This policy describes how we handle information in connection with the public Site. Our products are architected to minimize data, but the Site is still a website and can involve basic technical data and, when you email us, the content you choose to send.

What we do not do

• We do not use third-party advertising or marketing trackers on the Site in order to build profiles of visitors.
• We do not sell your personal data.
• We do not use the Site to run behavioral analytics in the way typical ad-supported sites do.

What may be processed

• Server and network metadata: When you request pages, infrastructure providers (e.g. hosting, CDN) may process technical data such as IP addresses and logs needed to operate a website and to protect against abuse, depending on how you deploy the Site.
• Email: If you contact us, we process the information you include (for example, your address and your message) to respond and to maintain our relationship with you.
• Payment providers: If you use links to Stripe, Patreon, or similar, those providers process payment data on their own systems under their terms.

Legal bases (EEA/UK, where applicable)

Where GDPR-style rules apply, we rely on appropriate bases such as: (1) our legitimate interest in operating and securing the Site and communicating with you; (2) performance of a contract, where applicable; and (3) your consent, where we ask for it in a specific manner.

Your rights

Depending on your location, you may have rights to access, rectify, delete, object, or port personal data, and to complain to a supervisory authority. You may contact us at legal@zbelthas.com and we will respond in line with applicable law.

Children

The Site is not directed at children under 16 (or a higher age required locally). We do not knowingly collect personal information from children for marketing purposes.

Zero cookies. Zero third-party trackers. The Site deliberately does not set HTTP cookies of any kind, and does not load advertising, analytics, or fingerprinting scripts. That is why you do not see a cookie banner: there is nothing to consent to.

For your theme preference (light / dark), the Site stores a single value in your browser’s local storage under the key theme. Local storage is not transmitted to us and is not a marketing tracker. A service worker may also cache static assets locally to make the Site work offline; see the PWA notice below. You can clear both at any time from your browser settings.

Payment pages you open on third-party domains (for example, Stripe’s hosted checkout) are governed by those pages’ own notices.

The assistant accessible from the floating orb on this Site is a retrieval-augmented large-language model (Cloudflare Workers AI, Llama 3.3 Instruct class) operating on public Zbelthas content. It is intended solely to help you navigate the Site and understand the project.

What we do not do: we do not store your prompts, responses, or conversation history beyond the ephemeral request lifetime; we do not build user profiles; we do not use your queries to train any model. Responses are marked noindex.

Rate limiting: to protect the service, a lightweight per-IP rate limit is applied at the edge. It uses a daily-rotating SHA-256 bucket key (IP + date + salt) — the raw IP is never stored.

EU AI Act alignment: the assistant is a low-risk, informational tool with human oversight (you press send, you can ignore the answer). It is not used for any legal, biometric, employment, or other high-risk decision. It cannot execute actions on your behalf.

Limits: model output may be wrong, incomplete, or out of date. Nothing the assistant says is legal, financial, or security advice. For binding information, refer to this page and to the official documentation.

General. The information here is provided for convenience only. It is not legal, tax, accounting, or investment advice. Laws differ by country, region, and over time. You are responsible for understanding and complying with the laws and regulations that apply to you, including (where relevant) financial promotion rules, consumer protection, sanctions and export controls, anti-money-laundering and counter-terrorist financing requirements, data protection, e-money or payment services rules, charity and fundraising laws, and rules applicable to virtual assets, securities, and taxes. If you are unsure, seek professional advice before contributing.

Voluntary support; not an investment. Unless a separate platform clearly states otherwise at the point of payment, contributions you make through direct cryptocurrency transfers, optional Web3 or on-chain transactions linked from the Site, or card and bank payments processed by Stripe, are intended as voluntary support for Zbelthas’s work. They are not investments, do not entitle you to any ownership, equity, interest, or profit, and are not a secondary-market instrument. Past or future use of the Zbelthas name, software, or services by others does not change the non-investment, voluntary character of a contribution described as a donation.

No quid pro quo for simple donations. For one-time and direct “donation” flows (including typical crypto, Web3, and Stripe checkout paths we describe on the Donate page), you should not expect goods, services, or exclusive rights in return; any incidental acknowledgments are gratuitous. Patreon is different: recurring Patreon support is a subscription managed by Patreon; tier descriptions and benefits are set on Patreon and are subject to Patreon’s terms, creator policies, and any stated perks—not the short summary on the Donate page.

Third-party processors and networks. Payment links to Stripe, Patreon, and blockchain interactions run on those providers’ or networks’ systems. Their terms, privacy notices, and fees apply. We do not control network fees, confirmation times, or reversals. Use only addresses, contracts, and links we publish; verify everything before you send value.

Taxes, receipts, and deductibility. Tax treatment (including whether a payment is a gift, a membership fee, or a potentially deductible contribution) depends on your facts, the recipient’s status, and local law. We do not represent that any payment is tax-deductible, VAT-exempt, or eligible for a receipt unless we explicitly state so in writing for your jurisdiction. You are responsible for your own reporting and for consulting a qualified professional.

Refunds, chargebacks, and errors. Digital asset transfers to wallet addresses and many on-chain transactions are generally irreversible. For card and wallet payments, refund and dispute rules follow Stripe’s policies and the rules of your card or bank. Do not use our donation options to evade lawfully owed amounts or to manipulate payment networks.

Eligibility; prohibited use. You must have legal capacity to contribute and you must not use our donation options for illegal purposes, including to violate sanctions, launder money, or defraud any person. We may decline or return support where we are required or permitted to do so by law or policy.

No professional relationship; updates. Nothing here creates an attorney–client, advisory, or fiduciary relationship. This section may be updated. Where mandatory consumer or other non-waivable rights exist in your country, they remain unaffected.

To report a security vulnerability, email security@zbelthas.com. Our machine-readable policy is published at /.well-known/security.txt (RFC 9116).

Scope

In scope: zbelthas.com, all *.zbelthas.com subdomains, and signed Zbelthas release artifacts.

Out of scope: third-party services we do not operate (Stripe, Patreon, GitHub, RPC providers, block explorers); social-engineering of staff; physical attacks; recently disclosed CVEs (<30 days) in upstream dependencies; theoretical issues without a working proof of concept.

Rules of engagement

• Report privately first — do not publish details before we have responded and a fix is available.
• Do not exfiltrate user data. Stop at proof of concept.
• Do not degrade the service (no stress / DoS / spam of third parties).
• If you need to probe live systems, use accounts and data that you own.

Our commitments

• Acknowledgement within 72 hours.
• Triage and preliminary severity within 7 days.
• Transparent status updates on the fix schedule.
• Safe-harbor: security researchers acting in good faith under this policy will not be pursued legally.
• Credit in the fix announcement (opt-in) unless you prefer to remain anonymous.

A coordinated bug-bounty programme is not yet public. When it is, scope, rewards, and platform will be announced here and on the Trust Center. The bounty will complement — not replace — independent third-party audits.