Privacy Policy

Last updated: 2025-09-09

Overview

This Privacy Policy describes how Sanaol (“Sanaol”, “we”, “us”, or “our”) collects, uses, discloses, and safeguards information when you use our websites, APIs, mobile or desktop software, and related services (collectively, the “Service”). By using the Service, you agree to this policy. If you do not agree, please do not use the Service.

This policy is intended to comply with applicable laws including the Philippine Data Privacy Act (DPA), the EU/UK General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA), as applicable.

Key Definitions

Personal Data: any information that identifies or can reasonably be linked to an individual.
Processor / Sub-processor: third parties we contract to process data on our behalf.
On-chain data: publicly recorded transactions and addresses on supported blockchains.
Usage Data: technical information about how you interact with the Service (e.g., logs, diagnostics).

Data We Collect

1) Account & Profile

Identifiers: name, email, username/handle.
Credentials: password hash (never plaintext), 2FA/OTP seed(s) if you enable them.
Organization details (if applicable): agency/LGU name, role, permissions.

2) Service & Transactional

Support interactions, preferences, saved settings.
Records of actions you take in the app (e.g., submissions, exports).

3) Usage & Device

Log data (IP address, timestamps, pages viewed, referrer).
Device/Browser info (type, OS, version), locale, language, crash reports.
Cookies, localStorage, and similar technologies (see “Cookies & Tracking”).

4) On-Chain

Public wallet addresses you add or connect.
Transaction metadata we index: hashes, amounts, program IDs, slot/height, timestamps.
Mappings/labels you voluntarily assign (e.g., naming a public address for your own reference).

5) From Third Parties (as permitted)

Auth providers (e.g., OAuth) — basic profile/identifier info.
Analytics/service providers — aggregated or pseudonymous usage signals.
Open data sources — public datasets for transparency/verification use cases.

Lawful Bases (GDPR/UK GDPR)

Contract: to provide and operate the Service you request.
Legitimate interests: to secure, improve, and measure the Service, combat abuse, and prevent fraud.
Consent: for optional features (e.g., certain cookies/analytics, marketing communications).
Legal obligation: to comply with applicable laws or valid requests.

How We Use Data

Provide, maintain, and personalize the Service.
Authenticate users, authorize access, and enforce policies.
Monitor reliability and performance; detect, prevent, and investigate abuse or security incidents.
Develop new features; analyze usage and trends.
Communicate with you about updates, support, security, and administrative topics.
Comply with legal requirements and respond to lawful requests.

Cookies & Tracking

We use strictly necessary cookies to log you in and keep your session secure. With your consent (where required), we may also use preference, performance, and analytics cookies. You can manage cookie settings in your browser and, if available, in our in-product cookie controls.

Analytics & Metrics

We may collect aggregate metrics (e.g., page views, feature adoption) and pseudonymous usage data to understand how the Service is used. Where required, analytics operate on the basis of your consent and can be disabled.

On-Chain Transparency & Limitations

Blockchain transactions (including addresses and amounts) are publicly accessible and generally immutable once confirmed. If you publish data on-chain, removal or modification may not be possible. Our indexers and explorer UI present on-chain records and associated metadata for transparency. Take care not to embed personal data into transaction memos or program fields unless you intend for that information to be public and permanent.

AI & Automated Decision-Making

We may use automated systems for fraud/spam detection, abuse prevention, and to surface relevant content (e.g., search). We do not use automated decision-making that produces legal or similarly significant effects without human review. Where AI-assisted features exist, they are designed to respect your privacy; training on your personal data is not performed without an appropriate legal basis (usually your explicit instruction or consent).

Security

Encryption in transit (HTTPS/TLS); encryption at rest where supported by our infrastructure.
Hashed passwords using industry-standard algorithms; optional multi-factor authentication.
Access controls, least-privilege practices, audit logging for sensitive operations.
Secure development lifecycle, vulnerability management, and regular dependency updates.

Incident response: if we become aware of a breach affecting your data, we will investigate promptly and notify you and/or regulators as required by law.

Data Retention

Account data: retained while your account is active and for a reasonable period after closure for audit, security, and legal obligations.
Logs & telemetry: typically short- to medium-term retention for security and reliability (subject to legal requirements).
On-chain data: persists indefinitely on the blockchain; our indexes may cache/replicate public data.
We anonymize or delete data when it is no longer needed for the purposes outlined in this Policy.

International Transfers

We may process data in countries outside your own. Where required, we implement appropriate safeguards (e.g., Standard Contractual Clauses) to protect personal data transferred internationally.

Your Privacy Rights

Depending on your location, you may have rights to access, correct, delete, or export your personal data; to object to or restrict certain processing; and to withdraw consent where processing is based on consent.

Access/Portability: receive a copy of your data in a portable format.
Rectification: correct inaccurate or incomplete data.
Erasure: request deletion where legally permissible.
Restriction/Objection: limit or object to certain processing.
Consent withdrawal: opt out of consent-based processing (e.g., certain analytics/marketing).
Appeals (where applicable): contest a decision on your request.

To exercise rights, email privacy@sanaol.net. We may need to verify your identity. Authorized agents (CCPA) may submit requests with appropriate authorization. We will respond within the timeframes required by law.

Do Not Track

Many browsers offer a “Do Not Track” (DNT) setting. Because there is no industry consensus on how to respond to DNT signals, our Service may not respond to them. You can control certain tracking via cookie settings and device permissions.

Third-Party Links & Services

The Service may link to third-party sites or integrate third-party services (e.g., wallets, data providers). We are not responsible for their privacy practices. Review their policies before providing personal data.

Service Providers / Sub-processors

We use third-party providers for hosting, storage, analytics, email delivery, security monitoring, and on-chain data indexing. A current list can be requested at privacy@sanaol.net. We will update this policy or our public list when material changes occur.

Children

The Service is not directed to children under 13 (or the age defined by local law). If we learn that we have collected personal data from a child without appropriate consent, we will take steps to delete it.

Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version with a new “Last updated” date. For material changes, we may provide additional notice (e.g., in-app banner or email).

Contact Us

Questions or requests? Email privacy@sanaol.net or support@sanaol.net.

If you have unresolved concerns, you may have the right to contact your local data protection authority.