Privacy Policy

Effective Date: April 14, 2026 · Last Updated: April 14, 2026

This Privacy Policy ("Policy") describes how Zoryxon LLC, an Ohio limited liability company with its principal place of business at 6545 Market Ave N, Canton, OH 44721 ("Zoryxon," "Company," "we," "us," or "our"), collects, uses, discloses, and protects information in connection with the Zoryxon platform, websites, applications, application programming interfaces, smart contracts, software development kits, and related services (collectively, the "Services" or "Platform"). This Policy should be read together with our Terms of Service, Acceptable Use Policy, Cookie Policy, Data Processing Addendum, and Subprocessor List.

Zoryxon is built on a non-custodial, privacy-first architecture. We collect the minimum data necessary to operate the Services. Your intellectual property is encrypted client-side before it leaves your device, and Zoryxon does not see, process, or store your unencrypted content at any time.

1. Introduction and Scope

Zoryxon provides trust infrastructure for the digital economy, including cryptographic proofs of existence, origin, lineage, integrity, and provenance for intellectual property and digital assets. This Policy applies to all users of the Services, including creators, licensees, developers, institutional customers, and visitors to our websites, and governs our collection and processing of information in connection with the Services.

1.1 Controller

For purposes of the European Union General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the United Kingdom General Data Protection Regulation ("UK GDPR"), and the Swiss Federal Act on Data Protection, Zoryxon LLC is the data controller of personal data collected through the Services unless expressly stated otherwise (for example, in an institutional Education arrangement where an educational institution acts as controller and Zoryxon acts as processor).

1.2 Acceptance

By accessing or using the Services, you acknowledge that you have read, understood, and agree to the practices described in this Policy. If you do not agree, you must not access or use the Services.

2. Information We Collect

We collect information in the following categories, each of which is further described below.

2.1 Information You Provide to Us

Account Registration Information. Email address, display name, and (optionally) avatar, bio, and website URL. Profile fields beyond email are optional.
Wallet Addresses. Your public blockchain address when you authenticate via Sign-In with Ethereum (SIWE) or connect a wallet. We collect public wallet addresses only; we never request, collect, transmit, or store private keys, seed phrases, or any secret key material.
Vault Content Metadata. Titles, descriptions, tags, and decentralized storage identifiers associated with your encrypted content. We store only references to encrypted ciphertext and cannot access the underlying plaintext.
Marketplace Listings. Listing titles, descriptions, pricing, license terms, and related marketplace data you submit.
Support and Business Communications. Information you provide when you contact us, respond to surveys, or otherwise correspond with us, including email content, attachments, and metadata necessary to respond.
Payment Information. Fiat subscription and invoice payments are processed by Stripe, Inc. Zoryxon does not receive or store full payment card numbers, CVV codes, or bank account numbers. We receive a payment token, billing country, last four digits of the instrument, and transaction result from Stripe for reconciliation and fraud-prevention purposes.

2.2 Information Collected Automatically

Device and Connection Data. IP address, browser type and version, operating system, device identifiers, language settings, and time zone.
Usage Analytics. Pages visited, features used, buttons clicked, referral source, session duration, and error reports. Analytics data is aggregated and, where feasible, pseudonymized.
Cookies and Similar Technologies. Essential authentication cookies, session tokens, and limited preference cookies, as described in our Cookie Policy.
Log Data. Server logs including request timestamps, endpoint accessed, HTTP status, latency metrics, and security-relevant events.

2.3 Blockchain Data

When you interact with Zoryxon smart contracts on Arbitrum One, Ethereum, or Hedera, the following data is written to a public, permissionless blockchain and is inherently public: your public wallet address, transaction hashes, content hashes (SHA-256 digests), timestamps, license records, ownership transfers, and other smart-contract state changes. Zoryxon does not control blockchain infrastructure and cannot alter, censor, or delete confirmed on-chain data.

2.4 Information from Third Parties

Payment Processors. Stripe provides transaction metadata, tokenized payment references, and fraud-signal indicators associated with your payment.
Blockchain Networks and RPC Providers. Arbitrum, Ethereum, and Hedera nodes (accessed via Alchemy and comparable providers) return publicly available on-chain data in response to queries initiated by the Services.
Sanctions Screening. The Chainalysis Sanctions Oracle returns a pass/fail indicator for each wallet address screened against U.S. Department of the Treasury Office of Foreign Assets Control ("OFAC") lists.
Identity Verification Providers. To the extent we integrate with identity verification partners for enterprise or institutional features, we may receive the minimum verification outcome (for example, a verified/unverified indicator) and non-biometric attestation metadata from such partners. Raw identity documents and biometric data are not transmitted to or stored by Zoryxon.
Zora AI Assistant Data. When you interact with Zora, our AI-powered chat assistant, conversation transcripts, voluntarily provided contact information, and conversation history may be stored. Zora is powered by Anthropic, PBC. Conversations are retained for service-quality monitoring and, where you have provided contact information, for follow-up.

3. Information We Do Not Collect

Zoryxon's non-custodial architecture is designed to minimize data collection. We do not collect, store, process, or have access to:

Private Keys or Seed Phrases. Your wallet credentials never leave your device or browser extension. Zoryxon has no mechanism to access, view, or recover private keys or seed phrases at any time.
Unencrypted Content. All files are encrypted client-side with AES-256-GCM authenticated encryption before upload. Our servers receive only encrypted ciphertext and have no means of decrypting it.
Biometric Data of Any Kind. Our Humanity Verification system uses attestation-based methods exclusively. We do not collect, capture, or store biometric identifiers, biometric scores, face geometry, fingerprints, voiceprints, retina scans, iris scans, hand geometry, or any other biometric data at any tier of verification.
Government-Issued Identification. We do not require or collect social security numbers, driver's license numbers, passport numbers, or similar government-issued identification for standard Platform use.
Full Payment Card Information. On-chain payments are conducted in cryptocurrency. Fiat subscription payments are processed by Stripe, Inc. Zoryxon never receives, processes, or stores full credit card, debit card, or bank account information.

4. How We Use Information

We use the information we collect for the following purposes:

Provide and Operate the Services. Authenticate users, process transactions, manage vaults, execute smart-contract interactions, and deliver the core functionality of the Platform.
Improve the Services. Understand usage patterns, diagnose issues, develop new features, and improve user experience using aggregated or pseudonymized data.
Process Transactions and Payments. Facilitate subscriptions, marketplace purchases, and on-chain/off-chain settlement through Stripe and supported blockchain networks.
Service and Security Communications. Send transactional messages (transaction confirmations, security alerts, administrative notices, and policy updates).
Enforce Our Terms. Investigate and respond to suspected violations of the Terms of Service, Acceptable Use Policy, or applicable law.
Legal and Regulatory Compliance. Comply with legal obligations including OFAC sanctions screening, tax and financial recordkeeping, responses to lawful process, and cooperation with competent authorities.
Fraud Prevention and Security. Detect, investigate, and prevent fraud, abuse, unauthorized access, and threats to the Services, users, or the public.
Marketing Communications (Consent-Based). With your consent where required, send product updates, educational content, and announcements. You may withdraw consent at any time through the preferences controls in the Platform or by contacting privacy@zoryxon.com.

We do not sell personal information. We do not share personal information with third parties for cross-context behavioral advertising.

5. Legal Bases for Processing (GDPR)

Where the GDPR or UK GDPR applies, we process personal data on one or more of the following legal bases:

Contractual Necessity (Art. 6(1)(b)). To provide the Services you have requested, including account creation, authentication, transaction processing, marketplace participation, and support.
Legitimate Interests (Art. 6(1)(f)). To secure the Services, prevent fraud, operate analytics, develop new features, enforce our Terms, and communicate with users about material changes. We conduct balancing assessments to ensure these interests are not overridden by your rights.
Legal Obligation (Art. 6(1)(c)). To comply with tax, accounting, sanctions, anti-money-laundering, and other legal obligations applicable to Zoryxon.
Consent (Art. 6(1)(a)). Where required by law, for marketing communications, non-essential cookies, and optional features. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

7. Blockchain Data

You acknowledge that interactions with public blockchains are inherently public and permanent:

All on-chain interactions, including transaction hashes, public wallet addresses, content hashes, license records, ownership transfers, and other smart-contract state, are publicly visible and cannot be deleted or modified after confirmation.
Content hashes stored on-chain are cryptographic fingerprints (SHA-256) that do not reveal the underlying content. They establish that specific content existed at a specific time without disclosing what that content is.
On-chain data settles on Arbitrum One (a Layer 2 rollup) with final settlement on Ethereum Layer 1. Agent trust data is anchored on Hedera. All are public, permissionless networks.
Zoryxon cannot delete, modify, or censor confirmed on-chain data. This is a fundamental property of blockchain technology, not a policy choice.

8. Data Encryption

Zoryxon employs a client-side encryption architecture to ensure that your intellectual property remains private and under your exclusive control:

Algorithm. AES-256-GCM (Advanced Encryption Standard, 256-bit key with Galois/Counter Mode), a NIST-approved authenticated encryption standard providing confidentiality and integrity verification.
Key Generation. Encryption keys are generated locally on your device using cryptographically secure random number generation. Keys never leave your device and are never transmitted to Zoryxon.
Content Hash. A SHA-256 hash of your original content is computed client-side before encryption. The hash is submitted to the blockchain as proof of existence without revealing content.
Non-Custodial Keys. Zoryxon has no mechanism to access your encryption keys. We do not escrow, back up, or store your keys in any form. If you lose your keys, your encrypted content cannot be recovered by anyone, including Zoryxon. This is by design.

9. International Data Transfers

Zoryxon is headquartered in Canton, Ohio, United States, and the Services are primarily hosted and operated in the United States. If you access the Services from outside the United States, your information will be transferred to, stored in, and processed in the United States and other jurisdictions in which Zoryxon or its service providers operate.

9.1 EEA, UK, and Swiss Transfers

For transfers of personal data originating in the European Economic Area, the United Kingdom, or Switzerland, Zoryxon relies on the Standard Contractual Clauses approved by the European Commission (including the UK International Data Transfer Addendum and the Swiss supplement, as applicable), the EU-U.S. Data Privacy Framework where applicable, and other lawful transfer mechanisms. The Standard Contractual Clauses are incorporated into our Data Processing Addendum.

9.2 Blockchain Globally Distributed

Public blockchain networks are globally distributed and operated by independent node operators across many jurisdictions. When you cause data to be written to a public blockchain, that data is replicated worldwide by operation of the network and is not subject to geographic transfer restrictions imposed on Zoryxon.

10. Data Retention

We retain personal information only for as long as is necessary to fulfill the purposes for which it was collected, including any legal, accounting, or reporting requirements. Retention periods differ depending on the category of data.

10.1 Off-Chain Retention Schedule

Account Data. Retained for the duration of your account plus thirty (30) days following account deletion, after which off-chain personal data is permanently deleted from active systems.
Transaction and Financial Records. Retained as required by applicable tax, accounting, and financial-regulation laws (generally up to seven (7) years).
Zora AI Conversation Logs. Retained up to twelve (12) months for service-quality purposes, then deleted.
Lead Capture Data. Retained until the user requests deletion or twenty-four (24) months from collection, whichever comes first.
Analytics Data. Aggregated or pseudonymized analytics retained up to twelve (12) months.
Compliance Records. Sanctions-screening outcomes and compliance audit entries are retained for the period required by applicable law, generally not less than five (5) years.
Encrypted Content in Decentralized Storage. Retained while your account is active. Upon account deletion, encrypted content is removed from active storage operated or contracted by Zoryxon. Copies may persist on distributed networks due to the nature of peer-to-peer storage.

10.2 On-Chain Records

Blockchain-anchored hashes, attestations, and proof records are permanent and immutable. These records consist of cryptographic derivations (for example, SHA-256 digests and ML-DSA-65 signature hashes) that, standing alone, do not reveal underlying personal data. We distinguish sharply between off-chain personal data (which is subject to the retention schedule above and to deletion rights) and on-chain cryptographic derivations (which are, by design, permanent and cannot be erased).

11. Your Rights

Depending on your jurisdiction and the circumstances of processing, you may have the rights described below. Additional region-specific rights are addressed in Sections 12 through 17.

11.1 GDPR / UK GDPR Rights

Access. Obtain confirmation of whether we process your personal data and, if so, a copy of that data.
Rectification. Request correction of inaccurate or incomplete personal data.
Erasure. Request deletion of off-chain personal data, subject to limitations including on-chain data immutability. Blockchain-anchored cryptographic derivations cannot be technically erased; we will, however, erase off-chain linkages where feasible.
Portability. Receive your personal data in a structured, commonly used, and machine-readable format, and transmit it to another controller where technically feasible.
Restriction. Request that we restrict processing of your personal data in certain circumstances.
Objection. Object to processing based on legitimate interests, including profiling.
Withdraw Consent. Withdraw any consent you have provided, without affecting the lawfulness of prior processing.

11.2 CCPA / CPRA Rights

Know. Request the categories and specific pieces of personal information we have collected, the categories of sources, the business purposes, and the categories of recipients.
Delete. Request deletion of personal information, subject to statutory exceptions and the immutability of blockchain data.
Opt Out of Sale/Sharing. Zoryxon does not sell personal information and does not share personal information for cross-context behavioral advertising.
Non-Discrimination. We will not discriminate against you for exercising any of your privacy rights.
Correct. Request correction of inaccurate personal information we maintain about you.
Limit Use of Sensitive Personal Information. Zoryxon does not use sensitive personal information for purposes beyond those permitted by the CPRA without further notice and, where required, opt-in consent.

11.3 How to Exercise Your Rights

To exercise any right described in this Policy, submit a request to privacy@zoryxon.com. We will verify your identity using information associated with your account (for example, control of a registered email address or signing a challenge with a registered wallet). We will respond to CCPA/CPRA requests within forty-five (45) days (extendable by an additional forty-five (45) days where permitted) and in any event consistent with the CCPA's response requirements. We will respond to GDPR/UK GDPR requests without undue delay and within one (1) month of receipt, extendable by up to two (2) further months for complex requests with notice to you.

11.4 Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection supervisory authority (for EEA residents), the UK Information Commissioner's Office (for UK residents), the Swiss Federal Data Protection and Information Commissioner (for Swiss residents), or the attorney general of your state of residence in the United States, if you believe our processing of your personal data violates applicable law. We encourage you to contact us first so we can attempt to resolve your concern directly.

13. CCPA/CPRA Compliance (California Residents)

For residents of the State of California, the following provisions apply under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the "CCPA").

13.1 Categories of Personal Information Collected

Identifiers (wallet address, email address, display name).
Internet or other electronic network activity information (usage analytics, feature interaction, log data).
Commercial information (transaction history, marketplace activity, billing records).
Geolocation information (country-level only, inferred from IP).
Inferences drawn from the foregoing (aggregated preferences and usage profiles).

13.2 Sources and Recipients

We collect the above categories directly from you, automatically through your use of the Services, and from third parties described in Section 2.4. We disclose the above categories only to service providers and subprocessors described in Section 6.1 and as otherwise described in Section 6.

13.3 No Sale or Sharing of Personal Information

Zoryxon does not sell personal information and does not share personal information for cross-context behavioral advertising within the meaning of the CCPA.

13.4 Rights

California residents may exercise the rights described in Section 11.2 by submitting a request to privacy@zoryxon.com. Authorized agents may submit requests on your behalf upon presentation of documentation authorizing the agent to act.

14. BIPA Compliance (Illinois Residents)

For users in the State of Illinois, the following provisions apply in compliance with the Illinois Biometric Information Privacy Act, 740 ILCS 14/ ("BIPA").

No Biometric Data Collection. Zoryxon does not collect, capture, purchase, receive through trade, or otherwise obtain biometric identifiers or biometric information as defined under BIPA, including but not limited to fingerprints, retina scans, iris scans, voiceprints, face geometry, hand geometry, or any other biometric identifier.
Humanity Verification Design. Our four-tier Humanity Verification system is specifically designed for BIPA compliance: Tier 1 uses self-attestation; Tier 2 uses social vouching; Tier 3 uses behavioral analysis that stores only a boolean pass/fail result (no numeric scores derived from biometric analysis); and Tier 4 uses zero-knowledge proofs that store only a proof hash. No raw biometric data is collected, transmitted, or stored at any tier.
Database Storage. Our database stores only a humanity level (unverified, bronze, silver, gold, platinum) and a boolean verification status, never numeric scores, biometric templates, or any data derived from biometric analysis.

15. California Shine the Light

California Civil Code Section 1798.83 permits California residents who have an established business relationship with Zoryxon to request, once per calendar year, a notice identifying the categories of personal information Zoryxon shared with third parties for those third parties' direct marketing purposes during the preceding calendar year. Zoryxon does not share personal information with third parties for their direct marketing purposes. To make a Shine the Light request, contact privacy@zoryxon.com with the subject line "California Shine the Light Request."

16. Nevada Privacy Rights

Under Nevada Revised Statutes Chapter 603A, as amended by Nevada Senate Bill 220 (2019), Nevada residents have the right to submit a verified request directing a covered operator not to make any sale of certain categories of personally identifiable information collected about them. Zoryxon does not sell covered information as defined by Nevada law. If you are a Nevada resident and wish to submit a verified request, contact privacy@zoryxon.com.

17. Do Not Track Signals

Some browsers transmit "Do Not Track" ("DNT") signals to websites. Because industry standards for responding to DNT signals have not been finalized, the Services do not currently respond differently to DNT signals. Zoryxon does not engage in cross-site tracking or targeted advertising irrespective of DNT signals. If a recognized standard for DNT signals is adopted, we will update this Policy accordingly.

18. Education Data

When providing services to educational institutions through the Education vertical, the following data-protection provisions apply.

Zoryxon contracts with educational institutions, not with individual students. All institutional relationships are governed by a written data processing agreement between Zoryxon and the institution.
When processing student education records on behalf of an educational institution, Zoryxon acts as a "school official" under the Family Educational Rights and Privacy Act, 20 U.S.C. Section 1232g ("FERPA"), with a legitimate educational interest, as defined by the institution's annual notification.
Student data is processed solely for the educational purpose specified in the institutional agreement and is never used for marketing, advertising, profiling, or any purpose unrelated to that agreement.
Student identity is cryptographically separated from blockchain data. On-chain hashes contain no personally identifiable information. The mapping between student identity and blockchain records is maintained only within the institution's secure environment.
Zoryxon does not create direct individual accounts for students under 18. Students under 18 access the Platform exclusively through institutional Education accounts administered by their school.
Institutional administrators maintain full control over student data access, including the ability to request deletion, export, or modification of student data.

19. Children's Privacy

The Services are not intended for, and are not directed to, individuals under the age of 18 for direct account creation. We do not knowingly collect personal information from children under the age of 13 in violation of the Children's Online Privacy Protection Act, 15 U.S.C. Sections 6501-6506 ("COPPA").

Students under 18 may access the Platform exclusively through institutional Education accounts administered by their school. They may not create individual accounts.
In institutional Education contexts, the school or educational institution is responsible for obtaining any required parental consent under COPPA and FERPA.
If we learn that we have collected personal information directly from a child under 13 outside of an institutional Education context, we will delete that information promptly.

If you believe a child under 13 has provided us with personal information outside of an institutional Education context, contact legal@zoryxon.com.

20. Cookies and Tracking Technologies

Zoryxon uses essential cookies for authentication and session management and limited preference cookies for functionality. We do not use advertising cookies, third-party marketing cookies, or engage in cross-site tracking. For complete detail regarding cookie categories, purposes, duration, and user controls, refer to our Cookie Policy.

21. Third-Party Links and Services

The Services may contain links to third-party websites, applications, wallets, decentralized applications, and services that are not operated or controlled by Zoryxon. Third-party services are governed by their own terms and privacy policies. Zoryxon is not responsible for the privacy practices, content, or security of third-party services, and inclusion of a link does not constitute endorsement. We encourage you to review the privacy notices of any third party before providing them with personal information.

The following categories of third-party services are integrated with the Services: public blockchain networks (Arbitrum, Ethereum, Hedera) and RPC providers (Alchemy); hosting and infrastructure providers (Vercel, Railway, Neon, Cloudflare); payment processor (Stripe); AI provider for the Zora assistant (Anthropic); transactional email delivery (SendGrid); sanctions screening (Chainalysis); and email infrastructure (Google Workspace). A current list is maintained at /subprocessors.

22. Data Breach Notification

In the event of a personal data breach, Zoryxon will notify affected users and relevant regulatory authorities within the timeframes required by applicable law. Notification will describe the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects. Zoryxon maintains written incident-response procedures designed to detect, contain, and remediate data breaches promptly.

23. Security Measures

We implement administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. Those safeguards include:

Non-Custodial Architecture. By design, Zoryxon never holds your private keys, unencrypted content, or user funds, eliminating the most critical attack vectors associated with centralized platforms.
Client-Side Encryption. AES-256-GCM authenticated encryption ensures that even in the event of a server compromise your content remains encrypted and inaccessible without locally held keys.
Transport Encryption. All traffic between user devices and Zoryxon systems is secured with TLS 1.3.
Post-Quantum Cryptography. ML-DSA-65 (NIST FIPS 204, formerly CRYSTALS-Dilithium) is integrated for future-proofed digital signatures, guarding against anticipated cryptanalytic advances.
Role-Based Access Controls. Internal access to systems is governed by least-privilege role-based access control with periodic review.
Audit Logging. Administrative and compliance-relevant events are recorded in a tamper-evident append-only audit log.
Smart Contract Security. Smart contracts are implemented using audited OpenZeppelin libraries with role-based access control, reentrancy protection, pausability, and UUPS-upgradeable patterns.
OFAC Sanctions Screening. Wallet addresses are screened against OFAC sanctions lists via the Chainalysis Sanctions Oracle.

For detailed technical and organizational security measures applicable to processor engagements, refer to our Data Processing Addendum.

24. SMS/Text Messaging

If you consent to receive SMS or text messages from Zoryxon, the following terms apply. Zoryxon may send text messages related to Platform services, account support, and business communications. Message frequency varies. Message and data rates may apply.

You may opt out of SMS messages at any time by replying STOP to any message. After opting out you will receive a confirmation message and no further SMS messages will be sent. For help, reply HELP to any message, or contact support@zoryxon.com.

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. Text messaging originator opt-in data and consent will not be shared with any third parties.

By providing your phone number and opting in to SMS communications, you consent to receive text messages from Zoryxon at the number provided. Your consent is not a condition of any purchase or use of the Services.

25. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. Material changes will be communicated through the Platform interface and, where feasible, by email to users who have provided an email address. We will provide at least thirty (30) days' advance notice before material changes take effect and will update the "Last Updated" date at the top of this Policy. Your continued use of the Services after the effective date constitutes acceptance of the updated Policy. If you do not agree with the changes, you must discontinue use of the Services before the effective date.

26. Severability

If any provision of this Policy is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction, the invalidity, illegality, or unenforceability of that provision shall not affect the remaining provisions, which shall remain in full force and effect to the maximum extent permitted by law. The parties shall endeavor in good faith to replace any invalid provision with a valid provision that most closely approximates the intent and economic effect of the invalid provision.

27. Governing Law

This Policy and any dispute or claim arising out of or in connection with it (including non-contractual disputes or claims) are governed by and construed in accordance with the laws of the State of Ohio, United States, without regard to its conflicts of law principles. Subject to mandatory consumer-protection laws of your jurisdiction that cannot be contracted around, the state and federal courts located in Stark County, Ohio, shall have exclusive jurisdiction over any dispute arising out of or relating to this Policy. This choice of law and forum does not deprive EEA, UK, or Swiss data subjects of mandatory protections under the GDPR, UK GDPR, or Swiss Federal Act on Data Protection, nor does it limit the jurisdiction of supervisory authorities under those regimes.

28. Contact Information

For questions or concerns regarding this Policy or our data practices, or to exercise any right described in this Policy, please contact us.

Zoryxon LLC

6545 Market Ave N

Canton, OH 44721

United States

Privacy inquiries and data-subject requests: privacy@zoryxon.com

Security disclosures: security@zoryxon.com

Legal notices: legal@zoryxon.com

General inquiries: info@zoryxon.com