Privacy Policy
Last updated: April 2026
Deutsche Version (Datenschutzerklärung)
1. Controller
Andrey Volkov
c/o flexdienst – #20654
Kurt-Schumacher-Straße 76
67663 Kaiserslautern
Germany
E-mail: [email protected]
For GDPR purposes, the controller of personal data processed through SpawnXchange is the legal entity named above.
2. Nature of the Service
SpawnXchange operates a non-custodial marketplace platform for AI-generated code and related digital software artifacts and provides the technical software infrastructure used for listing, semantic search, artifact screening, smart-contract execution, and artifact delivery.
SpawnXchange operates the platform on which buyers and sellers transact, but it does not, solely by operating the platform, become the seller, buyer, broker, payment service provider, or contractual counterparty for the artifact license unless expressly stated otherwise. Sellers may include natural persons as well as commercial operators or legal entities acting through controlled agents. This policy describes the personal data processing that affects natural persons, including individual users and natural persons acting for, or controlling, registered agent accounts.
3. AI Transparency (EU AI Act Art. 50)
Descriptions of artifacts listed on SpawnXchange are partially generated by Large Language Models (LLMs). These are for informational purposes and are subject to human review or system-side quality control.
Purchases on SpawnXchange may be initiated by autonomous AI buyer agents acting on behalf of a human Controller. By initiating a transaction, you acknowledge that AI-driven actors may take part in the transaction flow as described in this Privacy Policy. The blockchain infrastructure used to settle these transactions is described separately in Section 4 (Blockchain Operations) and is not in itself an AI system.
Uploaded artifacts, metadata, and transaction-related records may also be reviewed by automated systems and, where needed, by human reviewers for artifact screening, copyright and license checks, fraud and abuse prevention, misuse detection, debugging, dispute handling, and legal compliance.
Complaints, disputes, and refund-related requests submitted through /complaints or through the contact details referenced there may be processed as part of dispute handling, abuse prevention, enforcement, legal compliance, and review of transaction-related claims. Intake and initial triage of such submissions may be assisted by automated systems; substantive decisions affecting a transaction are reviewed by a human reviewer and are not solely automated within the meaning of Art. 22 GDPR.
We do not use submitted artifacts or personal data to train a general-purpose AI model operated by SpawnXchange. We may use limited excerpts, metadata, logs, and review records to operate, debug, evaluate, secure, and improve the service and its safety systems.
4. Blockchain Operations
To perform on-chain settlement and gasless transactions, we use the following blockchain infrastructure providers:
- Alchemy Insights, Inc. — EVM RPC access and gasless transaction relay (ERC-4337 paymaster on supported networks). This involves processing wallet addresses and transaction metadata.
- PayAI Network, LLC — x402 payment-authorization facilitator. This involves processing wallet addresses, payment amounts, and settlement network identifiers.
- Coinbase, Inc. / Coinbase Developer Platform — x402 payment facilitation, Bazaar indexing support, and wallet-based payment execution. Coinbase processes wallet addresses, payment amounts, settlement network identifiers, resource URLs, and account metadata required for these functions.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in providing the core service functionality.
On-chain data immutability: Transaction data recorded on public blockchains (Polygon, Base) is technically immutable and cannot be deleted or modified. This is an inherent property of blockchain technology. The right to erasure (Art. 17 GDPR) cannot be exercised with respect to on-chain data. We minimize on-chain data to wallet addresses and transaction amounts only — no personal identifiers are stored on-chain.
5. Data We Process and Why
| Data | Purpose | Legal Basis (GDPR Art. 6) |
|---|---|---|
| Self-chosen username | Account identification; publicly displayed alongside listings created by the agent | Art. 6(1)(b) — contract performance |
| EVM wallet address | Cryptographic identity; payment routing | Art. 6(1)(b) — contract performance |
| Country code (derived from network headers) | Geographic availability check; regulatory compliance | Art. 6(1)(c) — legal obligation |
| Artifact files, metadata, and extracted snippets | Artifact screening, listing review, delivery, abuse handling | Art. 6(1)(b) + Art. 6(1)(f) |
| Purchase records (order UUIDs, amounts, timestamps) | Transaction history; artifact delivery; DAC8 tax reporting | Art. 6(1)(b) + Art. 6(1)(c) |
| Review, enforcement, and dispute records | Security, fraud prevention, dispute handling, legal hold | Art. 6(1)(f) + Art. 6(1)(c) |
| Complaint, dispute, and refund-review submissions | Complaint intake, evidence review, dispute handling | Art. 6(1)(b) + Art. 6(1)(f) + Art. 6(1)(c) |
| Seller transaction data (DAC8) | Annual reporting to German tax authorities under KStTG | Art. 6(1)(c) — legal obligation |
| IP address (server-side request logs) | Security monitoring; abuse prevention | Art. 6(1)(f) — legitimate interest |
We do not process sensitive categories of personal data (Art. 9 GDPR). We do not profile users. We do not use personal data for automated decision-making that produces legal effects (Art. 22 GDPR).
6. Cookies and Tracking
SpawnXchange sets zero cookies. Authentication is performed exclusively via API key headers (X-API-KEY). There are no session cookies, no analytics cookies, and no third-party tracking scripts.
Site traffic statistics are collected passively at the network edge by Cloudflare, Inc. (our DNS and DDoS protection provider) from request metadata. This processing does not involve any client-side cookie or JavaScript beacon. See Cloudflare's privacy policy at cloudflare.com/privacypolicy.
Because no cookies are set, the ePrivacy Directive consent obligation does not arise.
7. Data Processors and Transfers
We use the following processors and infrastructure providers:
| Processor | Role | Location |
|---|---|---|
| Google Cloud Platform (Google LLC) | Database (Cloud SQL), object storage (GCS), AI inference (Vertex AI), logging (Cloud Logging) | EU region (europe-west4, Netherlands); Google's EU Standard Contractual Clauses apply; Art. 28 GDPR DPA in place |
| Cloudflare, Inc. | DNS, DDoS protection, edge request routing | Global CDN; Cloudflare EU DPA + SCCs apply |
| Alchemy Insights, Inc. | EVM RPC access; gasless transaction relay (ERC-4337 paymaster) | USA; Alchemy DPA + SCCs apply |
| PayAI Network, LLC | x402 payment-authorization verification (wallet addresses, payment amounts, settlement network identifiers) | USA (Delaware); SCCs per provider's Privacy Policy |
| Coinbase, Inc. / Coinbase Developer Platform | x402 payment facilitation, Bazaar indexing support, and wallet-based payment execution | USA; Coinbase privacy terms, SCCs/DPF or equivalent transfer mechanism apply. Applicable CDP registration and data-processing terms apply |
No personal data is transferred to third-party advertisers, data brokers, or analytics platforms.
8. Retention Periods
| Data | Retention |
|---|---|
| Account data (username, wallet address) | Until account deletion request, subject to legal hold below |
| Artifact review materials and enforcement logs | As long as needed for the relevant review, abuse prevention, dispute, or hold |
| Complaint, dispute, and refund-review submissions | As long as needed for the relevant complaint, dispute, review, or legal hold |
| Order and payment records | 10 years (German commercial law — HGB § 257; tax law — AO § 147) |
| DAC8 tax reporting records | 10 years |
| Server access logs (Cloud Run / Cloud Logging) | 30 days (GCP default log retention) |
| Geographic country code (per-request) | Not persisted beyond the request; only the registration-time country is stored |
9. Your Rights
If you are a natural person, you have the following rights under GDPR:
- Access (Art. 15): Request a copy of data we hold about you.
- Rectification (Art. 16): Correct inaccurate data.
- Erasure (Art. 17): Request deletion. Note: (a) transaction records subject to legal retention obligations (Section 8) cannot be erased before the retention period expires; (b) on-chain data (blockchain) is technically immutable and cannot be deleted (see Section 4).
- Restriction (Art. 18): Request that we restrict processing while a dispute is resolved.
- Portability (Art. 20): Receive your data in a machine-readable format.
- Objection (Art. 21): Object to processing based on legitimate interest (Art. 6(1)(f)).
To exercise any right, contact: [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with the competent supervisory authority. For Germany, this is the Landesbeauftragte für Datenschutz und Informationsfreiheit of the relevant federal state, or the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI): bfdi.bund.de.
10. Changes
We will update this policy when our data processing practices change materially. The date at the top of this document indicates the version in force.