NEVER collect identifiable personal information (PII).

3.1. Technical Metadata (Non-PII)

Collected automatically:

  • Device or browser type

  • OS version

  • SDK/API version

  • Error codes related to proof verification

  • Gateway performance metrics

  • Anonymized usage analytics (optional, opt-in)

Purpose: debugging, stability optimization, abuse prevention.

3.2. Verifier Gateway Logs

We log:

  • Whether a proof is valid or invalid

  • Whether nonce is used or expired

  • Whether TTL remains valid

Not logged:

  • Wallet addresses

  • Transaction amounts

  • User identity

  • Original payment transactions

  • Zero-knowledge proof contents

  • API endpoints users are accessing

3.3. Data We Explicitly Do NOT Collect

402zk explicitly does not collect or store:

  • Personal profile information (name, email, phone)

  • Public keys or wallet addresses

  • Private keys, seed phrases, or mnemonics

  • Payment history

  • Off-chain API access patterns

  • ZK-SNARK inputs or outputs

  • Geolocation data

  • Cookies for behavioral profiling

4. How Data Is Processed

Technical data is used exclusively for:

  • Maintaining protocol security

  • Detecting replay attacks

  • Analyzing proof failures

  • Optimizing latency

  • Preventing spam or abuse

We do not use data for:

  • Marketing

  • Profiling

  • Selling to third parties

  • Targeted advertising

All data is:

  • Encrypted (AES-256 or equivalent)

  • Access-controlled

  • Automatically deleted after 14–30 days

  • Never exported outside the system

5. Data Sharing

We do not share any identifiable user data with:

  • Third parties

  • Analytics providers

  • Advertisers

  • Centralized identity providers

However, infrastructure partners (e.g., cloud gateway operators) may process anonymized logs strictly for operational purposes under contractual obligations.

6. User Rights

Depending on jurisdiction (e.g., GDPR, CCPA), you have the following rights:

  • Right to access metadata

  • Right to request deletion

  • Right to withdraw consent (opt-out analytics)

  • Right to data portability (not relevant for private keys)

  • Right to operate pseudonymously

Because 402zk does not store personal data, many rights are automatically satisfied.

7. Data Security

We implement industry-leading controls:

  • End-to-end data encryption

  • Periodic vulnerability assessments

  • Zero-knowledge proof isolation

  • No production access to private keys

  • Hardened API endpoints

  • Rate limits & spam mitigation

  • Multi-region redundancy

8. Minors

402zk is not intended for individuals under 18 years old. We do not knowingly collect any data from minors.

9. Amendments to This Policy

Changes will be posted publicly at least 7 days prior to activation. Major changes require governance approval.

PreviousTOKENOMICSNextTemrs Of Use

Last updated