Legal
Privacy Policy
This policy explains how Starknet Holdings processes personal data in connection with the Starkscan Website, the Dead Eye Website, developer and ecosystem supports, and related services.
1. Introduction
This privacy policy applies to processing activities performed by the Company in relation to the personal data that it collects relating to users of the Websites and in relation to developer and ecosystem supports (including potential investments) (“you” or “your” as the context requires).
Privacy is of the utmost importance to us. Please see below information about how the Company manages personal data, and for information about your rights with respect to the processing of your personal data.
The Company is committed to processing your personal data in accordance with applicable data protection laws, including the Cayman DPA, GDPR, and other similar privacy laws where applicable. The Company implements appropriate safeguards to ensure that your personal data is protected during international transfers and is processed in a lawful, fair, and transparent manner.
This Privacy Policy covers personal data collected online, through direct interactions, via third-party sources, and through blockchain networks where applicable.
2. Definitions
The following terms are defined as follows:
2.1 “Personal data” refers to any information relating to an identified or identifiable natural person, including names, identification numbers, location data, an online identifier, or to one or more factors specific to the physical, economic, cultural or social identity of a natural person.
2.2 “Company” means Starknet Holdings.
2.3 “Starkscan Website” means the website located at starkscan.co, together with its respective subdomains.
2.4 “Dead Eye Website” means the website located at deadeye.wtf, together with its respective subdomains.
2.5 “Websites” means the Starkscan Website and the Dead Eye Website together, including each of their respective subdomains.
2.6 “Cayman DPA” means the Cayman Islands Data Protection Act (2021 Revision).
2.7 “GDPR” means the General Data Protection Regulation (EU) 2016/679.
2.8 “Biographical information and contact information” means full name, residential address and contact details (e.g. email address, telephone number etc.), date of birth, place of birth, gender, and citizenship.
2.9 “Financial information” means bank account information, wallet addresses, credit card details, details about your source of funds, assets and liabilities, and information relating to economic and trade sanctions lists.
2.10 “PEP information” means information on whether you (or someone close to you) holds a prominent public function.
2.11 “Starkscan Services” means the services provided via the Starkscan Website.
2.12 “Authentication Data” means GitHub login and profile data, Better Auth session data, including name, email, profile image if provided, provider account ID, session metadata, IP and user agent where captured, workspace metadata, API-key metadata, and API usage or audit metadata collected in connection with the Starkscan Services.
2.13 “Technical Data” means technical request metadata and online identifiers, e.g. IP and forwarded headers, request IDs, page path or URL, chain ID, analytics and performance telemetry when enabled, cookies, and browser storage used for UX state like sidebar state, recent searches, watchlist, preferences, survey pacing, and cached UI or session state.
2.14 “Feedback and Bug Report Data” means free-text feedback or bug messages, optional name and email, page URL and context, Sentry event ID, replay/debug context if enabled, and triage metadata.
2.15 “Contact Information” means any, all of or a combination of the following: full name, email address, telephone number, Telegram handle or such other contact details as provided by you in order to engage in the onboarding process for the Websites and/or provision of voluntary Feedback for said Websites.
2.16 “Third Party Services” means any third-party account, website, mobile software application or service that is not owned or controlled by the Company, to which the Websites may contain links or enable interaction.
2.17 “LIA” means a Legitimate Interests Assessment, being a balancing test conducted to ensure that processing based on legitimate interests is necessary and does not override the fundamental rights and freedoms of data subjects.
2.18 “Children” or “Child” means persons under the age of 18.
3. Our Role as Data Controller or Data Processor
The Company acts as a data controller under applicable data protection laws when it determines the purposes and means of processing your personal data — for example, when you apply for a grant, interact with our community initiatives, or communicate directly with us.
In certain situations, the Company may act as a joint controller alongside our service providers. In such cases, both parties may determine the purposes and means of data processing, and the Company will clarify those responsibilities in our agreements and, where applicable, through joint privacy notices.
In other instances — such as when the Company uses third-party platforms (e.g., GitHub for integrations) — the operators of those platforms may act as independent data controllers. Your use of those services will also be governed by their own privacy policies.
You may contact our Data Protection Officer (or equivalent representative) at [email protected] for any questions regarding this Privacy Policy or your personal data.
4. Information we collect about you from time to time
Personal Data the Company collects about Developer & Ecosystem Supports (including potential investments):
The Company obtains information about you in a number of ways through information provided in the course of on-going support to developers, the ecosystem and people who engage with us.
The minimum information required for entering into a contract governing your interaction with us, and for enabling us to comply with our statutory obligations, is Biographical information and Contact information, PEP information, and Financial information.
Information the Company collect about user(s) of the Starkscan Website:
The Company obtains information about you in a number of ways through your use of the Starkscan Website, in order to offer the services provided therein, and depending on which services you avail of, the Company may collect Authentication Data. Where Technical Data or Feedback and Bug Report Data contains personal data, for example online identifiers or information voluntarily provided by you, we process it as described in this Privacy Policy and our Cookie Policy.
Information the Company collect about user(s) of the Websites:
The Company obtains information about you through the Feedback you voluntarily provide in relation to the Websites, in order for us to improve the services provided therein, and depending on the means of communication, the Company may collect your Contact Information.
Information the Company receives about you from other sources:
The Company also receives information about you from third parties such as our service providers assisting with AML, fraud, and security compliance, and through publicly available sources.
Third Party Links:
Links to and interaction with third party products. The Websites may enable you to interact with or contain links to Third Party Services. The Company is not responsible for the privacy practices or the content of such Third Party Services. Please be aware that Third Party Services may collect Personal Information from you. Accordingly, the Company encourages you to read the terms and conditions and privacy policy of each Third Party Service that you choose to use or interact with.
Conversation Transcripts and Recordings
We may collect and retain transcripts or recordings of conversations with you, including but not limited to email exchanges, chat communications (e.g., via X, Discord or Telegram), video calls (e.g., via Zoom or Google Meet), or other communication platforms used in the connection with the services offered on the Websites. These records may include your name, contact details, time stamps, message content, and other metadata associated with the interaction.
Such data is collected to facilitate communication, provide support, document decision-making, improve services delivery, and meet operational, legal or compliance requirements. Where applicable, the Company will notify you in advance when conversations may be recorded.
Your Rights
Depending on applicable data protection laws, you have the following rights regarding your personal data:
- The right to access your personal data.
- The right to correct or update inaccurate or incomplete personal data.
- The right to request the deletion of your personal data.
- The right to object to or restrict the processing of your personal data.
- The right to data portability, which allows you to obtain and reuse your personal data for your own purposes across different services.
- The right to withdraw your consent at any time where we rely on your consent to process your personal data.
- The right to lodge a complaint with a supervisory authority if you believe we have infringed your data protection rights.
To exercise any of these rights, please contact us at [email protected].
Security Measures
The Company implements industry-standard technical and organizational measures to protect your personal data against unauthorized access, loss, misuse, or alteration. These measures include but are not limited to:
- Encryption of personal data during transmission and at rest.
- Access control protocols to restrict access to personal data only to authorized personnel.
- Regular monitoring and auditing of our security practices.
- Secure storage solutions and cybersecurity protections to prevent unauthorized access to systems.
- For the Starkscan Website, security measures may also include API authentication, scoped API keys, rate limiting and abuse-prevention controls, audit logs for API-key activity, restricted operator access, secure secrets management, monitoring, and privacy-preserving telemetry or error-reporting settings where applicable.
However, please note that no method of transmission over the internet or method of electronic storage is completely secure, and the Company cannot guarantee absolute security.
Where the Company stores personal data:
For interactions involving users of the Websites and/or external stakeholders such those seeking developer and ecosystem supports (including potential investments), the Company may store data on platforms such as Google Workspace, Notion, Airtable, DocuSign, HubSpot, and other trusted service providers. All vendors are selected based on their privacy and security standards and are bound by data processing agreements where applicable.
For the Starkscan Website, we store data on:
Starkscan infrastructure and databases such as our Hetzner-hosted PostgreSQL database and server logs: this covers authorised users, sessions, workspace data, API-key metadata, API-key audit events, API usage events, feedback triage outbox data, and technical request or rate-limit metadata; and
GitHub: this covers self-serve login via GitHub OAuth as GitHub is involved for authentication and profile/account data.
Protection of Minors
The Company does not knowingly collect personal data from individuals under the age of 18. If the Company becomes aware that we have inadvertently received personal data from a person under 18 years of age without verified parental consent, the Company will delete such information from our records. If you believe that the Company might have any information from or about a child under 18, please contact us at [email protected].
5. Our legal justification for processing personal data
When relying on our legitimate interests as a legal basis for processing your personal data, the Company has conducted an LIA to ensure that such processing is necessary and does not override your fundamental rights and freedoms. Our legitimate interests include supporting and operating the Websites, ensuring security of the Websites, enabling us to provide and perform our services to you and fostering ecosystem development.
Legal basis for processing personal data
| Why the Company processes your personal data | Legal Justification | Categories of personal data |
|---|---|---|
| To enter agreements with ecosystem teams providing supports and/or investments. | Performance of a contract and anti-money laundering laws. | Biographical information and contact information, financial information, PEP information (where relevant), verification information and other information. |
| To conduct or arrange for the conducting of identity checks | Legal obligation to comply with “Know your customer” and customer due diligence regulatory obligations. Such processing is also in our legitimate interest to prevent and detect potential crime and/or fraud and to protect our business. | Biographical information and contact information, financial information, PEP information (where relevant), verification information and other information. |
| To verify your identity and comply with legal obligations, including responding to subpoenas, court orders, and other judicial processes, fulfilling tax and regulatory reporting requirements, and supporting internal risk management and compliance procedures. | Legal obligation; legitimate interests in ensuring transparency and legal compliance. | Biographical information and contact information, financial information, PEP information (where relevant), verification information and other information. |
| To market our Websites and the services offered therein. | Consent, where you have agreed to receive marketing messages directly. The Company relies upon our legitimate interest to process information about how our services and the Websites are used to decide on marketing strategies. | Biographical information and contact information, other information and browser information. |
| To conduct surveys. | It is in our legitimate interest to send you surveys and conduct such surveys in order to gather information on how the Websites and the services offered therein are working for you and how to improve them. Your participation in those surveys will be on the basis of your consent. | Biographical information and Contact Information, other information and browser information. |
| For internal business purposes and recordkeeping. | The Company has legal obligations to keep certain records. Such processing is in our legitimate interest for internal business and research purposes as well as for record keeping purposes. It is also in our legitimate interest to keep records to ensure that you comply with your contractual obligations pursuant to the agreement governing our relationship with you. | Biographical information and contact information, financial information,verification information, other information and browser information. |
| To establish, enforce, or defend our legal rights, including initiating or responding to legal proceedings, managing disputes, or addressing claims before courts, regulatory bodies, or other competent authorities. | Legitimate interests in protecting the Company’s legal rights and resolving disputes | Biographical information and contact information, financial information, verification information, other information and browser information. |
| To notify you of changes to the services offered via the Websites and/or to laws and regulatory rules and regulations | Legal obligation. Often the law requires us to advise you of certain changes to the services offered via the Websites or laws related thereto. The Company may need to inform you of changes to the terms or the features of the services offered via the Websites. The Company needs to process your personal data to send you these legal notifications. You will continue to receive this information from us even if you choose not to receive direct marketing information from us. Where such notification is not legally required, it may be in our legitimate interest to notify you of such changes. | Biographical information and contact information, financial information, and other information. |
| To administer and secure our operations, including maintaining IT and system security, implementing access controls, and detecting or preventing fraud and other potential threats. | Legitimate interests in ensuring the security and integrity of our systems, data, and infrastructure. | Biographical information and contact information, financial information, verification information, other information and browser information |
| To tailor the Websites and the services offered therein to better align with your needs and preferences, and to ensure continuity in our engagement with you. | Legitimate interests in delivering relevant support and improving the effectiveness of the Websites and the services offered therein. | Other information, browser information and log information. |
| To communicate with you. | It is in our legitimate interest to communicate with users of the Websites and investment applicant(s) to ensure the effective delivery of the Websites and the services offered therein and to fulfill the objectives of the Company. | Biographical information and contact information, financial information and other information. |
| To receive services from third parties including services such as administrative, legal, tax, compliance, insurance, IT, analytics, identity verification, research or other services. | It is generally in our legitimate interest to receive such services from third parties to ensure the effective delivery of Websites and the services offered therein. | Biographical information and contact information, financial information, PEP information (where relevant), verification information, other information, browser information. |
| To enable us to provide the Starkscan Services to you. | It is generally in our legitimate interests to enable us to provide the Starkscan Services to you by allowing us to authenticate users and manage API permissions, rate limits, manage workspaces and to maintain security and audit trails. | Authentication Data, Technical Data or Feedback and Bug Report Data (where relevant). |
6. Disclosure of your personal data
6.1 Service Providers and Data Processors
The Company may disclose your personal data to third-party service providers who process data on our behalf and under our instructions. These may include vendors that provide services such as identity verification, cloud storage, IT support, analytics, KYC/AML compliance, and security monitoring.
These service providers are contractually obligated to handle your data in compliance with applicable data protection laws and only for the purposes the Company instructs. They act as our data processors under GDPR and similar laws.
The Company may also disclose personal data when it is compelled by law, for example to a government agency as a result of a valid court order.
7. For UK & EEA clients: Transfers of personal data outside of the European Economic Area (EEA) and the United Kingdom (UK)
The Company may transfer your personal data outside the EEA and UK to affiliated entities, service providers and business partners. Transfers outside of the EEA or the UK (as appropriate) are done in accordance with lawful transfer mechanisms. If personal data is transferred to a country which has been found by the European Commission to have an essentially equivalent standard of data protection to the EEA, then the Company may rely on an ‘adequacy decision’ to transfer that personal data. See here for a list of countries with adequacy decisions. If personal data is transferred from the EEA or UK to the US, the Company may rely on standard contractual clauses.
Transfers of personal data outside the European Economic Area (EEA) and the United Kingdom (UK) are carried out in compliance with applicable data protection laws. Where no adequacy decision exists, the Company uses appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms.
8. Privacy when using digital assets and blockchains
Your use of digital assets may be recorded on a public blockchain. Public blockchains are distributed ledgers, intended to immutably record transactions across wide networks of computer systems. Many blockchains are open to forensic analysis which can lead to re-identification of transacting individuals and the revelation of personal data, especially when blockchain data is combined with other data.
As blockchains are decentralized or third-party networks which are not controlled or operated by us, the Company is not able to erase, modify, or alter personal data on such networks. Please avoid including personal data in blockchain transactions or metadata where it is not strictly necessary. Blockchains are immutable and public by design, and data written to a blockchain generally cannot be modified or deleted. Where you choose to store or transmit data on-chain, you should ensure that it does not contain personal information or sensitive data that may infringe upon your privacy rights.
9. Data retention
When personal data is no longer necessary for the purposes for which it may lawfully be processed, the Company will remove any details that will identify you, or the Company will securely destroy the relevant records. The Company may need to maintain records for a significant period of time after you cease being a user or investment applicant for legal or regulatory reasons, for example when the Company needs to retain information to help manage a dispute or legal claim.
If you have opted out of receiving marketing communications the Company will hold your details on our suppression list so that the Company knows you do not want to receive these communications.
The Company may keep your personal data for periods in line with the below table:
Data retention periods
| Data Type | Examples | Purpose | Retention Period |
|---|---|---|---|
| KYC/AML data | ID, wallet address, source of funds, sanctions check | Compliance, anti-fraud | UK & Cayman - 5 years after the end of the business relationship EU - 7 years after the end of the business relationship |
| Contract data | Name, address, email contained in contracts, GitHub login and profile data, Better Auth session data, for instance, name, email, profile image if provided, provider account ID, session metadata, IP and user agent where captured, workspace metadata, API-key metadata, and API usage or audit metadata. | Legal, audit, dispute management | UK & Cayman - 6 years after termination EU - 10 years after termination |
| Financial data | Name, address, emails contained in contracts. | Tax, accounting | UK - 6 years. EU - 10 years. Cayman Islands - 5 years. |
| Communications | Emails, chat logs, meeting notes | Documentation, support | EU, UK & Cayman - 6 years |
| Marketing data | Email, preferences, sign-up info | Websites & services updates | UK, EU & Cayman - 2 years or until opt-out |
| Cookies Data | Technical request data, analytics, browser storage data | Websites functionality, analytics and enhancing of user experience | 6 months |
10. Cookies
To learn more about cookies and why we collect them, read our cookies policy.
11. Your rights regarding your personal data
The rights that are available to you in relation to the personal data of the Company process are outlined below. You may request to exercise these rights subject to any limitations provided for under applicable data protection laws.
Access: You can ask us to confirm whether the Company is processing your personal data and, if so, what information the Company processes and to provide you with a copy of that information.
Rectification: It is important to us that your personal data is up to date. The Company will take all reasonable steps to make sure that your personal data remains accurate, complete and up-to-date. Please inform us if your personal data changes. If the personal data the Company holds about you is inaccurate or incomplete, you are entitled to have it rectified. If the Company has disclosed your personal data to others, the Company will let them know about the rectification where possible. If you ask us, and if possible and lawful to do so, the Company will also inform you with whom the Company has shared your personal data.
You may inform us at any time that your personal details have changed by emailing us at [email protected]. Subject to applicable law, the Company will change your personal data in accordance with your instructions. To proceed with such requests, in some cases the Company may need supporting documents from you as proof i.e. personal data that the Company is required to keep for regulatory or other legal purposes.
Erasure: You can ask us to delete or remove your personal data in certain circumstances. Such requests may be subject to any retention limits the Company are required to comply with in accordance with applicable laws and regulations. If the Company has disclosed your personal data to others, the Company will let them know about the erasure request where possible. If you ask us, and if possible and lawful to do so, the Company will also inform you with whom the Company has shared your personal data.
Processing restrictions: You can ask us to block or suppress the processing of your personal data in certain circumstances such as if you contest the accuracy of that personal data or object to us processing it. It will not stop us from storing your personal data. If the Company has disclosed your personal data to others, the Company will let them know about the restriction of processing if possible. If you ask us, and if possible and lawful to do so, the Company will also inform you with whom the Company has shared your personal data.
Data portability: In certain circumstances you may have the right to obtain personal data you have provided to us, in a structured, commonly used and machine-readable format, and to re-use it elsewhere or ask us to transfer this to a third party of your choice, where technically feasible.
Objection: You can ask us to stop processing your personal data, and the Company will do so, if the Company are:
Relying on our own or someone else’s legitimate interests to process your personal data except if the Company can demonstrate compelling legal grounds for the processing or for the establishment, exercise or defence of legal claims;
Processing your personal data for direct marketing; or
Processing your personal data for research unless the Company reasonably believes such processing is necessary for the performance of a task carried out for reasons of public interest (such as by a regulatory or enforcement agency).
Automated decision-making and profiling: If the Company has made a decision about you based solely on an automated process (e.g. through automatic profiling) that affects your ability to access our programmes or initiatives or has another significant effect on you, you can request not to be subject to such a decision unless the Company can demonstrate to you that such decision is necessary for entering into, or the performance of, a contract between you and us. Even if a decision is necessary for entering into or performing a contract, you may contest the decision and require human intervention. The Company may not be able to offer our programmes or initiatives to you, if the Company agrees to such a request (i.e. end our relationship with you).
Complaints: You have the right to complain to a competent data protection authority. Contact details are set out in Section 15 below. The Company asks that you first contact [email protected] to give us an opportunity to address any concerns.
Withdraw consent: You have the right to withdraw consent to processing based on consent at any time. Note this will not affect the lawfulness of processing based on consent prior to the withdrawal of consent or on grounds where consent is not required.
12. Changes to this privacy notice
Our privacy notice is reviewed and updated regularly in light of new regulations, technologies, and any changes to our business operations. Any personal data the Company processes will be governed by our most recent privacy notice. Please review this privacy notice from time to time. The Company will publish any material changes to this privacy notice on the Websites.
The Company will notify you of material changes in a timely manner and, where appropriate prior to the change taking effect via note on the Websites or direct communication where appropriate.
13. Our products and services are not available to children
Neither the Websites, the services offered therein, nor the ecosystem supports (including possible investments) are directed at Children and the Company does not knowingly collect personal data from children. If the Company learns that the Company has inadvertently processed personal data from a child, the Company will take legally permissible measures to remove that data from our records. The Company will not allow the Child to apply or enter into any form of support programme. If you are a parent or guardian of a Child, and you become aware that a Child has provided personal data to us, please contact us at [email protected].
To help enforce this policy, the Company applies age-screening or confirmation steps (e.g., “18+ only” disclaimers) on the Websites and in the case of possible investments confirms via Know your customer processes. If the Company relies on third-party platforms (e.g., social media channels), the Company expects those platforms to enforce their own age restrictions under their terms of service.
14. Contact information
Any questions, complaints, comments and requests regarding this privacy notice are welcome and should be addressed to [email protected].
15. Data Protection Authorities
If you are not satisfied with our response to your complaint, you have the right to submit a complaint to a competent data protection authority. You may complain to your local supervisory authority or to our lead supervisory authority the Portuguese Data Protection Commission. Examples of relevant data protection authorities are listed below:
For residents of the Cayman Islands:
Office of the Ombudsman
3rd Floor, Anderson Square
Shedden Road, George Town
Grand Cayman, Cayman Islands
P.O. Box 2252
For residents of the United Kingdom:
The Information Commissioner’s Office
Wycliffe House, Water Ln
Wilmslow SK9 5AF, UK
For residents of Portugal:
CNPD - Comissão Nacional de Proteção de Dados
Av. D. Carlos I, 134, 1º
1200-651 Lisboa
Portugal