Privacy policy

• no kycme.ochk.io never collects your legal name, government ID, or physical address
• no pii at signupyou sign up with a Bitcoin signature or an email/phone one-time code — your choice
• scoped identityintegrating sites receive a per-site identifier, not your master identity; they cannot correlate you across sites
• no advertisingno third-party ad identity, no behavioural ad targeting, no data sale — ever
• deletableyou can permanently revoke your identity from /me/settings

The list below is what an auditor would find in OrangeCheck’s production infrastructure. Every item is metadata; none of it lets OrangeCheck sign on your behalf.

• account rowopaque did_oc, optional display name and Nostr npub, timestamps. The underlying email is encrypted at rest; a BIP-322 address is stored plaintext (it is already public on-chain). No password hash, no private key, no mnemonic.
• session recordthe session JWT id, account id, and issue/revoke timestamps. The session token itself lives only as a cookie in your browser.
• event envelopesper billable event: a content-addressed, signed record of what was authorized, by whom, and the fee breakdown. Used to route cashback.
• custody-state envelopesa record of each federation ⇄ self-custody transition (graduation), surfaced on your own identity timeline.
• public anchorsOpenTimestamps proofs and Nostr-published event roots — public by design, verifiable against Bitcoin without OrangeCheck online

Each integrating site receives a deterministic scoped subject derived from your master identity and that site’s project key. Scoped subjects are stable per-site (the integrator recognizes a returning user) but unlinkable across sites (two integrators cannot collude to correlate you). An integrator only ever receives your master Bitcoin address, email, or attestation tier if you explicitly grant that scope for that site — each scope is opt-in, per-site, and revocable at any time from /me/identity.

Integrators never receive your event history with other sites, your wallet balance, your connected-sites list, or any cross-integrator data, regardless of scopes granted.

OrangeCheck’s billing engine necessarily knows which user earned which cashback across integrating sites — that join is how the right wallet is credited. Today that linkage exists in plain storage on me.ochk.io infrastructure; OrangeCheck commits, as a policy matter enforced by access controls and audit logging, not to build cross-site behavioural profiles. A per-integrator blinded-identifier design that removes the linkage architecturally is active research and not yet shipped. We disclose this honestly rather than overclaim.

Two cookies. oc_session — the Ed25519-signed session token issued by ochk.io (HttpOnly, Secure, SameSite=Lax, Domain=.ochk.io). oc_theme — your dark/light preference, not auth-bearing. No tracking cookies, no advertising IDs, no third-party pixels. Page analytics use Plausible — cookie-free, no PII, aggregate only.

• >>Route cashback to the correct identity and wallet
• >>Detect and prevent sybil farming, wash-trading, and abuse
• >>Operate sign-in and verification across the OrangeCheck family
• >>Fix bugs, improve the Service, and respond to support requests

• event & rebind envelopesretained as the canonical earnings and custody-state record; anchored copies on Bitcoin and Nostr are immutable
• technical logsretained 90 days for security and debugging, then auto-deleted
• session recordsretained until the session is revoked or expires
• account rowdeleted on request via the account-deletion flow, subject to the immutability of anchored data

HTTPS in transit; emails encrypted at rest; access to production data is allowlisted and audit-logged. No method of storage is perfectly secure — we use reasonable measures but do not warrant security; see the Terms of Service. If we become aware of a breach of personal data we hold, we will notify affected users and any competent supervisory authority as required by applicable law.

• access & portabilityrequest a copy of your personal information in a machine-readable format
• correctionrequest correction of inaccurate or incomplete information
• deletionrequest deletion of personal information we hold (data published to public networks cannot be deleted by us — see retention)
• objectionobject to or restrict processing in certain circumstances
• withdraw consentwithdraw consent where consent is the legal basis for processing

To exercise any right, email hello@ochk.io. We respond within 30 days.

From /me/settings → advanced → delete you can permanently revoke your OrangeCheck identity. A federation-custodied balance must be swept to your own wallet first (the graduate flow). OrangeCheck deletes the operational records it holds about you; events already anchored to Bitcoin headers or published to Nostr are immutable public records of fee flows and cannot be deleted by anyone.

OrangeCheck is operated from the United States. If you access me.ochk.io from elsewhere, your information may be transferred to, stored, and processed in the US or other countries where our service providers operate. For users in the EEA, UK, or Switzerland, we rely on appropriate safeguards for international transfers.

california (ccpa / cpra)

• >>Right to know the categories of personal information collected
• >>Right to delete and to correct your personal information
• >>Right to opt out of sale or sharing — we do not sell or share personal information
• >>Right to limit use of sensitive personal information — we do not collect sensitive PI as defined by the CPRA
• >>Right to non-discrimination for exercising your rights

europe (gdpr) & united kingdom (uk gdpr)

• legal basisconsent, contract performance, legitimate interests (security, abuse prevention, service improvement), and legal obligations
• your rightsaccess, rectification, erasure, restriction, portability, objection, and withdrawal of consent
• supervisory authorityright to lodge a complaint with your local EU/EEA data-protection authority, or the UK ICO
• eu/uk representativeif and when required, we will designate an Article 27 representative and publish the details here

other jurisdictions

If you reside in a jurisdiction with a comprehensive privacy law — including Brazil (LGPD), Canada (PIPEDA / Law 25), Australia, Japan (APPI), South Korea (PIPA), Switzerland (FADP), or any U.S. state privacy law — you have the equivalent rights of access, correction, deletion, portability, and objection. Email hello@ochk.io and we will honour applicable rights under the law of your residence.

me.ochk.io is not intended for children under 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have, email hello@ochk.io immediately and we will delete it.

• >>We will update the "last updated" date above
• >>For material changes, we will provide prominent notice on the website
• >>Continued use after changes constitutes acceptance