TL;DR. We use one essential cookie to remember that you've acknowledged the cookie banner. We do not use any third-party analytics, advertising trackers, or session-recording tools. The pool keeps the bare minimum needed to pay you. You can email us to delete it.
Who is the controller
The data controller is Steven, sole trader, operating from England, United Kingdom. There is no legal entity behind the operator; this is a one-person business.
What we collect
We collect different categories depending on which service you use:
Public website (this site)
- Server access logs: IP address (truncated to /24 within 24h), user-agent string, requested URL, response code, timestamp.
- The cookie-banner acknowledgement (see Cookies below).
Mining pool
- Your wallet address (the username you connect with).
- Your worker name(s) (which you set).
- Your IP address at the time of share submission.
- Your accepted/rejected/stale share counts, hashrate, and timestamps.
- Payout history: which address, which coin, which amount, which transaction.
Account settings (only if you sign in)
- Optional email address (only if you supply one for payout / security alerts).
- TOTP secret (encrypted at rest) if you enable 2FA.
- WebAuthn public-key credential metadata (if you enable hardware key 2FA).
- Session tokens (HTTP-only cookies, sliding 30-day expiry).
Why we collect it
- Operate the pool (lawful basis: legitimate interests — running the service you connected to).
- Pay you (lawful basis: contract — you connected to mine; the payout is the consideration).
- Detect abuse (DDoS, share spam, account take-over attempts) — legitimate interests.
- Comply with HMRC — we keep payout records for the period the law requires.
Cookies
We use one cookie:
- gcc_cookies_accepted — value "essential", 365-day expiry, set on first visit when you dismiss the cookie banner. No tracking, no third-party content, no marketing.
Signed-in users additionally receive an HTTP-only session cookie scoped to the dashboard, valid for 30 days on a sliding window. It is not shared with any third party and is never read by JavaScript.
Who we share with
We do not sell your data. We share it only with:
- Our hosting provider, which stores the server logs on disk.
- Blockchain networks, when we send your payout. The transaction itself is public on-chain by design — anyone can read it.
- HMRC or law enforcement, if compelled by a valid UK court order or production notice.
Retention
- Server access logs: 30 days, then deleted.
- Pool share data: 90 days at full resolution, then summarised.
- Payout history: kept for the period HMRC requires (currently 6 years from the relevant tax year-end).
- Account email / 2FA settings: kept until you delete the account or ask us to.
Your rights
Under UK GDPR you have the right to:
- Access the data we hold about you.
- Correct anything that's wrong.
- Have it deleted (subject to legal retention requirements above).
- Restrict or object to processing.
- Receive a copy in a portable format.
- Complain to the Information Commissioner's Office (ICO) at ico.org.uk.
To exercise any of these, email steven@getcrypto.co.in. We aim to respond within 30 days as required by the Regulation. There is no charge.
Security
Our infrastructure runs hardened, fail2ban-monitored, key-only-SSH servers behind a UFW firewall. All traffic is served over TLS. Account data at rest is encrypted using a master key held only on the operator's machine. Where custody of funds is possible at all, we minimise it — payouts go directly to the address you supply.
No system is ever fully secure. If we are compromised in a way that affects your data, we will notify you and the ICO within 72 hours as required.
Contact
Privacy questions: steven@getcrypto.co.in. Postal address available on request.