Privacy Policy

1. WHAT INFORMATION WE COLLECT

Information You Provide Directly

When you create an account, use our Services, or communicate with us, we may collect the following categories of personal information:

• Account and Identity Information: Your name, email address, username, and password (stored in hashed form) when you register for an account.
• Blockchain and Cryptocurrency Data: Public wallet addresses, public keys, transaction hashes, exchange account identifiers, and other on-chain or exchange-sourced data you connect or upload to our Services. This data is publicly available on blockchain networks; we process it on your behalf to generate tax reports and portfolio analytics.
• Financial and Tax Information: Transaction records, trade histories, staking rewards, DeFi protocol interactions, cost-basis data, and gain/loss calculations derived from your connected accounts and wallets. You may also upload CSV files exported from exchanges.
• Payment Information: When you subscribe to a paid plan, our payment processor (Stripe) collects your credit or debit card number, billing address, and related billing information directly. We do not store full card numbers on our servers. We retain your subscription tier, billing history, and Stripe customer identifier.
• Communications: Messages, support requests, feedback, and other content you send to us directly via email or support channels.

Information We Collect Automatically

When you access or use our Services, we automatically collect certain technical and usage information, including:

• Log and Device Data: IP address, browser type and version, operating system, device identifiers, referring URLs, pages visited, time spent on pages, and other diagnostic data.
• Usage Data: Features accessed, reports generated, wallets connected, filters applied, export actions, and other interactions with the Services.
• Session Information: Authentication tokens and session data managed through our authentication provider (Clerk) to keep you securely logged in.
• Cookies and Similar Technologies: See Section 5 for details on our use of cookies and tracking technologies.

Information from Third Parties

We may receive information about you from third-party services you authorize or connect to our platform, including:

• Cryptocurrency Exchanges: When you connect an exchange account via API key or OAuth, we receive trade history, balances, and transaction records from that exchange (e.g., Coinbase, Uphold, and others).
• Blockchain Networks: We query public blockchain APIs (e.g., Helius for Solana, Blockfrost for Cardano, public XRP Ledger nodes) to retrieve on-chain transaction data associated with wallet addresses you provide.
• Authentication Providers: If you sign in using a social or identity provider (e.g., Google, GitHub) through Clerk, we receive your name, email address, and profile photo as provided by that service.
• Price Data Providers: We use CoinGecko, CoinMarketCap, and similar services to retrieve historical and real-time asset prices for tax calculation purposes. This does not involve sharing your personal data with those providers.

2. HOW WE COLLECT YOUR INFORMATION

We collect information through the following means:

• Directly from you when you create an account, enter wallet addresses, upload CSV files, connect exchange APIs, complete forms, or contact support.
• Automatically through cookies, web beacons, server logs, and similar technologies as you navigate and interact with our Services.
• From third-party services you authorize to share data with us, including cryptocurrency exchanges and blockchain network APIs.
• From public blockchain networks, where transaction data associated with wallet addresses you provide is publicly accessible.

3. HOW WE USE YOUR INFORMATION

We use the information we collect for the following purposes:

• To provide and operate the Services: Processing your cryptocurrency transaction data, calculating cost basis, generating tax reports (Form 8949, Schedule D, TurboTax .txf exports), and delivering portfolio analytics.
• To manage your account: Creating and maintaining your user account, authenticating your identity, processing subscription payments, and managing your subscription tier.
• To communicate with you: Sending transactional emails (account confirmations, password resets, payment receipts), product updates, and, where you have opted in, promotional communications. We use Resend to deliver email communications.
• To improve the Services: Analyzing usage patterns, diagnosing technical issues, conducting research, and developing new features. We use aggregated and de-identified data for these purposes where possible.
• To ensure security and prevent fraud: Monitoring for unauthorized access, detecting and preventing abuse, enforcing our Terms of Service, and complying with applicable law.
• To comply with legal obligations: Responding to lawful requests from government authorities, complying with applicable tax and financial recordkeeping requirements, and enforcing our agreements.
• To fulfill your requests: Responding to your support inquiries, processing data export requests, and carrying out any other purpose described to you at the time of collection.

We do not sell your personal data. We do not use your cryptocurrency transaction data or tax information for advertising purposes.

4. WHEN WE SHARE YOUR INFORMATION

We do not sell, rent, or trade your personal information to third parties for their own marketing purposes. We may share your information only in the following circumstances:

• Service Providers (Processors): We share information with trusted third-party vendors who perform services on our behalf and who are contractually obligated to protect your data. These include:
  • Clerk (clerk.com) — Authentication and user identity management
  • Stripe (stripe.com) — Payment processing and subscription billing
  • Resend (resend.com) — Transactional email delivery
  • Railway (railway.app) — Cloud infrastructure and hosting
  • PostgreSQL database provider — Secure, encrypted data storage
• Legal Compliance: We may disclose your information if required to do so by law, court order, or governmental or regulatory authority, or if we believe in good faith that disclosure is necessary to protect our rights, prevent fraud, or protect the safety of our users or others.
• Business Transfers: If ChainTally LLC is involved in a merger, acquisition, financing, reorganization, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.
• With Your Consent: We may share your information for any other purpose with your explicit consent.
• Aggregated or De-identified Data: We may share aggregated or de-identified information (which cannot reasonably be used to identify you) with business partners, researchers, or for public reporting purposes.

All third-party service providers listed above are required to use your information only to perform services on our behalf and are prohibited from using your information for their own marketing or commercial purposes.

5. COOKIES AND TRACKING TECHNOLOGIES

We use cookies and similar tracking technologies to operate and improve our Services.

Types of Cookies We Use

• Strictly Necessary Cookies: Essential for the Services to function. These include session and authentication cookies set by Clerk to keep you logged in and to protect your account. You cannot opt out of these without affecting core functionality.
• Functional Cookies: Used to remember your preferences (e.g., selected tax method, display settings) and provide a personalized experience.
• Analytics Cookies: Used to understand how users interact with our Services (e.g., pages visited, features used, error rates). Data collected is aggregated and used to improve the Services.

Your Cookie Choices

You can control cookies through your browser settings. Most browsers allow you to refuse cookies or delete cookies already stored. Please note that disabling cookies may affect the functionality of our Services, including your ability to stay logged in. Consult your browser's help documentation for instructions on managing cookies.

We do not currently respond to "Do Not Track" (DNT) signals because no uniform standard for DNT has been adopted. We will revisit this policy if a standard is established.

6. HOW LONG WE KEEP YOUR INFORMATION

We retain your personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, including providing the Services, maintaining your account, complying with legal obligations, resolving disputes, and enforcing our agreements.

• Account data is retained for the duration of your account and for a reasonable period after account deletion to allow for account recovery, dispute resolution, or compliance with legal obligations.
• Transaction and tax data you upload or sync may be retained for up to seven (7) years after the relevant tax year to support audit-defensible records, unless you request deletion sooner (subject to legal retention requirements).
• Payment records are retained as required by applicable financial recordkeeping laws, typically for a minimum of seven (7) years.
• Log and usage data is typically retained for up to ninety (90) days for security and diagnostic purposes.

When we no longer need your information, we will securely delete or anonymize it. If deletion is not immediately possible (e.g., because data is stored in backup archives), we will securely isolate and protect the data until deletion is possible.

7. HOW WE PROTECT YOUR INFORMATION

We implement appropriate technical and organizational measures designed to protect your personal information against unauthorized access, loss, destruction, or alteration. These measures include:

• Encryption of data in transit using TLS/HTTPS.
• Encryption of sensitive data at rest, including passwords stored as salted hashes.
• Role-based access controls limiting employee access to personal data to those with a legitimate business need.
• Use of SOC 2-compliant infrastructure providers (Railway for hosting; Stripe for payments; Clerk for authentication).
• Regular security reviews and vulnerability assessments.
• API keys you provide for exchange connections are encrypted at rest and are never displayed in plaintext after initial entry.

Despite these measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and any applicable authorities as required by law.

8. YOUR PRIVACY RIGHTS

Depending on your location and applicable law, you may have the following rights with respect to your personal information:

• Access: The right to request a copy of the personal information we hold about you.
• Correction: The right to request that we correct inaccurate or incomplete personal information.
• Deletion: The right to request that we delete your personal information, subject to certain exceptions (e.g., legal retention requirements).
• Portability: The right to receive a copy of your personal information in a structured, machine-readable format.
• Objection / Restriction: The right to object to or request restriction of certain processing of your personal information.
• Withdraw Consent: Where processing is based on your consent, the right to withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
• Opt-Out of Marketing: You may unsubscribe from marketing emails at any time using the unsubscribe link in any marketing email or by contacting us directly. Opting out does not affect transactional emails related to your account.

To exercise any of these rights, please contact us at privacy@chaintally.io. We will respond to your request within the timeframe required by applicable law (typically 30–45 days). We may need to verify your identity before processing your request.

You also have the right to lodge a complaint with your applicable data protection authority if you believe we have processed your information unlawfully.

9. CHILDREN'S PRIVACY

Our Services are not directed to children under the age of 18, and we do not knowingly collect personal information from anyone under 18 years of age. If you are under 18, you are not permitted to register for or use our Services.

If we learn that we have inadvertently collected personal information from a child under 18, we will take steps to delete that information as quickly as possible. If you believe we may have collected information from a child under 18, please contact us at privacy@chaintally.io.

10. THIRD-PARTY SERVICES AND LINKS

Our Services may contain links to third-party websites, exchanges, blockchain explorers, or other external services. These third-party services are governed by their own privacy policies, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access through our Services.

When you connect an exchange account (e.g., Coinbase, Uphold) to our Services via API key or OAuth, you are also subject to that exchange's terms of service and privacy policy. We request only the minimum permissions necessary to retrieve your transaction history (read-only access) and do not request trading or withdrawal permissions.

We are not responsible for the availability, accuracy, or privacy practices of any third-party exchange, blockchain network, or data provider.

11. CRYPTOCURRENCY AND BLOCKCHAIN DATA

By its nature, blockchain transaction data is publicly recorded and permanently accessible on public blockchain networks. When you provide us with a wallet address, we query publicly available blockchain data associated with that address. We do not publish, sell, or otherwise expose your wallet addresses or associated transaction data to third parties beyond what is described in Section 4.

ChainTally does not provide tax, legal, financial, or investment advice. The tax calculations, reports, and information generated through the Services are provided for informational and organizational purposes only. You are solely responsible for verifying the accuracy of all calculations, ensuring compliance with applicable tax laws, and consulting a qualified tax professional before filing any tax return. ChainTally LLC assumes no liability for tax positions taken in reliance on information generated by the Services.

You represent and warrant that you have lawful authority to access and report on any wallet addresses and exchange accounts you connect to our Services.

12. CALIFORNIA PRIVACY RIGHTS

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) may provide you with additional rights regarding our use of your personal information.

Categories of Personal Information Collected

In the past twelve (12) months, we have collected the following categories of personal information as defined under California law:

• Identifiers (name, email address, IP address, account username)
• Financial information (cryptocurrency transaction data, cost basis, gain/loss records, payment card billing information via Stripe)
• Internet or network activity (log data, usage analytics)
• Inferences drawn from the above to create a user profile for service delivery

Your California Rights

As a California resident, you have the right to:

• Know what personal information we collect, use, disclose, and sell about you.
• Delete personal information we have collected about you, subject to certain exceptions.
• Correct inaccurate personal information we maintain about you.
• Opt-Out of the sale or sharing of your personal information. We do not sell your personal information.
• Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

To exercise your California privacy rights, please contact us at privacy@chaintally.io. We will verify your identity before processing your request. You may also designate an authorized agent to make a request on your behalf; we may require written proof of authorization.

13. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. When we make material changes, we will notify you by updating the "Last updated" date at the top of this Privacy Policy and, where required by law or where we consider it appropriate, by sending you a notice via email or through the Services.

Your continued use of the Services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree to the updated policy, you must stop using the Services and may request deletion of your account.

14. CONTACT US

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:

For general inquiries: legal@chaintally.io