Privacy Policy

On-Chain-Unlock — Last updated: May 2026

1. Data Controller

On-Chain-Unlock
Granada, Spain
[email protected]

2. What Data We Collect

We collect the minimum data necessary to operate the license management service.

Data	Purpose	Legal Basis	Retention
Wallet address	Customer identification, dashboard authentication, and license management	Contract performance	Until license revocation or deletion request
Device serial numbers	License assignment and validation	Contract performance	Until license revocation or deletion request
Order identifiers	Purchase tracking and support	Contract performance / Legal obligation	5 years (tax obligations)
Hashed IP addresses	Abuse and anomaly detection — one-way hash with server-side salt, not reversible to the original IP	Legitimate interest	48 hours (volatile, resets on server restart)

3. What We Do Not Collect

We do not collect name, surname, email address, physical address, demographic data, or browsing behaviour. We do not use tracking or profiling cookies. Session cookies are used exclusively to maintain an authenticated dashboard session and contain no personal data.

4. Cryptographic Operations

The On-Chain-Unlock server operates in two distinct modes depending on the context:

Device authentication relay: the server acts as a pure relay between the signing wallet and the access control device. It forwards the signed payload without inspecting, processing, or storing its content. No cryptographic material is retained.
Dashboard authentication: the server verifies a cryptographic signature locally to confirm the customer's wallet identity. The signature is used solely to establish the session and is never stored or retained after the session is created.

Private keys and seed phrases are never transmitted to or received by On-Chain-Unlock servers under any circumstances.

5. Payment Data

All payments are processed by Paddle as Merchant of Record. Payment card data, billing addresses, and VAT information are handled exclusively by Paddle and never transmitted to or stored on our servers. Paddle's privacy policy applies to all payment processing: paddle.com/legal/privacy.

6. On-Device Data

Physical access logs (who entered, when, with which role) are stored locally on the integrator's device. This data is under the control of the device owner and is not transmitted to On-Chain-Unlock servers. The integrator is solely responsible for compliance with applicable data protection regulations regarding local access logs.

7. Blockchain Data

NFT ownership verification is performed by querying the public Enjin Matrixchain RPC. This is a read-only operation against publicly available blockchain data — no personal data is transmitted to Enjin. Wallet addresses are already public on-chain by the nature of blockchain infrastructure. On-Chain-Unlock does not control blockchain data and cannot modify or delete it.

8. Data Sharing

We do not sell, rent, or share personal data with third parties for commercial purposes. Data is shared only with:

Paddle — payment processing (Merchant of Record)
Cloudflare — network infrastructure and DDoS protection

9. Your Rights

Under GDPR you have the right to access, rectify, erase, restrict, or port your personal data. To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. Note that erasure of blockchain data is not technically possible as it is inherent to public blockchain infrastructure.

10. Changes to This Policy

We may update this Privacy Policy at any time. We will notify registered customers via the License Dashboard. Continued use of the service after the effective date constitutes acceptance.

11. Contact

On-Chain-Unlock
[email protected]