Wokey Privacy Policy
This Policy explains how Wokey collects, uses, shares, retains, and protects personal information and related business data when you create an account, call our APIs, custody provider credentials, participate in referrals, use the admin console, or interact with wallets and on-chain features.
1. Scope
This Policy applies to the Wokey website, consoles, API gateway, provider onboarding flows, referral features, admin tools, and related services that link to this Policy. If a specific service has its own privacy notice, that notice controls for that service. This Policy reflects the data handling behavior described by the current repository and product documents as of April 10, 2026.
2. Information We Collect
Account and profile data: email address, password hash, display name, username (if enabled), language preference, timezone, account status, role status, and account timestamps. Authentication and key data: email-verification logs, session information tied to access and refresh tokens, hashes and masked prefixes of platform API keys, last-used timestamps, expiry times, and for admin-console users, an admin token stored in browser local storage. Provider data: identity type, display name, encrypted upstream credentials, credential fingerprints, secret hints, base URLs, model configuration, budgets and limits, connection-test logs, risk status, and payout wallet information. Request and usage data: selected model, upstream vendor, request status, request and execution timestamps, token usage, charges, settlement strategy, routing/lease/price snapshot references, and related ledger entries. Exception archive data: for failed, abnormal, or investigative requests, we may retain the full original request payload, interface name, and request context. In the current MVP, these archives are kept for 14 days and are not automatically redacted or masked; authorized admins may review them when handling incidents. Payment, wallet, and finance data: when you use or enable top-up, payout, refund, internal transfer, referral, or on-chain settlement features, we may collect wallet addresses, network, asset, payer address, payee address, transaction hashes, settlement status, ledger entries, and approval records. Referral, support, and admin data: referral codes, attribution links, reward records, support tickets, audit logs, admin actions, risk events, incident tasks, and your communications with us. Browser and local storage data: language selection, locally stored login tokens, locally stored admin tokens, and basic technical information naturally sent by your browser with requests. In the current web app, we do not see third-party advertising trackers or non-essential analytics cookies. An important detail: in the current implementation, the core request tables do not persist full prompts or full outputs for every normal successful request; those tables mainly retain request metadata, token usage, and cost information.
3. How We Use Information
To create, verify, maintain, and secure your account and role permissions. To generate, validate, rotate, and revoke platform API keys and manage authentication sessions. To test provider connectivity, route traffic, invoke upstream models, calculate token usage, complete billing, revenue splits, referrals, payouts, and refunds. To detect fraud, anomalies, abuse, upstream failures, risk events, and security issues, and to investigate, remediate, alert on, and audit them. To send verification emails, service notices, risk alerts, support responses, billing updates, and legally permitted product communications. To improve the product, analyze operational health, understand supply-demand behavior, and meet regulatory, tax, accounting, and legal obligations.
4. Legal Bases
Where applicable law requires us to describe the legal basis for processing, we generally rely on the following bases: performing our contract with you, pursuing legitimate interests in operating and protecting the platform, complying with legal obligations, and, in specific scenarios, your consent.
5. How We Share Information
Upstream model providers: to fulfill your API request, we send the relevant request content and necessary technical context to the selected upstream vendor. Email and notification providers: for example, Resend, which we use to send verification and service-notice emails. Payment, wallet, and blockchain infrastructure: when the relevant features are enabled, x402, Base, USDC, or related payment and settlement services may process necessary on-chain or payment data. Operations and incident-response tools: for example, Telegram alerting; if an external AI incident-analysis service is enabled, we may also send structured failure-case data to that service. Service providers, advisors, and transaction counterparties: shared as necessary for hosting, audit, legal, accounting, financing, restructuring, or business-transfer activities. Legal and safety disclosures: when necessary to comply with law, enforce our terms, protect the platform and users, respond to regulatory requests, or investigate unlawful activity. As of April 10, 2026, the current web implementation does not use third-party advertising trackers, and we do not believe the current implementation sells personal information or shares it for cross-context behavioral advertising. If that changes, we will update this Policy.
6. International Transfers
Wokey serves global developers and may invoke upstream models, notification services, and blockchain infrastructure located in different jurisdictions. As a result, your information may be transferred to and processed outside your country or region. Where required by applicable law, we use reasonable contractual, organizational, or technical measures to support international transfers; however, cross-border processing also means your data may be subject to the laws of other jurisdictions.
7. Retention
Account records, role status, and security data: retained during the life of the account and for a reasonable backup, dispute-resolution, or compliance period afterward. Platform API key hashes, provider fingerprints, ledger records, audit logs, and finance records: retained as needed for security, accounting, tax, and anti-fraud purposes. Exception payload archives: in the current MVP, they are hard-deleted after 14 days. Blockchain or public-ledger data: once written on-chain, it may not be erasable by us and may remain publicly visible for a long time. Login tokens, admin tokens, and locale settings stored in browser local storage: generally remain until you log out, clear the browser, or remove them manually.
8. Security
We use password hashing, encryption for provider credentials, role controls, audit logs, and least-exposure practices to protect data. In the current codebase, passwords are hashed with Argon2 and provider credentials are stored using AES-256-GCM encryption. No system can guarantee absolute security; you should also protect your own email account, browser environment, wallet, and access credentials.