Privacy Policy
Last updated: February 2026
1. Information We Collect
Paid Reports
When you purchase a Governance Truth Report, we collect:
- Your email address (for report delivery)
- DAO identifier (Snapshot space ID for analysis)
- Payment information (processed securely by Stripe)
Free Governance Health Checks
When you request a free health check, we collect:
- Email address (required for report delivery)
- DAO identifier (Snapshot space ID)
- Governance score and metrics
- Timestamp of check
- Consent records (report delivery + optional marketing)
Purpose: Report delivery (required) + Quota enforcement (1 free check per month)
Storage: Email addresses are stored in plain text to deliver your report. A SHA-256 hash is also stored for quota tracking. If you opt into marketing emails, your email is added to our marketing list.
Retention: 24 months for quota records. Your marketing list entry is retained until you unsubscribe.
Two Consent Options:
- Required: Report delivery via email (cannot use service without this)
- Optional: Marketing emails (updates, tips, offers - unsubscribe anytime)
Public Rankings (Optional)
You may opt in to have your DAO's score displayed on our public leaderboard.
- What's published: DAO name, overall score, ranking position
- What's NOT published: Your email/wallet, detailed metrics, voter identities
- Opt-out: Email hello@chainsights.one anytime to remove your DAO from rankings
- Legal Basis: Consent (explicit opt-in required)
Email Notifications
We collect email addresses from users who opt in to receive notifications about new DAO rankings.
Legal Basis: Consent (GDPR Article 6(1)(a))
Purpose: Sending weekly email notifications when new DAOs are analyzed and added to our rankings.
Data Stored: Email address, subscription timestamp, confirmation status, unsubscribe status
Retention: Email addresses are retained until you unsubscribe. You can unsubscribe at any time using the link provided in every email.
Email Processor: We use Resend (Ireland) as our email service provider. View their privacy policy at https://resend.com/legal/privacy-policy.
Your Rights:
- Access your data via the privacy request form
- Delete your data (unsubscribe link in emails or privacy request form)
- Export your data via privacy request form
Governance Score Card (Free)
When you request a free Governance Score Card, we collect:
- Email address (for Score Card PDF delivery)
- DAO identifier and governance scores (for Score Card content)
- Optional marketing consent (for newsletter — opt-in only)
- IP address (rate limiting and consent audit trail)
Lead Management: Your email is stored in our lead management system (masemIT Management System, hosted in Austria, EU) for order management and communication. If you opt into marketing emails, an unsubscribe link is included in every email.
PDF Generation: Your Score Card is generated as a branded PDF and sent to your email via Resend (Ireland, EU). The PDF is stored for 30 days for download access.
2. Legal Basis for Processing
| Processing Activity | Legal Basis |
|---|---|
| Report generation | Performance of contract (Art. 6(1)(b)) |
| Payment processing | Performance of contract (Art. 6(1)(b)) |
| Email communication | Performance of contract (Art. 6(1)(b)) |
| Free health checks (report delivery) | Performance of contract (Art. 6(1)(b)) |
| Free health checks (quota enforcement) | Legitimate interest (Art. 6(1)(f)) |
| Marketing emails (opt-in) | Consent (Art. 6(1)(a)) |
| Public rankings (opt-in) | Consent (Art. 6(1)(a)) |
| Rankings Watch email notifications (opt-in) | Consent (Art. 6(1)(a)) |
| Score Card delivery | Performance of contract (Art. 6(1)(b)) |
| Score Card marketing consent | Consent (Art. 6(1)(a)) |
| Cookie analytics (masemIT tracker) | Consent (Art. 6(1)(a)) |
| Service improvement | Legitimate interest (Art. 6(1)(f)) |
3. Data Sharing
We share your data with the following service providers:
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Stripe | Payment processing | USA | SCCs |
| Neon | Database hosting | Germany (EU) | GDPR |
| Resend | Email delivery | Ireland (EU) | GDPR |
| Anthropic | AI analysis | USA | SCCs |
| Vercel | Application hosting | Germany (EU) | GDPR |
| masemIT (MMS) | Lead & consent management | Austria (EU) | GDPR |
All providers have signed Data Processing Agreements and comply with GDPR requirements. SCCs = Standard Contractual Clauses approved by the European Commission.
4. Data Retention
We retain your data for the following periods:
| Data Type | Retention Period | Reason |
|---|---|---|
| Order records | 7 years | Austrian tax/accounting requirements |
| Report data | 1 year after delivery | Service warranty and support |
| Email address | Until deletion requested | Service delivery and communication |
After these periods, data is automatically deleted unless required for legal obligations.
5. International Data Transfers
Your data may be transferred to service providers in the United States. These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring your data receives equivalent protection outside the EU.
6. Your Rights
Under GDPR, you have the following rights:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate data
- Erasure: Request deletion of your data (“right to be forgotten”)
- Portability: Receive your data in a machine-readable format
- Objection: Object to processing based on legitimate interests
- Restriction: Request limited processing in certain circumstances
To exercise any of these rights, contact us at hello@chainsights.one. We will respond within 30 days.
If you believe your rights have been violated, you may lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde) at dsb.gv.at.
7. Data Security
We use industry-standard security measures to protect your information, including TLS encryption for all data in transit and encrypted database storage. Payment processing is handled entirely by Stripe (PCI-DSS compliant) and we never store your payment card details.
8. Cookies
We use the following cookies:
| Cookie | Purpose | Duration | Legal Basis |
|---|---|---|---|
| cs_session | Authentication (Magic Link login) | 30 days | Necessary (Art. 6(1)(b)) |
| masemIT tracker | Analytics (page views, engagement) | Session | Consent (Art. 6(1)(a)) |
You can manage your cookie preferences via the consent banner shown on your first visit. You can also clear cookies at any time through your browser settings.
9. Analytics
We use two analytics services:
Vercel Analytics (no consent required)
Vercel Analytics is a privacy-first service that does not use cookies, does not collect personal information, and does not track users across websites. It is fully GDPR compliant without consent requirements.
masemIT Analytics (consent required)
We use a self-hosted analytics tracker (analytics.masem.at) to measure page views, scroll depth, and engagement. This tracker uses cookies and is only loaded after you accept analytics cookies via the consent banner. If you decline, no tracking data is collected.
Analytics data is aggregated and cannot be used to identify individual users. The tracker is hosted in Austria (EU) and data is processed under GDPR.
10. Contact
For privacy-related questions or to exercise your rights, contact us at: