privacy policy
what we collect, why, how we retain it, and how you exercise rights under ccpa/cpra (california), gdpr (european union), and lgpd (brazil).
version 0.1 · published 2026-04-17 · controller: aevia llc · delaware, usa
who controls your data
the controller (data controller / operador) is aevia llc, a delaware limited liability company, united states of america. privacy contact: contact@aevia.network. for lgpd in brazil, this address also functions as the encarregado/dpo channel.
what we collect and why
the aevia design minimizes collection of personal data. what we collect, we collect with explicit purpose:
- email — when you reach out, ask to join the provider-node waitlist, or file a dmca notice. purpose: respond to the specific request.
- wallet address — when you sign a manifest or operate a provider node. it is a public identifier on base l2; we do not treat it as a secret, but we record its association with your operation.
- technical request logs — ip, user-agent, route, status code, timestamp. purpose: service operation, security, debugging. maximum retention: 30 days.
- aggregate metrics — request counts and aggregated geographic origin via cloudflare analytics. these do not identify individuals.
aevia does not collect sensitive data (art. 11 lgpd, art. 9 gdpr) without explicit consent and specific purpose. aevia does not build commercial profiles, does not sell personal data under the ccpa definition, and does not share data with data brokers.
legal basis for processing
the legal bases under gdpr art. 6 and lgpd art. 7 are:
- contract performance — to operate the service you requested (sign a manifest, operate a provider node).
- legitimate interest — for security, fraud prevention, and debugging (technical logs).
- legal obligation — to respond to dmca takedowns, subpoenas, ncmec reports.
- consent — when explicitly requested (e.g., communication about protocol updates).
rights you have
depending on your jurisdiction, you have rights over your personal data. aevia recognizes them universally, to the fullest extent we can operationally support. send a request to contact@aevia.network with the subject "privacy request" and specify which right you are exercising. we reply within 30 days.
- access — obtain a copy of the personal data we hold (ccpa §1798.100, gdpr art. 15, lgpd art. 18 II).
- rectification — correct inaccurate data (gdpr art. 16, lgpd art. 18 III).
- deletion — delete data no longer necessary (ccpa §1798.105, gdpr art. 17, lgpd art. 18 VI). caveat: manifests anchored on base l2 are immutable by design; what we can delete are off-chain associations.
- portability — receive your data in a structured format (gdpr art. 20, lgpd art. 18 V).
- objection / sale opt-out — restrict legitimate-interest processing (gdpr art. 21). aevia does not sell data, but we respect such objection as general policy (ccpa §1798.120).
- human review — for automated decisions that significantly affect you (gdpr art. 22, lgpd art. 20). applicable to the risk score; you may request manual review.
retention and minimization
technical logs: 30 days. contact records (emails): 2 years. dmca and counter-notification records: as required by law (17 u.s.c. §512). ncmec reports: 90 days per 18 u.s.c. §2258a(h). we delete data once it leaves all these windows.
international transfers
aevia is based in the united states. data of european economic area users transferred to the united states is protected by standard contractual clauses (gdpr art. 46(2)(c)). for brazilian data subjects, international transfers rely on specific clauses per lgpd art. 33. we will update this paragraph if we join the eu–us data privacy framework.
third-party processors
aevia uses the following processors to operate the service. each has a formal data processing agreement (dpa) and cannot use the data for its own purposes:
- cloudflare — hosting, cdn, aggregated analytics, email routing. standard dpa.
- privy — embedded wallet and creator authentication. data: wallet address, optional email.
- base (coinbase) — l2 blockchain network where manifests are anchored. all transactions are public by design.
cookies
aevia.network uses only strictly necessary cookies (language toggle, privy session). there are no tracking, advertising, or third-party analytics cookies. if we add any in the future, a consent banner is required (gdpr ePrivacy, lgpd art. 8).
minor privacy
per aup §3, aevia is not directed to users under 13 (coppa) or under 16 in the eea (gdpr art. 8), and requires parental authorization for ages 13–17 in brazil (lgpd art. 14). if we discover personal data of a minor below the applicable age, that data is deleted without the need for a formal request.
changes to this policy
when we materially amend this policy, we update the version at the top and publish a notice on the roadmap. changes that restrict data-subject rights take effect 30 days after publication, giving you time to exercise your current rights beforehand.
aevia llc · delaware, usa · contact@aevia.network. for complaints to a supervisory authority: usa — state ag of residence; eea — national data protection authority; brazil — autoridade nacional de proteção de dados (anpd).