Privacy Policy
Last updated: April 20, 2026
This Privacy Policy describes how Fretum ("we," "us") — operated by Cameron Fagan as a sole proprietor — collects, uses, and protects your information when you use the Fretum platform ("Service").
1. Information We Collect
| Data | Source | Purpose |
| --- | --- | --- |
| GitHub profile (username, email, avatar, account age) | GitHub OAuth | Account creation, credit assessment |
| API keys (hashed, never stored in plaintext) | Registration | Authentication |
| Wallet addresses | Coinbase CDP | Wallet management |
| Transaction history (endpoint, amount, timestamp) | Platform usage | Billing, analytics, webhook delivery |
| Storefront data (name, endpoints, pricing, showcase) | User-submitted | Registry listings |
| Webhook URLs | User-configured | Event delivery |
| IP address | HTTP requests | Rate limiting, abuse prevention |
2. Information We Do NOT Collect
- Private keys (MPC keys are managed by Coinbase CDP — we never see them)
- Passwords (authentication is via GitHub OAuth or API keys)
- Financial account information (bank accounts, credit cards)
- Source code from your GitHub repositories (we list repo names only)
- Tracking cookies or third-party analytics
3. How We Use Your Information
- Operate the Service: Process wallet operations, sign transactions, deliver webhooks
- Security: Rate limiting, fraud detection, abuse prevention
- Analytics: Aggregate usage statistics (not sold or shared)
- Communication: Service announcements, security alerts (email, if provided)
4. Data Storage and Security
- All data is stored locally on our server infrastructure
- API keys are hashed with SHA-256 before storage
- Secrets and credentials are encrypted at rest with AES-256-GCM
- Webhook signing secrets are generated with cryptographically secure random bytes
- HTTPS is enforced for all production traffic
- We do not use third-party cloud databases or data warehouses
5. Data Sharing
We do not sell, rent, or share your personal information with third parties except:
- Coinbase CDP: Wallet provisioning and transaction signing (required for Service operation)
- GitHub: OAuth authentication (you authorize this during login)
- Legal compliance: If required by law, subpoena, or government request
- Storefront data: Information you choose to publish in the registry (name, descriptions, pricing) is publicly visible by design
6. Data Retention
- Account data: Retained while your account is active. Deleted within 90 days of account closure.
- Transaction logs: Retained for 5 years (regulatory compliance).
- Audit logs: Retained for 1 year.
- Webhook delivery logs: Retained for 30 days.
7. Your Rights
You have the right to:
- Access: Request a copy of your data at any time
- Correction: Update inaccurate information via the dashboard
- Deletion: Request account deletion (subject to retention requirements for transaction logs)
- Export: Download your transaction history and storefront data
- Withdraw consent: Revoke GitHub OAuth access at any time via GitHub settings
8. California Residents (CCPA)
If you are a California resident, you have additional rights under the CCPA including the right to know what data we collect, the right to delete, and the right to opt out of data sales. We do not sell personal information. To exercise your rights, contact us at the email below.
9. Children
The Service is not intended for users under 18. We do not knowingly collect information from minors.
10. Changes
We may update this Privacy Policy periodically. Material changes will be communicated via the dashboard or email. The "Last updated" date at the top reflects the most recent revision.
11. Contact
Privacy questions or data requests: [email protected]