Privacy Policy

1. Data Controller

The data controller responsible for your personal data is:

For all privacy-related enquiries, data subject requests, or concerns about how we process your personal data, contact us at the email address above.

2. Information We Collect

When you create an account, we collect your email address and display name. When you use Trailbit's analysis tools, we process the Bitcoin transaction hashes and addresses you submit for analysis. We also collect standard usage analytics to improve the platform.

• Account data: Email address (required), display name (optional)
• Authentication: Password (hashed; never stored in plaintext)
• Analysis data: Transaction hashes and addresses you submit for tracing and analysis
• Usage data: Pages visited, features used, performance metrics (via Vercel Analytics)
• Datasets: Saved datasets, analysis results, and exported reports
• AI API key: Optional — only stored if you provide your own key (BYOK model)

3. Required vs. Optional Data

The following table clarifies which data is required to use the platform and which is optional:

Transaction hashes and Bitcoin addresses are publicly available blockchain data. They do not constitute personal data under GDPR in isolation.

4. Legal Basis for Processing

We process your personal data only where we have a lawful basis under GDPR Article 6. The table below maps each processing activity to its legal basis:

Where we rely on legitimate interest, we have balanced that interest against your rights and concluded that our interest does not override your fundamental rights and freedoms.

5. How We Use Your Data

• To provide transaction tracing, risk analysis, and analytical reporting services
• To save your datasets, traces, and analysis results to your account
• To send transactional notifications (e.g., analysis completion alerts)
• To process payments and manage your subscription
• To monitor platform stability and diagnose errors
• To improve platform performance and user experience

6. Data Storage & Security

Your data is stored in a PostgreSQL database hosted by Supabase with Row-Level Security (RLS) enabled — meaning your datasets and analysis results are accessible only to your account. All data is encrypted in transit via HTTPS.

User authentication is handled by Supabase Auth. Payment information is processed and stored exclusively by Stripe — we never see or store your card details.

7. Recipients and Data Sharing

We do not sell personal data to third parties. We share data only with the following categories of recipients to the extent necessary to operate the platform:

• Supabase — Database hosting, authentication, and real-time services. Acts as a data processor on our behalf.
• Vercel — Application hosting and web analytics. Acts as a data processor on our behalf.
• Stripe — Payment processing and subscription management. Independently responsible for payment data.
• Sentry — Error monitoring and performance tracking. Receives anonymised diagnostic data including stack traces.
• Anthropic (AI features) — Only when you provide your own API key (BYOK). Data submitted to AI features is sent directly to Anthropic under your own API key; we do not retain or process that data.
• Public blockchain APIs — Bitcoin transaction data is retrieved from public sources (e.g., Blockchair, Mempool.space). No personal data is transmitted to these services beyond the public transaction hashes and addresses you analyse.

8. International Data Transfers

Some of our service providers operate outside the European Economic Area (EEA). We ensure that all such transfers are covered by appropriate safeguards:

You may request a copy of the applicable transfer mechanisms by contacting us at contact@trailbit.io.

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

10. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights:

• Right to access (Article 15) — Obtain confirmation of whether we process your data and request a copy of it.
• Right to rectification (Article 16) — Request correction of inaccurate or incomplete personal data.
• Right to erasure / “right to be forgotten” (Article 17) — Request deletion of your personal data where there is no compelling reason for continued processing.
• Right to restriction of processing (Article 18) — Request that we limit how we use your data in certain circumstances.
• Right to data portability (Article 20) — Receive your data in a structured, machine-readable format and transfer it to another controller.
• Right to object (Article 21) — Object to processing based on legitimate interest, including profiling.
• Right to withdraw consent (Article 7(3)) — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, email contact@trailbit.io. We will respond within 30 days.

11. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:

• Right to Know — You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the purposes, and the categories of third parties with whom we share it.
• Right to Delete — You may request deletion of your personal information, subject to certain legal exceptions.
• Right to Correct — You may request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing — We do not sell or share your personal information for cross-context behavioral advertising purposes.
• Right to Non-Discrimination — We will not discriminate against you for exercising your CCPA rights.

To exercise these rights, contact us at privacy@trailbit.io. We will respond to verifiable consumer requests within 45 days.

12. Withdrawing Consent

Where we rely on your consent to process personal data, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

You can withdraw consent by:

• Emailing contact@trailbit.io to request specific processing activities be stopped
• Deleting your account through your profile settings, which removes all account data

13. Automated Decision-Making and Profiling

Trailbit uses automated heuristic analysis to generate risk scores and pattern classifications for Bitcoin addresses and transactions. We disclose the following:

• Risk scores are generated by probabilistic heuristics, not deterministic facts. They are indicators that require human review before any compliance or regulatory action is taken.
• AI-assisted features use your own API key; all outputs are advisory only and do not constitute automated decisions with legal or similarly significant effects.
• No fully automated decisions are made that produce legal effects or similarly significant effects on individuals without human review.
• Human review — You may request human review of any automated assessment by contacting contact@trailbit.io.

14. Blockchain Data Notice

Trailbit analyses publicly available blockchain data only. We do not store, transmit, or have access to private keys. All analysis results are derived from information that is already part of the public Bitcoin blockchain record.

Transaction hashes and addresses you submit are used solely for analysis purposes and are not shared with third parties beyond what is necessary to retrieve blockchain data from public APIs.

15. Law Enforcement Access Applications

When law enforcement agencies apply for platform access, we collect: agency name, country, contact name, role, official email address, agency website, and intended use case. This data is processed under legitimate interest (Article 6(1)(f)) for the purpose of verifying agency identity and managing access. Application data is retained for up to 12 months and deleted after the review process is complete or the application period expires.

16. Cookies & Analytics

We use a theme preference cookie to remember your display settings. Vercel Analytics collects anonymised usage data to help us improve the platform. We do not use advertising cookies or third-party tracking pixels.

17. Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with applicable data protection law, you have the right to lodge a complaint with the supervisory authority in Cyprus:

We encourage you to contact us first at contact@trailbit.io so we have the opportunity to address your concern directly.

18. Changes to This Policy

We will notify users of material changes to this policy via email. Continued use of the platform after changes take effect constitutes acceptance of the updated policy. For material changes to how we process your personal data, we will notify you and seek fresh consent where required by applicable law.