Privacy Policy

IntLiq is operated by Keyton ApS, a company registered in Denmark. We provide liquidity intelligence for tokenised real world assets (RWAs). This policy explains what data we collect, why we collect it, and how we handle it.

As a Danish entity, we are subject to the EU General Data Protection Regulation (GDPR). We treat GDPR as our baseline standard for all users, regardless of jurisdiction.

We collect the following categories of information:

• Account information: Name, email address, company name, and billing details provided during registration.
• Watchlist preferences: The protocols you choose to monitor, alert thresholds you configure, and notification settings.
• API usage: Endpoints called, request frequency, response status codes, and API key identifiers (hashed, never stored in plaintext).
• Protocol viewing patterns: Which protocol pages you visit, score comparisons you run, and reports you generate. We use this to improve the platform, not to build advertising profiles.
• Technical data: IP address, browser type, and device information transmitted automatically with each request.

We use the information we collect to:

• Provide, maintain, and improve the liquidity intelligence Service
• Compute and deliver liquidity scores, watchlist alerts, and intelligence reports
• Monitor usage for billing, rate limiting, and abuse prevention
• Communicate with you about your account, service updates, and security notices
• Send watchlist alert notifications when monitored protocols cross your configured thresholds
• Analyse aggregate usage patterns to improve platform performance and data coverage

We do not use your data for advertising. We do not sell your data. This is not a negotiable point.

Usage data and platform activity are retained according to your subscription plan:

• Observer (free): 30 days
• Analyst: 1 year
• Institutional: Unlimited retention for the duration of the subscription

Account data is retained for as long as your account remains active. Upon account deletion, personal data is removed within 30 days, except where retention is required by law or for legitimate business purposes (such as fraud prevention or resolving disputes).

Generated PDF reports are stored in encrypted cloud storage and follow the same retention schedule as your plan. You can download your reports at any time before deletion.

We use the following third-party services to operate the platform. Each processes data on our behalf under contractual obligations consistent with GDPR requirements:

• Supabase: Database hosting, authentication, and file storage. Data stored in EU-region infrastructure.
• Stripe: Payment processing and subscription management. Stripe handles card details directly — we never see or store your full card number.
• Resend: Transactional email delivery for onboarding sequences, watchlist alerts, and billing notifications.
• Vercel: Application hosting and edge deployment. Request logs are retained for operational monitoring.
• Sentry: Error tracking and performance monitoring. Captures technical errors with minimal personal data (no account content, no watchlist data).

We do not share your data with data brokers, advertising networks, or any party that would use it for purposes outside the operation of this Service.

We implement industry-standard security measures to protect your data:

• Encryption of data at rest and in transit (TLS 1.2+)
• Row-level security policies on all database tables
• API key hashing — keys are never stored in plaintext
• Role-based access controls and the principle of least privilege
• Regular dependency audits and vulnerability monitoring

No system is completely secure. While we take reasonable measures to protect your data, we cannot guarantee absolute security. Protect your account credentials and API keys accordingly.

We use a minimal set of cookies, all of which are essential to the operation of the Service:

• Authentication session: Managed by Supabase Auth. Maintains your login state across page navigations. Expires when you sign out or after session timeout.
• Session fingerprint: A security cookie used to detect session hijacking and validate request origin. Contains no personal information.

We do not use tracking cookies, analytics cookies, or advertising cookies. There is no cookie consent banner because there is nothing optional to consent to.

As a data subject under GDPR, you have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your personal data, subject to legal retention requirements.
• Portability: Request your data in a structured, machine-readable format.
• Restriction: Request restriction of processing in certain circumstances.
• Objection: Object to processing based on legitimate interests.
• Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at privacy@intliq.com. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet).

Your data may be processed in the European Union and the United States, where our infrastructure providers operate. Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or adequacy decisions as recognised by the European Commission.

Our primary database infrastructure is hosted in the EU. Edge deployment via Vercel may route requests through global points of presence, but persistent data storage remains within EU-region infrastructure.

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@intliq.com and we will take steps to delete such data.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email at least thirty (30) days before the changes take effect.

The “Effective date” at the top of this page indicates when the policy was last updated.

If you have questions about this Privacy Policy or our data practices: