Privacy Policy

01

Who we are

TrueBasis is an independent on-chain verification tool offered on a free tier (open access, no account required). When this policy refers to "TrueBasis," "we," "us," or "our," it means the operators of the service accessible at truebasis.us.

TrueBasis is not a financial institution, tax advisor, or legal service. It is a data verification and structural analysis tool.

02

What data we collect

We collect only what is necessary to run your audit. This includes:

• Wallet addresses — EVM, Bitcoin, or Solana addresses you submit for audit. These are used to query publicly available blockchain data. We do not collect private keys, seed phrases, or any authentication credentials.
• IP address — seen at the Cloudflare (edge) layer for proxying, rate limiting, and abuse prevention; the application may also record client IP to enforce free-tier limits (e.g. audits per rolling window).
• Uploaded files — exchange CSVs, tax software exports, and owned-addresses files you optionally provide. These are processed in memory during your audit job and are not permanently stored.
• Audit job metadata — job ID, submission time, selected chains, year range, status, transaction count, duration, and any error messages. Stored in our database to support job tracking and founder-level operational monitoring.

03

How we use your data

Data collected is used exclusively to operate the TrueBasis service:

• Fetching on-chain transaction history from public blockchain explorers and RPC endpoints
• Classifying transaction structure and generating audit output files
• Enforcing free-tier rate limits and fair-use caps
• Diagnosing errors and improving system reliability
• Monitoring job queue health and infrastructure performance

We do not use your data for advertising, profiling, or sale to third parties. We do not train machine learning models on your submitted data.

04

Data storage and retention

Different data types are handled differently:

• Wallet address cache — wallet addresses are stored as HMAC hashes (non-reversible) in our database to track scan progress (last scanned block) and speed up repeat audits. Raw plaintext wallet addresses are never written to disk.
• Audit job records — stored in Supabase Postgres. Includes job metadata but never the full transaction dataset or uploaded file contents.
• Output ZIP archives — generated on our backend server and held for a maximum of one hour after job completion, then permanently deleted. You must download your ZIP within this window.
• Uploaded files — processed in memory during the audit job. Not written to persistent storage.

05

Third-party services

TrueBasis relies on the following third-party APIs to fetch blockchain data. When you submit a wallet address, we query these services on your behalf. Each has its own privacy policy.

• Etherscan — primary data source for Ethereum and most EVM chains. Wallet addresses are transmitted to Etherscan's API as part of query parameters. etherscan.io
• Blockscout — secondary data source for EVM chains not covered by Etherscan. blockscout.com
• Routescan — used for Metis Andromeda data. routescan.io
• Helius — primary data source for Solana. Solana wallet addresses are transmitted to Helius's API as part of query parameters. helius.dev
• mempool.space — primary data source for Bitcoin. Bitcoin addresses are transmitted to mempool.space's API as part of query parameters. mempool.space
• Cloudflare — proxy, CDN, and IP-based rate limiting layer. Processes all inbound requests. cloudflare.com
• Render — backend hosting provider. Your audit jobs run on Render infrastructure. render.com
• Supabase — database provider for job history storage. supabase.com

Note: Wallet addresses submitted to TrueBasis are public blockchain identifiers. They are not personally identifiable information in isolation. We recommend against submitting addresses linked to your legal identity if you have anonymity concerns.

06

Cookies and tracking

TrueBasis does not use advertising cookies, tracking pixels, or analytics services that profile individual users. We do not use Google Analytics or similar tools.

Cloudflare may set security-related cookies as part of its bot management and DDoS protection infrastructure. These are functional and not used for advertising.

07

Your rights

Because TrueBasis processes minimal personal data and does not require account creation, most traditional data subject rights are satisfied by default. Specifically:

• Access — we do not maintain user profiles. Audit job metadata is not tied to a named account.
• Deletion — output ZIPs are automatically deleted after one hour. Wallet address caches can be cleared on request. Job metadata records can be removed on request.
• Portability — your audit output files are the primary data product; you receive them directly as a ZIP download.
• Objection — contact us and we will address your concern directly.

To exercise any of these rights, contact us at the address in Section 10.

08

Security

We take reasonable measures to protect data in transit and at rest:

• All traffic is served over HTTPS via Cloudflare
• Backend endpoints are protected by a shared secret header enforced at the Cloudflare Worker layer
• EVM wallet addresses are stored as HMAC hashes — the original address cannot be recovered from the stored value. Bitcoin and Solana addresses are handled the same way.

No system is perfectly secure. TrueBasis is an early-stage product. We recommend not submitting addresses linked to significant holdings if you have security concerns.

09

Changes to this policy

We may update this policy as the product evolves. If changes are material, we will update the "Last updated" date at the top of this page. Continued use of TrueBasis after a policy update constitutes acceptance of the revised policy.

11

Anonymous usage statistics (optional)

When you run an audit, you may optionally check the "Share anonymous usage statistics" checkbox. This is entirely voluntary. If you do not check the box, no usage data is collected or transmitted.

What is collected when you opt in

If you opt in, the following anonymous aggregate counts are submitted to TrueBasis after your audit completes:

• Count of each structural classification result (e.g. SWAP: 45, BORROW: 12)
• Count of each risk level (HIGH / MEDIUM / LOW / NONE)
• Count of mismatch types if you uploaded a tax software CSV (e.g. category_mismatch: 23, missing_in_vendor: 5)
• Count of which structural classes had mismatches (e.g. SWAP: 12) — no transaction hashes or counterparty data
• Count of session roles if session detection ran (OPEN / CLOSE / ORPHAN)
• Chain family distribution (e.g. evm: 140, bitcoin: 10)
• A time bucket indicating the quarter the audit was run (e.g. "2025-Q2") — no precise timestamp

What is never collected

• Wallet addresses or any part of an address
• Transaction hashes
• Tax software data, vendor category labels, or vendor dates
• Classification explanations or any free text
• Job IDs or session IDs
• IP addresses or device identifiers
• Any personally identifiable information

How the data is used

Aggregate statistics are used solely to understand which transaction types are most common, where classification accuracy may be weakest, and how to improve the TrueBasis classification engine. Data is never sold, shared with third parties, or used for advertising.

Verification

When you opt in, a copy of the exact payload submitted is included in your audit ZIP as truebasis_anonymous_stats.json, and a summary of what was collected is appended to truebasis_audit_pack.md. You can verify that no identifying data is present before downloading.

10

Questions about this policy or requests regarding your data can be directed to the TrueBasis team at support@truebasis.us. We are a small operation and aim to respond within a few business days.