Privacy Policy
Last updated: May 24, 2026
1. Scope
This policy covers data handled by Enso when you visit ensohq.xyz, place an order, or call the API at api.ensohq.xyz. It does not cover the upstream provider, whose own policies apply once a request leaves our proxy.
2. What we collect
- Email address. Entered at checkout, used to deliver keys and respond to support requests.
- On-chain payment data. The wallet address that paid, the transaction hash, the amount, the network, and the package selected. This data is public on the relevant blockchain regardless of our actions.
- API request metadata. When you call api.ensohq.xyz, we log timestamp, IP address, key identifier (hashed), endpoint, response status, and bytes transferred. We do not log request or response bodies.
- Standard web logs. IP, user agent, and referer for pages on ensohq.xyz, kept for abuse prevention.
3. What we do not collect
- We do not log prompts, completions, or any model input/output that passes through the proxy.
- We do not run third-party analytics, ad pixels, or fingerprinting scripts.
- We do not ask for your name, phone number, address, or government ID.
4. Third parties
- Resend. Email delivery for order receipts. Receives your email address and the key payload.
- Vercel. Frontend hosting. Receives standard request metadata.
- RPC providers (Alchemy, publicnode.com). Used to watch the payment wallet. They see queries to public addresses, not user data.
- Upstream API provider. Receives every request you make through api.ensohq.xyz. Their own policies govern that data.
5. Retention
- Email and order records: kept indefinitely for refund or replacement claims, unless you request deletion (see Section 7).
- API request metadata: 30 days.
- Web logs: 14 days.
6. Security
Data in transit is encrypted with TLS. The shop database lives on a private server. Keys are moved from inventory to a dispensed table on sale, then transmitted once and never re-displayed. No security is perfect. Do not assume any system is unbreachable, and store delivered keys securely on your side.
7. Your rights
You may request deletion of your email and order records at any time by writing to the contact address. On-chain payment data cannot be deleted by us, as it is public ledger data outside our control.
8. Children
The Service is not directed to anyone under 18 and we do not knowingly collect data from children.
9. Changes
Updates appear here with a new “Last updated” date. Material changes will be reflected on the home page or in your next order receipt.
10. Contact
Privacy questions or deletion requests: contact us.