← Chiron’s Cave

Legal

Privacy Policy

Last updated: May 4, 2026

This policy describes the data chironchain.com collects, what it does not, and how the operator (the pseudonym “Chiron” / @chironchain) handles it. The policy is written to mirror what the website actually does. If you find a discrepancy, the actual code is the source of truth, and we will fix the policy.

1. What this policy covers

This policy covers chironchain.com only. After Unlock’s checkout modal closes — whether you complete a purchase or dismiss it — you are redirected to @ChironsCaveBot on Telegram. From that point forward, data handling occurs in the Cave’s Telegram infrastructure and is governed additionally by Telegram’s own privacy policy. The bot stores a binding between your wallet address and your Telegram user ID solely to gate access to the private group.

2. What we collect

a. Wallet addresses

We may receive an inviting member’s wallet address when we serve a referral landing page (e.g. chironchain.com/r/<id>): we resolve the opaque referral ID to a wallet on the server and pass it to Unlock’s embedded paywall as the referrer-fee recipient. We do not receive your wallet address as a buyer. Buyer wallets are visible only to Unlock Protocol and to the public Base blockchain. Wallet addresses we do receive are public blockchain data; we do not consider them personal data in isolation, but we treat them as identifying information for the purposes of this policy. Lawful basis: our legitimate interest in operating an honest referral program for members.

b. Referral attribution

Existing members may share invitation links of the form chironchain.com/r/<id>. When such a link is clicked, we record an attribution event so the inviting member sees their referral count. The referral system stores click counts keyed by the inviting wallet address. We do not store the visiting user’s wallet address. Lawful basis: our legitimate interest in operating a referral program for members.

c. One first-party cookie

When you visit a referral link, we set a single first-party cookie called ref-visitor-id. This cookie contains an opaque random UUID, expires after 24 hours, and is marked HttpOnly, Secure, and SameSite=Lax. Its sole purpose is to deduplicate rapid repeat clicks on the same invitation link from the same device, so a single visitor cannot inflate a member’s referral count by refreshing. Lawful basis: our legitimate interest in operating an honest referral counter.

d. Web analytics

We use a privacy-respecting cookieless web analytics product in its default cookieless mode. It records page views and coarse device characteristics (browser type, screen size, country) without setting cookies or collecting personal data. See §5 for the named provider and its privacy policy. Lawful basis: our legitimate interest in understanding aggregate site usage.

e. Server logs

Our hosting provider records standard request metadata for every HTTP request, including IP address, user-agent string, request path, response status, and referrer. We use these logs only for operational monitoring, abuse detection, and rate limiting. We do not enrich, correlate, or sell server logs. Lawful basis: our legitimate interest in operating a secure service.

f. Operational state in our key-value store

We use a third-party serverless key-value store (named in §5). The keys we read or write on this site are:

  • ref-id:<id>— resolves a short referral identifier to the inviting member’s wallet address.
  • clicks:<wallet>— lifetime referral click count for an inviting member.
  • clicks-day:<wallet>:<date>— per-day click count, used for graphs in the member-facing dashboard.
  • clicks-feed:<wallet>— rolling sorted set of recent click events (timestamp + opaque cookie id), capped at 100 entries, used to render the “recent clicks” column of the same dashboard.
  • click-dedup:<cookieId>:<wallet> — 24-hour dedup marker tied to the cookie above.
  • events:funnel:<name>:<date>— aggregate funnel counters (e.g. events:funnel:site-visit:2026-05-04) with no per-user granularity.
  • rl:<route>:<ip>— short-lived rate-limit counters keyed by IP address.

None of these keys contain off-chain personal information such as name, email, phone number, address, or payment data.

3. What we do NOT collect

  • No browser storage. The site does not set or read localStorage or sessionStorage, and sets no cookies other than the single one named above.
  • No payment data.Checkout is handled end-to-end by Unlock Protocol’s embedded paywall. We never see your credit-card number, bank details, or any off-chain payment instrument.
  • No email, phone, name, or address. The site has no signup form, no newsletter, and no contact form.
  • No precise geolocation. We do not request, read, or store geolocation. We do not derive country from IP. We do not read any cf-ipcountry-style header.
  • No browser fingerprinting. We do not fingerprint browsers beyond the coarse, cookieless device metrics our analytics product collects.
  • No advertising trackers. No Meta Pixel, no Google Analytics, no Hotjar, no third-party retargeting.

4. Cookies summary

NamePurposeTypeDuration
ref-visitor-idDeduplicate referral link clicks from one deviceFirst-party, HttpOnly, Secure, SameSite=Lax24 hours

That is the entire cookie inventory.

5. Third parties we share data with

  • Vercel— hosting and cookieless analytics. Privacy policy.
  • Upstash— key-value storage for referral counters and rate-limit state. Privacy policy.
  • Unlock Protocol— embedded checkout and onchain membership. Privacy policy.
  • Base— the public Layer-2 blockchain on which the membership contract lives. Wallet addresses and on-chain transactions are public by design.
  • Telegram— the messaging platform on which the Cave operates after checkout, via @ChironsCaveBot. Privacy policy.

We do not sell, rent, or trade data to anyone. We share data with the third parties above only to the extent required to provide the service.

6. International transfers

Our hosting and key-value providers operate in the United States and the European Union, and your data may be processed in either region depending on routing. Where required, our processors rely on Standard Contractual Clauses or equivalent transfer mechanisms.

7. Retention

DataRetention
ref-visitor-id cookie24 hours
click-dedup marker24 hours
Per-day click countersApprox. 25 hours, then expired by KV TTL
Lifetime click countersFor as long as the Cave operates
Rate-limit counters1 minute
Server logsPer our hosting provider’s standard retention policy
Web analytics aggregatesPer the analytics provider’s standard retention policy

8. Your rights

Depending on where you live, applicable law (such as the EU GDPR, the UK GDPR, or the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)) may give you the right to:

  • request a copy of the data we hold about you;
  • request correction or deletion of inaccurate data;
  • object to or restrict processing carried out on the basis of legitimate interest;
  • request portability of data you provided to us; and
  • lodge a complaint with your local data-protection authority.

To exercise any of these rights, contact us by direct message to @chironchain on X. We will respond within 30 days. Because the site collects no off-chain identifiers, the most actionable request is typically deletion of records keyed to your wallet address; we will need you to prove control of that address (for example, by signing a message) before acting.

9. Changes

We update this policy by changing the “Last updated” date at the top. Because we maintain no email list, we do not notify you of changes by email; you should re-read this page when significant product changes occur.

10. Contact

Questions, requests, and complaints: direct message @chironchain on X.