Join our DiscordPrivacy Policy
Last updated: March 16, 2026
1. Who we are
Cavos Labs (“Cavos”, “we”, “us”) operates the developer platform available at cavos.xyz and the Cavos SDK. Our registered contact for privacy matters is hello@cavos.xyz.
2. Scope — developers vs. end users
This policy applies to developers and companies (“you”) who register an account on cavos.xyz and integrate the Cavos SDK into their applications.
Cavos acts as a Data Processor under GDPR. Your application’s end users are your responsibility — you are the Data Controller for their personal data. You must obtain appropriate consent from your end users and publish your own privacy policy covering your use of Cavos.
3. Data we collect about you (the developer)
Account data
When you register: email address, full name (optional), organization name. Stored in our database (Supabase) and used to manage your access to the Cavos dashboard.
Billing data
If you subscribe to a paid plan, we store a Stripe customer ID and subscription ID. Full payment details (card numbers, etc.) are handled exclusively by Stripe and never touch our servers.
Usage analytics
We track pseudonymous wallet counts and transaction counts per application to calculate your Monthly Active Users (MAU) for billing purposes. We store:
- Wallet addresses (pseudonymous Starknet addresses) — no emails or names linked
- Transaction counts per wallet — no transaction hashes stored
- Network type (mainnet / testnet)
This data belongs to your end users’ activity but is processed by us only to compute your billing metrics.
Dashboard analytics
With your consent, we use Vercel Analytics to collect anonymous pageview data when you use the cavos.xyz dashboard. No cookies are set, no cross-site tracking occurs, and no personal data is collected. You can decline at any time via the consent banner.
4. Legal basis for processing
- Contract (Art. 6(1)(b)) — account data and billing data are necessary to provide the service you signed up for.
- Legitimate interest (Art. 6(1)(f)) — pseudonymous usage metrics (wallet counts) are necessary for billing accuracy.
- Consent (Art. 6(1)(a)) — Vercel Analytics, only if you accept the consent banner.
5. Data retention
- Account data — retained while your account is active, deleted within 30 days of account deletion.
- Billing data — retained for 7 years to comply with accounting regulations, then deleted or anonymized.
- Usage metrics (wallet/tx counts) — retained for 13 months for billing history, then aggregated and anonymized.
- Email verification tokens — automatically deleted upon expiry (typically 24 hours).
6. Sub-processors
We share data with the following sub-processors, all of whom maintain GDPR-compliant Data Processing Agreements:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database & authentication | EU (AWS eu-west-1) |
| Google Firebase | Email/password authentication | US (with SCCs) |
| Stripe | Subscription billing | US (with SCCs) |
| Vercel | Hosting & analytics (if consented) | US (with SCCs) |
| Resend | Transactional email delivery | US (with SCCs) |
SCCs = Standard Contractual Clauses (EU mechanism for lawful data transfers to non-EU countries).
7. Your rights (GDPR Art. 15–22)
As a developer with an account on cavos.xyz, you have the following rights:
- Access (Art. 15) — request a copy of the data we hold about you.
- Rectification (Art. 16) — correct inaccurate data via your dashboard profile settings.
- Erasure (Art. 17) — delete your account and all associated data from your dashboard settings.
- Portability (Art. 20) — receive your data in a machine-readable format upon request.
- Restriction & Objection (Art. 18, 21) — contact us to restrict processing or object to legitimate-interest processing.
To exercise any right, email hello@cavos.xyz. We will respond within 30 days.
8. Cookies
- Session cookies — set by Supabase to maintain your login session on the dashboard. Strictly necessary, no consent required.
- Analytics — Vercel Analytics does not set cookies. It uses edge-computed, IP-anonymized signals. Loaded only with your explicit consent.
You can withdraw analytics consent at any time by clearing your browser’s localStorage for cavos.xyz.
9. Security
We implement technical and organizational measures to protect your data: TLS in transit, row-level security in our database, restricted access to production systems, and no storage of sensitive credentials on our servers. In the event of a data breach affecting your data, we will notify you and the relevant supervisory authority within 72 hours as required by Art. 33 GDPR.
10. Children
Cavos is a developer platform intended for adults. We do not knowingly collect data from anyone under 16. If you believe a minor has registered, contact us at hello@cavos.xyz and we will delete the account promptly.
11. Changes to this policy
We may update this policy periodically. When we make material changes, we will notify you by email (to the address on your account) at least 14 days before the changes take effect. Continued use of the platform after that date constitutes acceptance of the updated policy.
12. Contact & supervisory authority
Questions or complaints? Email us at hello@cavos.xyz.
You also have the right to lodge a complaint with your local data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu.