Privacy Policy

Scan Verus (scan.verus.cx) is a public blockchain explorer for the Verus ecosystem. This policy describes what data we collect, why, how long we keep it, and your rights over it.

Plain-English summary: we don't run analytics, don't sell anything, don't share data with third parties, and don't hold anyone's wallet keys. We don't log normal traffic — your IP only gets recorded if your request looks abusive (rate-limited, brute-force, scraping, attack probes). If you log in with a VerusID we remember your iAddress so we can recognise you next time. Everything else is opt-in.

What we collect

• Security log (abuse only). Normal traffic is not logged. Only requests that return a 4xx/5xx response or trigger a rate limit — signals of brute-force, scraping, or attack probes — are recorded (IP, timestamp, requested URL, user-agent, HTTP status). Used to block abusers and protect the service.
• VerusID (i-address) when you log in. If you choose to log in with VerusID, we store your iAddress (e.g. i6QEb…) and the wallet-provided friendly name (e.g. veruscx@). Used to recognise you across sessions and bind API keys to your identity.
• API keys you create. A SHA-256 hash of the key (never the key itself), the key prefix, the tier, and usage counts.
• Notification preferences (opt-in, coming soon). If you set up address-watching alerts, we'll store the addresses you watch and the channel info you provide (email, Telegram chat ID, webhook URL).
• Payment records (opt-in). If you pay for a Pro API tier in VRSC, we record the invoice, payment address, and the on-chain txid that paid it.

What we don't collect

• We do not use Google Analytics, Mixpanel, or any third-party analytics service.
• We do not currently embed third-party scripts that track you across sites.
• We never see your wallet keys. All authentication and on-chain signing happens in your wallet. We only verify signatures via the Verus daemon.

Cookies & local storage

• Session cookie (set when you log in with VerusID): a signed token identifying your iAddress. HTTP-only, Secure, SameSite=Strict, 30-day expiry. Cleared when you log out. This cookie is strictly necessary for the login feature you requested and is exempt from consent requirements under Article 5(3) of the ePrivacy Directive.
• Dark mode preference: stored in browser localStorage. Local to your browser only, never sent to us.

Retention

• Security log (4xx/5xx only): 7 days, then automatically deleted. Successful requests are never written to disk.
• VerusID, API keys, notification preferences, invoices: kept until you delete them via your account, or indefinitely if your account is active. You can request full account deletion via the contact below.
• Public blockchain data (transactions, blocks, addresses) is indexed and retained — this is on-chain data, not personal data about you.

Third parties

We currently do not share data with any third party. When we add email notifications (planned) we will use a transactional email provider (e.g. Mailgun or Postmark) and this section will be updated to name them and link to their privacy policies.

Your rights

If you're a resident of the EU, UK, or another GDPR-equivalent jurisdiction, you have the right to:

• Access — request a copy of data we hold about you
• Rectify — correct inaccurate data
• Erase — request deletion of your account and associated data
• Object — opt out of any optional processing
• Withdraw consent — for any opt-in feature, by removing it from your account

To exercise any of these, contact us at the address below.

Contact

Questions about this policy, or to exercise your rights: message veruscx@ via VerusID, or reach out through the Verus Discord.