Privacy Policy

Effective date: 2025-01-01

This Privacy Policy explains how Open Store Foundation ("we", "us", "our") processes information in connection with the Open Store protocol and related interfaces, including the Dev Console (website), API backend, Node validator software, and Store applications (collectively, the "Services"). The protocol operates on public blockchain networks (together, the "Networks").

By using the Services, you understand that publishing to the Networks is public and generally immutable. Information written to the Networks can be accessed by anyone and may be copied, indexed, and stored by third parties beyond our control.

Scope and roles

We act as the controller for data processed by our Dev Console and API we operate.
We operate and/or publish reference Node validator software. Independent operators who run nodes or host Store applications may process data under their own policies.
For on-chain and Greenfield content, we do not control the Networks and cannot modify or delete data recorded there.

Information we process

Public, on-chain/on-Greenfield data you publish

When you interact with the protocol and choose to publish, the following categories of data may be written to the Networks and become public by design:

Publisher data: wallet addresses; on-chain or Greenfield publisher profiles and metadata you provide; signatures; transaction hashes and events.
Application data: application identifiers, categories, descriptions, screenshots, and other metadata you choose to publish.
Application files: packaged binaries and versioned artifacts stored on Greenfield or referenced by content addresses; integrity hashes.

This data is accessible to anyone, may be permanently stored by the Networks or third-party indexers, and cannot be feasibly altered or erased by us.

Off-chain operational caches and indexes

To make the protocol usable, our Dev Console, API backend, validator nodes, and Store applications maintain local caches and indexes that mirror public data from the Networks. These may include:

Indexed copies of public publisher and application metadata.
Content-addressed references and integrity information for application files.
Derived data for search, discovery, and validation results.

These caches are representations of already public data and are refreshed or purged in the ordinary course of operations.

Website and API telemetry

When you access the Dev Console or API we operate, we may process limited telemetry for operations and security:

Request metadata such as IP address, user agent, referrer, timestamps, and request/response identifiers.
Diagnostic logs and error traces necessary to operate the Services and defend against abuse.

We do not sell this information. Telemetry is retained only as long as needed for the purposes below, typically not longer than 30 days unless required for security investigations or legal obligations.

Optional contact and support information

If you choose to provide contact details (for example, for publisher verification or support), we will process the information you submit (such as name, email address, organization, and related materials) for the purpose you provided it.

Purposes of processing and legal bases

We process information to:

Provide, maintain, and improve the Services, including indexing and surfacing public on-chain/Greenfield content.
Verify publisher status and validate applications for integrity and policy compliance.
Secure the Services, prevent fraud and abuse, and enforce applicable terms.
Communicate with you when you request support or provide feedback.
Comply with legal obligations.

Where applicable law requires a legal basis, we rely on: performance of a contract or steps at your request; our legitimate interests in operating and securing the Services; your consent where required; and compliance with legal obligations.

Disclosures and recipients

Public Networks: Any information you publish on the Networks is public by design and accessible to anyone.
Service providers: We may use infrastructure, security, analytics, storage, or communications providers to operate the Services. Providers receive only the information necessary to perform their services and are subject to appropriate safeguards.
Community operators: Independent validators and hosts of Store applications may mirror and re-distribute public data under their own policies.
Legal and safety: We may disclose information to comply with law, regulatory requests, or to protect rights, safety, and the integrity of the Services.

International transfers

Because the Networks are globally distributed and our providers may operate internationally, your information (including telemetry and any contact details you provide) may be processed in countries that may have different data protection laws than your country. We implement appropriate safeguards where required.

Retention

Public on-chain/Greenfield data: We cannot control retention or deletion on the Networks. Content published there may be permanent.
Caches and indexes: We retain mirrored public data only as long as useful for operations and then refresh or purge it routinely.
Telemetry and logs: Typically retained up to 30 days, unless longer retention is necessary for security, operations, or legal reasons.
Contact/support records: Retained as long as needed to address your request and meet legal obligations.

Your choices and rights

Because the protocol is public-by-design, certain rights (like erasure) cannot be fulfilled for data recorded to the Networks. Depending on your location, you may have rights to request access, correction, portability, restriction, or objection regarding information we control off-chain (such as telemetry or contact information). You can also:

Avoid publishing personal information in on-chain metadata or application files.
Use distinct wallet addresses or pseudonyms to reduce linkability.
Request we refresh or purge our caches and indexes. While we cannot remove content from the Networks, we will update or clear our mirrors where feasible.
Opt out of non-essential communications by using provided controls in messages we send.

To exercise rights regarding data we control, contact us using the details below. We may need to verify your request, including via proof of wallet control when relevant.

Security

We implement administrative, technical, and organizational measures designed to protect information we control. However, we cannot guarantee the security of information stored on public Networks or controlled by independent third parties.

Third-party services and operators

Store applications, validators, RPC nodes, wallets, and community mirrors may be operated by third parties under their own terms and privacy policies. We are not responsible for their practices. Review those policies before using their services.

Children’s privacy

The Services are not directed to children and are intended for use by individuals of legal age to enter into binding agreements in their jurisdiction.

Changes to this policy

We may update this Privacy Policy from time to time. Changes apply when posted. If we make material changes, we will provide additional notice where required.

Contact

Open Store Foundation Email: [email protected] Postal: Please contact us via email to request a mailing address for privacy matters

Privacy Policy ​

Scope and roles ​

Information we process ​

Public, on-chain/on-Greenfield data you publish ​

Off-chain operational caches and indexes ​

Website and API telemetry ​

Optional contact and support information ​

Purposes of processing and legal bases ​

Disclosures and recipients ​

International transfers ​

Retention ​

Your choices and rights ​

Security ​

Third-party services and operators ​

Children’s privacy ​

Changes to this policy ​

Contact ​