Synfin Privacy Policy
This policy explains what Cayvox Labs ("we", "us") collects when you use the Synfin services: the Synfin API, the partner portal at portal.synfin.xyz, and the synfin.xyz websites (the "Service"), and what we do with it. We built the Service to need very little personal data, and this policy describes only what actually exists.
1. What we collect
Account data (portal). Your email address, the timestamp and version of your Terms acceptance, and an audit trail of account events (sign-in, key creation, key revocation). Login is passwordless: we email you a one-time sign-in link. We store only cryptographic hashes of sign-in tokens and session identifiers, never the values themselves.
API key data. A key identifier, a label you choose, creation and revocation timestamps, and the hash of the key secret. We cannot recover a key secret after it is shown to you once.
Usage data. Per-key daily request counters and rate-limit counters (including counts of rejected requests). These are aggregate numbers used for operating the Service, showing you your own usage, and enforcing published limits. Counters expire automatically (currently after 90 days).
Technical data. Our infrastructure provider (Cloudflare) processes IP addresses and request metadata to route traffic, resist abuse, and enforce per-IP rate limits on public endpoints. We do not build marketing profiles and we do not use advertising trackers on the Service.
What we do NOT collect. We hold no passwords, no private keys, no wallet seed material, and no custody of funds. We do not require or store government identity documents at signup.
2. On-ledger data
Trades route to third-party venues and settle on the Canton Network. Ledger records (parties, settlements, fee transfers) are governed by the network's own privacy model and the venues' terms; they are not under our control, and this policy does not apply to them. Fee amounts owed to you settle directly to the party you configure; your own ledger is the source of truth for them.
3. What we use data for
To operate the Service: authenticating you, minting and revoking keys, metering and rate limiting, showing you your usage, applying the fee schema recorded for your keys, maintaining security audit trails, and communicating with you about the Service (sign-in links, and operational or legal notices). We do not sell personal data. We do not send marketing email without your separate consent.
4. Who processes data for us
We use a small set of sub-processors, each only for what the Service needs: Cloudflare (hosting, storage, networking, abuse protection) and Resend (delivery of sign-in and operational emails). Sign-in emails necessarily contain your email address and the one-time link. We will update this list if it changes.
5. Retention
Account records and audit trails are kept for the life of the account and a short period after deletion for security and legal purposes. Usage counters expire automatically (currently 90 days). Sign-in tokens expire within minutes and their hashes are consumed on use. Revoked key records are retained as part of the audit trail.
6. Your choices and rights
You can revoke keys and sign out of sessions in the portal at any time. You can ask us to delete your account by writing to info@cayvox.com from your account email; deletion revokes your keys and removes your account records, subject to the short retention above. Depending on your jurisdiction, you may have additional rights (access, correction, portability, complaint to a supervisory authority); write to us and we will respond in good faith.
7. Security
Least-privilege storage separation between account data and key data, hashed bearer secrets, hardened session cookies, no admin HTTP surface, and error responses that are never cached. No system is perfectly secure; if we learn of a breach affecting your data we will notify you without undue delay.
8. International transfers and children
The Service is operated using global infrastructure; data may be processed outside your country. The Service is for business use and not directed at children.
9. Contact and changes
Controller: Cayvox Labs · contact: info@cayvox.com. [Registered address and imprint details: TO BE ADDED before general availability.] We may update this policy; material changes will be announced with a new version identifier and, where appropriate, by email.