Launch draft privacy policy for GNOM data flows.
GNOM Privacy Policy
Version: 0.1
Date: 2026-05-06
Status: launch draft - requires qualified legal review before publication
This document is a product/legal-review draft. It is not legal or regulatory advice. The placeholders below must be reviewed and completed by qualified counsel before public launch.
1. Who this policy covers
This Privacy Policy explains how [LEGAL_ENTITY_NAME], a [LEGAL_ENTITY_TYPE] organized in [LEGAL_ENTITY_JURISDICTION] ("GNOM", "we", "us", or "our"), collects, uses, shares, and protects information when you use the GNOM websites, application, APIs, smart-contract interfaces, documentation, project creation tools, funding flows, token claim flows, and related services (collectively, the "Services").
This policy should be read together with the GNOM Terms of Service.
2. Current data-flow summary
GNOM is wallet-first. At launch, the core account identifier is a public wallet address, not a username/password account.
Current stack assumptions reflected in this draft:
- wallet authentication uses Sign-In with Ethereum (SIWE);
- the frontend stores the JWT access token in browser localStorage;
- the backend stores user, project, stage, task, comment, investment, activation-contribution, notification, reputation, and admin-action records in PostgreSQL;
- analytics uses self-hosted Umami at analytics.gnom.one, configured as cookieless aggregate analytics;
- frontend error tracking uses a self-hosted Bugsink instance at errors.gnom.one through the Sentry protocol;
- logs and observability run on GNOM-controlled infrastructure using Traefik, Prometheus, Loki, Grafana, and related services;
- AI features use Groq through an OpenAI-compatible SDK when GROQ_API_KEY is configured; otherwise mock responses are used.
If launch configuration changes, this policy must be updated before publication.
3. Information we collect
Wallet and authentication data
We may collect:
- wallet address;
- SIWE nonce;
- SIWE message and signature during verification;
- JWT access token and token metadata;
- chain ID, connected-wallet state, and related wallet interaction metadata.
Private keys, seed phrases, and wallet recovery phrases are never requested by GNOM and should never be shared with us.
Platform account and activity data
We may collect:
- user ID, wallet address, role, reputation, creation time, and update time;
- projects you create, including title, description, tier, domain, complexity, status, activation state, activation target, contribution totals, logo, and project specification data;
- stages, tasks, task dependencies, bounties, deliverables, task results, task status, and reward amounts;
- investments, activation contributions, refund status, transaction hashes, token estimates, and related funding records;
- comments, notifications, reputation events, admin actions, moderation actions, and support or dispute records;
- public blockchain data needed to display balances, transactions, claims, stages, vaults, token contracts, or project contracts.
Some of this information may be publicly visible in the Services, on public blockchains, or through block explorers.
User-generated and AI-assisted content
We may collect project ideas, prompts, draft specifications, chat messages, generated project text, generated code, task descriptions, AI reviews, comments, task submissions, and other content you submit or generate through the Services.
When AI features are enabled, relevant prompts and context may be sent to Groq for model inference. Do not submit secrets, private keys, seed phrases, confidential business information, or personal data that you do not want processed by an AI provider.
Uploaded files
The current backend supports project logo uploads. Uploaded files may include file metadata, file contents, storage paths or URLs, upload time, project association, and related moderation or security-review metadata.
Technical, device, and log data
We may collect:
- IP address, user agent, request path, timestamps, status codes, referrer, and network metadata;
- device, browser, operating-system, language, viewport, and performance metadata;
- API errors, application errors, stack traces, release version, environment, and debug breadcrumbs;
- rate-limit, abuse-prevention, security, and infrastructure logs.
Telemetry is scrubbed according to docs/architecture/pii-policy.md: authorization headers, cookies, SIWE signatures, nonces, private-key-like fields, request bodies, and sensitive values are blocked or redacted; wallet addresses are masked or dropped in analytics/error contexts where possible.
Analytics data
GNOM uses self-hosted Umami for funnel analytics. Umami is configured without cookies. It records aggregate page views and product events such as app open, wallet connect, sign-in, project creation, activation, project view, and investment flow events.
Analytics event payloads are scrubbed before sending:
- wallet, address, transaction hash, and email fields are dropped;
- auth, token, password, signature, nonce, SIWE message, and private fields are dropped;
- address-shaped strings are masked;
- amounts are bucketed instead of sent as raw values where instrumented that way.
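As an added illustration, not GNOM's code and not the content of docs/architecture/pii-policy.md, the following browser-side scrubber applies the four rules above to an event payload before it is handed to the analytics script. The key patterns, the amount field names, and the bucket edges are assumptions.

```javascript
// Added example, not GNOM's code: scrub an analytics event payload per the four rules
// above. Key patterns, amount field names and bucket edges are assumptions.
// Rules 1 and 2: drop any field whose key matches one of these patterns.
const DROP_KEY_PATTERNS = [
  /wallet/i, /address/i, /tx_?hash/i, /transaction/i, /email/i,
  /auth/i, /token/i, /password/i, /signature/i, /nonce/i, /siwe/i, /private/i,
];
// Rule 3: EVM-shaped identifiers inside free-text values (Gnosis Chain is EVM-compatible).
const TXHASH_RE = /0x[0-9a-fA-F]{64}/g;
const ADDRESS_RE = /0x[0-9a-fA-F]{40}/g;
// Rule 4: amount fields (assumed names) are bucketed rather than sent raw.
const AMOUNT_KEYS = new Set(['amount', 'value', 'contribution']);
function bucketAmount(raw) {
  const v = Number(raw);
  if (!Number.isFinite(v) || v < 0) return 'unknown';
  if (v === 0) return '0';
  if (v < 10) return '<10';
  if (v < 100) return '10-100';
  if (v < 1000) return '100-1k';
  return '>=1k';
}
function maskAddressShaped(text) {
  // Replace 64-hex hashes first so the 40-hex address pattern cannot match inside one.
  return text
    .replace(TXHASH_RE, '[hash]')
    .replace(ADDRESS_RE, (m) => `${m.slice(0, 6)}...${m.slice(-4)}`);
}
function scrubValue(v) {
  if (typeof v === 'string') return maskAddressShaped(v);
  if (Array.isArray(v)) return v.map(scrubValue);
  if (v && typeof v === 'object') return scrubEventPayload(v);
  return v; // numbers, booleans and null pass through unchanged
}
function scrubEventPayload(payload) {
  const out = {};
  for (const [key, v] of Object.entries(payload)) {
    if (DROP_KEY_PATTERNS.some((re) => re.test(key))) continue; // dropped by key
    out[key] = AMOUNT_KEYS.has(key) ? bucketAmount(v) : scrubValue(v);
  }
  return out;
}
// Constructed sample event, not real user data.
const SAMPLE_EVENT = {
  name: 'investment_submitted', amount: 250, chainId: 100,
  wallet: '0x' + '11'.repeat(20), txHash: '0x' + 'ab'.repeat(32),
  siweMessage: 'gnom.one wants you to sign in with your Ethereum account',
  note: 'sent from 0x' + '22'.repeat(20) + ' for stage 2',
};
console.log(JSON.stringify(scrubEventPayload(SAMPLE_EVENT)));
```

The scrubber runs in the browser before any network call, so unmasked wallet or transaction values never reach the analytics host even if an event was instrumented carelessly.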
Cookies and browser storage
At launch, GNOM's app authentication token is stored in browser localStorage, not in an authentication cookie.
The Services may use:
- localStorage for JWT authentication state and simple UI preferences such as create-mode state;
- wallet-provider storage controlled by the wallet or wallet SDK;
- Umami's cookieless script for aggregate analytics when configured;
- optional UI cookies from third-party UI components only if those components are actually used in a launched surface;
- infrastructure cookies or headers from reverse proxies, error tools, analytics tools, or authentication-protected internal dashboards.
If GNOM later adds non-essential cookies, advertising pixels, session replay, cross-site tracking, or cookie-based analytics, the cookie/disclosure UX must be updated before use.
4. How we use information
We use information to:
- provide, operate, secure, maintain, and improve the Services;
- authenticate wallets and maintain sessions;
- create, display, fund, moderate, and administer projects, stages, tasks, comments, bounties, contributions, claims, refunds, and notifications;
- calculate reputation, access rights, task status, funding status, reward previews, and token claim information;
- provide AI-assisted project generation, specification rewriting, code generation, task generation, review, and recommendation features;
- detect, prevent, investigate, and respond to fraud, spam, abuse, sybil activity, security incidents, wallet compromise reports, sanctions risk, policy violations, and illegal activity;
- debug errors, monitor reliability, measure launch funnels, and understand aggregate product usage;
- comply with legal obligations, enforce terms, respond to legal process, and protect rights, safety, and platform integrity;
- communicate service, security, legal, operational, or support messages.
5. Legal bases and regional rights
Depending on your location, our legal bases may include:
- performing a contract with you;
- operating and securing the Services based on legitimate interests;
- complying with legal obligations;
- protecting users, GNOM, and the public;
- your consent where required.
Users in certain regions may have rights to access, correct, delete, restrict, object to, or receive a copy of personal data, and to withdraw consent where processing is based on consent.
Blockchain data may be public, immutable, and outside GNOM's unilateral control. We may be unable to delete or change data already written to a public blockchain, copied by third parties, indexed by block explorers, or included in decentralized systems.
To exercise privacy rights, contact [PRIVACY_CONTACT_EMAIL]. We may need to verify your request, including by asking you to prove control of a wallet address.
6. When we share information
We may share information with:
- hosting, deployment, database, backup, observability, and infrastructure providers;
- self-hosted operational tools controlled by GNOM, including Bugsink, Umami, Loki, Prometheus, Grafana, and Traefik;
- AI providers, currently Groq when AI features are enabled;
- wallet providers, wallet-connect infrastructure, RPC providers, block explorers, indexers, bridges, decentralized exchanges, and blockchain networks you choose to interact with;
- security, anti-abuse, legal, accounting, tax, compliance, audit, and professional advisors;
- law enforcement, regulators, courts, counterparties, or other parties where required by law, legal process, safety needs, or rights protection;
- other users or the public when you submit public projects, comments, tasks, funding activity, claims, transaction hashes, wallet addresses, or on-chain interactions.
We do not sell personal information in the ordinary meaning of selling a user list for money. Counsel must review whether any analytics, wallet, referral, ad-tech, or third-party integration creates "sale", "sharing", or targeted-advertising obligations under applicable privacy laws.
7. Public blockchain and public platform data
Wallet addresses, transaction hashes, token transfers, contract interactions, balances, claims, funding contributions, and other blockchain activity may be visible on Gnosis Chain and through public block explorers. GNOM cannot control public blockchain records, third-party indexing, analytics, scraping, or re-publication.
Project pages, comments, task submissions, accepted deliverables, reputation, public wallet references, and public funding status may be visible to other users and visitors.
Do not submit information to the Services or public blockchains if you expect it to remain private.
8. Security and retention
GNOM uses technical and organizational measures intended to protect information, including access controls, secret management, transport security, telemetry scrubbing, backup routines, monitoring, and limited access to internal dashboards.
No system is perfectly secure. Wallet compromise, phishing, malicious browser extensions, RPC failures, smart-contract bugs, third-party outages, or user device compromise may affect your privacy and funds.
Retention periods depend on the data type and operational need:
- authentication nonces are short-lived;
- JWTs expire according to backend configuration;
- server logs and telemetry are retained according to deployment configuration, with Loki currently documented as 14 days;
- Bugsink/error retention and Umami analytics retention follow their configured self-hosted defaults unless changed;
- project, user, contribution, investment, reputation, notification, admin, and moderation records may be retained for as long as needed to operate the Services, preserve auditability, resolve disputes, enforce terms, comply with law, or maintain public project history;
- blockchain records may persist indefinitely.
Counsel and operations must confirm final retention periods before publication.
9. International transfers
GNOM infrastructure, service providers, users, wallets, blockchains, and public nodes may be located in different countries. Your information may be processed outside your country of residence.
Before launch, counsel must confirm the correct transfer mechanism, disclosures, and processor terms for [LEGAL_ENTITY_JURISDICTION], target markets, hosting providers, Groq, and any other processors.
10. Children
The Services are not intended for children under 18, or the age of majority in the user's jurisdiction if higher. We do not knowingly collect personal information from children.
If you believe a child has provided personal information to GNOM, contact [PRIVACY_CONTACT_EMAIL].
11. Your choices
You can:
- disconnect your wallet through your wallet provider;
- remove GNOM's JWT from browser localStorage by logging out or clearing site data;
- use browser controls to clear site storage;
- choose not to submit optional project, comment, prompt, task, or profile information;
- request access, correction, deletion, restriction, or portability where applicable;
- object to certain processing where applicable;
- contact us about privacy or security concerns.
Clearing local storage may log you out. It will not remove public blockchain records or content already published publicly.
12. Changes to this policy
We may update this Privacy Policy as the Services, data flows, providers, legal requirements, or launch configuration change.
The updated policy will show a new effective date. If changes are material, GNOM will provide additional notice where required by law or appropriate for the change.
13. Contact
Privacy requests and questions should be sent to:
[LEGAL_ENTITY_NAME]
[LEGAL_ENTITY_ADDRESS]
[PRIVACY_CONTACT_EMAIL]
14. Legal review placeholders
Counsel and operations must review and complete the following before publication:
| Placeholder / topic | Required decision |
|---|---|
| [LEGAL_ENTITY_NAME] | Final operator / issuer / service provider name |
| [LEGAL_ENTITY_TYPE] | Company, foundation, DAO wrapper, sole proprietor, or other structure |
| [LEGAL_ENTITY_JURISDICTION] | Formation jurisdiction |
| [LEGAL_ENTITY_ADDRESS] | Notice address |
| [PRIVACY_CONTACT_EMAIL] | Public privacy/contact email |
| Controller / processor roles | Whether GNOM is controller, processor, joint controller, or mixed role for each flow |
| Target markets | Whether EU/UK, California, other US states, Russia, or other jurisdictions are intentionally served |
| GDPR representative / DPO | Whether an EU/UK representative or DPO is required |
| CCPA/CPRA status | Whether thresholds apply and whether "sale", "sharing", or sensitive personal information disclosures are required |
| Cookie/ePrivacy position | Whether any launched cookies or SDK storage require consent or opt-out UI |
| Processor list | Final launch list for hosting, Groq, wallet SDKs, RPC, Blockscout, Bugsink, Umami, backups, email/support, and other vendors |
| Data processing agreements | Required DPAs, SCCs, transfer terms, and subprocessors |
| Retention schedule | Final retention periods by data category |
| User rights workflow | Verification method, SLA, appeal process, and deletion limits for wallet/public-chain data |
| Sensitive data | Whether any flow processes special-category, financial, KYC, sanctions, or consumer-credit data |
| Incident response | Breach-notification thresholds, contacts, and timelines |
15. Reference notes used for drafting
This draft was prepared with attention to public guidance that privacy notices should accurately describe data practices, that security promises must match real controls, that personal data can include pseudonymous identifiers where re-identification is possible, and that regional privacy rights may apply depending on users and processing.
Reference materials checked on 2026-05-06:
- FTC, Privacy and Security business guidance: https://www.ftc.gov/business-guidance/privacy-security
- FTC, Start with Security: A Guide for Business: https://www.ftc.gov/business-guidance/resources/start-security-guide-business
- European Commission, Data protection: https://commission.europa.eu/law/law-topic/data-protection_en
- European Commission, Information for individuals: https://commission.europa.eu/law/law-topic/data-protection/information-individuals_en
- California Attorney General, California Consumer Privacy Act: https://oag.ca.gov/privacy/ccpa