Privacy Policy

Last updated: June 25, 2026

Summary
What We Collect
What We Do Not Collect
How API Queries Work
Cryptocurrency Payments
Data Retention
Third-Party Services
Your Rights
Children's Privacy
Changes to This Policy
Contact

Summary

Onchain Diary is an on-chain risk intelligence API. You query wallet addresses and token contracts; we return risk analysis. No accounts, no tracking, no cookies.

The only data we process is what's necessary to serve your request: the address you query, your IP for rate limiting, and — for paid requests — your payment signature. We don't build user profiles.

What We Collect

We process the minimum data required to operate the API:

IP addresses — used solely for rate limiting (max 30 requests/minute per IP). Stored in cache for 60 seconds, then automatically deleted.
Query parameters — the wallet or token address you submit via the API URL (e.g., /api/v1/risk/token/0x...). Cached for performance: token results for 3 hours, address results for 1 hour, then automatically deleted.
Payment signatures — for paid API requests, an EIP-3009 cryptographic signature authorizing a USDC transfer. Verified mathematically and immediately discarded. We do not store the signature itself — only a hash of its nonce (a random identifier) for 24 hours to prevent replay attacks.

What We Do Not Collect

No accounts or logins. The API is accessed without registration.
No email addresses or personal identifiers.
No cookies or tracking pixels.
Anonymous analytics only. We use Umami, a privacy-focused analytics tool that does not use cookies and does not collect personal data. It records aggregate page views (URL path, referrer, browser type, approximate country) — no IP addresses, no user profiles, no cross-site tracking.
No browser fingerprinting.
No wallet connections. We never ask you to connect a wallet or sign messages beyond the payment itself.

How API Queries Work

When you query our API with a wallet or token address, we forward that address to one or more third-party blockchain data providers to compile the risk analysis. The address is necessary for the query — there is no way to provide risk analysis without knowing which address to analyze.

Results are cached by address in our infrastructure to improve response times for repeated queries. Cached data contains only the risk analysis output — not your identity or request metadata.

Cryptocurrency Payments

Paid API requests use the x402 payment protocol with USDC on the Base network. Here's exactly what happens:

You sign an EIP-3009 TransferWithAuthorization message authorizing a USDC transfer.
We verify the signature mathematically (confirms you own the wallet and authorized the payment).
The payment is settled on-chain — the USDC is transferred.
The signature itself is not stored. Only a hash of the nonce is kept for 24 hours to prevent the same payment from being reused.

Your wallet address is visible on the public blockchain as part of the transaction. This is inherent to how blockchains work — we cannot prevent it. We do not store or link your wallet address to any identity or usage profile beyond what's described above.

Data Retention

Data	Purpose	Retention
IP address	Rate limiting	60 seconds
Anonymous analytics	Aggregate traffic insights (Umami, no cookies)	Not individually identifiable
Cached risk results	Performance	1–3 hours (by type)
Payment nonce hash	Replay prevention	24 hours

Nothing is stored beyond these short windows. We have no long-term database of queries, users, or transactions.

Third-Party Services

To compile risk analysis, we query the following blockchain data providers. The address you submit is sent to these services as part of the analysis request:

GoPlus Security API — token and address security data (honeypot detection, holder analysis, liquidity checks). GoPlus Privacy Policy.
Etherscan API — contract verification and source code data. Etherscan Terms.
OKX DEX API — liquidity and price impact analysis. OKX Terms.

Infrastructure: The site is hosted on Cloudflare Pages with Cloudflare KV for caching. Cloudflare processes IP addresses and request metadata as part of its standard CDN operation. Cloudflare Privacy Policy.

We do not share any data with advertising networks, social media platforms, or data brokers.

Your Rights

Because we don't maintain user accounts or store personal data tied to your identity, traditional data subject requests (access, deletion, correction) are generally not applicable. The data we process is ephemeral and automatically deleted within the retention windows listed above.

If you have a specific concern about data we may have processed, contact us at the email below.

Children's Privacy

This service is not directed to children under 13. We do not knowingly collect data from children. If you believe a child has used this service, please contact us.

Changes to This Policy

We may update this policy as the service evolves. Material changes will be reflected by updating the "Last updated" date at the top. Continued use of the API after changes constitutes acceptance.

Contact

Questions about this policy? Email hi@theonchaindiary.com.