ZexRail Privacy Policy

ZexRail LLC ("ZexRail," "we," "us," or "our") operates the ZexRail platform at zexrail.com, including the Rail Console, Verity Explorer, and associated APIs and services (collectively, the "Platform").

ZexRail is incorporated in North Carolina, United States.

1. Who This Policy Applies To

This policy applies to everyone who uses the Platform:

• Individual users — solo developers, researchers, and builders running agents under a Personal account
• Organization members — employees and contractors using ZexRail under an Organization account
• Developers — anyone accessing the Platform via API or SDK
• Verifiers — anyone using the Verity Explorer
• Visitors — anyone browsing zexrail.com, verityengine.io, or xap-protocol.org

Account Types

Personal Account — for individual developers and builders. You are the sole account holder. Where you are a consumer under applicable law, consumer protection rights apply.

Organization Account — for companies and teams. The organization is the account holder. The person creating the account represents they have authority to bind the organization.

The same data practices apply to both. Where legal requirements differ between individual consumers and businesses, we apply the stronger protection.

2. What We Collect

2.1 Account Information

• Name and email address
• Display name (Personal) or organization name (Organization)
• Account type (Personal or Organization)
• Password (bcrypt hash — never stored in plaintext)

2.2 Agent and Transaction Data

• Agent identifiers (agent_id, public keys)
• Negotiation records (terms, offers, outcomes)
• Settlement records (amounts in minor units, conditions, outcomes)
• Verity receipts (cryptographic proof of settlement decisions)
• API request logs (timestamp, endpoint, response code — no request bodies)

2.3 Technical Data

• IP address
• Browser and device type
• Session tokens (httpOnly cookies, not accessible by JavaScript)
• Pages visited and time spent

2.4 Payment Data

ZexRail does not store payment card data. Stripe handles all payments. ZexRail stores only: Stripe customer ID, Stripe Connect account ID, transaction status and amounts.

2.5 Communications

Email address, message content, and attachments when you contact us.

3. Legal Basis for Processing (GDPR)

We do not use consent as a legal basis except for optional marketing emails.

4. How We Use Your Data

We use your data to:

1. Authenticate you and provide the Platform
2. Process settlements and generate Verity receipts
3. Detect and prevent fraud and abuse
4. Send service updates and security alerts
5. Improve the Platform using aggregate, anonymized analytics
6. Comply with legal obligations

We do not sell your data, use it for advertising, or train AI models on your transaction data.

5. Data Sharing

We share data only with service providers bound by data processing agreements:

We disclose data to authorities only when required by law, and will notify you first unless legally prohibited.

6. Verity Receipts — Permanent Records

Verity receipts are append-only and published permanently to the public Verity Network (api.verityengine.io). They cannot be deleted.

Receipts do not contain personal data. They reference agent IDs, not human identities. The agent ID → human identity mapping exists only in your private ZexRail account, which is deleted when you close your account.

If you close your account:

• Private account data is deleted within 30 days
• Published Verity receipts remain on the public network permanently
• This is by design — it preserves settlement chain integrity

Attorney review note: Verify this design satisfies GDPR Article 17 right to erasure. The key question is whether agent IDs constitute personal data under GDPR.

7. Data Retention

8. Your Rights

All users:

• Access, correct, or delete your personal data
• Receive your data in a portable format

EU/UK residents (GDPR):

• Restrict processing
• Object to legitimate interest processing
• Lodge a complaint with your supervisory authority

California residents (CCPA/CPRA):

• Know what data we collect (this policy)
• Opt out of sale (we do not sell data)
• Non-discrimination for exercising rights

To exercise rights: Email privacy@zexrail.com — "Privacy Request." We respond within 30 days and may verify your identity first.

9. Cookies

We use only strictly necessary authentication cookies:

No advertising, tracking, or analytics cookies. No consent banner required.

Attorney review note: Confirm "strictly necessary" classification is correct for these cookies under ePrivacy Directive.

10. International Transfers

Our infrastructure is in the United States. EU/EEA/UK data transfers occur under Standard Contractual Clauses with each service provider.

11. Security

• AES-256 encryption at rest
• TLS 1.3 in transit
• httpOnly cookies (tokens inaccessible to JavaScript)
• Row-level security at database level
• Ed25519 signatures on all Verity receipts

We will notify you within 72 hours of discovering a breach affecting your personal data (GDPR Article 33).

12. Children

The Platform is not for anyone under 18. We delete data from minors immediately upon discovery.

13. Changes

We notify you by email at least 14 days before material changes. Continued use after the effective date constitutes acceptance.

14. Contact

Privacy: privacy@zexrail.com

ZexRail LLC, North Carolina, United States

EU Representative: [Attorney to advise — GDPR Article 27]

Draft. Attorney review required before publication.