1. Who We Are
Quack AI operates the Q402 gasless payment relay protocol at q402.quackai.ai. This policy describes what data we collect, how we use it, and your rights regarding that data.
2. What We Collect
A. Account Data
- Blockchain wallet address (your public key — not a secret)
- API key (hashed reference, stored in Vercel KV)
- Subscription plan, payment TX hash, activation date
B. Transaction Data
- Relayed transaction hashes, chain, token, amount, timestamp
- Gas cost per relay (native token amount)
- Sender and recipient wallet addresses (public blockchain data)
C. Inquiry / Contact Data
- App name, website, email, Telegram handle (if submitted via inquiry form)
- Project description and expected usage volume
D. Technical Data
- IP address (for rate limiting — not stored long-term)
- Vercel edge function logs (retained per Vercel's standard policy)
- Webhook URL and configuration (stored in Vercel KV)
3. What We Do NOT Collect
- Private keys — we never ask for, store, or have access to any private keys
- Passwords — authentication is signature-based (EIP-191), no passwords exist
- Personal identity information (name, ID, address) — not required
- Browser cookies for tracking — we use no third-party analytics cookies
4. How We Use Your Data
- Service delivery — validate API keys, enforce quotas, process relay requests
- Billing — verify on-chain subscription payments and activate accounts
- Support — respond to inquiry form submissions
- Security — rate limiting, abuse detection, replay attack prevention
- Transparency — provide you with your own transaction history via the dashboard
We do not sell, rent, or share your data with third parties for marketing purposes.
5. Data Storage
All structured data (subscriptions, API keys, transaction history, webhook config) is stored in Vercel KV (Redis), hosted on Vercel's infrastructure. Vercel's data centers are located in the US and EU regions.
Inquiry form submissions may be forwarded to a Telegram channel operated by Quack AI for internal review. No third-party CRM or marketing tools receive this data.
6. Data Retention
- Subscription and API key records: retained while active + 90 days after expiry
- Transaction history: retained in monthly KV keys, up to 10,000 entries per month
- Inquiry data: retained until actioned or deleted upon request
- Rate limit counters: expire automatically (60s – 600s window per endpoint)
7. Blockchain Data
Wallet addresses, transaction hashes, and token amounts submitted to the relay are recorded on public blockchains. This data is immutable and outside Q402's control. By using the relay service, you acknowledge that on-chain transaction data is permanently and publicly visible.
8. Webhook Data
If you register a webhook, Q402 will send relay event payloads (including transaction details) to your specified URL. You are responsible for the security and handling of webhook data on your server. Q402 signs all webhook payloads with HMAC-SHA256; verify the signature before processing.
9. Your Rights
You may request at any time:
- Access — a copy of data we hold associated with your wallet address
- Deletion — removal of your subscription record, API keys, and inquiry data
- Correction — update your inquiry contact details
Note: on-chain transaction data cannot be deleted. API key deletion will immediately terminate service access.
To exercise these rights, contact business@quackai.ai with your wallet address.
10. Third-Party Services
- Vercel — hosting and KV storage (Vercel Privacy Policy)
- Public RPC providers — on-chain data reads (Avalanche, BSC, Ethereum, X Layer, Stable public endpoints)
- CoinGecko — token price data for Gas Tank USD display (no user data sent)
- Telegram — internal inquiry notifications only
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced via dashboard notice or email (if provided). Continued use of the service after changes take effect constitutes acceptance.