B3OS Privacy Policy

1. Introduction

NPC Labs, Inc., a Delaware corporation ("NPC Labs," "we," "us," or "our") operates B3OS, an onchain automation platform for cross-chain blockchain workflows, accessible at b3os.org and through related applications, APIs, and services (collectively, the "Services"). This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our Services.

By accessing or using B3OS, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please do not use the Services.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your email address, display name, organization name, and authentication credentials. If you sign up through a third-party provider (e.g., Google OAuth), we receive the information you authorize that provider to share with us.

2.2 Wallet and Financial Information

B3OS facilitates the creation and management of blockchain wallets through our non-custodial infrastructure partner, Turnkey. NPC Labs does not custody your funds and does not charge any markup, spread, or additional fees on onchain transactions. We collect and process the following wallet-related information: wallet addresses associated with your organization; encrypted wallet data managed by Turnkey (we do not have access to unencrypted private keys); transaction history and execution logs; gas usage and compute credit consumption; and session key configurations for connected smart wallets.

If you import an existing wallet, the private key is encrypted directly in your browser via Turnkey's iframe and transmitted only in encrypted form. Our servers never see or store your unencrypted private key (zero-knowledge architecture).

Turnkey provides non-custodial wallet infrastructure via Trusted Execution Environment (TEE) technology. You can export your private keys and mnemonics at any time via the Wallet Management tab in B3OS, which uses Turnkey's client-side export feature (P256 keypair encryption, decrypted in an isolated iframe). Once you export your keys, Turnkey flags the wallet as "Exported" and can no longer guarantee its security.

For subscription payments via Stripe, your payment card information is collected and processed directly by Stripe; we do not store your full card number. For crypto payments via AnySpend, we record the transaction hash, wallet address, and payment amount.

2.3 Workflow and Operational Data

When you create and run workflows, we collect: workflow configurations (trigger types, action nodes, parameters); execution history and run logs; error logs and debugging information; data processed through your workflows (which may include data from connected third-party services); and template usage and customization data.

2.4 AI Interaction Data

When you use our AI assistant ("Caddie") or other AI-powered features, we collect your prompts, instructions, and the AI-generated responses and workflow outputs. We use a third-party evaluation platform (Braintrust) to log and evaluate AI interactions for quality assurance and product improvement.

2.5 Third-Party Service Credentials

To enable integrations, you may connect third-party services (e.g., Slack, Telegram, Google Sheets, Stripe) to B3OS. We store OAuth tokens, API keys, and webhook configurations necessary to maintain these connections. We access data from these services only as directed by your workflow configurations.

2.6 Technical and Usage Data

We automatically collect: IP address, browser type, device information, and operating system; pages visited, features used, and interaction patterns; performance data, error reports, and API call logs; and cookies and similar tracking technologies (see Section 7).

2.7 Blockchain Network Data

To power workflow triggers and actions, we may read publicly available data from blockchain networks, including token balances, transaction events, smart contract states, and token prices. This data is publicly available on the blockchain and is not collected from you.

3. How We Use Your Information

We use the information we collect for the following purposes: to provide, maintain, and improve the Services, including executing workflows, managing wallets, and processing transactions; to create and manage your account and organization; to process payments, manage subscriptions, and enforce usage limits; to provide AI-powered features, including workflow generation and assistance; to communicate with you about your account, service updates, and support inquiries; to monitor and analyze usage trends, performance, and reliability; to detect, prevent, and address fraud, abuse, security incidents, and technical issues; to comply with legal obligations, including applicable financial regulations; and to enforce our Terms of Service and protect our rights and the rights of others.

We may create aggregated, de-identified, or anonymized data from personal information. Such data is not personal information and may be used for any lawful purpose, including analytics, research, product improvement, and benchmarking, without restriction.

4. AI Features and Data Processing

B3OS includes AI-powered features, including our workflow assistant ("Caddie"), AI-generated workflow suggestions, and natural language interfaces for creating automations. When you use these features:

Your prompts and instructions are sent to our AI infrastructure for processing. AI-generated outputs (workflow configurations, suggestions, responses) are created based on your inputs and our pre-configured system context. We log AI interactions for quality evaluation, debugging, and product improvement using Braintrust.

B3OS processes your prompts and workflow context to provide AI-powered features within the Services. We do not use Customer Data to train, retrain, or fine-tune third-party foundational AI models. Your data is not provided to third-party AI model providers for the purpose of improving their general-purpose models. However, we may use aggregated, de-identified AI interaction patterns to improve B3OS product features and the quality of AI-generated suggestions.

Important: AI-generated workflows may execute financial transactions. You are solely responsible for reviewing and approving any workflow before activation. We do not guarantee the accuracy, completeness, or suitability of AI-generated outputs.

5. How We Share Your Information

We do not sell your personal information to third parties. We share information only in the following circumstances:

5.1 Service Providers and Subprocessors

We share data with third-party service providers who assist us in operating the Services, including: Turnkey (wallet infrastructure and key management); Stripe (payment processing); Braintrust (AI evaluation and logging); Cloudflare (infrastructure, hosting, database services); Railway (backend hosting); Pipedream (integration connectors); QuickNode (blockchain RPC services); and Google Analytics (website analytics for non-authenticated pages).

A current list of subprocessors is maintained at b3os.org/subprocessors. We will provide reasonable notice before adding new subprocessors that process personal data.

5.2 Third-Party Integrations

When you connect third-party services to B3OS, data flows between B3OS and those services as directed by your workflow configurations. You are solely responsible for complying with the terms and privacy policies of connected third-party services. We are not responsible for their privacy practices. Please review their privacy policies before connecting them.

5.3 Blockchain Networks

When workflows execute onchain transactions, transaction data (including wallet addresses and transaction details) is recorded on public blockchain networks. This data is inherently public and immutable. B3OS cannot delete, modify, or restrict access to data recorded on public blockchains.

5.4 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others; detect or prevent fraud or security issues; or comply with applicable sanctions, anti-money laundering, or counter-terrorism financing requirements.

5.5 Business Transfers

If NPC Labs is involved in a merger, acquisition, bankruptcy, or asset sale, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

6. Data Retention and Deletion

We retain your personal information for as long as your account is active or as needed to provide the Services. We also retain information as necessary to comply with legal obligations, resolve disputes, and enforce our agreements.

Upon account deletion: your account data and organization data will be deleted within 30 days; workflow configurations and run history will be deleted within 30 days; you should export your wallet private keys via the Wallet Management tab before requesting account deletion; wallet data managed by Turnkey will be handled in accordance with Turnkey's data retention policies; AI interaction logs in Braintrust will be deleted within 90 days; and data recorded on public blockchains cannot be deleted.

7. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve the Services. These include: essential cookies required for authentication, security, and core functionality; functional cookies that remember your preferences and settings; and analytics cookies (Google Analytics) used on non-authenticated pages to understand usage patterns.

You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent you from using certain features of the Services.

We do not currently respond to "Do Not Track" browser signals. There is no uniform industry standard for recognizing or honoring DNT signals, so we do not alter our data collection and use practices based on such signals.

8. Data Security

We implement appropriate technical and organizational measures to protect your information, including: encryption of data in transit (TLS) and at rest; zero-knowledge wallet architecture via Turnkey (private keys encrypted client-side, never visible to our servers); isolated, sandboxed execution environments for workflow runs; access controls and authentication for internal systems; regular security reviews and use of pre-audited smart contract libraries (OpenZeppelin); and nonce management and transaction queuing to prevent concurrent execution conflicts.

No method of transmission over the Internet or electronic storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security.

9. Your Rights

9.1 General Rights

Depending on your jurisdiction, you may have the right to: access the personal information we hold about you; correct inaccurate or incomplete information; delete your personal information (subject to certain exceptions); restrict or object to certain processing activities; data portability (receive your data in a structured, machine-readable format); and withdraw consent where processing is based on consent.

9.2 Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the right to: know what personal information we collect, use, and disclose; request deletion of your personal information; opt out of the sale or sharing of personal information (we do not sell personal information); and non-discrimination for exercising your rights.

9.3 Exercising Your Rights

To exercise any of these rights, please contact us at [email protected]. We will respond within the timeframes required by applicable law.

10. International Data Transfers

Your information may be transferred to and processed in the United States or other countries where our service providers operate. By using the Services, you consent to the transfer of your information to the United States and other jurisdictions where we or our service providers operate.

Additionally, certain data (wallet addresses, transaction data) is inherently global when recorded on public blockchain networks.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website with a revised "Last Updated" date, and where required by law, by email or in-app notification. Your continued use of the Services after any changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us at:

NPC Labs, Inc.

Email: [email protected]