Privacy Policy
Version 1 — Last updated: April 2026
1. Data Controller
At the time of this Policy, Vibestarter does not yet have an incorporated operating entity. The data controller is an individual founder resident in Luxembourg, acting as promoter for a Luxembourg operating entity to be formed. Upon formation, the controller role will pass to that entity; you will be notified of any material change to the identity of the controller.
For all data-subject-rights requests and privacy questions, contact: privacy@vibestarter.xyz.
2. What Data We Process
We process the following categories of personal data:
- Wallet addresses (primary identifier) and the on-chain activity associated with them on the Base network.
- X (Twitter) handle, numeric ID, and signature proof of ownership where you link an X account.
- GitHub username, commit count, organisation memberships, and repository URL for founder applications.
- Ethos reputation score cached from the public Ethos API.
- Farcaster FID where you link a Farcaster account.
- Contribution amounts, transaction hashes, and tokens allocated for raises you participate in.
- Founder application content: project name, tagline, description, website URL, repository URL, funding range, AI tool used.
- Legal acceptance records: wallet, agreement ID + version + hash, wallet signature, hashed IP, user-agent string.
- Sanctions screening audit log: wallet, screening outcome (clear / sanctioned / skipped / error), source, oracle address, chain ID.
- Starter Card data: composite score, level (1–5), referral code, quest completion state.
- Session and authentication data via Privy (our authentication provider).
- Request metadata captured by Vercel edge infrastructure (including IP address, user agent) for security and abuse prevention. IPs are not linked to user profiles in our database; where we store them for legal-acceptance audit purposes, they are hashed.
We do not collect: email addresses (except for the privacy contact above, which receives mail but does not feed into platform accounts), legal names, dates of birth, government ID documents, home addresses, or phone numbers.
3. Lawful Bases
- Performance of a contract (GDPR Art. 6(1)(b)): wallet-level platform operations, legal-acceptance signatures, founder application processing.
- Legitimate interests (Art. 6(1)(f)): security, abuse and Sybil prevention, sanctions screening, audit logging, reputation enrichment via Ethos.
- Legal obligation (Art. 6(1)(c)): sanctions screening where required by applicable law; record-keeping for legal-acceptance events.
- Consent (Art. 6(1)(a)): where we rely on your OAuth consent to fetch X or GitHub data.
4. Sub-processors
We use the following sub-processors to deliver the platform:
- Vercel, Inc. — hosting, edge runtime, CDN (United States).
- Supabase, Inc. — managed PostgreSQL database (region may vary).
- Privy — wallet authentication and session management.
- Ethos — reputation scoring API (public data).
- X (Twitter) — OAuth identity provider.
- GitHub, Inc. — OAuth identity provider (founder applications).
- Chainalysis — on-chain sanctions oracle (read-only contract call; no personal data transmitted off-chain).
- DexScreener — on-chain price and liquidity data (no personal data transmitted).
- RPC providers — PublicNode, Tenderly, or equivalent for Base RPC calls.
- Base network — all on-chain activity is public and processed by the Base L2 and its node operators.
Where sub-processors are located outside the EU, transfers rely on the applicable vendor's Standard Contractual Clauses, adequacy decisions, or other appropriate safeguards under GDPR Chapter V.
5. On-chain Data and the Right to Erasure
Data written to the Base blockchain — wallet addresses, transaction hashes, token balances, contribution amounts — is immutable and cannot be erased by the operator or any other party. This is a property of public blockchains. Where you exercise your right to erasure, we will erase identifiable off-chain data (such as X / GitHub handles linked to your wallet in our database) to the extent we can do so without breaking audit or legal obligations. The on-chain record will remain.
6. Retention
- Legal acceptance records, sanctions screening logs, and moderation audit logs: 5 years (AML / audit baseline).
- Founder application content: retained while the applicant's status is active; 1 year after rejection or withdrawal, unless required longer for audit purposes.
- Enrichment caches (Ethos, GitHub, X): refreshed periodically; older snapshots retained up to 12 months.
- Session data: durations set by Privy; see their policy.
- On-chain data: not applicable (immutable).
7. Your Rights (GDPR)
Where GDPR applies to processing of your personal data, you have the right to:
- Request access to your data (Art. 15).
- Request rectification of inaccurate data (Art. 16).
- Request erasure (Art. 17) — subject to the blockchain-immutability limitation described in §5.
- Restrict processing (Art. 18).
- Data portability (Art. 20).
- Object to processing based on legitimate interests (Art. 21).
- Withdraw consent, where processing is based on consent, at any time.
- Lodge a complaint with the Luxembourg data-protection authority (CNPD) or the supervisory authority in your member state.
To exercise these rights, email privacy@vibestarter.xyz. We respond within 30 days.
8. Cookies and Tracking
The platform uses only strictly necessary storage (session cookies for authentication, CSRF tokens, UI preferences). We do not set marketing or analytics cookies, and we do not deploy third-party trackers (no Google Analytics, no Meta Pixel, no advertising-network trackers). No cookie-consent banner is required because no non-essential cookies are set.
9. Security
We take commercially reasonable measures to protect personal data, including transport-layer encryption (TLS), access controls on the database, minimisation of the data we collect, hashing of IPs, signed legal acceptances as evidence of authenticity, and separation of platform / operator / protocol-admin wallet roles. No system is perfectly secure; we cannot guarantee absolute security of data in transit or at rest.
10. Children
The platform is not directed at children under 18. We do not knowingly process personal data of children.
11. Automated Decision-making
Sanctions screening returns a binary match result from the Chainalysis oracle, and a positive match automatically blocks platform actions. This is the only automated decision that produces legal effects on you. You have the right to challenge such a decision and obtain human review by contacting privacy@vibestarter.xyz.
12. Changes
We may update this Policy. Material changes will be versioned. Your continued use after a published update constitutes acceptance, subject to your right to object or withdraw consent.