1. Overview and Data Controller
This Privacy Policy describes how Fluxa Ventures LLC ("Fluxa Ventures," "we," "us," or "our"), a Washington limited liability company, collects, uses, stores, and discloses personal data in connection with the Oris platform accessible at useoris.xyz and useoris.xyz.
Fluxa Ventures LLC is the data controller for personal data processed in connection with developer accounts, API access, and compliance operations. For the purposes of EU General Data Protection Regulation (GDPR) processing, Fluxa Ventures LLC is the controller of personal data submitted by EU-resident users.
If you have questions about this policy or wish to exercise your data rights, contact us at privacy@useoris.xyz or our Data Protection Officer at dpo@fluxa.ventures.
2. Data We Collect
2.1 Account and Registration Data
When you create a developer account on Oris, we collect: full name, email address, company name, country of residence or incorporation, and billing information (processed by our payment processor; we do not store full payment card numbers).
2.2 Agent and Transaction Data
The Oris platform processes data about the AI agents you register and the transactions they initiate. This includes: agent identifiers, wallet addresses, transaction amounts, counterparty wallet addresses, transaction timestamps, blockchain network identifiers, and transaction hashes. This data is used to provide the Services and to fulfill our compliance obligations.
2.3 KYA Verification Data
As part of the Know Your Agent (KYA) process, we collect information about the agents you register, including the scope of authority, developer authorization records, and any documentation submitted in connection with KYA Level 2 or Level 3 verification. Where KYA processes require collecting personal data about individuals associated with your organization, we collect only the minimum data necessary to complete verification.
2.4 Compliance and AML Screening Data
To meet our legal obligations under applicable AML and sanctions laws, we process transaction data through the Veris Engine, which includes screening wallet addresses and associated entities against global sanctions lists and risk databases maintained by third-party compliance data providers. This processing is a legal obligation and cannot be opted out of.
2.5 Usage and Technical Data
When you use the Oris platform or API, we collect technical data including: IP addresses, API request logs, response times, error codes, user agent strings, session identifiers, and feature usage patterns. This data is used to operate, maintain, and improve the Services.
2.6 Communications Data
If you contact our support team, we collect records of those communications including email content, support ticket data, and any attachments you provide.
3. How We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Providing the Oris platform and API | Account data, agent data, transaction data | Contract |
| AML and sanctions screening | Wallet addresses, transaction data, KYA data | Legal obligation |
| Billing and fee collection | Account data, transaction volume data | Contract |
| Fraud prevention and security | Usage data, IP addresses, behavioral signals | Legitimate interests |
| Compliance reporting (SAR, regulatory filings) | Transaction data, compliance screening results | Legal obligation |
| Platform improvement and model training | Aggregated, anonymized usage and transaction data | Legitimate interests |
| Customer support | Communications data, account data | Contract / legitimate interests |
| Legal and regulatory compliance | All categories as required by applicable law | Legal obligation |
4. Legal Bases for Processing (GDPR)
For users subject to the EU General Data Protection Regulation, Fluxa Ventures LLC processes personal data on the following legal bases:
- Contract (Article 6(1)(b)): Processing necessary to perform the contract we have with you, including account management, API access, and billing.
- Legal Obligation (Article 6(1)(c)): Processing required to comply with applicable law, including AML legislation, sanctions regulations, financial record-keeping requirements, and mandatory regulatory reporting.
- Legitimate Interests (Article 6(1)(f)): Processing for fraud prevention, platform security, product improvement using anonymized data, and customer support, where our interests are not overridden by your fundamental rights and freedoms.
- Consent (Article 6(1)(a)): For optional communications such as product newsletters or marketing emails, where we rely on your express consent, which you may withdraw at any time.
5. Data Sharing and Disclosure
We do not sell your personal data. We share your data only in the following circumstances:
5.1 Compliance Data Providers
We share wallet address and transaction data with third-party blockchain analytics and compliance data providers, including providers such as Chainalysis, Elliptic, or TRM Labs, for the purpose of AML screening, sanctions checking, and risk scoring. These providers act as data processors under agreements that comply with applicable data protection law.
5.2 Cloud Infrastructure
The Oris platform operates on cloud infrastructure. Your data is processed on servers operated by our infrastructure providers in compliance with applicable data protection requirements.
5.3 Payment Processing
Billing data is processed by our payment processor (Stripe Inc.) under its own privacy policy. We do not store full payment card numbers.
5.4 Legal and Regulatory Disclosure
We may disclose your data to government authorities, regulatory bodies, or law enforcement where required by applicable law, court order, or regulatory direction. This includes the filing of Suspicious Activity Reports (SARs) under applicable AML regulations. We are not always permitted to notify you of such disclosures.
5.5 Business Transfers
In the event of a merger, acquisition, or sale of substantially all of Fluxa Ventures LLC's assets, your data may be transferred to the successor entity, subject to the same protections described in this policy.
6. International Data Transfers
Fluxa Ventures LLC is based in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data may be transferred to and processed in the United States or other countries that may not provide the same level of data protection as your home jurisdiction.
Where we transfer personal data from the EEA to the United States or other third countries, we rely on appropriate transfer mechanisms including Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms as applicable. You may request a copy of the applicable transfer safeguards by contacting dpo@fluxa.ventures.
7. Data Retention
We retain personal data for as long as necessary to fulfill the purposes described in this policy, or as required by applicable law. Key retention periods:
- Account data: Retained for the duration of your account and for five (5) years following account closure, to comply with financial record-keeping requirements.
- Transaction and compliance data: Retained for a minimum of five (5) years following the transaction date, or longer where required by applicable AML or financial regulation.
- API logs: Retained for ninety (90) days for security and debugging purposes; aggregate metrics are retained indefinitely.
- Support communications: Retained for three (3) years following resolution of the support interaction.
We will delete or anonymize personal data when retention is no longer required, subject to any applicable legal holds.
8. Your Rights (EEA and UK Users)
If you are located in the EEA or United Kingdom, you have the following rights under the GDPR or UK GDPR:
- Access: You may request a copy of the personal data we hold about you.
- Rectification: You may request correction of inaccurate personal data.
- Erasure: You may request deletion of your personal data, subject to our legal obligations and legitimate interests. We cannot erase data we are required to retain by law, including AML compliance records.
- Restriction: You may request that we restrict processing of your personal data in certain circumstances.
- Portability: You may request a machine-readable copy of personal data you have provided to us.
- Objection: You may object to processing based on legitimate interests. You may not object to processing required by law.
- Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise these rights, contact privacy@useoris.xyz. We will respond within thirty (30) days. You also have the right to lodge a complaint with your local supervisory authority if you believe we have processed your data unlawfully.
9. California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with the following rights:
- Know: You have the right to know what personal information we collect, use, disclose, and sell about you.
- Delete: You have the right to request deletion of your personal information, subject to certain exceptions including legal compliance obligations.
- Opt-Out of Sale: Fluxa Ventures LLC does not sell personal information. No opt-out is required.
- Non-Discrimination: We will not discriminate against you for exercising your California privacy rights.
- Correct: You have the right to request correction of inaccurate personal information.
- Limit Use of Sensitive Personal Information: We process sensitive personal information only as necessary to provide the Services and to fulfill legal obligations.
To exercise California privacy rights, contact privacy@useoris.xyz or write to us at the address in Section 14.
10. Security
Fluxa Ventures LLC implements technical and organizational measures designed to protect personal data from unauthorized access, disclosure, alteration, and destruction. These measures include: TLS encryption for data in transit; encryption at rest for sensitive data; access controls and audit logging; regular security assessments; and incident response procedures.
No security measure is infallible. In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you and applicable supervisory authorities as required by applicable law.
11. Children's Privacy
The Oris platform is intended exclusively for users aged eighteen (18) and above. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a person under the age of eighteen, we will take prompt steps to delete that data. If you believe a child has provided us with personal data, contact privacy@useoris.xyz.
12. Cookies
We use cookies and similar technologies on the Oris website and developer portal. Please review our Cookie Policy for full details on what cookies we use and how you can manage your preferences.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. We will provide notice of material changes by email or by posting a notice on the platform. We will always indicate the effective date at the top of this policy. Your continued use of the Services after the effective date of the updated policy constitutes acceptance.
14. Contact and DPO
For privacy inquiries, data subject rights requests, or to contact our Data Protection Officer:
Data Protection Officer
Fluxa Ventures LLC
dpo@fluxa.ventures
privacy@useoris.xyz
useoris.xyz