Soulidity
Effective 2026-04-29

Privacy Policy

What we collect, why we collect it, and where it lives.

1. Scope

This policy applies to the Soulidity web marketplace, community, Desktop client, and related APIs. On-chain state on the Sui blockchain is publicly visible and is not controlled by this policy.

2. Data We Collect

  • Identity — Sui wallet address, wallet login challenge records, Telegram user ID and name where applicable, desktop access tokens, and agent API keys, collected when you authenticate.
  • On-chain mirrors — Soul, grant, collection, and transaction metadata sourced from the Sui blockchain and mirrored to our database.
  • Community content — posts, comments, votes, bookmarks, and reports you submit.
  • Operational logs — request logs, error traces, and rate-limit counters used to operate and secure the Service.
  • Product analytics — page views, client-side errors, performance metrics, and product event telemetry (e.g. wallet login, Soul publish, Telegram bot interaction). When you are signed in, events are tied to your member ID and may include your Sui wallet address, Telegram user ID, or Telegram chat ID so we can debug per-account issues. Click and navigation autocapture runs with text and element-attribute masking enabled and with personal-data URL parameters masked, so only structural metadata (element type, CSS classes, page paths) is recorded. Session replay is enabled with input masking (`maskAllInputs`) and text masking by default; only elements explicitly marked `data-ph-allow` are recorded as plaintext in replay. Sensitive fields (passwords, secrets, tokens, mnemonics, private keys, Seal session keys, Walrus blob bodies, email) are scrubbed before ingestion on both client and server.
  • Device telemetry — the Desktop client may send session validation pings and error reports tied to your linked account. No keystrokes or screen content are collected.

3. Soul Content Storage

Encrypted Soul bundles (memory, skills, assets) are stored on Walrus, a decentralized blob store. Decryption keys are gated by Seal policy tied to on-chain ownership and active grants. We do not read or index the plaintext contents of your Soul bundles.

4. How We Use Data

  • Authenticate you and enforce on-chain ownership or grant scopes.
  • Display marketplace listings, Soul metadata, and community posts.
  • Debug issues, monitor abuse, and improve the Service.
  • Send critical service notifications (e.g., grant changes, listing events).

We do not sell your personal data. We do not use it for third-party advertising.

5. Third-Party Services

  • Supabase — managed PostgreSQL hosting.
  • Sui — on-chain state and RPC.
  • Walrus — encrypted content storage.
  • Seal — access-control and key distribution.
  • Telegram — community bot surfaces.
  • Vercel — web hosting and, if enabled, analytics.
  • PostHog— product analytics, session replay (with input/text masking), feature flags, and error monitoring. Receives the event categories listed in “Product analytics” above, including signed-in member, wallet, and Telegram identifiers.

Each provider handles data under its own policy; on-chain data is, by design, public.

6. Cookies & Local Storage

We use essential cookies and browser storage to keep you signed in, replay pending actions after login, and remember preferences. We do not use third-party advertising cookies.

7. Retention

We retain off-chain identity records for as long as your account is active and for a reasonable period thereafter to support dispute resolution, fraud prevention, and legal obligations. On-chain data is permanent and cannot be deleted by us.

8. Your Rights

Depending on your jurisdiction (e.g., GDPR, CCPA), you may request access, correction, or deletion of off-chain personal data, and may object to certain processing. Contact us via the official community channel to exercise these rights. Note that on-chain data (your Sui address, transactions, grants) cannot be erased.

9. Security

We apply industry-standard safeguards (TLS, HSTS, strict security headers, per-service API keys, rate limiting). No internet service is perfectly secure; report suspected vulnerabilities responsibly.

10. Children

Soulidity is not directed at children under 13 (or the equivalent age of digital consent in your jurisdiction). We do not knowingly collect data from children.

11. Changes

We may update this policy. Material changes will be announced in-app or via the community channel.

12. Contact

Privacy questions may be directed to the Soulidity team via the official community channel or the contact listed on the repository README.