Privacy Policy

Stuff Protocol ("we," "us," or "our") operates the stuffprotocol.net website and the Stuff Protocol application on Base L2. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our protocol and related services.

We designed Stuff Protocol with privacy at its foundation. Your personal possessions deserve the same care in digital form as they do in your hands.

1. Information We Collect

Information you provide directly

When you interact with Stuff Protocol, we may collect information you choose to share with us:

• Account identifiers such as your display name and email address
• Wallet addresses you connect via Sign-In with Ethereum (SIWE)
• Descriptions, photographs, and metadata of items you register through the chat agent
• Beneficiary designations and allocation preferences you configure
• Messages you send through the AI chat interface

Information collected automatically

When you access the protocol, certain technical information is collected to maintain service quality and security:

• Device type, browser version, and operating system
• IP address and approximate geographic location
• Pages visited, features used, and interaction timestamps
• Referral source and session duration

On-chain data

Stuff Protocol creates verifiable attestations on the Base L2 network through the Ethereum Attestation Service (EAS). On-chain data is public by design and includes attestation schemas, timestamps, and associated wallet addresses. We do not control and cannot delete data written to the blockchain.

2. How We Use Your Information

We use the information we collect for the following purposes:

• Provide and improve the protocol — to value your items using AI, create on-chain attestations, manage allocations, and maintain trusted relationships
• Communicate with you — to send transaction confirmations, security alerts, and protocol updates you've opted into
• Ensure security — to detect unauthorized access, protect against fraud, and maintain the integrity of the protocol
• Comply with legal obligations — to meet applicable regulatory requirements
• Develop new features — to understand how the protocol is used and improve the experience for all participants

3. AI-Powered Valuation

Stuff Protocol uses artificial intelligence to assist with item valuation. When you describe an item through the chat interface, your descriptions and any uploaded images are processed by our AI agent to generate market-informed valuations.

We do not use your item data to train AI models. Valuation data is associated with your account and is not shared with third parties for their marketing or advertising purposes.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:

• Contract performance — processing necessary to provide the services you've requested, including item registration, valuation, and attestation
• Legitimate interest — processing for security, fraud prevention, and service improvement, balanced against your privacy rights
• Consent — processing based on your explicit opt-in, such as marketing communications, which you can withdraw at any time
• Legal obligation — processing required to comply with applicable laws and regulations

5. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

• Access — request a copy of the personal data we hold about you
• Rectification — request correction of inaccurate or incomplete data
• Erasure — request deletion of your personal data, subject to legal retention requirements and the immutability of on-chain records
• Portability — receive your data in a structured, machine-readable format
• Restriction — request that we limit how we process your data
• Objection — object to processing based on legitimate interests
• Withdraw consent — withdraw previously given consent at any time

To exercise any of these rights, contact us at privacy@stuffprotocol.net. We will respond within 30 days (or within any shorter period required by applicable law).

California residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act, including the right to know what personal information we collect, the right to delete, the right to correct, and the right to opt out of the sale or sharing of personal information. We do not sell your personal information.

6. Data Sharing and Disclosure

We do not sell your personal information. We may share your data in the following limited circumstances:

• Service providers — trusted partners who assist with hosting, analytics, and AI processing, bound by data processing agreements
• On-chain participants — attestation data that you choose to publish to the Base L2 network becomes publicly visible
• Legal requirements — when required by law, regulation, or valid legal process
• Safety — to protect the rights, safety, or property of our users, the protocol, or the public
• Business transfers — in connection with a merger, acquisition, or sale of assets, with notice to affected users

7. International Data Transfers

Your information may be processed in countries outside your jurisdiction, including the United States. When we transfer data internationally, we implement appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission to ensure your data receives an equivalent level of protection.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy, or as required by law. Off-chain data associated with your account will be deleted within 90 days of account closure, except where retention is legally required.

On-chain attestation data is permanent and cannot be deleted due to the immutable nature of blockchain technology. This is inherent to the design of decentralized protocols and EAS.

9. Security

We implement industry-standard technical and organizational measures to protect your information, including encryption in transit and at rest, access controls, and regular security assessments. Our key custody model separates protocol-level, operational, and deployment keys to minimize risk.

No system is perfectly secure. If we discover a breach affecting your personal data, we will notify you and the relevant supervisory authority as required by applicable law.

10. Cookies and Tracking

We use essential cookies to maintain your session and preferences. We do not use third-party advertising cookies. You can manage cookie preferences through your browser settings.

11. Children's Privacy

Stuff Protocol is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a minor, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the protocol interface and, where required, via email to registered users. Your continued use of the protocol after changes take effect constitutes acceptance of the revised policy.

Contact

For questions or concerns about this Privacy Policy, or to exercise your data protection rights:

Stuff Protocol
Email: privacy@stuffprotocol.net

If you are in the EEA, you also have the right to lodge a complaint with your local data protection supervisory authority.