Privacy Policy
Last Updated: July 11, 2026
This Privacy Policy describes how DARTRi ("we", "us", or "our") collects, uses, and protects your personal information when you use the ALEA platform ("Service"). We are committed to protecting your privacy and handling your data with transparency and care.
1. Information We Collect
1.1 Information You Provide
When you create an account or use our Service, we collect:
- Account Information: Name, email address, organization name, and a one-way password verifier; plaintext passwords are not retained
- Billing Information: If billing is enabled later, Stripe may collect payment-card and billing details on its hosted Checkout; ALEA does not currently collect card data in this web application
- Case Data: Cryptocurrency addresses, transaction IDs, case notes, and investigation details you submit
- Communications: Messages you send to our support team or through the Service
1.2 Information Collected Automatically
When you use the Service, we automatically collect:
- Request Metadata: IP address, user agent, request path, access time, and request identifier used for security and operations
- Log Data: Error, audit, authentication, and system activity needed to operate and protect the Service
- Cookies: Host-only authentication session cookies; access and refresh credentials are not exposed to browser JavaScript
1.3 Blockchain Data
We access publicly available blockchain data to provide tracing services. This data is not personally identifiable unless you explicitly associate it with your case.
2. How We Use Your Information
We use the collected information to:
- Provide the Service: Process requested traces and display available transaction-path analysis
- Account Management: Create and maintain your account and provide support; payment processing is currently disabled
- Improve the Service: Diagnose failures, develop features, and fix bugs
- Communications: Send service updates, security alerts, billing notifications
- Security: Detect fraud, prevent abuse, protect against security threats
- Legal Compliance: Comply with legal obligations, respond to law enforcement requests
3. Information Sharing and Disclosure
We do not sell your personal information. We may share your information with:
3.1 Service Providers
We share data with third-party service providers who assist us in operating the Service, including:
- Stripe, only if hosted billing is enabled and you choose to begin a Checkout session
- Cloudflare for DNS, web delivery, traffic security, and inbound email routing
- Infrastructure and email providers configured for Service operations
- Public Bitcoin data providers, which receive requested transaction identifiers or addresses needed to retrieve public-chain data
These providers are contractually obligated to protect your data and use it only for the purposes we specify.
3.2 Legal Requirements
We may disclose your information when required by law or to:
- Comply with legal process (subpoenas, court orders)
- Respond to government or law enforcement requests
- Protect our rights, property, or safety
- Enforce our Terms of Service
- Investigate fraud or security issues
3.3 Business Transfers
If we undergo a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
4. Data Security
Current application-level safeguards include:
- TLS for data in transit on production web endpoints
- Argon2id password hashing, with migration support for legacy bcrypt hashes
- Authenticated access controls for account and case data
- Security-relevant audit logging in the application
Hosting-level encryption, backup, monitoring, and security testing depend on the deployed environment and are not represented here as independently certified. No system is completely secure.
5. Data Retention
We retain your information for as long as necessary to:
- Provide the Service to you
- Comply with legal obligations
- Resolve disputes and enforce agreements
- Maintain business records
Automated tier-specific retention schedules are not currently available. Authenticated users can delete account-owned traces, sessions, API keys, usage, and local subscription data from the Account page after canceling any active paid subscription. Limited de-identified financial, audit, legal, or security records may be retained when required.
6. Your Privacy Rights
Depending on your jurisdiction, applicable law may provide the following rights:
- Access: Request a copy of your personal data
- Correction: Update or correct inaccurate information
- Deletion: Request deletion of your personal data
- Portability: Receive your data in a machine-readable format
- Objection: Object to certain data processing activities
- Restriction: Request restriction of data processing
- Withdrawal of Consent: Withdraw consent for data processing
Authenticated account deletion is available on the Account page and requires the current password and explicit confirmation. For access, portability, objections, or requests that cannot be completed there, contact privacy@aleaforensics.com; manual requests may require identity verification.
7. Browser Storage and Tracking
The current web client uses limited browser state to:
- Maintain sessions using host-only Secure, HttpOnly authentication cookies; access and refresh tokens are not stored in JavaScript browser storage
- Hold interface and CSRF state in memory while a page is open
- Provide security and prevent request forgery
ALEA does not persist authentication credentials, invite material, or product analytics in Local Storage or Session Storage. The CSRF value used for unsafe account requests is held only in memory. Clearing or blocking cookies signs you out or prevents authenticated functionality.
8. International Data Transfers
Your information may be processed in countries other than your country of residence, where data protection laws may differ. Contact privacy@aleaforensics.com for current hosting and transfer-mechanism information before submitting sensitive data.
9. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.
10. Third-Party Links
The Service may contain links to third-party websites or services (e.g., blockchain explorers). We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. Your continued use of the Service after such changes constitutes acceptance of the updated policy.
12. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
Email: privacy@aleaforensics.com
Website: https://aleaforensics.com
By using ALEA, you acknowledge that you have read and understood this Privacy Policy.