Privacy Policy
Last updated: July 2, 2026
Graviton is built for an audience that values anonymity, so the privacy design is simple: collect the minimum, never sell it, and never touch what matters most (your keys, your funds). This page says exactly what we collect and why.
1. What we collect
- Account identity. If you sign in with X: your X user id, handle, display name, and avatar (public profile data). If you sign in with a Solana wallet: your public wallet address and a one-time signed message proving you control it. If you pick a username: that username.
- Learning progress. Lessons completed, drill and exam results, XP and simulated reward balances, streaks, certifications, referral attribution, and affiliate status. This is the product.
- Product analytics. Usage events (pages viewed, lessons started, features used) via PostHog, served first-party from our own domain with a first-party analytics identifier. Used to fix and improve the product, never for advertising.
- Errors and security. Error reports via Sentry (what broke, with your account id attached so we can help), and standard server logs including IP addresses, retained transiently by our hosting provider for security. Rate limits are account-based, not based on IP profiles.
- Payments (if they go live). On-chain payments are inherently public: the transaction signature (from which the paying wallet is publicly derivable on-chain) is recorded to activate your credential. We never hold your funds.
2. What we never collect
- Private keys or seed phrases, ever. Wallet sign-in uses message signatures only. Nobody from Graviton will ever ask for your keys.
- No custody of funds. No bank or card numbers on our servers.
- No advertising trackers, no cross-site profiles, no data sales.
- No government identity documents today. If regulated on-chain claims ever require identity verification, it will be announced, optional to the claim, and handled by a specialized provider.
3. What is public by design
Graviton is a proof-of-skill product, so some data is public on purpose:
- Leaderboards: your handle, avatar, level, and rank appear publicly when live boards launch (today's boards show demo traders).
- If you activate an affiliate badge: your X handle, avatar, and standing on the public roster. Revoked badges come off the roster; the revocation is reflected in the public revocation count on the Trust Dashboard.
- Share cards you choose to post.
Activation is your choice. If you never activate, you never appear on the roster.
4. Where it lives
Data is processed in the United States by our infrastructure providers: Supabase (database and authentication), Vercel (hosting), PostHog (analytics), Sentry (error monitoring), and Resend (operational email). Each receives only what its job requires. We do not sell or rent personal data to anyone.
5. Cookies and local storage
We use first-party cookies for sign-in sessions, a first-party analytics identifier (PostHog, product analytics only), and your browser's local storage for local-first learning progress (so the academy works before you ever create an account). No third-party advertising cookies.
6. Retention and deletion
Account and progress data are kept while your account is active. You can request deletion at hello@graviton.global. One disclosed exception: we keep a minimum record that a credential was revoked (the credential entry, date, and violation category) for as long as the registry operates; this is our legitimate interest in the integrity of the credential program. On a verified deletion request we de-identify your public presence (your handle and X account come off public surfaces), while the revocation event and count remain. Disputed revocations can be appealed at the same address.
7. Security
Row-level security on every table, service-role-only writes, least-privilege access, and independent security review before any real-money feature ships. No system is perfect; if a breach affects your data, we will notify you without undue delay and describe what happened and what we are doing about it.
8. Your rights
Wherever you live, email us to access, correct, export, or delete your data and we will do it, subject only to the registry exception above. Our services are operated and data is processed in the United States.
9. Children
The service is not directed to anyone under 18, and we do not knowingly collect data from children. If you believe a minor has an account, contact us and we will remove it.
10. Changes and contact
Material changes to this policy update the date above and are announced before they take effect. Questions and requests: hello@graviton.global. See also the Terms of Service and the Trust Dashboard.