TrueStake
· LEGAL · PRIVACY

Privacy Policy

How TrueStake collects, uses, and protects your data. We read public on-chain data, identify you by email only, and never touch KYC documents, exchange keys, or your private keys.

Effective 2026-07-01 · Last updated 2026-07-01

Preliminary version — pending final legal review. We've published this early so you can see exactly how TrueStake handles your data while we complete a final review with legal counsel. The substance below reflects our real, current practices; some wording may be refined in the final version. Questions or corrections: support@truestake.io.

Who we are

TrueStake ("TrueStake," "we," "us") provides an audit-defensible record of Ethereum staking economics — a read-only analytics and tax-reporting tool. This policy explains what data we hold, why, how it is protected, and the choices you have.

TrueStake is operated by its founder and can be reached at support@truestake.io.

The principle: we collect the minimum

Data we never collect cannot be breached, subpoenaed, leaked, or sold. Data minimization is a security decision that shapes every feature we build. TrueStake derives your reward history from public on-chain data — we do not need, and therefore do not collect, the categories listed under "What we never collect" below.

What we collect

| Data | Purpose | Notes | |---|---|---| | Email address | Authentication (email + passkey) and, when necessary, incident or account notification. | Your primary identifier. We do not collect your legal name. | | Validator public keys and withdrawal addresses | To look up your on-chain reward history. | Public on-chain data, but treated as personal data and encrypted at rest. | | Fee-recipient addresses | To attribute execution-layer and MEV rewards to your validators. | Treated as personal data and encrypted at rest. | | Staking reward data | The core product — a reconciled, timestamped record of your rewards. | Derived from public on-chain sources. | | Stripe customer ID | To manage your subscription. | A reference token, not payment data. Card data is held by Stripe, not TrueStake. | | First-party product events | Aggregate product analytics (page views, feature usage). | Tied to a session identifier, not resold. See "Analytics." |

Validator public keys, withdrawal addresses, and fee recipients are public on the Ethereum blockchain. We nonetheless treat them as personal data because they can, in combination, identify you — and we encrypt them at rest accordingly.

What we never collect

These are permanent product non-goals, not deferred features:

  • Government ID, passport, SSN, or date of birth. No KYC — ever.
  • Exchange API keys or account credentials. We never connect to exchange accounts.
  • Validator or withdrawal private keys. The keys that control your stake never leave your possession. Keys never leave the chain.
  • ETH or other assets in custody. TrueStake cannot move funds and holds no crypto assets.
  • Your legal name or billing address. We identify you by email only; billing address, if any, is held by Stripe.
  • Payment card data. Stripe handles billing end-to-end.
  • IP address or location in our application database. IP addresses appear only transiently in infrastructure access logs under our vendors' retention policies; we do not copy them into our application database or use them for analytics.

The complete, canonical list — with rationale — is our public data-minimization standard.

How we use your data

We use the data above only to:

  1. Deliver the product — derive, reconcile, and display your staking-reward record and generate your tax report exports.
  2. Authenticate you — email + passkey sign-in via our auth provider.
  3. Operate and secure the service — incident response, abuse prevention, and account notifications.
  4. Bill you (when paid plans are active) — subscription management via Stripe.

We do not sell, license, or share your data with data brokers or advertisers, and we do not use your reward data, tax figures, or any customer data to train machine-learning models.

Sub-processors

We rely on a small set of vendors to process data on our behalf. The current roster, and which vendors touch personal data versus only public on-chain data, is maintained in our public Sub-Processor Disclosure. In summary:

  • Supabase — database, authentication, and encrypted storage of personal data.
  • Vercel — application hosting; transient access logs.
  • Stripe — payment processing (holds billing data we do not).
  • Sentry — error monitoring.
  • Resend — transactional email delivery.
  • Cloudflare — network and edge infrastructure.

Data retention

We retain your account data for as long as your account is active. Your derived reward record is retained so your historical tax reports remain reproducible. You may request deletion at any time (see "Your choices"). Infrastructure access logs are retained under our vendors' own retention policies, which we do not control.

Security

Personal data — including validator public keys, withdrawal addresses, and fee recipients — is encrypted at rest. We enforce row-level security so each user can access only their own data. TrueStake itself holds no SOC 2, ISO 27001, or PCI certification; our vendors' own certifications cover their infrastructure, not our application layer. Report a vulnerability via our security policy.

Your choices

  • Access and export. Your reward record and tax exports are available to you in-product (XLSX/CSV).
  • Deletion. Email support@truestake.io to request deletion of your account and associated personal data.
  • Correction. Contact us to correct account data.

If you reside in a jurisdiction that grants specific data rights (for example, California or the EU/UK), contact us and we will honor the rights available to you under applicable law. We will expand this section with jurisdiction-specific detail as our launch footprint is finalized.

Analytics

We collect first-party product-usage events (e.g., page views, feature usage) tied to a session identifier to understand and improve the product. We do not use third-party advertising trackers, and we do not copy IP addresses or precise location into our analytics.

Children

TrueStake is not directed to, and does not knowingly collect data from, anyone under 18.

Changes to this policy

We will post any changes here and update the "Effective" date. Material changes will be communicated to account holders by email.

Contact

Questions about this policy or your data: support@truestake.io.

Citations