Privacy Policy

Akashi Labs ("Akashi Labs", "we", "us", or "our") operates the Exclusivo website and related services located at exclusivo.one and associated subdomains (collectively, the "Services"). We act as an independent privacy decision-maker regarding personal information processed to operate Exclusivo as described in this Policy.

This Policy applies to visitors to our public websites, creators and merchants using dashboards and storefront tools, purchasers and community members interacting with NFT launches and commerce features, and other individuals whose personal information we otherwise process while providing the Services. If you disagree with how we collect or use personal information, you must stop using the Services where required by applicable law.

Creators and stores hosted on Exclusivo may operate their own token-gated or public storefronts. When a storefront publishes About, Privacy, or Terms content through the Policies experience, those materials describe how that creator communicates with shoppers in addition to what we outline here. Creator policies do not supersede mandatory laws, but creators may impose additional requirements for accessing their storefronts.

For personal information governed by Regulation (EU) 2016/679 ("GDPR") or the retained UK GDPR, Akashi Labs is the controller described in Article 13/14 notices when we determine the purposes and means of processing solely for Platform operations. Supplemental contracts (for example storefront subscription terms or commercial agreements with enterprise customers) control where expressly stated.

Privacy requests and enquiries: privacy@exclusivo.one. A postal address for formal notices and any appointed EU or UK representative (if legally required) will be published alongside this Policy when finalised.

We collect information that you voluntarily provide when you register, sign in, build storefronts or launchpad projects, upload media, connect a wallet where the product supports it, complete purchases, contact support, participate in surveys, or otherwise use interactive features. We also collect certain technical information automatically when you access the Services.

• Account and authentication: Email address, authentication credentials processed by Google Firebase Authentication (we do not store cleartext passwords on our own servers in the standard email/password flow), multi-factor authentication factors you enable, session tokens, and security-related events needed to protect your account.
• Profile and storefront configuration: Display names, biographies, storefront branding, catalogue or collection metadata you enter, NFT or product descriptions, URLs and social handles you associate with a profile, invites or allowlists you upload, configuration settings for storefront appearance.
• Commerce and payouts: Orders, carts, fulfilment addresses for physical goods, customer service correspondence about transactions, Stripe customer and payment identifiers, payment-method brand and last digits as presented by Stripe, chargeback notices, invoices, and billing contact details tied to Stripe objects.
• Communications with us: Messages you send to support or staff, attachments you voluntarily provide (for example proofs of purchase), feedback you submit, and correspondence related to disputes or legal requests.
• Blockchain-connected information: Wallet addresses or public keys you choose to link, signatures or payloads you submit to prove ownership or eligibility, transaction identifiers you reference in support tickets, Candy Machine / collection addresses you associate with storefronts — all in addition to data that necessarily appears on public blockchains as described below.

We automatically collect limited technical information such as truncated or full IP addresses, user agent strings, referring URLs, language preferences, approximate region inferred from IP, timestamps, coarse device and browser type, diagnostic logs, error reports, and performance metrics. This includes events collected through Vercel Analytics and Vercel Speed Insights loaded with the application. Certain product surfaces (such as NFT mint flows) may post first-party telemetry to our own API routes for reliability and diagnostics; payloads are acknowledged server-side and may be persisted or analysed as engineering practices evolve.

If optional Google tags or similar scripts are present in your environment (our Content Security Policy allows Google Tag Manager hosts; some client code can send events when a global `gtag` function exists), those tags may set or read additional cookies or identifiers subject to their provider’s policies.

Transactions on public blockchains (including Solana and Ethereum networks that Exclusivo surfaces) are permanently recorded on distributed ledgers viewable by anyone. Wallet addresses, smart contract interactions, mint counts, pricing events, and related metadata are not secret. We cannot delete, modify, or anonymize information that has been committed to a public chain, and law may require us to retain certain records even if you request erasure of associated off-chain profile data.

You are responsible for segregating wallets used for personal versus professional activity. Treat connected addresses as public identifiers linked to your activity on supported networks.

Where GDPR or the UK GDPR applies, we rely on the following legal bases:

• Performance of a contract (Art. 6(1)(b)): Operating accounts, processing purchases, delivering NFT minting flows, enabling storefront configuration, providing customer support tied to active agreements.
• Legitimate interests (Art. 6(1)(f)): Securing the Services, detecting fraud, improving reliability, conducting limited internal analytics that do not require consent, enforcing our Terms, communicating service updates that are not purely marketing, maintaining audit logs, defending legal claims where proportionate.
• Consent (Art. 6(1)(a)): Optional marketing communications, non-essential cookies or similar technologies where required, experimental beta features clearly labelled as opt-in.
• Legal obligation (Art. 6(1)(c)): Tax, accounting, anti-money-laundering checks where triggered by payment partners, responding to lawful requests from authorities after appropriate review.
• Vital interests (Art. 6(1)(d)): Rare processing necessary to protect the life of a person, for example when law enforcement provides verified emergency disclosure requests.

You may withdraw consent where processing is consent-based without affecting the lawfulness of processing before withdrawal. Withdrawing consent may disable certain features such as optional analytics cookies.

In the United States and other jurisdictions without GDPR-style bases, we process personal information for the same operational purposes described above. Depending on your state of residence, you may have additional rights regarding access, deletion, correction, appeal, and opt-out of certain disclosures for cross-context behavioral advertising or “sales” as defined locally.

We do not sell personal information for money. We may share limited personal information with analytics and infrastructure providers in ways that some state laws characterise as “sharing” for advertising. You may contact privacy@exclusivo.one to exercise opt-out rights where available, and we will honour browser-based opt-out signals such as Global Privacy Control where legally required once operational controls are fully deployed.

We use cookies, local storage, session storage, and comparable technologies to keep you signed in, remember theme preferences, prevent abuse, and measure performance. Our root application includes Vercel Analytics and Vercel Speed Insights, which collect pseudonymous usage and performance metrics subject to Vercel’s policies.

Our Content Security Policy permits connections to Google Tag Manager hosts, and client code may emit events to `gtag` when that object is present in your browser (for example if you or an administrator injects compatible tags). We do not rely on `gtag` for core storefront operation.

You can control cookies through browser settings. Blocking strictly necessary authentication cookies may prevent login. Consult your browser documentation or use private browsing modes when evaluating optional analytics.

We disclose personal information to categories of recipients when necessary:

• Infrastructure and application providers: Google Cloud Firebase (authentication, Firestore database, Firebase Storage object storage, Firebase security rules evaluations), Google Cloud KMS or related cryptographic services leveraged for secret management integrations where configured.
• Payments: Stripe, Inc., for processing cards and related payment methods pursuant to Stripe’s terms incorporated by reference at checkout flows.
• Hosting and observability: Vercel Inc., for deploying the Next.js application, CDN delivery, Analytics, Speed Insights.
• Blockchain networks and RPC providers used to fulfil read/write operations initiated by creators or purchasers (for example RPC endpoints configured for Solana Core Candy Machine integrations or Ethereum JSON-RPC providers). Such networks independently process transactional data pursuant to protocol rules.
• Professional advisers: Accountants, auditors, or lawyers bound by confidentiality when necessary.
• Authorities: Regulatory bodies or courts after legal review consistent with Terms and applicable law.
• Corporate transactions: Successor entities in mergers, acquisitions, or asset transfers covered by requisite notices.

Creator storefront operators may independently receive shopper information forwarded through storefront checkout flows hosted on Exclusivo. Their use of such data falls under creator policies.

We operate globally and may transfer personal information to the United States and other jurisdictions where subprocessors operate. Where required, we rely on appropriate safeguards such as the Standard Contractual Clauses approved by the European Commission or UK extension addendum together with supplementary measures where DPIAs identify residual risk.

You may request copies of safeguards by emailing privacy@exclusivo.one, subject to redactions necessary to protect third-party confidentiality.

We retain personal information only so long as necessary for the purposes above, typically scoped as follows:

• Account records: Lifetime of account plus statutory limitation periods thereafter unless earlier deletion succeeds.
• Transactional tax and finance records: As required under applicable bookkeeping laws (often multiple years).
• Security logs: Rolling windows typically between 30 and 180 days unless an incident requires longer preservation.
• Marketing consents and suppression lists: Until consent is withdrawn or legal requirements demand longer retention of unsubscribe evidence.
• Blockchain-adjacent metadata cached for UI performance: Refreshed regularly; does not remove on-chain history.

We implement administrative, technical, and organisational measures intended to protect personal information, including role-based access for internal tools, transport encryption (HTTPS), secure handling of integration secrets (for example Stripe webhook signing keys), monitoring and logging for abuse and incidents, and reliance on the security features of our cloud and payment providers. Specific controls evolve as the Services mature.

No method of storage or transmission is completely secure. If you believe an account or device used with Exclusivo has been compromised, contact privacy@exclusivo.one promptly and rotate credentials through your wallet or email provider as appropriate.

Depending on jurisdiction, your rights may include:

• Access and portability requests apply to personal information we control and maintain; they do not include data stored by third-party wallet providers.
• Rectification where profile details are inaccurate.
• Deletion subject to exemptions (for example undeletable blockchain artefacts, lawful retention obligations, ongoing fraud investigations).
• Restriction when you contest accuracy or lawfulness.
• Objection where processing rests on legitimate interests and your situation warrants an override.
• Withdrawal of consent for optional processing anchored in consent.
• Non-discriminatory treatment for exercising US privacy rights subject to permissible incentives laws allow.

Submit privacy rights requests via privacy@exclusivo.one. We may authenticate your identity against account records before disclosing sensitive information. Residents of Colorado, Connecticut, Virginia, Utah, Texas, Montana, Delaware, Nebraska, Iowa, Tennessee, Kentucky, Maryland, Indiana, Rhode Island or other states granting comprehensive privacy rights retain independent appeal paths after we decline or partially fulfill requests.

Supervisory authorities in your country (for EU/UK persons) remain competent regulators for complaints unresolved directly with Akashi Labs.

We do not make decisions based solely on automated processing that produces legal effects or similarly affects you unless such processing is mandated by regulation and we expressly notify you. Limited abuse scoring informs manual review workflows but humans retain escalation authority.

The Services are not directed at children under 13 (or older age mandates where jurisdictions require storefront operators to refrain from knowingly collecting minors’ personal information absent verifiable parental consent). If you discover a child bypassed safeguards, notify privacy@exclusivo.one so we can delete associated account records when legally permissible.

The Services may link to third-party sites, embed social players, or load assets from external CDNs. Those parties operate under separate policies; review their disclosures before supplying personal information.

We may update this Policy to reflect Services changes, regulatory updates, or operational practices. Material changes will be signalled by updating the effective date above, posting a notice on dashboard login surfaces where practicable, and/or emailing account holders when required by law. Continued use after the effective date constitutes acceptance where permitted by applicable law.

Questions about this Policy or privacy practices: privacy@exclusivo.one. For legal process, include reference numbers and contact details for responsible counsel after Akashi Labs designates them publicly.