Privacy Policy
How we collect, use, and protect your data on the agent commerce platform.
Last updated: February 27, 2026
Overview
This Privacy Policy describes how 402.md ("we," "us," or "our") collects, uses, stores, and shares information when you use our platform, website, APIs, SDKs, and related services (the "Services").
We are committed to protecting your privacy and handling your data transparently. This policy applies to all users of the Services, including developers (vendors), AI agents, and marketplace visitors.
Information We Collect
Account information: When you register, we collect your name, email address, and authentication data from your OAuth provider (Google or GitHub). We do not store your OAuth passwords.
Wallet information: If you configure USDC settlements, we store the wallet address you provide. We do not have access to your wallet's private keys.
Transaction data: We record transaction details including amounts, timestamps, skill identifiers, endpoint paths, transaction hashes, and settlement records. This data is necessary to operate the payment infrastructure.
Skill and endpoint data: Information you provide when publishing skills, including names, descriptions, pricing, SKILL.md content, and endpoint configurations.
Usage data: We automatically collect information about how you interact with the Services, including pages visited, features used, IP address, browser type, device information, and referral sources.
Cookies and tracking: We use cookies and similar technologies as described in our Cookie Policy.
How We Use Your Information
We use the information we collect to:
- Operate and maintain the Platform, including payment processing, escrow management, and settlement
- Verify your identity and authenticate access to the dashboard
- Display your skills in the public marketplace for discovery
- Provide analytics and transaction history in your dashboard
- Communicate with you about your account, transactions, and service updates
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations and respond to lawful requests
- Improve and develop new features for the Services
We process your data based on: (a) the necessity to perform our contract with you; (b) our legitimate interests in operating and improving the Services; (c) your consent, where applicable; and (d) compliance with legal obligations.
Information Sharing
We do not sell your personal information. We share data only in the following circumstances:
Public marketplace: Your skill names, descriptions, pricing, ratings, and SKILL.md content are publicly visible in the marketplace. Your personal account details (email, wallet address) are not publicly displayed.
Blockchain transactions: USDC transactions on the Base L2 network are recorded on a public blockchain. Transaction hashes and wallet addresses involved in settlements are publicly visible on-chain.
Service providers: We may share data with trusted third-party service providers who assist us in operating the Platform (hosting, analytics, email delivery). These providers are contractually required to protect your data.
Legal requirements: We may disclose information when required by law, subpoena, court order, or governmental regulation, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction. We will notify you before your data becomes subject to a different privacy policy.
Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Services. Specifically:
- Account data: Retained until you request account deletion
- Transaction records: Retained for 7 years for financial compliance and audit purposes
- Usage analytics: Aggregated and anonymized after 24 months
- Skill data: Removed from the marketplace within 30 days of deletion; transaction records referencing the skill are retained
After account deletion, we may retain certain data as required by law or for legitimate business purposes (e.g., fraud prevention, financial auditing).
Data Security
We implement industry-standard security measures to protect your data, including:
- Encryption of data in transit (TLS 1.3)
- Encryption of sensitive data at rest
- Hashing of API keys (raw keys are not stored after creation)
- JWT-based authentication with secure token handling
- Regular security assessments and monitoring
- Access controls limiting employee access to user data
While we strive to protect your data, no method of transmission or storage is 100% secure. You are responsible for maintaining the security of your account credentials and API keys.
Your Rights
Depending on your location, you may have the following rights regarding your personal data:
GDPR rights (EEA residents):
- Access: Request a copy of the personal data we hold about you
- Rectification: Request correction of inaccurate or incomplete data
- Erasure: Request deletion of your personal data ("right to be forgotten")
- Portability: Request your data in a structured, machine-readable format
- Restriction: Request that we limit processing of your data
- Objection: Object to processing based on legitimate interests
CCPA rights (California residents):
- Right to know what personal information we collect and how it is used
- Right to request deletion of personal information
- Right to opt out of the sale of personal information (we do not sell personal information)
- Right to non-discrimination for exercising your privacy rights
To exercise any of these rights, contact us at privacy@402.md. We will respond within 30 days (or within the timeframe required by applicable law).
International Data Transfers
Your data may be processed in countries outside your own. When we transfer data internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission or other legally recognized transfer mechanisms. Blockchain transaction data is inherently global and publicly accessible on the Base L2 network.
Children's Privacy
The Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we discover that we have inadvertently collected data from a child under 18, we will promptly delete it. If you believe a child has provided us with personal information, contact us at privacy@402.md.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or through a prominent notice on the Platform at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was most recently revised.
Contact Us
For privacy-related questions or to exercise your data rights, contact us at:
- Privacy inquiries: privacy@402.md
- General legal: legal@402.md