Who We Are

HederaToolbox is an MCP (Model Context Protocol) server that gives AI agents metered access to Hedera blockchain data. It is operated by an individual developer based in British Columbia, Canada.

Contact: github.com/mountainmystic/hederatoolbox/issues

What We Collect and Why

HederaToolbox is designed for AI agents, not individual humans. Most users are automated agents authenticating with a Hedera account ID. We collect the minimum data needed to operate the service.

Data | Why we collect it | Retention
Hedera account ID | Your API key. Public on-chain identifier. | Until account is inactive for 90+ days with zero balance
HBAR credit balance | Required to meter and charge for tool calls | Same as above
Tool call history | Billing, fraud prevention, usage analytics | Same as above
Deposit transactions | Credit reconciliation and idempotency checks | Same as above
Consent timestamp + terms version | Legal record of terms acceptance | Indefinite (the consent record itself)
IP address + user agent (consent event only) | Fraud prevention at consent time | Purged after 90 days. Consent record kept; only these fields are nulled.

We do not collect names, email addresses, passwords, payment card details, or any personal identity documents. Private keys are never collected and never transmitted to us.

Hedera Account IDs Are Public

Your Hedera account ID (e.g. 0.0.1234567) is a public blockchain identifier. Anyone can look it up on Hedera Mirror Node. We use it as your API key because it is already public — we are not exposing anything that was not already visible on-chain.

What we do store that is not public: your credit balance, tool call history, and deposit amounts. These are kept confidential and are not shared or sold.

Data Sharing

We do not sell, rent, or share your data with third parties for marketing purposes. Data may be disclosed only in these circumstances:

  • To comply with a valid legal obligation or court order
  • To protect against fraud or abuse of the platform
  • If the business is transferred to a new operator (you would be notified)

Infrastructure providers (server hosting) process data as part of normal operations. They are not permitted to use your data for their own purposes.

Your Rights (GDPR / PIPEDA)

If you are a human user in the European Economic Area or Canada, you have the right to:

  • Access — request a copy of data held about your account
  • Correction — request correction of inaccurate data
  • Deletion — request deletion of your account and all associated data
  • Portability — request your data in a machine-readable format

To exercise any of these rights, open an issue at our GitHub with the subject line "Data Request" and include your Hedera account ID.

We will respond within 30 days.

Data Security

Account data is stored in a database on a secured cloud server. Access is restricted to the platform operator only. Sensitive credentials (private keys, API secrets) are stored in environment variables and are never written to the database or included in logs.

IP addresses collected at consent time are automatically purged after 90 days.

No system is perfectly secure. In the event of a breach affecting user data, we will notify affected users via GitHub within 72 hours of discovery.

Cookies and Tracking

This website (hederatoolbox.com) does not use cookies, tracking pixels, or analytics scripts. No third-party advertising is served. The MCP API endpoint does not set cookies.

Changes to This Policy

If we make material changes to this policy, we will update the effective date above and, where feasible, notify users via the GitHub repository. Continued use of the service after a policy update constitutes acceptance of the revised terms.

Contact

For privacy questions or data requests: github.com/mountainmystic/hederatoolbox/issues