Privacy Policy

ApeFax is a non-custodial, primarily anonymous service. We collect the minimum information needed to operate the product and we do not sell personal data. Wallet addresses are pseudonymous; we treat them as personal information when combined with other identifiers (email, phone) you provide.

You provide:

• Wallet address & SIWE signature — when you connect a wallet to authenticate.
• Email and/or phone — only if you join the launch waitlist or opt in to delivery/refund notifications. Either field alone is sufficient; both are never required.
• Notification preferences — which categories (mainnet launch, MAYC support, etc.) you want to hear about.

We collect automatically:

• Request metadata — IP address, user-agent string, referrer, and timestamps for security and abuse-prevention. IPs are stored as a salted hash, not raw.
• On-chain data — transactions, ownership history, and marketplace events for the apes you query. This data is public on Ethereum.
• Service telemetry — error logs, rate-limit counters, performance metrics. Wallet addresses appear in logs only when needed to debug a specific report; they are not used for advertising.

We do not collect: private keys, seed phrases, government IDs, date of birth, social-security numbers, real names (unless you provide one on the waitlist), or credit-card numbers. We do not run third-party advertising or behavioral-tracking scripts.

We use the information above to:

• Authenticate your wallet and tie unlocked Reports to your account.
• Deliver Reports, refunds, and launch notifications you have opted into.
• Prevent abuse, fraud, and unauthorized access (rate limiting, anomaly detection).
• Improve the scoring model and product. Improvements are based on aggregate patterns — we do not train models on data tied to a specific wallet's identifiable behavior.
• Comply with legal obligations (tax records on payments, response to lawful process).

We use a small number of cookies to keep you signed in, remember your preferences, and route owner-preview traffic during pre-launch. We do not run third-party advertising cookies. The launch-preview cookie is set only when you visit a specific owner-preview URL.

Browser local storage may be used to cache a small amount of UI state (selected collection, last-viewed ape) for performance. None of this is transmitted to third parties.

• Waitlist email/phone: until you unsubscribe or until 30 days after launch, whichever is later.
• Wallet authentication records: while the wallet is connected, plus 90 days after final disconnect (for abuse-prevention).
• Report snapshots tied to your wallet: indefinitely, because Reports are a paid asset you can return to. You may request deletion (see §7).
• Server logs: 30 days, then aggregated or purged.
• Hashed IPs: 90 days.
• Payment receipts: as long as required by tax law (currently 7 years).

We share data with the following infrastructure providers only as needed to operate the service. They process data on our behalf and do not sell it.

• Supabase — primary database; stores waitlist entries, snapshots, and account records.
• DigitalOcean — application hosting and edge logs.
• Cloudflare — DNS and edge caching.
• Resend — transactional email delivery (waitlist receipts, launch notifications).
• Twilio — transactional SMS delivery for users who opt in to phone notifications.
• Bitquery, OpenSea, Alchemy, Etherscan, Dune, Gondi — read-only data sources for on-chain history, marketplace activity, trait and trade analytics, lending data, and ETH/USD pricing.
• Wallet software (e.g. MetaMask, Rabby, Coinbase Wallet, WalletConnect) — your chosen wallet connects from your own browser to sign messages and transactions. We never receive your keys and do not send these providers your contact information.

We do not share waitlist contacts with marketing partners. We do not run ad-network pixels.

You may, at any time:

• Access the personal data we hold for your wallet or contact.
• Correct inaccurate information (e.g., update an email address).
• Delete your waitlist entry or wallet-account record. On-chain transactions cannot be deleted; we can sever the link between them and your account.
• Unsubscribe from email or SMS using the link in any message or by replying STOP to SMS.
• Export a copy of your account data in a machine-readable format.

Requests: [email protected]. We respond within 30 days.

ApeFax is operated from the United States. If you access the service from outside the U.S., your information is transferred to and processed in the U.S. We rely on standard contractual protections with our processors for cross-border transfers.

ApeFax is not intended for users under 18 and we do not knowingly collect personal information from children. If you believe a minor has provided information, contact us and we will delete it.

We use TLS for all traffic, HSTS-preload on our domain, and a strict Content Security Policy. Database access uses Row-Level Security; service-role credentials are scoped to specific server endpoints. We do not store private keys or any signing material. No system is perfectly secure; report suspected vulnerabilities to [email protected].

We may update this policy over time. Material changes will be announced on the site at least seven days before they take effect.

Privacy questions: [email protected].