Privacy Policy
Last updated: April 20, 2026
1. Scope
This Privacy Policy applies to all BTNOMB properties: btnomb.com, cleanroom.btnomb.com, alerts.btnomb.com, cleanskills.btnomb.com, mcp.btnomb.com, and bounty.btnomb.com (collectively, the “Services”). By using any of our Services, you agree to the collection and use of information as described in this policy.
2. Data We Collect
We collect the minimum data necessary to operate our Services:
- Email address — when you sign up for Cleanroom rebuilds, Supply Chain Alerts, the Bounty Board, or any waitlist
- Wallet address — when you pay with USDC on Base or submit ideas to the Bounty Board
- Package URLs and metadata — GitHub URLs or npm package names submitted for Cleanroom rebuilds
- Bounty Board submissions — product ideas, descriptions, and tags you submit
- Usage data — pages visited, timestamps, referrer URLs, and browser type, collected automatically via server logs
- Payment records — transaction hashes, credit balances, and purchase history (we do not store credit card numbers; crypto payments are on-chain)
3. What We Do Not Collect
We do not use tracking cookies, analytics pixels, or third-party advertising networks. We do not collect biometric data, location data, or device identifiers beyond what appears in standard server logs. We do not sell, rent, or share your personal data with third parties for marketing purposes.
4. How We Use Your Data
We use the data we collect to:
- Deliver the Services you request (rebuilds, alerts, bounty payouts)
- Send transactional notifications (rebuild complete, alert triggered, bounty status)
- Process payments and manage credit balances
- Improve and debug our Services
- Comply with legal obligations
We do not use your data for advertising or profiling.
5. Cookies
Our Services use minimal cookies:
- Session cookies — to maintain login state and CSRF protection. Expire when you close your browser.
- Cloudflare cookies — set by Cloudflare for security and performance (e.g., __cflb, cf_clearance).
We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No cookie consent banner is required because we only use strictly necessary cookies.
6. Payments
USDC on Base L2 — on-chain payments are processed on the Base network (chain ID 8453). Transaction hashes, wallet addresses, and amounts are publicly visible on the blockchain. BTNOMB does not control or have the ability to delete on-chain data.
Stripe — if card payments are available, they are handled by Stripe. Your card details never touch our servers.
7. Third-Party Services
We share data with third parties only as necessary to operate the Services:
- Resend — email delivery provider. Receives your email address to send transactional emails. (privacy policy)
- Cloudflare — CDN, DNS, and DDoS protection. Processes IP addresses and request metadata. (privacy policy)
- Base network (Coinbase L2) — on-chain payment settlement. Wallet addresses and transactions are publicly visible.
- Stripe — card payment processing, if applicable. (privacy policy)
We do not use advertising networks, social media pixels, or third-party analytics platforms.
8. Data Retention
- Account data (email, credits) — retained while your account is active and for 12 months after last activity
- Rebuild metadata (package URLs, rebuild logs) — retained indefinitely to improve rebuild quality
- Payment records — retained for 7 years for tax and accounting compliance
- Server logs (IP, user agent) — retained for 90 days, then deleted
- Bounty submissions — retained indefinitely (submissions are public by design)
- Alert subscriptions — retained while your subscription is active; email removed within 30 days of unsubscribe
You may request deletion of your personal data at any time (see Sections 9 and 10).
9. Your Rights Under GDPR
If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) grants you the following rights:
- Right of Access — request a copy of the personal data we hold about you
- Right to Rectification — request correction of inaccurate or incomplete data
- Right to Erasure — request deletion of your personal data (“right to be forgotten”)
- Right to Restriction — request that we limit processing of your data
- Right to Data Portability — receive your data in a structured, machine-readable format
- Right to Object — object to processing based on legitimate interests or direct marketing
- Right to Withdraw Consent — where processing is based on consent, you may withdraw it at any time
Legal basis for processing: (a) Contract performance — processing necessary to deliver the Services you requested; (b) Legitimate interest — improving service quality and preventing abuse; (c) Consent — where you opt in to communications.
To exercise any of these rights, email [email protected]. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.
10. Your Rights Under CCPA
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) grant you the following rights:
- Right to Know — request what categories and specific pieces of personal information we have collected, used, and disclosed about you
- Right to Delete — request deletion of your personal information, subject to certain exceptions
- Right to Correct — request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing — we do not sell or share your personal information as defined by the CCPA/CPRA
- Right to Non-Discrimination — we will not discriminate against you for exercising your privacy rights
Categories of personal information collected: identifiers (email, wallet address), commercial information (purchase history, credits), and internet activity (server logs). We do not collect sensitive personal information as defined by the CCPA.
To exercise your rights, email [email protected]. We will verify your identity and respond within 45 days.
11. Data Security
We use commercially reasonable measures to protect your data, including: encrypted connections (TLS/HTTPS) for all Services, access controls on databases and servers, and regular security reviews. However, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.
12. International Transfers
Our servers are located in the United States. If you access the Services from outside the US, your data will be transferred to and processed in the US. For EEA/UK users, we rely on Standard Contractual Clauses as the legal mechanism for international data transfers.
13. Children
Our Services are not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at [email protected] and we will delete it promptly.
14. Changes to This Policy
We may update this Privacy Policy at any time. Material changes will be posted on this page with a revised “last updated” date. Continued use of the Services after changes constitutes acceptance of the updated policy.
15. Contact
For privacy-related questions, data access or deletion requests, or complaints:
Email: [email protected]
General inquiries: [email protected]