Privacy Policy

Effective date: May 15, 2026 · Last updated: May 15, 2026

DataCert.ai ("Service") is operated by Verity One Ltd. DBA DataCert.ai ("Company", "we", "us"). This policy describes what data we collect, why, and how we protect it.

1. What we collect

Data type	Purpose	Retention
Email address	Account creation, login, billing, support	Until account deletion
XRPL wallet address	Wallet ownership verification, domain binding	Until account deletion
Domain name	Domain-wallet binding verification	Until account deletion
IP address	Security audit log, rate limiting, fraud prevention	90 days
Browser user agent	Security audit log	90 days
Payment information	Subscription billing (processed by Stripe)	Managed by Stripe

2. What we never collect

Wallet seed phrases or private keys — never requested, never transmitted, never stored.
Wallet balances or transaction history — we do not query or store your on-chain financial activity.
Biometric data of any kind.

3. How wallet verification works

Wallet verification uses a cryptographic SignIn pseudo-transaction via Xaman or GemWallet. This proves you control the wallet without moving any funds or exposing any secrets. The only data we receive is your public XRPL address, which is already publicly visible on the ledger.

4. On-chain data

When you complete domain-wallet binding, the association is recorded on the XRP Ledger via AccountSet Domain and/or xrp-ledger.toml. The XRP Ledger is a public, immutable, decentralized ledger. Data published on-chain cannot be modified or deleted by us or anyone else. You consent to this permanent public record when completing verification.

5. Third-party services

Stripe — payment processing. Stripe's privacy policy applies to payment data. We do not store credit card numbers.
Xaman (XUMM) — wallet authentication. Xaman's privacy policy applies to data processed through their app and SDK.
GemWallet — wallet authentication via browser extension. GemWallet's privacy policy applies.
XRP Ledger — public blockchain. All on-chain data is publicly accessible.

6. Security

We protect your data with:

HTTPS encryption for all connections.
JWT tokens signed with server-side secrets, issued by datacert.ai.
Rate limiting on authentication endpoints (10 sign-in requests per 15 minutes).
Single-use payload UUIDs with 5-minute expiry.
Comprehensive audit logging of all verification events.
Helmet security headers and CORS restrictions.

7. Cookies

We use essential session cookies for authentication. We do not use tracking cookies, advertising cookies, or third-party analytics that track individual users.

8. Your rights

You may:

Request a copy of your stored data by emailing michelle@datacert.ai.
Request deletion of your account and off-chain data. Note: on-chain data (XRPL AccountSet, published TOML records) cannot be deleted as it exists on a public decentralized ledger.
Update your email or account details via the dashboard.
Cancel your subscription at any time through the Stripe Customer Portal.

9. Data transfers

Your data may be processed in the United States where our servers are located. By using the Service, you consent to this transfer.

10. Children

The Service is not intended for anyone under 18 years of age. We do not knowingly collect data from minors.

11. Changes

We may update this policy from time to time. Material changes will be communicated via the email address on your account. The "last updated" date at the top reflects the most recent revision.

12. Contact

For privacy questions or data requests, contact michelle@datacert.ai.