← Back to NOUS Token

Privacy Notice

Last updated: April 6, 2026

1. What We Collect

The Protocol collects the minimum data necessary to provide verifiable AI usage records. Here is the complete list:

Data	How Obtained	Stored?	Public?
API Key Hash	SHA-256 of your API key, computed at the gateway	Yes (D1 database)	Yes (leaderboard)
Model Name	Extracted from AI provider response	Yes	Yes
Token Count	Extracted from AI provider response (.usage field only)	Yes	Yes
Wallet Address	Provided by you (optional)	Yes	Yes
Timestamp	Time of request	Yes	Yes (via API)
API Endpoint Path	e.g., /v1/messages	Yes	No
Cryptographic Signatures	Generated by gateway	Yes	Yes (for verification)

2. What We Do NOT Collect

We do not read, parse, store, log, or retain the content of your AI prompts or responses. Ever.

The gateway pipes your request and response bodies as opaque byte streams. The only field extracted from the response is the .usage object (token counts). This is verifiable by auditing the open-source gateway code.

We also do not collect or store:

• Your API key in plaintext (only a one-way SHA-256 hash)
• Your IP address (Cloudflare may log IPs per their own privacy policy — we do not access or store these logs)
• Your name, email, phone number, or any traditional personal identifiers
• The content of prompts, completions, system instructions, or tool calls

3. Temporary Processing

During the processing of each API request, the following data exists temporarily in memory within a Cloudflare Worker V8 isolate:

• Your API key (for the duration of the HTTP request, to compute the hash and forward to the upstream provider)
• The AI provider's response body (for the duration needed to extract the .usage field)

This data exists only in volatile memory, is scoped to a single request, and is garbage-collected when the request completes. It is never written to persistent storage. Cloudflare's Worker runtime provides memory isolation between requests.

4. Wallet Address and Pseudonymity

If you provide a wallet address, it is stored alongside your usage records and displayed on the public leaderboard. Wallet-to-hash bindings are permanent once established.

Important: If your wallet address is publicly linked to your identity (e.g., through ENS domains, public transactions, or social media), your AI usage patterns — including which models you use, how much you use them, and when — become publicly attributable to you.

We recommend using a dedicated wallet that is not linked to your public identity if you wish to maintain pseudonymity.

5. On-Chain Data

When you mint a Token-20 Proof, the following data is permanently recorded on the Base blockchain:

• Your wallet address
• The AI model used
• The number of tokens consumed
• The block number of the usage
• The gateway address that signed the receipt

Blockchain data is permanent and cannot be deleted. This is an inherent property of blockchain technology, not a policy choice. Do not mint Token-20 Proofs if you are not comfortable with this data being permanently and publicly recorded.

6. Data Retention

Usage records in the gateway database are retained indefinitely to support ongoing verification and Merkle tree integrity. We do not currently offer a deletion mechanism because:

• Deleting individual records would break the Merkle Mountain Range, undermining the tamper-detection guarantee for all users
• On-chain anchors and minted NFTs reference these records and cannot be retroactively modified

If regulations in your jurisdiction require data deletion rights (e.g., GDPR Article 17), please contact us. We will work to find a solution that balances your rights with the technical constraints of cryptographic verification systems.

7. Third-Party Data Processors

Service	Role	What They Access
Cloudflare	Worker hosting, D1 database	All gateway data passes through Cloudflare infrastructure. See Cloudflare Privacy Policy.
AI Providers (OpenAI, Anthropic, etc.)	Upstream API providers	Your API key and request content. We are a transparent proxy — your relationship with the AI provider is governed by their terms.
Base / Ethereum	Blockchain	On-chain transaction data is public by nature. We do not control the blockchain.

8. Cookies and Tracking

The token.nousai.cc dashboard uses localStorage to store your wallet address for convenience. We do not use cookies, analytics trackers, advertising pixels, or any third-party tracking scripts.

9. Your Rights

You have the right to:

• Stop using the gateway at any time by removing the proxy configuration from your AI tools
• Use the gateway without providing a wallet address (usage will be recorded under your API key hash only)
• Verify all data the gateway has recorded about you via the public API (/api/user/{your_hash})
• Run the Sentinel verifier independently to confirm the integrity of your records
• Request information about what data we hold that relates to your API key hash or wallet address

10. Changes

We may update this Privacy Notice. Changes take effect when posted. We will update the date at the top of this page.

11. Contact

Questions about this Privacy Notice: github.com/nousworld/nous-token