Effective date: general availability (this policy takes effect on the platform's general-availability date)
Last updated: general availability (this policy takes effect on the platform's general-availability date)
Version: 1.1 (counsel-ready draft · pending commercial counsel review before publication)
Applies to: assetshop.eth.limo, enterprise.assetshop.eth.limo, sco.enterprise.assetshop.eth.limo, platform.enterprise.assetshop.eth.limo, demo.enterprise.assetshop.eth.limo, trust.enterprise.assetshop.eth.limo, and the AssetShop SCO platform application (collectively, the "Service")
1. Who we are
AssetShop LLC ("AssetShop," "we," "us," or "our") is a Pennsylvania limited liability company building operational intelligence infrastructure for enterprises. We are in the process of converting to a Delaware C-corporation; this Privacy Policy will be updated to reflect the new entity once conversion is complete. This Privacy Policy describes how we collect, use, share, and protect information when you visit our websites or use our Service.
Contact: AssetShopCo@gmail.com (Data Protection Officer)
Business address: Registered business address provided on request and finalized upon Delaware C-corporation conversion
Data Protection Officer: Designated at general availability; reach the privacy team at AssetShopCo@gmail.com
EU representative (if applicable): An EU representative will be appointed where required under Article 27 of the GDPR prior to processing EU personal data at scale
For purposes of EU data protection law, AssetShop is the controller of personal information collected through our public websites and the processor of customer-submitted data ingested through the Service.
2. Information we collect
2.1 Information you provide directly
- Account and contact information - name, business email, business phone, job title, and employer, provided when you request a demo, sign a Letter of Intent, or contract for the Service.
- Communications - content of emails, support tickets, calls, and messages you send us.
- Payment and billing information - invoiced via ACH/wire; we do not store credit card data ourselves but use third-party payment processors (see Section 7).
- Customer-submitted operational data - content ingested by the Service from your enterprise systems (ERPs, procurement suites, planning systems, warehouse management, manufacturing execution, transportation management, and adjacent systems) or uploaded via Excel/CSV files conforming to our canonical schemas. This is your data; you remain its controller. We process it as your processor under our Data Processing Agreement (DPA).
2.2 Information collected automatically
- Usage data - pages viewed, features used, frequency, session duration, timestamps. We minimize this collection on our public websites and explicitly welcome AI/LLM crawlers per our published robots.txt.
- Device and connection data - IP address, browser type, operating system, referring URLs, language preferences.
- Cookies and similar technologies - we use a minimum of strictly-necessary cookies on the platform application (authentication, session). We do not deploy advertising or third-party tracking cookies. See Section 8 for details.
2.3 Information we do not collect
We do not knowingly collect biometric identifiers, government-issued identifiers (SSN, passport numbers), precise geolocation, financial account numbers (beyond what is necessary for invoicing), or information from children under 18. The Service is intended for use only by employees and authorized agents of enterprise customers, not by individual consumers.
3. How we use information
We use information for the following purposes, each with a stated legal basis under GDPR Article 6:
| Purpose | Legal basis (GDPR) |
|---|---|
| Provide the Service per the Master Services Agreement | Contract (Art. 6(1)(b)) |
| Authenticate users and prevent unauthorized access | Legitimate interest (Art. 6(1)(f)) - security |
| Respond to support requests and communications | Contract (Art. 6(1)(b)) and Legitimate interest |
| Send transactional emails (account, billing, incident notifications) | Contract |
| Send marketing emails (about new features or related services) | Consent (Art. 6(1)(a)) - opt-in, with opt-out in every message |
| Conduct sales outreach to publicly listed business contacts | Legitimate interest (Art. 6(1)(f)) - B2B prospecting, balanced against your reasonable expectations |
| Anchor SHA-256 hashes of customer-submitted data batches to public Base L2 blockchain for verifiable provenance | Contract (data minimization: only one-way hashes are anchored, never the data itself) |
| Comply with legal obligations (tax records, court orders, regulatory inquiries) | Legal obligation (Art. 6(1)(c)) |
| Defend our legal interests in litigation | Legitimate interest (Art. 6(1)(f)) |
We do not sell personal information for monetary or other valuable consideration (CCPA "do not sell" baseline).
4. How we share information
4.1 Sub-processors
We engage sub-processors to provide infrastructure, security, communications, and operations services. Our current sub-processor list is published at https://trust.enterprise.assetshop.eth.limo/#sub-processors and updated at least 30 days before any new sub-processor begins processing customer data. Each sub-processor is bound by a written Data Processing Agreement requiring protections equivalent to or stronger than those in our DPA with customers.
Current sub-processors include (see Trust Center for the live, dated list):
- Cloud hosting and compute - [AWS / GCP / Azure as deployed]
- Database and storage - [as deployed]
- Authentication - [identity provider as deployed]
- Email delivery - [SES / Postmark / Resend as deployed]
- Customer relationship management - [HubSpot / Salesforce]
- Audit-chain anchor substrate - Base Layer 2 (Coinbase, Inc.) - public blockchain; only one-way SHA-256 hashes are anchored, never customer data
- Helpdesk - [Intercom / HelpScout / Zendesk]
- Status page - [statuspage.io / Atlassian]
4.2 Service providers under your direction
When you instruct us to integrate the Service with a third-party tool (e.g., your enterprise ERP, your SSO provider), we may share data with that tool only at your direction and only to the minimum necessary for the integration. Your relationship with that third-party tool is governed by your separate agreements with them.
4.3 Legal disclosures
We may disclose information if required by law, court order, or other valid legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others. We will provide notice to affected customers when legally permitted.
4.4 Business transfers
In the event of merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred. We will notify you at least 30 days before such a transfer changes who controls your information, and we will require the recipient to honor the privacy commitments in this Policy.
4.5 Aggregated and anonymized data
We may use aggregated or de-identified data - data that cannot reasonably be linked back to you or any individual - for product improvement, analytics, marketing, or other purposes without restriction. Aggregation that re-identifies an individual is prohibited.
5. Audit chain and verifiable provenance
The Service includes an "audit chain" feature: SHA-256 hashes of customer-submitted data batches and rendered outputs are aggregated into Merkle trees and anchored to the public Base Layer 2 blockchain via the AssetShopAnchor smart contract. Only one-way cryptographic hashes are anchored, never the underlying data itself. The hashes are mathematically irreversible and contain no recoverable personal information. The purpose is to allow you, your auditors, and independent third parties to verify the integrity of AssetShop outputs without trusting AssetShop's infrastructure.
You may verify any AssetShop output using our open-source @assetshop/verify-cli tool published on npm.
6. International data transfers
If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, your personal information may be transferred to and processed in the United States and other jurisdictions that may not provide the same level of data protection. When transferring personal data out of the EEA, UK, or Switzerland to a third country without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs) and supplementary measures as set out in our DPA. Customers requiring EU-only data residency may elect EU-region deployment as part of their commercial agreement.
7. Payment processing
We do not store credit card numbers. Payments are processed by our payment processor, which is named in the order form at contract; payments are currently invoiced via ACH/wire transfer. The processor's published privacy notice (linked in the order form) applies to payment data.
8. Cookies and tracking technologies
8.1 Public websites (assetshop.eth.limo, enterprise.assetshop.eth.limo, sco.enterprise.assetshop.eth.limo, demo.enterprise.assetshop.eth.limo, trust.enterprise.assetshop.eth.limo)
- Strictly necessary cookies only: none deployed by default. Our public sites are static HTML with no tracking pixels, no advertising cookies, no analytics scripts.
- AI/LLM crawler access: explicitly allowed in our robots.txt for transparency and citation discoverability (GPTBot, Google-Extended, ClaudeBot, PerplexityBot, and others).
8.2 Platform application (platform.enterprise.assetshop.eth.limo)
- Strictly necessary cookies: session token (authentication), CSRF token (security).
- Functional cookies: preferences (timezone, default landing page) - opt-in only.
- Analytics cookies: none deployed at launch. Any future analytics deployment will use a privacy-preserving tool (no individual user profiling, no third-party data sharing) with explicit notice and opt-out.
You can configure your browser to refuse cookies, but doing so may impair the platform application's functionality.
9. Data retention
We retain personal information only as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods:
| Data category | Retention period |
|---|---|
| Customer-submitted operational data (during Service) | For the duration of the Service plus 30 days post-termination, then deleted within 60 days |
| Account and contact information | For the duration of the relationship plus 7 years for tax/legal purposes |
| Communications and support records | 3 years from the last interaction |
| Audit-chain anchor transactions on public Base L2 | Permanent (public blockchain immutability) - but contains only one-way hashes, no recoverable personal data |
| Billing records | 7 years (tax law requirement) |
| Web logs | 90 days |
| Backups | 35 days (rolling) |
10. Your rights
10.1 EEA/UK/Swiss residents (GDPR/UK GDPR/FADP)
You have the right to: access your personal data; rectify inaccurate data; obtain erasure ("right to be forgotten"); restrict processing; obtain data portability; object to processing based on legitimate interests; withdraw consent at any time (where consent is the legal basis); and lodge a complaint with your supervisory authority. We respond to verified requests within 30 days.
10.2 California residents (CCPA/CPRA)
You have the right to: know what personal information we collect, use, disclose, and "sell" (we do not sell); access the specific pieces of personal information we have collected; correct inaccurate personal information; delete personal information (subject to limited exceptions); limit use of sensitive personal information (we minimize this collection); opt out of "sharing" for cross-context behavioral advertising (we do not engage in this); and not be discriminated against for exercising these rights.
10.3 How to exercise rights
Email AssetShopCo@gmail.com from the email associated with your account or, for individuals not associated with a customer account, with sufficient information to verify your identity. We may need additional information to verify your identity before responding. You may also authorize an agent to make a request on your behalf with appropriate written authorization. We will respond within the timeframes required by applicable law (typically 30 days for GDPR, 45 days for CCPA, with possible extension).
11. Security
We implement administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, disclosure, alteration, and destruction. Specific measures include: encryption at rest and in transit; per-tenant cryptographic isolation; read-only adapters by design (we cannot modify your enterprise systems); SOC 2 Type I bridge letter (target Q4 2026) and Type II report (target Q1 2027); annual third-party penetration testing; documented incident response runbook; and a published vulnerability disclosure program at our Trust Center.
No system is impenetrable. We will notify affected customers and individuals of confirmed security incidents within the timeframes required by applicable law and our DPA (typically 72 hours of confirmed detection under GDPR Article 33; consistent with our DPA Section 8).
12. Children
The Service is not directed to children under 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, contact us at AssetShopCo@gmail.com and we will delete it.
13. Changes to this Policy
We may update this Policy from time to time. We will notify customers of material changes via email and in-app notice at least 30 days before the changes take effect. The "Last updated" date at the top of this Policy reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
14. Contact
Privacy questions: AssetShopCo@gmail.com
Data Protection Officer: Designated at general availability; reach the privacy team at AssetShopCo@gmail.com
General contact: AssetShopCo@gmail.com
Business address: Registered business address provided on request and finalized upon Delaware C-corporation conversion
EEA/UK residents may also contact our EU representative; the EU representative's contact will be published here once appointed.
This Privacy Policy is provided as a counsel-ready draft. Please review with privacy counsel before publication. Specific operational details (registered address, appointed DPO, EU representative, and payment processor) are finalized with counsel and updated here upon Delaware C-corporation conversion and general availability.