Privacy Policy

Most tech companies operate on a "Vacuum Model"—they suck up every piece of data they can find. Roylith operates on a "Toxic Waste Model."

We view user data as a liability, not an asset. Storing your data creates a security risk for us. Therefore, our core philosophy is Data Minimization: We collect only what is legally required to operate, and we delete it as soon as the law allows.

We categorize data into three buckets. We are transparent about what lives where.

Roylith utilizes client-side encryption for all sensitive wallet operations. When you create a wallet on Roylith:

• The key generation happens locally on your device (browser/app).
• The private key is encrypted with your password before it ever touches our servers.
• We store only the encrypted blob. Without your password, that blob is useless static to us.

This means if Roylith's servers were hacked tomorrow, the attackers would get a database of useless, encrypted gibberish.

We protect your off-chain data (email, password), but you must understand that on-chain data is public forever.

When you send a transaction on Bitcoin or Ethereum via Roylith:

• The transaction amount is public.
• The sender and receiver addresses are public.
• The timestamp is public.

Sophisticated analytics firms (Chainalysis, Elliptic) can correlate these public transactions with your identity if you interact with KYC exchanges. Roylith cannot "hide" your on-chain activity.

We do not sell your data. Ever. However, we rely on specific vendors to function:

• Identity Verification: We use SumSub/Onfido for KYC. They process your ID document securely.
• Infrastructure: We use AWS (Amazon Web Services) for encrypted cloud hosting.
• Support: We use Zendesk for ticketing (only if you email us).

We have signed Data Processing Agreements (DPAs) with these vendors ensuring they adhere to GDPR standards.

We hate cookies. But we use a few essential ones to keep you logged in.

Analytics: We use a self-hosted instance of Plausible Analytics (privacy-focused). We do NOT use Google Analytics. We do not track you across other websites. We do not build an advertising profile on you.

Regardless of where you live, we extend GDPR-level rights to all users:

• Right to Access: You can download a copy of all data we hold on you.
• Right to Rectification: You can fix wrong info.
• Right to Erasure ("Right to be Forgotten"): You can ask us to delete your account. Note: We cannot delete transactions from the blockchain.

To exercise these rights, email privacy@roylith.com. We verify all requests to prevent social engineering.

We employ military-grade defense protocols:

• Data in Transit: TLS 1.3 Encryption.
• Data at Rest: AES-256 Encryption.
• Access Control: Strict "Least Privilege" access for Roylith employees.
• Audits: Annual penetration testing by third-party security firms.

Roylith is a global network. Your data may be processed on servers located outside of your country of residence, including in Switzerland and Singapore. By using the service, you consent to this transfer. We ensure these jurisdictions have adequate data protection laws.

As of the date listed below, Roylith has NOT received any secret government subpoenas, National Security Letters, or gag orders demanding user data.

If you have questions about this manifesto, contact our Data Protection Officer (DPO):