Privacy isn’t a feature. It’s the architecture.
We collect the minimum we need, we don’t sell anything to anyone, and we tell you exactly what is stored, where, and for how long.
Data Controller
AllowanceGuard is operated by EazyAccess Ltd, registered in England & Wales. We are the data controller for personal data processed through this service.
Contact: legal.support@allowanceguard.com
What we collect and why.
Every data point earns its place. If we don’t need it to run the service, we don’t collect it.
Wallet addresses
When you scan a wallet, we query public blockchain data to retrieve your token approvals. Free-tier addresses are not stored beyond the session. Pro/Sentinel addresses are stored to enable continuous monitoring, alerts, and historical tracking. SIWE sign-in links your wallet to your account — this may constitute personal data under GDPR. You can remove wallets at any time.
Email address
Used for subscription billing, monitoring alerts (Pro/Sentinel), security notifications, and team invitations. Authentication uses SIWE — no email required for login. Never shared with third parties for marketing.
Payment data
All payment processing is handled by Stripe (PCI DSS Level 1). We never see or store your card number, CVV, or full card details. We store: Stripe customer ID, subscription plan, status, and billing period dates.
Analytics events
If you accept analytics in the cookie banner, we collect anonymous usage events (scan started, wallet connected) in our own database — not via third-party services. If you select "Essential only," no analytics events are recorded. Change your preference at any time by clearing browser storage.
Monitoring & usage data (Pro/Sentinel)
Approval snapshots, monitoring events, risk score history, revocation rule configurations, webhook settings, and team membership. This data enables the monitoring, alerting, and compliance features you subscribe to.
API usage (B2B)
API key prefix (not the full key), endpoint called, response status, request duration, and daily call counts. Used for rate limiting, usage metering, and billing.
Server logs
IP address, user agent, request ID, and timestamp. Collected for security monitoring, abuse prevention, and incident response. Automatically purged after 30 days. No personal identifiers are extracted or stored beyond this period.
How your data works for you.
- Process wallet scans and display token approvals with risk assessments
- Deliver monitoring alerts via email, Slack, or Telegram (Pro/Sentinel)
- Process subscription payments and send billing communications
- Enforce rate limits and usage quotas per subscription tier
- Generate compliance audit reports (Sentinel)
- Detect and prevent abuse, fraud, and security threats
- Improve the service through aggregated, anonymised analytics (never sold)
How long we keep it.
Data has a shelf life. When the purpose ends, the data goes.
| Data type | Retention |
|---|---|
| Account profile | Until account deletion |
| Wallet monitoring data | Until wallet removed or account deletion |
| Subscription & billing records | 7 years (legal/tax requirement) |
| Audit logs | 90 days, then deleted |
| API usage records | 90 days (aggregated thereafter) |
| Server logs (IP, user agent) | 30 days |
| Webhook delivery logs | 30 days |
| Session tokens | 30 days (auto-expire) |
What you can do about it.
Under GDPR and equivalent global frameworks, you have the following rights. Exercise them at any time.
Access (Art. 15)
Request a copy of all personal data we hold. Use the data export feature in your account dashboard or call GET /api/user/export.
Portability (Art. 20)
Export your data in structured, machine-readable JSON — profile, wallets, monitoring settings, rules, and usage.
Deletion (Art. 17)
Request complete deletion of your account and all associated data. Active subscriptions will be cancelled. Some billing records retained for legal obligations.
Rectification (Art. 16)
Update your email or profile via account settings. Contact us to correct any other inaccurate data.
Restrict processing (Art. 18)
Disable monitoring for specific wallets or pause your account. Contact legal.support@allowanceguard.com for broader restrictions.
Object to processing (Art. 21)
Object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
Right to lodge a complaint
If you believe we have not handled your data correctly, you have the right to lodge a complaint with your local supervisory authority. In the UK, this is the Information Commissioner’s Office (ICO).
What we set and why.
Two essential cookies. No third-party trackers. No advertising pixels.
We set two cookies, both essential for the service to function:
ag_sessSession authentication. HttpOnly, Secure, SameSite=Lax. 30-day expiry.ag_csrfCross-site request forgery protection. Secure, SameSite=Lax, 30-day expiry. Readable by JavaScript so the client can echo the token in an x-csrf-token header.The “Analytics” toggle in our cookie banner controls server-side database tracking, not cookies. If you select “Essential only,” no behavioural events are recorded. Server-side operational events (scan requests, error rates) run under legitimate interest and are not gated by consent — they contain no personal identifiers.
Full details: Cookie Policy
Who else touches your data.
We share only what each service needs to function. No data is sold. No marketing partners.
Where your data goes.
Your data may be processed in the United States and European Union, where our infrastructure providers operate. We ensure appropriate safeguards for international transfers, including standard contractual clauses (SCCs) where required.
Sentinel and Enterprise customers may request a Data Processing Agreement (DPA).
Questions about privacy?
We’re committed to transparency. If you have questions or want to exercise your rights:
- Privacy inquiries: legal.support@allowanceguard.com
- Data export / deletion: Account dashboard or API endpoints
- DPA requests: legal.support@allowanceguard.com
Last updated: April 13, 2026. We notify registered users of significant changes via email with at least 30 days’ notice.