Effective date: 1 January 2025 — Last updated: 1 January 2025
Operated by: Arqive Solutions (ZZP, Netherlands)
This Privacy Policy explains how Arqive Solutions ("we", "us", or "our"), operating the WenRug service at wenrug.app and via the Telegram bot @WenRuggBot, collects, uses, and protects your personal data. Arqive Solutions is the data controller for personal data processed in connection with the Service. We are a sole trader (ZZP) based in the Netherlands and subject to the General Data Protection Regulation (GDPR) (EU) 2016/679 and the Dutch Implementation Act (Uitvoeringswet AVG).
Data Controller Contact:
Arqive Solutions
Operating name: WenRug
Country: Netherlands
Privacy contact: arqive.solutions.app@gmail.com
For all data protection queries, requests to exercise your rights, or complaints, please contact us at the email above. We will respond within 30 days as required by GDPR.
Data You Provide Directly:
• Email address — used for account creation, login, and service communications
• Password — stored in hashed form only, never in plain text (handled by Supabase Auth)
• Telegram user ID and username — collected when you link your Telegram account via the /link command
Data Generated Through Your Use of the Service:
• Scan history — token contract addresses you scan and the results, stored with your account
• Subscription and billing data — your subscription tier, billing dates, and Stripe customer ID. We do not store your card number, CVV, or full payment details. All payment card data is processed exclusively by Stripe in accordance with PCI-DSS standards.
• Usage data — scan counts per month, timestamps, and which interface triggered the scan
Data Collected Automatically:
• Server logs — IP addresses and request metadata may be collected by our infrastructure providers (Vercel and Supabase) for security and operational purposes
We do not use cookies for tracking or analytics at this time.
Under GDPR, we rely on the following legal bases:
• Contract performance (Article 6(1)(b)) — processing your email, Telegram ID, and scan history is necessary to provide the Service
• Legal obligation (Article 6(1)(c)) — we may be required to retain certain data to comply with applicable laws
• Legitimate interests (Article 6(1)(f)) — we process server logs and usage data to ensure security and proper functioning of the Service
• Consent (Article 6(1)(a)) — if we introduce marketing or analytics in the future, we will request your explicit consent
We use your personal data exclusively for:
• Creating and managing your account
• Authenticating you and verifying subscription status before processing scan requests
• Linking your Telegram account and routing scan results to the correct user
• Storing your scan history for review
• Processing payments and managing your subscription via Stripe
• Sending transactional emails (account confirmation, payment receipts, subscription changes)
• Enforcing our Terms of Service, including scan quotas and age restrictions
• Responding to support enquiries
We do not sell, rent, or trade your personal data to any third party. We do not send marketing emails at this time.
We engage the following third-party processors:
• Supabase, Inc. (USA) — Database hosting, authentication, and serverless functions. Data transfers governed by EU-US Data Privacy Framework or Standard Contractual Clauses.
• Vercel, Inc. (USA) — Web application hosting. Data transfers governed by applicable transfer mechanisms including SCCs.
• Stripe, Inc. (USA) — Payment processing. PCI-DSS Level 1 certified. We do not receive or store card details.
• Anthropic, PBC (USA) — AI-generated risk verdicts. Only publicly available blockchain data is sent; no personal account details.
• Helius Labs (USA) — Solana blockchain data retrieval. No personal account details are shared.
• Telegram Messenger Inc. — Bot interface delivery via Telegram’s infrastructure.
Your personal data is stored and processed in the United States through Supabase and Vercel infrastructure. We rely on:
• EU Standard Contractual Clauses (SCCs)
• EU-US Data Privacy Framework (where applicable)
We are evaluating migrating our Supabase instance to an EU region. Contact arqive.solutions.app@gmail.com for information about specific transfer mechanisms.
• Account data (email, Telegram ID) — retained for account duration plus 12 months after deletion or last login
• Scan history — retained for account duration; deleted within 30 days of account deletion
• Payment and billing data — retained for 7 years from the last transaction (Dutch tax requirements)
• Server logs — retained for a maximum of 90 days by infrastructure providers
You may request deletion at any time (see Section 09). Some data may be retained where required by law.
We implement appropriate technical and organisational measures including:
• All passwords hashed using industry-standard algorithms via Supabase Auth
• All data in transit encrypted via TLS/HTTPS
• API keys and secrets stored in environment variables, never exposed client-side
• Telegram webhook requests validated via secret token on every request
• Supabase Row Level Security (RLS) policies ensure users can only access their own data
In the event of a personal data breach, we will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours and notify you directly where required by GDPR.
As a data subject in the EU, you have the following rights:
• Right of Access (Article 15) — request a copy of all personal data we hold about you
• Right to Rectification (Article 16) — request correction of inaccurate or incomplete data
• Right to Erasure (Article 17) — request deletion of your personal data
• Right to Restriction of Processing (Article 18) — request restricted processing in certain circumstances
• Right to Data Portability (Article 20) — receive your data in a structured, machine-readable format
• Right to Object (Article 21) — object to processing based on legitimate interests
• Right to Withdraw Consent (Article 7(3)) — withdraw consent at any time
To exercise these rights, email arqive.solutions.app@gmail.com with the subject "GDPR Data Request". We will respond within 30 days. You also have the right to lodge a complaint with the Autoriteit Persoonsgegevens at autoriteitpersoonsgegevens.nl.
The Service is strictly for users aged 18 and over. We do not knowingly collect data from anyone under 18. If we become aware of such data, we will delete it immediately and terminate the associated account.
We do not currently send marketing communications or use analytics tracking tools. If we introduce either in the future, we will update this policy, seek explicit consent where required by GDPR, and provide clear opt-out mechanisms. You will never be automatically opted in.
We may update this policy to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes via email or a notice on wenrug.app. The most recent update date is shown at the top.
Data Controller: Arqive Solutions (operating as WenRug)
Netherlands
Email: arqive.solutions.app@gmail.com
Dutch Supervisory Authority: Autoriteit Persoonsgegevens
Website: autoriteitpersoonsgegevens.nl
Telephone: +31 (0)70 888 85 00