Privacy Policy

Last Updated: January 6, 2026

1. Introduction

At Inodra, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Sui blockchain indexing API services.

We are committed to transparency and giving you control over your data. This policy complies with the Swiss Federal Act on Data Protection (FADP), the European Union's General Data Protection Regulation (GDPR), and other applicable privacy laws.

By using Inodra's services, you agree to the collection and use of information in accordance with this Privacy Policy.

2. Data Controller

Inodra, located in Geneva, Switzerland, is the data controller responsible for your personal information. As we expand operations, your data may be processed by Inodra (Switzerland) or affiliated entities (such as Inodra Inc., Delaware, USA).

For privacy-related inquiries, please contact us at:
Email: [email protected]
Location: Geneva, Switzerland

3. Information We Collect

3.1 Information You Provide

When you create an account and use our services, we collect:

  • Account Information: Name, email address, password (encrypted)
  • Organization Details: Organization name, team member information
  • Payment Information: Billing address, payment method details (processed securely through Stripe; we do not store full credit card numbers)
  • Communication Data: Support messages, feedback, and any other information you choose to provide

3.2 Information Automatically Collected

When you use our API services, we automatically collect:

  • API Usage Data: API endpoints accessed, request timestamps, response times, HTTP methods, compute units consumed, error rates
  • Technical Information: IP addresses, user agent strings, API key identifiers (not the keys themselves)
  • Performance Metrics: Latency measurements, throughput statistics, error logs (anonymized)
  • Webhook Configuration: Webhook URLs, event types, delivery status (stored encrypted)

3.3 Cookies

We use only essential cookies required for our service to function:

  • Session Cookies: Required to keep you logged in and maintain your authenticated session
  • Security Cookies: CSRF protection tokens to prevent cross-site request forgery attacks

These cookies are strictly necessary for the service to operate. We do not use analytics, advertising, or tracking cookies.

3.4 Information We Do NOT Collect

We want to be clear about what we don't collect:

  • Private keys or seed phrases: Never. We cannot access your blockchain wallets.
  • Blockchain transaction content: We index public blockchain data but don't analyze or store your specific transaction payloads.
  • Sensitive personal data: We don't intentionally collect racial origin, political opinions, religious beliefs, health data, or biometric information.

4. How We Use Your Information

We use your information for the following purposes:

4.1 Service Delivery

  • Providing API access to indexed Sui blockchain data
  • Processing and delivering webhook notifications
  • Monitoring API usage and enforcing tier limits (CUs, RPS)
  • Generating usage analytics and reports for your account
  • Maintaining service reliability and uptime

4.2 Account Management

  • Creating and managing your account
  • Authenticating access and preventing fraud
  • Processing payments and managing subscriptions
  • Communicating about your account and services

4.3 Communication

  • Transactional emails: Account notifications, quota warnings, payment receipts, security alerts (cannot be unsubscribed from)
  • Service updates: Planned maintenance, service disruptions, API changes
  • Product updates: New features, improvements (can be unsubscribed from)
  • Support: Responding to your inquiries and providing assistance

4.4 Service Improvement

  • Analyzing usage patterns to optimize performance (anonymized)
  • Identifying and fixing bugs and errors
  • Developing new features and services
  • Conducting research and analytics (using aggregated, de-identified data)

4.5 Security and Compliance

  • Detecting and preventing fraud, abuse, and security threats
  • Investigating suspicious activity
  • Complying with legal obligations
  • Enforcing our Terms of Service

6. How We Share Your Information

We do not sell your personal information. Ever.

We may share your information in the following limited circumstances:

6.1 Service Providers

We work with trusted third-party service providers who help us deliver our services:

All service providers are contractually required to maintain confidentiality and use data only for providing services to Inodra.

6.2 Team Members

If you invite team members to your organization, they will have access to:

  • Organization usage statistics and API keys
  • Webhook configurations and delivery logs
  • Billing information (if granted explicit access)

6.3 Legal Requirements

We may disclose your information if required to:

  • Comply with legal obligations or court orders
  • Enforce our Terms of Service
  • Protect our rights, property, or safety
  • Protect users or the public from harm or illegal activity
  • Respond to lawful government requests

6.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will notify you before your information is transferred and becomes subject to a different privacy policy.

6.5 Aggregated Data

We may share aggregated, anonymized, or de-identified data that cannot be used to identify you (e.g., "80% of API calls use the transactions endpoint"). This data is not considered personal information.

7. Your Privacy Rights

Depending on your location, you have the following rights regarding your personal information:

7.1 Access and Portability

You have the right to access your personal data and receive a copy in a portable, machine-readable format. You can export most data directly from your dashboard.

7.2 Rectification

You have the right to correct inaccurate or incomplete personal information. You can update most information in your account settings.

7.3 Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data under certain circumstances. To delete your account, email [email protected] with "Delete My Account" in the subject line.

Note: We may retain certain information as required by law or for legitimate business purposes (e.g., billing records, security logs) for up to 90 days after deletion.

7.4 Restriction of Processing

You have the right to request that we limit how we use your data in certain circumstances.

7.5 Object to Processing

You have the right to object to processing based on legitimate interests or for marketing purposes. You can unsubscribe from marketing emails using the link in any email or by contacting us.

7.6 Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.

7.7 Lodge a Complaint

If you're in the EU or Switzerland, you have the right to lodge a complaint with your local data protection authority.

  • Switzerland: Federal Data Protection and Information Commissioner (FDPIC)

7.8 Exercising Your Rights

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. We may request verification of your identity before processing requests.

8. Data Security

We implement industry-standard security measures to protect your information:

8.1 Technical Safeguards

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • API Key Protection: API keys are hashed and never stored in plain text after creation
  • Database Security: Access-controlled, encrypted databases with regular backups
  • Webhook Security: HTTPS-only webhooks with signature verification

8.2 Organizational Safeguards

  • Limited access to personal data on a need-to-know basis
  • Regular security audits and vulnerability assessments
  • Employee training on data protection and security
  • Incident response procedures

8.3 Limitations

While we implement strong security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

You are responsible for:

  • Maintaining the confidentiality of your account password
  • Keeping your API keys secure
  • Securing your webhook endpoints
  • Notifying us immediately of any suspected security breach

8.4 Data Breach Notification

In the event of a data breach affecting your personal information, we will:

  • Notify affected users within 72 hours via email and dashboard notification
  • Describe the nature and scope of the breach
  • Explain what data was affected
  • Detail the steps we are taking to address the breach
  • Provide recommendations for protecting your information

9. Data Retention

We retain your information only as long as necessary for the purposes described in this Privacy Policy:

9.1 Retention Periods

  • Account Data: Retained while your account is active, plus 90 days after deletion for billing reconciliation and fraud prevention
  • API Usage Logs: 90 days for security and billing purposes
  • Payment Records: Retained for 7 years as required by tax and accounting laws
  • Support Communications: Retained for 2 years for quality assurance and legal protection
  • Anonymized Analytics: May be retained indefinitely (cannot identify individuals)

9.2 Deletion Process

After the retention period expires, we securely delete or anonymize your information. Backups containing your data are deleted within 90 days of account closure.

10. International Data Transfers

Inodra is based in Switzerland and may use service providers located in various countries, including the United States.

10.1 GDPR Compliance

For transfers of personal data from the European Economic Area (EEA) or Switzerland to countries that do not provide adequate data protection, we ensure appropriate safeguards through:

  • Standard Contractual Clauses (SCCs): Approved by the European Commission
  • Service Provider Agreements: Requiring GDPR-equivalent protections
  • Data Processing Addendums: With all third-party processors

10.2 Swiss FADP Compliance

We comply with the Swiss Federal Act on Data Protection when transferring data from Switzerland. Your data receives the same level of protection regardless of where it is processed.

11. Analytics

We use self-hosted Plausible Analytics to understand how visitors use our website. Plausible is a privacy-friendly analytics tool designed to comply with GDPR without requiring cookie consent.

11.1 What Plausible Collects

Plausible collects only aggregate, anonymized data:

  • Page views and referrer URLs
  • Country (from IP, which is not stored)
  • Device type and screen size
  • Browser and operating system

11.2 What Plausible Does NOT Do

  • No cookies: Plausible does not use cookies or any persistent identifiers
  • No personal data: IP addresses are not stored or logged
  • No cross-site tracking: Your browsing activity is not tracked across websites
  • No fingerprinting: No device fingerprinting or unique identifiers

11.3 Self-Hosted

Our Plausible instance is self-hosted on our own infrastructure. All analytics data stays on our servers and is never shared with third parties.

11.4 No Consent Required

Because Plausible does not use cookies, does not collect personal data, and is self-hosted, no consent is required under GDPR, PECR, or similar privacy regulations. If you prefer not to be counted in our analytics, you can use browser extensions that block tracking scripts.

12. Cookies

12.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our website. We use cookies only for essential functionality.

12.2 Cookies We Use

We use only strictly necessary cookies that are essential for our service to function:

  • Session Cookie: Maintains your authenticated session after you log in. This cookie is deleted when you log out or after 7 days of inactivity.
  • CSRF Token: A security cookie that protects against cross-site request forgery attacks.

These cookies are set by Inodra (first-party) and are not shared with any third parties. They do not track your activity across other websites.

12.3 What We Do NOT Use

We do not use any non-essential cookies, including:

  • Analytics or tracking cookies
  • Third-party advertising cookies
  • Cross-site tracking
  • Social media pixels or trackers
  • Marketing or retargeting cookies

12.4 Cookie Consent

Because we only use strictly necessary cookies that are essential for the service to function, we do not require cookie consent under GDPR and similar regulations. These cookies are exempt from consent requirements as they are necessary to provide the service you have requested.

13. Children's Privacy

Our services are not directed to individuals under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children.

If we discover that we have collected data from a child under 13, we will delete that information immediately. If you believe we have collected information from a child, please contact us at [email protected].

14. Blockchain Data and Public Information

Important: Sui blockchain data is inherently public and permanent.

14.1 Public Nature of Blockchain

All transactions, smart contract interactions, and on-chain events are publicly visible on the Sui network. Inodra indexes this public data to make it more accessible via our API.

14.2 What We Index

We index publicly available blockchain data including:

  • Transactions and their metadata
  • Smart contract events and objects
  • Validator information and checkpoints
  • Coin balances and movements
  • Package deployments and upgrades

14.3 Your Responsibility

You are responsible for the privacy of your blockchain activities. We cannot delete or modify blockchain data as it exists on the decentralized Sui network.

We never collect or have access to:

  • Your private keys or seed phrases
  • Wallet passwords or credentials
  • Off-chain personal information not publicly posted

15. Third-Party Links and Services

Our Services may contain links to third-party websites or services that we do not control. This Privacy Policy does not apply to third-party services.

We encourage you to review the privacy policies of any third-party services before providing them with your personal information. We are not responsible for the privacy practices of third parties.

16. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

16.1 Right to Know

You have the right to request information about the personal information we collect, use, disclose, and sell (we do not sell your information).

16.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions.

16.3 Right to Opt-Out

We do not sell personal information. If our practices change, we will update this policy and provide an opt-out mechanism.

16.4 Non-Discrimination

We will not discriminate against you for exercising your CCPA rights.

To exercise your California privacy rights, contact us at [email protected].

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

17.1 Notification of Changes

We will notify you of material changes by:

  • Updating the "Last Updated" date at the top of this policy
  • Sending an email to your registered email address
  • Displaying a prominent notice in your dashboard

17.2 Your Acceptance

Continued use of our Services after changes take effect constitutes acceptance of the updated Privacy Policy. If you do not agree with changes, you should discontinue use and delete your account.

17.3 Material Changes

For material changes that affect your rights, we will provide at least 30 days' notice before the changes take effect (except where required by law to implement changes immediately).

18. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: [email protected]

Company: Inodra

Location: Geneva, Switzerland

For privacy-specific inquiries, please include "Privacy Request" in your email subject line. We will respond within 30 days.

We're committed to transparency and your privacy. If you have questions about how we handle your data or want to discuss any aspect of this policy, please reach out. We're here to help.