Privacy Policy

1. Introduction

This Privacy Policy describes how Hourly Harvest ("we", "us", "our") collects, uses, stores, and protects information in connection with your use of the Hourly Harvest platform, website, and associated API services (collectively, the "Platform"). By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy.

Hourly Harvest is designed with privacy as a first-class principle. We operate a non-custodial, blockchain-native staking platform where user interactions are primarily identified by cryptographic wallet addresses rather than traditional personal identifiers. We do not collect, request, or store your legal name, email address, phone number, date of birth, or government-issued identification of any kind.

2. Information We Process

We process the following categories of data in connection with operating the Platform:

2.1 Blockchain-Derived Data

• Public Wallet Address: Your Solana base58 public key is used as your account identifier across all Platform functions, including access verification, staking records, referral associations, and reward distribution.
• .skr Domain Name: Where applicable, we resolve your AllDomains .skr TLD record to associate a human-readable username with your wallet address. This data is publicly available on the Solana blockchain.
• Seeker Genesis Token (SGT) Ownership: We query the Solana blockchain to verify whether your connected wallet holds a valid Seeker Genesis Token. This check is performed server-side and is used exclusively for access control purposes.
• Transaction Signatures: When you lock tokens or receive a stake return, the on-chain transaction signature is stored to prevent duplicate processing and to provide an auditable record of activity.

2.2 Platform Activity Data

• Staking Records: When you create a staking lock, we store the associated wallet address, staked amount, duration, multiplier, total expected reward, hourly reward rate, unlock date, and creation timestamp.
• Hourly Claim Records: Each hourly claim slot within a staking lock is individually tracked, including the claim window (open and expiry times), claim status (Pending, Claimable, Claimed, Forfeited), and on-chain transaction signature where applicable.
• Vault Entries: Claimed hourly rewards are accumulated in a per-wallet vault prior to on-chain withdrawal. We store the amount, asset type, source claim ID, and claimed status.
• Referral Activity: Where you participate in the referral programme, we store your referral code, the code used to register your account, your total referral earnings, claimed amounts, and the wallet addresses of users you have referred.

2.3 Security and Operational Data

• IP Addresses: Your IP address may be captured for rate limiting, fraud detection, and security audit purposes. IP addresses are associated with wallet addresses only where a potential security incident is detected.
• Security Audit Logs: Where suspicious activity, repeated failed authentication attempts, or policy violations are detected, we log the IP address, wallet address (if known), the nature of the flagged behaviour, and a severity classification.
• Blacklist Records: Where a wallet address or IP address is determined to have engaged in fraudulent, abusive, or prohibited conduct, that identifier may be added to a blacklist. The reason for blacklisting is recorded.
• Support Tickets: If you submit a support request, we store the ticket contents, your wallet address, any name or email you voluntarily provide, and all subsequent message exchanges between you and support staff.
• Notifications: We maintain an in-Platform notification log for events such as referral activations and system messages. These records are associated with your wallet address.

3. How We Use Your Information

We use the data described above strictly for the following purposes:

• Service Delivery: To verify SGT access eligibility, process staking locks, track hourly claim windows, distribute vault rewards on-chain, manage referral profiles, and calculate referral earnings.
• Security and Fraud Prevention: To detect and prevent replay attacks, duplicate transactions, unauthorised access, bot activity, and attempts to manipulate the reward system.
• Platform Integrity: To enforce API rate limits, maintain blacklists of abusive actors, and uphold the fairness of the staking and claiming mechanics for all participants.
• Support: To respond to support tickets and resolve disputes or technical issues raised by users.
• Compliance: Where required by applicable law, to cooperate with legitimate law enforcement requests or regulatory inquiries.

We do not use your data for advertising, profiling, or marketing. We do not sell, license, rent, or share your data with third parties for commercial purposes under any circumstances.

4. Data Storage and Retention

Platform data is stored in a managed PostgreSQL database hosted on Railway. All data is stored in the European Union or United States, depending on the hosting configuration at the time of your use.

• Staking and Claim Records: Retained indefinitely as they represent an immutable historical record of on-chain activity for auditing and dispute resolution purposes.
• Security Logs: Retained for a minimum of 90 days, or longer if an active security investigation is ongoing.
• Support Tickets: Retained for a minimum of 12 months following ticket closure.
• IP Address Logs: Retained in security audit records for a minimum of 30 days.

Given the pseudonymous nature of blockchain-based identifiers, we are unable to delete or anonymise staking records that are also recorded on-chain, as those records exist independently of our Platform.

5. Data Security

We implement the following security measures to protect data processed by the Platform:

• Cryptographic Request Authentication: All state-changing API requests (locking tokens, claiming rewards, withdrawing from the vault) require a valid cryptographic signature from the connected wallet. This proves that the request originated from the wallet's owner and has not been tampered with in transit.
• Nonce-Based Replay Prevention: Signed messages include a nonce that is consumed upon use, preventing replay attacks where a previously valid signature could be resubmitted.
• API Rate Limiting: All public-facing API endpoints are protected by a sliding-window rate limiter keyed by IP address. Exceeding the rate limit returns an HTTP 429 response.
• Server-Side Enforcement: All reward calculations, access controls, and eligibility checks are computed server-side. Client-provided values are treated as untrusted input and independently verified against on-chain data.
• Environment Isolation: Sensitive credentials, including the treasury wallet private key and database connection string, are stored as environment variables and never exposed to the client-side bundle.
• Input Validation: All wallet addresses are validated as valid Solana public keys before any database query or on-chain operation is performed. Invalid inputs are rejected immediately.

No system is completely immune to attack. While we take reasonable steps to protect your data, we cannot guarantee absolute security. You are responsible for securing access to your own wallet.

6. Third-Party Services

The Platform integrates with the following third-party services in the course of normal operation:

• Helius RPC: Used as the Solana RPC provider for all on-chain queries, transaction submissions, and Token-2022 account lookups. Helius may log RPC requests in accordance with their own privacy policy.
• AllDomains: Used to resolve .skr domain names for the referral system. Domain resolution queries include your wallet address.
• Railway: Used to host the PostgreSQL database. Railway processes data in accordance with their own privacy and security policies.
• Solana Blockchain: All staking locks, reward transfers, and stake returns are executed as permanent, public on-chain transactions. This data is visible to anyone with access to a Solana block explorer and is not within our control to remove.

We are not responsible for the privacy practices of third-party services. We encourage you to review the privacy policies of any third party whose services you use in connection with the Platform.

7. Your Rights

Depending on your jurisdiction, you may have certain rights regarding personal data we hold about you. Given the pseudonymous nature of the Platform, most data is associated with a wallet address rather than a natural person. However, where applicable:

• Right of Access: You may request a summary of the data associated with your wallet address that we hold in our off-chain database.
• Right to Erasure: Where technically and legally permissible, you may request deletion of off-chain records associated with your wallet address. Note that on-chain data (transaction records on the Solana blockchain) cannot be deleted by any party.
• Right to Portability: You may request an export of your staking history, claim records, and referral data in a structured format.
• Right to Object: You may object to processing of your data in connection with security logging by ceasing use of the Platform.

To exercise any of the above rights, submit a support ticket through the Platform's support system. We will verify your identity by requesting a signed message from the wallet address associated with the request before acting on any data subject request.

8. Children's Privacy

The Platform is not directed at individuals under the age of 18. We do not knowingly collect or process data from minors. If you believe a minor has used the Platform, please contact us through the support system and we will take appropriate action.

9. Changes to This Policy

We reserve the right to update this Privacy Policy at any time. Material changes will be reflected by an updated "Last Updated" date at the top of this page. Your continued use of the Platform following any such update constitutes your acceptance of the revised Privacy Policy. We recommend reviewing this page periodically.

10. Contact

For privacy-related inquiries, data subject requests, or questions about this policy, please submit a support ticket through the Platform or contact us at support@hourlyharvest.xyz. We aim to respond to all legitimate privacy inquiries within 14 days.