Privacy Policy

This Privacy Policy explains how The Monster Lab Inc. ("ONPROOF", "we", "us") collects, uses, and protects personal information when you use the website at onproof.io, our APIs, and any related services (collectively, the "Service").

By using the Service you agree to this Policy. If you do not agree, please do not use the Service. This Policy is supplemented by the Terms of Service.

We collect the minimum data needed to operate the Service and fulfil legal obligations.

• Account data — email address, hashed password, chosen nickname, and authentication metadata (OAuth provider IDs when you sign in with Google).
• Service data — Watchlist entries, Alerts read state, notification channel preferences (Telegram / Facebook identifiers if you opt in), campaign participations, and any content you submit through Contact Us.
• Billing data — when applicable, payment processor tokens and invoice records. Card numbers are stored only by our payment processor, never by us.
• Technical data — IP address, user agent, referrer, and request timestamps, logged for security and anti-abuse purposes.
• Cookies & similar — see §5.

We do not collect connected wallet addresses, holdings, or balances. Token-rating data is based only on publicly verifiable on-chain and off-chain signals about the tokens themselves.

• To create and operate your account.
• To deliver core features: ratings, alerts on watched tokens, daily digest, campaign participation.
• To process subscription billing and prevent fraud.
• To respond to inquiries you send via Contact Us.
• To improve methodology coverage and data quality (aggregated and de-identified usage signals only).
• To meet legal, regulatory, and tax obligations.

We do not sell personal information, and we do not use it to train third-party AI models.

We share personal information only in the following cases:

• Service providers — auth (Supabase), hosting (Cloudflare), payments (Stripe), email and messaging (Telegram / Meta where you opt in). Each is bound by a written data-processing agreement.
• Legal requirements — when required by law, court order, or to protect the rights, property, or safety of ONPROOF or others.
• Business transfers — if we are acquired, merged, or reorganised, account data may transfer to the successor under terms no less protective than this Policy.

We use first-party cookies for authentication, session state, collapse / dark-mode preferences, and i18n locale. We do not use third-party advertising or cross-site tracking cookies. Analytics, if enabled, is privacy-preserving and aggregated.

Account data is retained while your account is active. When you request deletion (see §7) we enter a 30-day grace period during which you can cancel by logging in. After the grace period, account data, Watchlist, Alerts, and notification channels are permanently deleted, except where retention is required by law (e.g. tax records for billing transactions, typically 5–7 years).

Depending on your jurisdiction, you may have the right to:

• Access and download a copy of the personal data we hold.
• Correct inaccurate or outdated personal data.
• Delete your account and associated data (via Settings → Danger Zone).
• Object to or restrict certain processing.
• Withdraw consent for optional channels (Telegram, Facebook Messenger, marketing emails) at any time.
• Lodge a complaint with your local data protection authority.

To exercise these rights, contact us at privacy@onproof.io or via the Contact Us form. We respond within 30 days.

We use industry-standard safeguards: TLS for all data in transit, encryption at rest for sensitive fields, principle-of-least-privilege access controls, regular security reviews, and Supabase Row Level Security on every user table. Passwords are hashed (bcrypt or stronger) and never stored in plaintext. No system is perfectly secure — please report suspected vulnerabilities to security@onproof.io.

Our servers are located in South Korea and the United States. If you access the Service from outside these regions, your data will be transferred internationally. Where applicable (e.g., EEA / UK residents), we rely on Standard Contractual Clauses or equivalent safeguards.

The Service is not intended for users under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@onproof.io and we will delete it.

We may update this Policy from time to time. Material changes will be announced through Notice and, where required by law, by email at least 30 days before they take effect. The effective date at the top of this page reflects the most recent revision.

Questions about this Privacy Policy can be sent to privacy@onproof.io, through the Contact Us form, or by post to:

The Monster Lab Inc.
Privacy Officer
Seoul, Republic of Korea