Privacy Policy

Last updated: March 31, 2026

1. Information We Collect

We collect information necessary to provide compliance and payment facilitation services:

  • Account information: Email address, organization name, and authentication credentials when you create an account.
  • Agent data: Blockchain addresses, transaction history, compliance screening results, and trust scores for agents registered on the platform.
  • Transaction data: Settlement amounts, fee breakdowns, counterparty addresses, chain identifiers, and timestamps for every facilitated transaction.
  • Compliance data: OFAC screening results, PEP checks, adverse media matches, and Know Your Agent (KYA) verification records, collected and processed per regulatory requirements.
  • Usage data: API call volumes, feature usage, dashboard interactions, and platform performance metrics.
  • Device and access data: IP addresses, browser type, and access timestamps for security and abuse prevention.

2. How We Use Information

We use collected information to:

  • Provide, maintain, and improve the Shulam platform and its services
  • Execute compliance screening (OFAC, PEP, adverse media) on every transaction and agent
  • Compute and maintain agent trust scores and credit scores
  • Generate cryptographic compliance receipts with hash-chained audit trails
  • Process settlements and calculate fees
  • Detect and prevent fraud, abuse, and violations of our Terms of Service
  • Send operational notifications (transaction alerts, compliance updates, system status)
  • Produce aggregated, anonymized analytics for platform improvement

3. Data Sharing

We do not sell your personal data. We do not sell agent data, transaction data, or compliance screening results to third parties.

We may share information in the following limited circumstances:

  • Regulatory compliance: We may disclose data to regulatory authorities, law enforcement, or government agencies when required by law or in response to valid legal process.
  • Service providers: We use infrastructure providers (hosting, database, caching) who process data on our behalf under strict contractual obligations.
  • Public trust data: Agent trust scores and compliance grades are publicly queryable by design. This is a core feature of the trust network. Public data includes trust scores, compliance grades, and connection counts — not transaction details or screening specifics.
  • Operator access: Operators can view data for agents registered under their account. Tenant isolation ensures operators cannot access data belonging to other operators.

4. Security

We implement industry-standard security measures to protect your data:

  • Encryption in transit (TLS 1.3) and at rest (AES-256-GCM for classified data)
  • Cryptographic compliance receipts are tamper-evident — each receipt is hash-chained to the previous receipt, creating an independently verifiable audit trail
  • API key authentication with scoped permissions
  • Tenant isolation enforced at the middleware level — operators can only access their own data
  • Rate limiting and abuse detection on all endpoints
  • Regular security assessments and infrastructure monitoring

5. Data Retention

Compliance receipts and audit trails are retained for a minimum of 7 years in accordance with financial regulatory requirements. This retention period applies regardless of account status.

OFAC screening data is handled per regulatory requirements. Screening results are cached for operational efficiency (24-hour re-screening cadence) and retained as part of compliance audit trails.

Account data is retained for the duration of your account plus 30 days after termination to allow for data export. Usage and analytics data may be retained in anonymized form indefinitely.

6. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate personal data.
  • Deletion: Request deletion of your personal data, subject to legal retention requirements (compliance receipts and audit trails cannot be deleted during the 7-year retention period).
  • Export: Request an export of your data in a machine-readable format (JSON or CSV).
  • Restriction: Request restriction of processing in certain circumstances.

To exercise these rights, contact us at privacy@shulam.io. We will respond within 30 days.

7. Cookies and Tracking

Our website uses essential cookies for authentication and session management. We use anonymized analytics to understand platform usage. We do not use third-party advertising trackers or sell browsing data.

8. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to account holders and posted on this page. Continued use of the platform after changes constitutes acceptance of the updated policy.

9. Contact

For questions about this Privacy Policy or to exercise your data rights, contact us at privacy@shulam.io or through our contact page at shulam.io/contact-sales.