GDPR Compliance

usmewe is committed to protecting user privacy and complying with the General Data Protection Regulation (GDPR).

Overview

usmewe processes minimal personal data. Most protocol data is on-chain and pseudonymous.

Data We Collect

On-Chain Data (Public)

Data | Purpose | Storage
Wallet addresses | Protocol operation | BASE blockchain
Transaction history | Protocol operation | BASE blockchain
Trust Score | Protocol operation | BASE blockchain
Loan records | Protocol operation | BASE blockchain
On-chain data is pseudonymous. We don’t link wallet addresses to real identities unless you provide that information.

Off-Chain Data

Data | Purpose | Storage | Retention
Email address | Notifications | Supabase | Until deletion
Profile name | Social features | Supabase | Until deletion
Device tokens | Push notifications | Supabase | Until deletion
IP address | Security, abuse prevention | Logs | 30 days
Usage analytics | Product improvement | Plausible | Anonymized

Your Rights

Under GDPR, you have the following rights:

Access

Request a copy of your personal data

Rectification

Correct inaccurate personal data

Erasure

Request deletion of your data

Portability

Export your data in a readable format

Restriction

Limit how we process your data

Objection

Object to certain processing

Exercising Your Rights

Data Export

Export your off-chain data:
curl -X GET "https://api.usmewe.com/v1/users/me/export" \
  -H "Authorization: Bearer YOUR_TOKEN"
Response includes:
  • Profile information
  • Notification preferences
  • Activity history (off-chain)

Account Deletion

Request account deletion:
  1. Go to Settings > Privacy > Delete Account
  2. Confirm your decision
  3. We’ll process the request within 30 days
On-chain data (wallet transactions, Trust Score history) cannot be deleted from the blockchain. Only off-chain data linked to your account will be removed.

Data Correction

Update your information:
curl -X PATCH "https://api.usmewe.com/v1/users/me" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"displayName": "New Name"}'

Processing | Legal Basis
Protocol operation | Contract performance
Security measures | Legitimate interest
Email notifications | Consent
Analytics | Legitimate interest
Marketing | Consent

Data Protection Measures

  • TLS 1.3 for all connections
  • AES-256 encryption at rest
  • End-to-end encryption for sensitive data
  • Role-based access control
  • Principle of least privilege
  • Regular access audits
  • Collect only necessary data
  • Automatic deletion after retention period
  • Anonymization where possible
  • Regular penetration testing
  • Bug bounty program
  • Continuous monitoring

International Transfers

Data may be transferred to:
Region | Safeguard
United States | Standard Contractual Clauses
EU | No transfer needed

Data Processors

We use the following third-party processors:
Processor | Purpose | Location
Supabase | Database, auth | USA (EU available)
Railway | Hosting | USA
Plausible | Analytics | EU
All processors are bound by Data Processing Agreements (DPAs).

Cookies

usmewe uses minimal cookies:
Cookie | Purpose | Duration | Type
session | Authentication | Session | Essential
preferences | User settings | 1 year | Functional
We don’t use tracking or advertising cookies.

Governance and Privacy

Governance proposals affecting user data must:
  1. Include a privacy impact assessment
  2. Pass with a 60% majority (higher threshold)
  3. Allow a 30-day opt-out period

Data Breach Notification

In case of a data breach:
  1. We’ll notify affected users within 72 hours
  2. Report to relevant supervisory authorities
  3. Document the incident and remediation

Contact

For GDPR-related inquiries:

Updates to This Policy

We may update this policy. Significant changes will be:
  • Announced via email
  • Posted in-app
  • Subject to a 30-day notice period
Last updated: January 2025