OCB — Legal
Privacy Policy
Effective June 19, 2026
Made by Kindred LLC, operating the OnChain Benchmark service (“OCB,” “we,” “us,” or “our”), operates this website, the account-based research product, the APIs, and the data products associated with them. This policy describes the personal data we collect, how and why we use it, who we share it with, and the choices and rights available to you. It applies to the Service and not to any third-party site or product we link to.
1. What we publish
The OCB-RWA Index, Trust Ratings, and supporting evidence are derived from public onchain data, public attestations published by issuers, and public regulatory filings. We do not host or redistribute non-public information about any individual.
2. What we collect from you
We collect the following categories of personal data:
- Account data. Your email address, which you provide to create an account and to sign in via a passwordless email link (we generate a short-lived sign-in token tied to your email). From your email we derive and store a stable, hashed account identifier and your email domain (used to detect disposable-email signups). We do not use or store passwords.
- Billing data. When you purchase a paid plan or credits, payment is processed by our third-party payment processor (Stripe). We do notreceive or store your full card number or card security details. We store the processor’s customer reference and checkout-session identifiers, the email associated with the purchase, and a ledger of credits granted and consumed.
- Attribution data. To understand how people find OCB, we store a first-party cookie (ocb_attribution, 30 days, SameSite=Lax) recording, from your first visit, the marketing campaign parameters in the link you arrived through (utm_source, utm_medium, utm_campaign), the host of the referring website (without the full URL, path, or query string), and the first page you landed on. At signup, this is associated with your account so we can measure acquisition channels. If you arrived through a referral link, we also record the referral relationship to grant referral credits.
- Product analytics. We use a privacy-oriented analytics provider (PostHog) to understand which pages and features are used and where users encounter friction. Analytics events may be associated with your account once you are signed in; we do not enable session-replay of your screen for advertising, and we do not sell this data.
- Issuer intake submissions. If you submit an instrument for coverage, the name, email, role, organization, instrument details, and any optional URLs you provide. Used to evaluate the instrument and to contact you about the review.
- Server logs. Basic request metadata (IP address, user agent, request path, timestamp) retained for operational security and abuse prevention.
We do not use cross-site advertising or retargeting cookies, we do not sell or “share” your personal data for targeted advertising as those terms are defined under applicable law, and we do not host or redistribute non-public information about any individual.
3. How we use it
We use personal data to:
- Provide the Service — authenticate your sign-in, operate your account, meter and grant credits, and deliver the features you request.
- Process payments and prevent payment fraud, through our payment processor.
- Operate and secure the Service (uptime monitoring, debugging, rate-limiting, and abuse response).
- Understand product usage and measure acquisition channels in aggregate, and operate the referral program.
- Reply to inquiries you initiate and review issuer intake submissions.
- Comply with legal obligations and enforce our Terms.
Where required by law, our legal bases for processing are: the performance of our contract with you (providing the Service); our legitimate interests (securing the Service, preventing abuse, measuring acquisition); your consent (where we ask for it); and compliance with legal obligations.
4. Sharing
We do not sell your personal data. We share it only with service providers acting on our behalf under contract, and only as needed:
- Infrastructure— hosting, database, and transactional email providers necessary to operate the Service.
- Payments— our payment processor (Stripe), which handles your payment information under its own privacy terms.
- Analytics— our product-analytics provider (PostHog), to help us understand aggregate product usage.
- Professional advisors — counsel or auditors under confidentiality, if required.
- Authorities— only when compelled by valid legal process, or where we reasonably believe disclosure is necessary to protect rights, safety, or the integrity of the Service.
- Successors— in connection with a merger, acquisition, financing, or sale of assets, subject to this policy.
5. Cookies and similar technologies
We use a small number of cookies and similar technologies:
- Strictly necessary— a session cookie that keeps you signed in (ocb_research_session), and local storage for preferences such as chart-toggle state. These are required for the Service to function.
- Attribution— a first-party cookie (ocb_attribution, 30 days, SameSite=Lax) that records, on your first visit, the marketing parameters and referring-site host through which you arrived, so we can measure how people discover OCB. It does not track you across other websites.
- Analytics— first-party product analytics (PostHog) to understand aggregate usage.
We do not use third-party advertising cookies and do not participate in cross-site tracking networks. Where supported, we respect your browser’s Global Privacy Control (GPC) or “Do Not Track” signal for non-essential analytics and attribution.
6. Retention
We retain personal data only as long as needed for the purpose for which it was collected, or as required by law:
- Issuer intake submissions: retained while the instrument is under review and for 24 months after a coverage decision, to support audit trails on coverage decisions.
- Server logs: 90 days for security and abuse-prevention review.
- Account or correspondence records: as long as the relationship is active and for 24 months thereafter, unless a longer period is required by law.
You may request earlier deletion at any time, subject to legal obligations and legitimate-interests exceptions (e.g., fraud prevention, ongoing legal proceedings).
7. Your rights
Depending on your jurisdiction, you may have the right to access, correct, delete, or port the personal data we hold about you, and to object to or restrict certain processing. Specifically:
- EEA / UK (GDPR / UK GDPR). Rights of access, rectification, erasure, restriction, portability, and objection; right to withdraw consent where processing is based on consent; right to lodge a complaint with a supervisory authority.
- California (CCPA / CPRA). Rights to know, delete, correct, and opt out of sale or sharing of personal information (we do not sell personal information). We do not knowingly process the data of California residents under 16 without affirmative authorization.
- Other jurisdictions. Similar rights may apply under applicable law (e.g., Virginia, Colorado, Brazil’s LGPD). We honor verifiable requests consistent with the law of your residence.
To exercise any of these rights, contact privacy@onchainbenchmark.com. We may need to verify your identity before responding.
8. Security
We implement administrative, technical, and physical safeguards designed to protect personal data, including transport encryption (TLS), access controls scoped by least privilege, and at-rest encryption for database contents. No system is perfectly secure; in the event of a breach affecting your data, we will notify you and applicable authorities as required by law.
9. International transfers
We operate from the United States, and your data may be processed there or in any jurisdiction where our infrastructure providers operate. Where required, we rely on appropriate transfer mechanisms (e.g., Standard Contractual Clauses for transfers out of the EEA/UK).
10. Children
The service is not directed to individuals under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
11. Changes
We will update this policy as the product and applicable law evolve. Material changes will be announced on this page with a revised effective date. Continued use of the service after a change becomes effective constitutes acceptance.
12. Contact
Questions about this policy or your data: privacy@onchainbenchmark.com.