This policy explains how IntoTAO, operated by vaNlabs ("we", "us", "our") from New Zealand, handles personal information. We collect only what we need to run the Service, and we do not sell your personal information.
1. Contact and privacy officer
Our privacy officer handles privacy questions, data requests, and complaints. Reach them at contact@intotao.app.
2. The laws we follow
We are based in New Zealand and comply with the Privacy Act 2020, including the indirect-collection notification requirements (IPP 3A) and the rules on disclosing information overseas (IPP 12). Because we have a global audience, we also align with the EU and UK General Data Protection Regulation (GDPR) where it applies to visitors in those regions, and we honour the access and deletion rights granted by US state privacy laws.
3. Information we collect
Account information
When you create an account we collect your email address, which you verify with a one-time code. We use it to authenticate you and to send essential account messages.
Membership and billing
If you subscribe, payment is processed by Stripe. We do not see or store your full card number; we keep a record of your subscription status and the identifiers Stripe gives us so we can grant and manage access.
Telegram
If you link Telegram to receive member updates, we store the identifiers needed to connect your Telegram account to your membership and to manage channel access.
Tool submissions
If you submit a tool, we collect the contact detail you provide (an email and/or a social profile) so the research desk can verify and follow up. Submitted emails are not shown publicly.
Technical information
Like any website, our servers automatically log basic technical data (such as IP address, browser type, and pages requested) to keep the Service secure and working. This is held briefly and used for security, debugging, and abuse prevention.
4. Public on-chain data
Our research draws on public Bittensor chain data and other public sources. Where we link an on-chain identifier (such as a coldkey or hotkey) to a named person, that may be personal information collected indirectly. We rely on public sources, our attribution is best-effort, and we will correct or remove an attribution about you on reasonable request. To exercise that, contact our privacy officer above.
5. How and why we use information
We use personal information to:
- authenticate you and operate your account (to perform our contract with you);
- process payments and manage your membership (to perform our contract);
- send essential service messages and, where you opt in, member updates;
- review tool submissions and respond to you;
- keep the Service secure, prevent abuse, and meet legal obligations (our legitimate interests and legal duties).
Where the GDPR applies, the bracketed bases above are our lawful bases for processing. We do not use your personal information for automated decision-making that produces legal effects.
6. Sharing and overseas disclosure
We do not sell personal information or share it for advertising. We share it only with the service providers that help us run the Service, under contracts that require them to protect it and use it only on our instructions. These providers are based outside New Zealand, so using the Service involves an overseas disclosure under IPP 12:
- Supabase (database, authentication) and Vercel (hosting): infrastructure that stores and serves the Service;
- Stripe: payment processing and subscription management;
- Resend: sending transactional and account email;
- Telegram: the optional member channel and its access management.
We also disclose information where the law requires it, or to protect our rights, users, or the Service.
7. How long we keep it
We keep personal information only as long as we need it for the purposes above or to meet legal, accounting, or security obligations. Account and membership records are kept while your account is active and for a reasonable period afterwards; technical logs are kept only briefly. We delete or anonymise information when it is no longer needed.
8. Your rights
Under the New Zealand Privacy Act you can ask us for a copy of the personal information we hold about you and ask us to correct it. Depending on where you live, you may also have rights under the GDPR (access, rectification, erasure, restriction, portability, objection, and the right to withdraw consent) or under US state laws (to know, access, delete, correct, and opt out of any sale or sharing, which we do not do). To exercise any of these, email our privacy officer at contact@intotao.app. We will verify your request and respond within the time the applicable law requires. You will not be charged or treated differently for exercising a right.
9. Security and breach notification
We take reasonable technical and organisational steps to protect personal information, including access controls and reputable infrastructure providers. No system is perfectly secure, but if a privacy breach occurs that is likely to cause serious harm, we will notify the New Zealand Office of the Privacy Commissioner and affected individuals as required by law.
10. Children
The Service is not directed at children, and we do not knowingly collect personal information from anyone under 16. If you believe a child has provided us information, contact us and we will delete it.
11. Changes to this policy
We may update this policy from time to time. We will change the "last updated" date above, and material changes take effect when posted.