Privacy Policy

Last updated: April 21, 2026

This Privacy Policy describes how Cride ("we", "our", or "us") collects, uses, and protects information when you use the Cride identity-gated token platform (the "Service"). By using the Service you agree to the practices described in this policy.

1. Information We Collect

We collect and process the following categories of data:

Wallet address. Your public Ethereum wallet address is collected when you connect a wallet to the Service. This address is public by nature of the blockchain.
Identity verification data. When you complete KYC through our identity provider (Didit), we receive the result of your verification (approved or rejected) along with personal data submitted during that process (such as name and government-issued ID details, as required by Didit's workflow). This data is encrypted with AES-256-GCM before storage. Only an encrypted ciphertext and its SHA-256 hash are written on-chain; no plaintext personal data is ever stored on the blockchain.
Usage data. Standard web server logs (IP address, browser type, pages visited, timestamps) may be retained for operational and security purposes.

2. How We Use Your Information

To verify your identity and update your on-chain NFT status accordingly.
To process CRD token purchases and cashouts.
To communicate with you regarding support issues when you contact us.
To maintain the security and integrity of the Service.

3. Encrypted Identity Storage

Your personal identity data is encrypted before being written to our object storage provider (Storj). The encryption key is held server-side and is not published or accessible via the blockchain. Only the SHA-256 hash of the encrypted data is stored on-chain so that the smart contract can verify data integrity without exposing any personal information.

We do not sell, rent, or share your encrypted identity records with third parties except as required by law or as necessary to provide the Service (e.g. Didit, our KYC provider).

4. Third-Party Services

Didit. Identity verification is performed by Didit. Their collection and use of your information during the KYC process is governed by Didit's Privacy Policy.
Storj. Encrypted identity records are stored in Storj's decentralised object storage network. See Storj's Privacy Policy.
Ethereum / Sepolia. On-chain transactions are irreversible and publicly visible on the blockchain. We cannot delete or modify on-chain data once confirmed.

5. Data Retention

Encrypted identity records are retained for as long as your Cride NFT exists on-chain or as required by applicable law. You may contact us to request deletion of off-chain records; note that on-chain data (wallet address, NFT token metadata URI, encrypted data hash) cannot be deleted.

6. Your Rights

Depending on your jurisdiction you may have rights to access, correct, or request deletion of personal data we hold. To exercise these rights please contact us at [email protected].

7. Security

We use AES-256-GCM encryption for identity records and enforce HTTPS for all API communications. Webhook endpoints are HMAC-verified. Despite these measures, no system is completely secure and we cannot guarantee absolute security.

8. Children

The Service is not directed at children under 18 years of age. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected data from a minor, please contact us immediately.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page with a revised "last updated" date. Continued use of the Service after changes constitutes acceptance of the updated policy.

10. Contact

For questions or concerns regarding this Privacy Policy, contact us at [email protected].