Last updated: 2026-05-21. This document has not been reviewed by counsel; it is published in good faith and may be revised. Material changes will be notified per §11.
Privacy Policy
Preamble
Volar ("we," "us," or "our") is committed to protecting your personal data. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights in relation to it. The Service is operated from Romania, and we are subject to the EU General Data Protection Regulation (GDPR). Where applicable, this policy also addresses rights under the California Consumer Privacy Act (CCPA).
If you have questions, contact us at [email protected].
1. What We Collect
1.1 Account Information
- Email address — required to create an account, for transactional communications, and for account recovery.
- Password — stored only as an Argon2id hash. We never store or transmit your plaintext password.
1.2 Payment Information
Payments are processed by Stripe. We do not receive or store your card number, CVV, or bank account details. We receive and store: - Your Stripe Customer ID (a token Stripe assigns to your payment profile). - Your current subscription status and Tier.
1.3 API Usage Data
When you make requests to the Volar API, our systems log:
- HTTP method and path (e.g., GET /v1/chains/BTC)
- Timestamp
- Your internal User ID
- Source IP address
These logs are retained for 90 days and are used for rate-limit enforcement, abuse detection, and debugging. We do not currently log full request/response bodies.
1.4 Technical / Server Logs
Nginx and application server logs contain IP addresses, HTTP status codes, and response times. These are retained for approximately 30 days and are used for security monitoring and performance diagnostics.
2. Why We Collect It
| Data | Purpose |
|---|---|
| Email + password hash | Account creation, authentication, transactional emails |
| Stripe customer ID + subscription status | Billing, access control, dunning |
| API usage logs | Rate limiting, abuse detection, debugging |
| Server logs | Security monitoring, infrastructure diagnostics |
3. Legal Basis (GDPR)
We rely on the following lawful bases for processing your personal data:
- Contract performance (Art. 6(1)(b)) — processing your email, password hash, and billing data is necessary to provide the Service you have contracted for.
- Legitimate interests (Art. 6(1)(f)) — API usage logs and server logs are retained to protect the integrity of the Service, detect abuse, and ensure fair usage. Our legitimate interest does not override your rights; you can object (see Section 7).
- Legal obligation (Art. 6(1)(c)) — we may retain billing records as required by Romanian and EU tax/accounting law.
4. Who We Share Data With
We share your data only with the following sub-processors:
| Provider | Role | Data Shared |
|---|---|---|
| Stripe | Payment processing | Email, Stripe Customer ID |
| Resend | Transactional email delivery | Email address, message content of transactional emails (e.g., verification links, invoices) |
| Cloudflare | DDoS protection, DNS, TLS termination | IP address, HTTP request metadata |
| Hetzner | Server hosting (Germany, EU) | All data stored on the Service, encrypted at rest |
We do not share your data with: - Advertising networks or data brokers - Third-party analytics platforms (e.g., Google Analytics, Mixpanel) - Any party for marketing purposes without your explicit consent
5. International Data Transfers
Hetzner hosts our servers in Germany and is therefore within the European Economic Area (EEA) — no special transfer mechanism is required.
Stripe, Resend, and Cloudflare are US-based companies. Data transferred to them is covered by Standard Contractual Clauses (SCCs) as adopted by the European Commission, ensuring an adequate level of protection. Copies of the applicable SCCs are available from each provider's privacy documentation.
6. Data Retention
| Data type | Retention period |
|---|---|
| Account data (email, tier, stripe ID) | Duration of subscription + 30 days after account closure |
| API keys (hashed) | Retained until revoked or account closed, then deleted within 30 days |
| API usage logs | 90 days rolling |
| Server/nginx logs | ~30 days rolling |
| Database backups | 30 days |
| Deleted accounts | Permanent deletion after 30-day grace period |
After the applicable retention period, data is deleted from live systems. Encrypted backups containing that data are purged on their normal rotation cycle (max 30 days after deletion from live systems).
7. Your Rights
Under the GDPR (and, where applicable, the CCPA), you have the right to:
- Access — request a copy of all personal data we hold about you.
- Rectification — request correction of inaccurate or incomplete data.
- Erasure ("right to be forgotten") — request deletion of your personal data.
- Portability — receive your data in a structured, machine-readable format.
- Object — object to processing based on legitimate interests (Section 3).
- Restriction — request that we restrict processing while a dispute is resolved.
How to Exercise Your Rights
- Self-serve: Use the
/account/data-exportendpoint to download a JSON export of your account data, or/account/deleteto delete your account. - By email: Contact [email protected]. We will respond within 30 days (as required by GDPR Art. 12).
CCPA users (California residents) may additionally submit a "Do Not Sell My Personal Information" request, though we do not sell personal information to third parties.
8. Cookies
We use only strictly necessary cookies:
- session_user_id — a signed, HttpOnly session cookie used to authenticate you to the dashboard. Expires after 7 days of inactivity.
- csrf_session — a short-lived HttpOnly cookie used for CSRF protection. Expires after 1 hour.
We do not use tracking cookies, advertising cookies, or analytics cookies. No third-party cookie consent banner is required under the EU ePrivacy Directive for strictly-necessary cookies.
9. Security
We take the following measures to protect your data:
- Passwords are hashed using Argon2id (memory-hard, resistant to GPU cracking).
- API keys are stored as SHA-256 hashes — plaintext keys are shown once at creation and never stored.
- All data in transit is protected by TLS 1.2+ (enforced by Cloudflare).
- Server storage is encrypted at rest (Hetzner disk encryption).
- We perform regular dependency updates and vulnerability scans.
Despite these measures, no system is completely secure. If you discover a security vulnerability, please disclose it responsibly to [email protected] before public disclosure.
10. Children
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact [email protected] and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you by email at least 30 days before material changes take effect. The "Last updated" date at the top of this document reflects the most recent revision.
12. Contact
For privacy-related enquiries or to exercise your rights:
- Email: [email protected]
- Response time: within 30 days as required by GDPR