Privacy Policy

Last Updated: March 19, 2026

This Privacy Policy describes how Borealis Protocol ("Borealis," "we," "us," or "our") collects, uses, stores, and protects your personal information when you use our websites (borealisprotocol.ai, borealismark.com, borealisterminal.com, borealisacademy.com), APIs, and services (collectively, the "Service").

By using the Service, you consent to the data practices described in this policy.

1. Information We Collect

1.1 Information You Provide

  • Account Information: Email address, username, and password (stored as a salted bcrypt hash, never in plain text) when you register
  • Profile Information: Display name, bio, and other optional profile fields you choose to provide
  • Agent Information: Details about AI agents you register for certification, including agent name, description, configuration data, and performance metrics
  • Marketplace Content: Listings, product descriptions, pricing, and transaction details if you use Borealis Terminal
  • Communications: Messages sent through the platform's messaging system, support requests, and feedback
  • Payment Information: Billing details processed through Stripe. We do not store full credit card numbers on our servers — payment processing is handled entirely by Stripe in accordance with PCI-DSS standards

1.2 Information We Collect Automatically

  • Usage Data: Pages visited, features used, actions taken, timestamps, and session duration
  • Device Information: Browser type, operating system, screen resolution, and general device category
  • Network Information: IP address, approximate geographic location (city/country level), and referring URL
  • Authentication Data: Login timestamps, session tokens, and security-related events (failed login attempts, password resets)

1.3 Information Generated by the Service

  • BM Scores: Trust assessment scores generated by our algorithms based on AI agent performance data
  • Progression Data: XP, AP, level, tier, and badge data associated with your account
  • Moderation Records: Content moderation actions, warnings, and enforcement history associated with your account
  • Blockchain Records: Transaction hashes submitted to the Hedera Hashgraph network. Note: data hashes submitted to public blockchains are immutable and cannot be deleted

2. How We Use Your Information

We use your information for the following purposes:

  • Providing the Service: Account creation, authentication, agent certification, marketplace operations, content delivery, and progression tracking
  • Trust Scoring: Generating and updating BM Scores based on agent performance data and behavioral analysis
  • Security: Detecting and preventing fraud, abuse, unauthorized access, and Terms of Service violations
  • Content Moderation: Enforcing community standards and preventing harmful content
  • Communication: Sending service-related notifications, security alerts, account updates, and responding to support requests
  • Improvement: Analyzing usage patterns to improve the Service, fix issues, and develop new features
  • Legal Compliance: Complying with applicable laws, regulations, legal processes, or governmental requests

What We Do NOT Use Your Information For

We do not use your personal information for:

  • Selling to third-party advertisers
  • Building advertising profiles
  • Making automated decisions about you as a natural person (BM Scores assess AI agents, not people)
  • Training AI models on your private data without explicit consent

3. How We Share Your Information

3.1 Public Information

The following information is publicly visible by design:

  • Agent names, descriptions, and BM Scores (this is the purpose of the certification platform)
  • Your username and public profile information
  • Marketplace listings you create
  • Public verification API responses for your registered agents

3.2 Service Providers

We share information with third-party service providers who assist in operating the Service:

Provider | Purpose | Data Shared
Render | API hosting and infrastructure | Account data, application data
Cloudflare | Content delivery, DDoS protection, DNS | IP addresses, traffic data
Stripe | Payment processing | Billing information (processed by Stripe directly)
Hedera Hashgraph | Blockchain anchoring | Data hashes only (not personal information)

These providers process data on our behalf under contractual obligations to protect your information.

3.3 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect the rights, property, or safety of Borealis, our users, or the public.

3.4 Business Transfers

If Borealis is acquired, merged, or undergoes a sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.

3.5 With Your Consent

We may share your information with other parties when you have given explicit consent.

4. Data Storage and Security

4.1 Storage Location

Your data is stored on servers provided by Render, Inc. (United States) and distributed through Cloudflare's global CDN network.

4.2 Security Measures

We implement the following security measures:

  • Passwords hashed with salted bcrypt (12 rounds)
  • JWT-based authentication with HttpOnly secure cookies
  • Content Security Policy (CSP) headers on all sites
  • DOMPurify XSS protection on all frontend applications
  • Parameterized SQL queries to prevent injection attacks
  • Rate limiting on authentication and API endpoints
  • Dual-layer content moderation (frontend and server-side)

4.3 Limitations

While we implement commercially reasonable security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data.

4.4 Breach Notification

In the event of a data breach that compromises your personal information, we will notify affected users within 72 hours of becoming aware of the breach, as required by applicable law, and will take appropriate remediation steps.

5. Data Retention

5.1 Active Account Retention

We retain your personal information for as long as your account is active or as needed to provide the Service.

5.2 Post-Deletion Retention

Upon account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law or necessary for legitimate business purposes (fraud prevention, dispute resolution, legal obligations).

5.3 Blockchain Data

Blockchain-anchored data hashes cannot be deleted due to the immutable nature of blockchain technology. However, these hashes alone cannot be used to reconstruct your personal information.

5.4 Anonymized Data

Anonymized and aggregated data that cannot be used to identify you may be retained indefinitely for analytical and improvement purposes.

6. Your Rights

6.1 All Users

Regardless of your location, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate personal data
  • Delete your account and associated personal data
  • Export your personal data in a commonly used format
  • Withdraw consent where processing is based on consent
  • Object to certain processing of your personal data

To exercise any of these rights, contact us at [email protected] or use the account settings within the Service. We will respond to requests within 30 days.

6.2 European Economic Area (EEA) and UK Residents — GDPR Rights

If you are located in the EEA or UK, you have additional rights under the General Data Protection Regulation (GDPR):

  • Legal Basis: We process your personal data based on: performance of contract (providing the Service), legitimate interests (security, fraud prevention, service improvement), consent (where explicitly given), and legal obligation (compliance with applicable laws)
  • Right to Restriction: You may request that we restrict processing of your data in certain circumstances
  • Right to Portability: You may request a copy of your data in a structured, machine-readable format
  • Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority
  • Data Transfers: Your data may be transferred to and processed in the United States. We rely on Standard Contractual Clauses and other approved transfer mechanisms to ensure adequate data protection

6.3 California Residents — CCPA Rights

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: You may request details about the categories and specific pieces of personal information we have collected
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions
  • Right to Opt Out: We do not sell your personal information. If this changes, we will provide a "Do Not Sell My Personal Information" option
  • Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

7. Cookies and Tracking

7.1 Types of Cookies We Use

We use the following types of cookies:

  • Essential Cookies: Authentication tokens (bm_token), session management, and security cookies. These are required for the Service to function and cannot be disabled.
  • Functional Cookies: User preferences, language settings, and display preferences (such as localStorage data for onboarding completion and UI state)

7.2 Third-Party Tracking

We do not currently use third-party advertising cookies, social media tracking pixels, or cross-site analytics cookies.

7.3 Cookie Management

You can manage cookies through your browser settings. Disabling essential cookies will prevent you from using authenticated features of the Service.

8. Automated Decision-Making

8.1 BM Score Generation

The Service uses automated processing to generate BM Scores for AI agents. This automated scoring evaluates AI agent performance and behavior — it does not make decisions about natural persons.

8.2 Content Moderation Automation

The Service uses automated content moderation to filter messages. Automated moderation decisions (muting, suspension) can be appealed through the support channel for human review.

8.3 No Decisions Affecting Persons

We do not use automated processing to make decisions that produce legal effects or similarly significant effects on natural persons.

9. Children's Privacy

9.1 Age Restriction

The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children under 18.

9.2 Parental Notification

If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly.

9.3 Reporting Child Privacy Concerns

If you believe that a child under 18 has provided personal information to us, please contact us at [email protected].

10. International Data Transfers

10.1 US-Based Operations

Borealis is operated from the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States.

10.2 Compliance with Data Protection Laws

We take appropriate measures to ensure that international data transfers comply with applicable data protection laws, including the use of Standard Contractual Clauses for transfers from the EEA/UK.

11. Changes to This Policy

11.1 Policy Updates

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email at least 14 days before the changes take effect.

11.2 Last Updated Date

The "Last Updated" date at the top of this policy indicates when it was most recently revised.

11.3 Acceptance of Changes

Your continued use of the Service after the effective date of an updated policy constitutes acceptance.

12. Contact Us

For privacy-related questions, data requests, or concerns:

Borealis Protocol — Privacy
Email: [email protected]
General Support: [email protected]
Website: https://borealisprotocol.ai

For EEA/UK users: If you are unsatisfied with our response to a privacy concern, you have the right to lodge a complaint with your local supervisory authority.


By using the Service, you acknowledge that you have read and understood this Privacy Policy.