Privacy Policy

How 5arz collects, uses, discloses, and protects personal information. We default to collecting less. Sensitive identity, banking, and biometric data never touch our servers — they flow directly from your device to regulated, certified processors.

Effective: 2026-05-10  ·  Version: 1.0  ·  Contact: privacy@5arz.com

01 Scope & who we are

This Privacy Policy (the “Policy”) explains how 5arz Foundation (Cayman Islands) and its operating subsidiary 5arz, Inc. (a Delaware C-Corp) — together, “5arz,” “we,” “us,” or “our” — collect, use, disclose, and safeguard personal information when you visit 5arz.com (the “Site”), participate in the verify flow at /verify, or otherwise interact with the 5arz protocol and services (collectively, the “Services”).

This Policy applies to personal information about visitors, applicants, and verified members of the 5arz protocol. It does not apply to information you provide directly to third-party processors through their own interfaces.

02 Information we collect

Core principle

We default to collecting less. Sensitive identity, banking, and biometric data — Social Security numbers, bank login credentials, full card numbers, government-issued ID documents, live selfies — never touch our servers. They flow from your device directly to certified processors (Stripe Identity, Method Financial, Plaid). We receive only verification results, tokenized references, and cryptographic attestation hashes.

2.1 Information you give us directly

  • Account basics: name, email address, phone number, country of residence — captured at sign-up via Google Sign-In or manual entry.
  • Member-supplied debt information: when you choose to enter debt details manually rather than via a connected provider.
  • Support correspondence: messages you send to info@5arz.com, security@5arz.com, or privacy@5arz.com.
  • Optional survey or research responses if you participate in voluntary research.

2.2 Information we receive from third-party processors

  • Identity verification results from Stripe Identity — a pass/fail status, last 4 of the ID document number, document type, and country. We do not store the full document or the selfie image.
  • Debt/credit metadata from Method Financial or Plaid Liabilities — creditor names, balances, APRs, account types, masked account identifiers. We do not store bank login credentials or full account numbers.
  • Payment metadata from Stripe — last 4 of card, brand, expiry, ZIP. We never see the full card number or CVV.
  • Sign-in identity from Google Identity Services — your verified email, display name, profile picture URL, and Google account identifier (sub claim).

2.3 Information collected automatically

  • Request logs at the Cloudflare edge — IP address, user-agent, request path, response code, country (derived from IP), and correlation ID. Retained 30 days at the edge.
  • Cookies and similar technologies — see Section 8.
  • Language preference stored locally in your browser via localStorage so the Site renders in your chosen language across visits.

2.4 Information generated on-chain

  • Public Base L2 addresses associated with your member account once you complete verification.
  • Attestation hashes — cryptographic commitments derived from your identity and recoverability inputs. Hashes do not reveal the underlying data.
  • Transaction history for tokens you hold under the protocol, which is public by the nature of any L2 blockchain.

03 How we collect it

We collect information through four channels:

  • Direct submission — forms, sign-up, and support emails.
  • Third-party processors — Stripe Identity, Method Financial, Plaid, Google Identity Services. These processors collect data on their own interfaces under their own privacy policies (linked in Section 7).
  • Automatic technical collection — request logs at the Cloudflare edge, in-browser cookies and storage, and standard server telemetry.
  • Public blockchain data — anything you write to Base L2 is, by definition, public.

04 Why we use it

  • Provide the Services: verify identity, enumerate debts, route payoffs, mint protocol tokens, support recovery flows.
  • Operate the platform: authenticate sessions, prevent fraud and abuse, maintain availability, debug issues.
  • Communicate with you: respond to support, send transactional notifications about your account, deliver legally required notices.
  • Improve and secure the Services: diagnose errors, refine UX, monitor for security incidents, train internal systems on aggregated and de-identified data.
  • Comply with law: respond to lawful requests, enforce our terms, defend rights and safety.

We do not sell or rent personal information. We do not use personal information to build advertising profiles or share it with advertisers.

05 Legal bases (GDPR)

If you are located in the EU, UK, or another GDPR-aligned jurisdiction, we rely on the following legal bases under Article 6 GDPR:

Purpose | Legal basis
Providing the Services you requested | Contract (Art. 6(1)(b))
Identity verification & AML / KYC | Legal obligation (Art. 6(1)(c))
Operating the platform; preventing fraud; security | Legitimate interests (Art. 6(1)(f))
Optional marketing or research communications | Consent (Art. 6(1)(a))
Processing biometric data for verification | Explicit consent (Art. 9(2)(a)); performed by Stripe Identity, with only the results delivered to us

06 Who we share with

We share personal information only with the following categories of recipients, and only as needed:

  • Service providers and sub-processors who process data on our behalf under written agreements with confidentiality and security obligations — see Section 7.
  • Professional advisors — counsel, auditors, accountants, and tax advisors operating under professional duties of confidentiality.
  • Law enforcement and regulators when we are legally required to disclose, or when disclosure is necessary to protect rights, property, or safety.
  • Successors in interest in the event of a merger, acquisition, financing, or asset sale — subject to a successor commitment to honor this Policy.

We do not share personal information with advertisers, data brokers, or any party for their own marketing purposes.

07 Sub-processors

5arz uses a small set of certified sub-processors. Each is contractually bound to security and confidentiality obligations, and each holds applicable certifications:

Sub-processor | Purpose | Certifications
Cloudflare, Inc. | Edge hosting, DNS, WAF, request logging, secret vault | ISO 27001, SOC 2 Type II, PCI-DSS
Stripe, Inc. | Identity verification (Document + Selfie) and payments | PCI-DSS Level 1, SOC 2 Type II, ISO 27001
Method Financial, Inc. | Debt enumeration and payoff routing | SOC 2 Type II
Plaid Inc. | Optional bank-link and liabilities lookup | SOC 2 Type II, ISO 27001
Google LLC | Sign in with Google (OAuth), optional Google Translate UI | ISO 27001, SOC 2, SOC 3
Base / Coinbase | L2 blockchain settlement (public chain) | SOC 1 Type II, SOC 2 Type II (Coinbase)

Our current sub-processor list is maintained on this page. We will notify members of any material addition or replacement at least 30 days before it takes effect, where feasible.

08 Cookies & tracking

We use a minimal set of cookies and similar technologies:

  • Strictly necessary — session, CSRF, and authentication cookies required for the Services to function. These cannot be disabled.
  • Functional — a localStorage entry that remembers your chosen language so the Site renders in your preferred language on return visits.
  • Sub-processor cookies — Stripe, Plaid, Method, and Google set their own cookies when you interact with their embedded interfaces, under their own privacy policies.

We do not use third-party advertising cookies, behavioral profiling cookies, or cross-site tracking pixels. We do not knowingly respond to ad-network bid signals.

We honor Global Privacy Control (GPC) signals where applicable: if your browser transmits a GPC header, we treat that as a do-not-sell-or-share opt-out for U.S. state privacy law purposes.

09 Retention

We retain personal information only as long as we need it for the purposes described in this Policy or as required by law:

  • Account information — for the life of the member account plus 7 years to satisfy financial-services recordkeeping obligations.
  • Identity verification results — same retention as the account; we do not retain the underlying ID document or selfie images.
  • Edge request logs — 30 days at the edge; exported to long-term storage only on incident.
  • Support correspondence — 3 years from the last interaction.
  • Aggregated, de-identified analytics — indefinitely, as it no longer constitutes personal information.
  • On-chain data — public, immutable, and outside any party's ability to delete. We will not transmit any personal data to the chain.

10 Security

5arz operates a documented Information Security Management System (ISMS) aligned to ISO/IEC 27001:2022 and the AICPA SOC 2 Trust Services Criteria. Highlights:

  • TLS 1.3 only; HSTS with preload; full Content-Security-Policy on every page.
  • All secrets stored in the Cloudflare Worker encrypted vault — never in code, never in git.
  • Webhook signature verification (HMAC SHA-256, 5-minute replay window) on every Stripe event.
  • Hardware-backed 2FA on all production accounts; multi-sig (2-of-3) on all privileged on-chain actions.
  • PII boundary: Social Security, bank login, and card data never touch 5arz servers.
  • Public security disclosure channel: security.txt · security@5arz.com.

No system is perfectly secure. If we discover a breach affecting your personal information, we will notify you and applicable regulators within the windows required by law.

11 Your rights

Depending on where you live, you may have the right to:

  • Access — request a copy of the personal information we hold about you.
  • Correct — ask us to fix inaccurate or incomplete information.
  • Delete — ask us to delete information, subject to legal-retention exceptions.
  • Portability — receive your data in a structured, machine-readable format.
  • Restrict or object — limit how we process your data in certain circumstances.
  • Withdraw consent — where processing is based on consent, withdraw it at any time.
  • Opt out of sale or sharing — although we do not sell or share personal information.
  • Non-discrimination — exercise your rights without retaliation or degraded service.

To exercise any right, email privacy@5arz.com. We will respond within 30 days (45 days for complex requests, with notice). We may need to verify your identity before fulfilling the request.

12 California (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the CCPA):

  • Right to know what categories and specific pieces of personal information we collect, the sources, purposes, and recipients.
  • Right to delete personal information we have collected, subject to legal exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing — we do not sell or share personal information for cross-context behavioral advertising. We honor GPC signals.
  • Right to limit use of sensitive personal information — we use sensitive personal information only as permitted by §7027 of the CCPA regulations.
  • Right to non-discrimination for exercising your rights.

Notice of financial incentives: 5arz does not offer financial incentives in exchange for personal information.

To submit a verifiable consumer request, email privacy@5arz.com. You may also designate an authorized agent to submit requests on your behalf.

13 EU / UK (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, your rights under Articles 15–22 of the GDPR are described in Section 11, and the legal bases for our processing are in Section 5.

The data controller is 5arz, Inc. (Delaware C-Corp). We will designate an EU/UK representative under Article 27 GDPR before we begin offering Services to EEA/UK members, and we will update this Policy with their name and contact details at that time.

You have the right to lodge a complaint with your local data protection authority. We encourage you to contact us first at privacy@5arz.com so we can try to resolve the issue.

14 Children

The Services are not directed to anyone under 18, and we do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, email privacy@5arz.com and we will delete it.

15 International transfers

We are headquartered in the Cayman Islands with operations in the United States. When we transfer personal information across borders, we rely on appropriate safeguards, including Standard Contractual Clauses approved by the European Commission, the UK International Data Transfer Addendum, and equivalent mechanisms. Our certified sub-processors operate similar transfer mechanisms.

16 Changes

We may update this Policy from time to time. When we do, we will revise the “Effective” date at the top and, for material changes, notify members by email at least 30 days before the change takes effect (where feasible). Continued use of the Services after the effective date constitutes acceptance of the updated Policy.

17 Contact us

Questions, requests, complaints, or disclosure reports:

© 2026 5arz, Inc. All rights reserved.