Last Updated: December 2024
Privacy Policy
This Privacy Policy describes how Scholtz & Company, j.s.a. ("we," "us," or "our") collects, uses, and protects your personal information when you use the Biatec MCP Server self-custody service.
1. Information We Collect
1.1 Personal Information
We collect the following personal information:
- Google Account Information: Email address, name, and profile information obtained through Google OAuth
- Device Information: Device identifiers, session IDs, and pairing information
- Usage Data: API calls, timestamps, and service usage statistics
- Security Information: Access logs, authentication events, and security monitoring data
1.2 Self-Custody Algorand Account Data
We facilitate self-custody storage of encrypted Algorand account information in your personal Google Drive:
- Encrypted Private Keys: Stored encrypted in your personal Google Drive using email-specific encryption
- Account Addresses: Public Algorand addresses for transaction and portfolio tracking purposes
- Transaction Data: Temporary transaction information processed on our servers only during authorized signing
- Email-Bound Encryption: Private keys are cryptographically bound to your specific email address
- Non-Transferable Data: Encrypted account data cannot be moved between different Google Drive accounts
Important Self-Custody Notice: Your private keys remain encrypted in your Google Drive at all times. Our servers only process these encrypted keys temporarily during transaction signing operations that you explicitly authorize. We cannot access your unencrypted private keys under any circumstances.
1.3 Automatically Collected Information
- IP addresses and network information
- Browser and device characteristics
- Access times and referring websites
- Service performance and error logs
2. How We Use Your Information
We use your personal information for the following purposes:
2.1 Self-Custody Service Provision
- Facilitate secure access to your self-custody Algorand accounts stored in your Google Drive
- Enable device pairing and cross-device synchronization for self-custody account access
- Process encrypted private keys on our servers only during authorized transaction signing
- Provide MCP server functionality for AI-powered blockchain operations
- Ensure email-specific encryption binding for enhanced security
2.2 Security and Safety
- Implement Cross-Account Protection features
- Monitor for suspicious activity and fraud prevention
- Maintain system security and integrity
- Comply with legal and regulatory requirements
2.3 Service Improvement
- Analyze usage patterns to improve our services
- Troubleshoot technical issues
- Develop new features and capabilities
3. Legal Basis for Processing (GDPR)
Under the General Data Protection Regulation (GDPR), we process your personal data based on:
- Consent: When you explicitly agree to our data processing
- Contract Performance: To provide the services you've requested
- Legitimate Interests: For security monitoring and service improvement
- Legal Obligation: To comply with applicable laws and regulations
4. Data Sharing and Disclosure
4.1 Third-Party Services
We share data with the following third parties:
- Google: For authentication and Google Drive storage services
- Algorand Network: For blockchain transaction processing
- Redis/Hosting Services: For temporary data caching
4.2 Legal Requirements
We may disclose your information when required by law, court order, or to:
- Comply with legal processes and government requests
- Protect our rights and property
- Ensure user safety and prevent fraud
- Investigate security incidents
5. Data Retention
We retain your personal information for the following periods:
- Account Data: Until you delete your account or request data deletion
- Session Data: 24 hours after device unpairing
- Security Logs: 30 days for monitoring purposes
- Usage Analytics: 12 months in aggregated form
6. Your Rights Under GDPR
As a data subject, you have the following rights:
6.1 Access and Portability
- Request access to your personal data
- Receive a copy of your data in a portable format
6.2 Correction and Deletion
- Correct inaccurate personal information
- Request deletion of your personal data ("right to be forgotten")
6.3 Processing Limitations
- Restrict processing of your personal data
- Object to processing based on legitimate interests
6.4 Consent Management
- Withdraw consent at any time
- Opt out of non-essential data processing
7. Self-Custody Data Security
We implement comprehensive security measures specifically designed for self-custody services:
- Self-Custody Architecture: Your private keys are never stored unencrypted on our servers
- Google Drive Storage: Encrypted private keys are stored exclusively in your personal Google Drive
- Email-Specific Encryption: AES-256 encryption with keys derived from your specific email address
- Temporary Processing: Encrypted keys are processed on our servers only during authorized transaction signing
- Non-Transferable Design: Cryptographic binding prevents keys from being used with different email addresses
- Access Controls: Strict authentication and authorization systems for key processing
- Monitoring: Continuous security monitoring and threat detection for processing operations
- Compliance: Regular security audits and compliance assessments for self-custody operations
Self-Custody Security Guarantee: Your Algorand private keys remain under your exclusive control in your Google Drive. Our security architecture ensures that even our systems cannot access your unencrypted private keys, providing true