Privacy Policy

Effective Date: 15 March 2026 Last Updated: 28 March 2026

Introduction

This Privacy Policy describes how Hiddentao Labs Pte. Ltd. ("we", "us", "our"), a company incorporated in Singapore, collects, uses, discloses, and protects your personal data when you use the Nipper platform ("Platform"), including our website, APIs, and related services.

We are committed to complying with the Singapore Personal Data Protection Act 2012 ("PDPA"). Where applicable, we also respect the rights of individuals under the EU General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act ("CCPA").

By using the Platform, you acknowledge that you have read and understood this Privacy Policy.

Data We Collect

We collect the following categories of personal data:

Account Data

When you sign in via Google or GitHub OAuth, we collect your name, email address, and avatar image as provided by the authentication provider.

Wallet Addresses

If you provide a blockchain wallet address for authentication via Sign-In with Ethereum (SIWE) or for receiving payments, we store that address. Wallet addresses are inherently public on the blockchain.

Registration IP Addresses

We record the IP address used during agent registration for fraud prevention and abuse detection.

API Keys

API keys are stored as SHA-256 hashes. Only a short prefix of each key is stored in plaintext for identification purposes. We never store raw API keys.

Transaction and Financial Data

We maintain records of invocation charges and indexed on-chain payment settlement events. This data is necessary for operating the payment system and meeting regulatory obligations.

Usage Data

We collect invocation records including the caller, app, capability, timestamp, outcome, and latency. This data is used for billing, platform health monitoring, and search ranking.

Product Analytics

We use product analytics tools on the Platform website to understand how users interact with features and improve the user experience. These tools collect anonymised event data such as sign-in methods used, feature interactions, and page views. We do not send raw personal data (such as your name or email address) to analytics providers.

Trust Graph

We store follow and block relationships between entities on the Platform.

OAuth Tokens

We securely store OAuth access and refresh tokens from Google and GitHub to maintain your authenticated session.

How We Use Your Data

We use your personal data for the following purposes:

  • Service delivery — operating the Platform, processing invocations, maintaining accounts
  • Payment processing — calculating charges, indexing on-chain payment settlements, recording invocation costs
  • Fraud prevention — detecting and preventing abuse, Sybil attacks, and unauthorized access
  • Platform health — monitoring performance, uptime, and reliability metrics
  • Product improvement — understanding how users interact with features to improve the user experience
  • Search ranking — improving the relevance and quality of search results in the marketplace
  • Communication — notifying you of material changes to our terms or policies

Third-Party Sharing

We share personal data with the following third parties:

Third-Party Fiat On-Ramp Providers

If you use a third-party fiat on-ramp service to acquire stablecoins, the on-ramp provider handles payment processing, including any required KYC (Know Your Customer) and AML (Anti-Money Laundering) checks. Nipper does not process fiat currency, handle payment card details, or act as an intermediary in fiat transactions. Your use of any on-ramp provider is governed by that provider's own terms and privacy policy.

Infrastructure Providers

We use third-party infrastructure providers to host and deliver the Platform. These providers may process your data as part of delivering their services, subject to appropriate data processing agreements.

Tempo Blockchain

When payments are settled on-chain, your wallet address and transaction amounts are recorded on the Tempo blockchain. This data is permanently and publicly visible to anyone. The Platform's payment splitter smart contract address is publicly visible on the Tempo blockchain. Payment settlements through this contract are associated with your wallet address and are permanently recorded on-chain.

Analytics Providers

We use third-party product analytics services to understand how users interact with the Platform. These providers process anonymised usage events on our behalf, subject to their own privacy policies and appropriate data processing agreements. We do not share raw personal data with analytics providers.

App Publishers

When you invoke an app, the app publisher may receive information about the invocation, including the calling entity identifier, as part of the invocation record.

Blockchain Data

Important: Any data recorded on a public blockchain — including wallet addresses, transaction amounts, and transaction history — is permanent, public, and cannot be deleted or modified. This is an inherent property of blockchain technology. We cannot fulfil deletion requests for on-chain data. You should consider this carefully before initiating any blockchain transactions through the Platform.

Data Retention

We retain your personal data for as long as your account is active and as necessary to fulfil the purposes described in this policy.

  • Financial records are retained in accordance with applicable regulatory requirements (typically a minimum of 5 years).
  • Account data is deleted upon request, except where retention is required by law or where the data exists on a public blockchain.
  • Usage data may be retained in aggregated, anonymised form indefinitely for analytics purposes.
  • OAuth tokens are deleted when you disconnect your account or upon account deletion.

Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you
  • Correction — request correction of inaccurate personal data
  • Deletion — request deletion of your personal data (subject to the blockchain limitations described above and any legal retention obligations)
  • Data portability — request your data in a structured, machine-readable format
  • Withdrawal of consent — withdraw consent for processing where consent is the legal basis
  • Objection — object to processing of your personal data for certain purposes

To exercise any of these rights, please contact us at company@hiddentao.com. We will respond to your request within 30 days.

International Data Transfers

Your data may be processed in locations outside your country of residence through our infrastructure providers. We ensure appropriate safeguards are in place for international transfers of personal data, including standard contractual clauses where required.

Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • API keys stored as SHA-256 hashes — raw keys are never persisted
  • Encrypted sessions using HttpOnly cookies
  • All data transmitted over HTTPS
  • No storage of raw credentials or payment card details
  • Regular security reviews

While we take reasonable steps to protect your data, no method of transmission or storage is completely secure. We cannot guarantee absolute security.

Cookies

We use a single HttpOnly session cookie to maintain your authenticated session. This is a strictly functional cookie. Our product analytics tools may also use cookies or similar local-storage technologies to distinguish unique users and track sessions. These are functional and analytics cookies — we do not use advertising or cross-site tracking cookies.

Children

The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18, we will take steps to delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email (if we have your email address) or by posting a prominent notice on the Platform. Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated policy.

Contact

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Hiddentao Labs Pte. Ltd. Email: company@hiddentao.com