VEIL PROTOCOL

Privacy Policy

Effective Date: June 5, 2026

Veil Protocol is built on a foundational principle: your data belongs to you. This Privacy Policy explains what information we process, where it stays, and how we protect it.

1. Our Core Privacy Commitment

Veil is designed so that we cannot surveil you even if compelled. The architecture enforces privacy by design:

• Your biometric data (face, voice, keystroke) is processed locally on your device only — it never leaves
• Our VPN nodes see only encrypted traffic — not its contents, origin, or destination
• Our messenger nodes relay sealed-sender ciphertexts — not message contents or sender identity
• We do not maintain logs that associate users with network activity
• We do not serve advertising. We do not sell data. Ever.
• We cannot produce your data in response to legal demands because we do not hold it

2. Information We Process

2.1 Information You Provide

Wallet address (optional): If you provide a cryptocurrency wallet address during onboarding, it is stored locally on your device and associated with your Veil Points balance on-chain. We do not link wallet addresses to personal identity.

Waitlist signup: If you joined our waitlist, we collected your email address and optionally your wallet address for the purpose of beta access notification. This data is stored securely and not shared with third parties.

2.2 Biometric Data — Local Only

During enrollment, Veil captures:

• Facial geometry (landmark points derived from your face — not a photograph or image)
• Voice frequency patterns (a mathematical embedding — not a recording)
• Keystroke timing dynamics (inter-key intervals — not the keystrokes themselves)

These inputs are converted locally into a deterministic cryptographic seed via a fuzzy extractor. The raw biometric input is immediately discarded after conversion. The derived seed never leaves your device in recoverable form. Encrypted shards derived from this seed are distributed across Veil network nodes — these shards cannot reconstruct your key independently, in any combination below the 3-of-5 threshold, or reveal any biometric information.

We do not collect, store, transmit, or retain biometric data on any server. This is not a policy choice that can be reversed — it is an architectural constraint.

2.3 Technical Data

Veil may process limited technical data for protocol operation:

• Device type and operating system version (for compatibility)
• Crash reports (only if you explicitly opt in — off by default)

We do not collect or log IP addresses in connection with user identity. VPN traffic routing is designed to prevent correlation of traffic to users.

2.4 On-Chain Data

Veil Points balances and VEIL token transactions are recorded on the Base blockchain (Ethereum L2). Blockchain data is public by nature. We do not control or have the ability to delete on-chain data.

3. How We Use Information

We use information solely to:

• Operate and improve the Veil protocol
• Distribute beta access to waitlist members
• Track Veil Points balances for token conversion at TGE
• Respond to support and security inquiries

We do not use your information for advertising, profiling, behavioral analysis, or sale to third parties.

4. Information Sharing

We do not sell, rent, or share your personal information. The narrow exceptions:

• Legal process: If compelled by valid legal process, we will disclose what we hold — which by design is minimal. We will notify affected users when legally permitted to do so.
• Security: To protect the integrity of the Veil protocol against active attacks.
• Successor entity: In connection with a merger or acquisition, subject to identical privacy commitments.

We will publish a warrant canary at veilprotocol.net that updates monthly. Its absence signals receipt of a gag-ordered legal demand.

5. Biometric Data — Illinois BIPA Notice

If you are a resident of Illinois, you have rights under the Illinois Biometric Information Privacy Act (BIPA). Veil collects biometric identifiers (facial geometry, voiceprint embedding, keystroke dynamics) for authentication purposes only. This data is:

• Processed exclusively on your local device — never transmitted to Veil
• Never sold, leased, traded, or profited from in any form
• Retained only for as long as you use the Veil application on that device
• Destroyed upon account deletion or device unenrollment

By enrolling in Veil, you provide informed written consent to this local biometric processing. To exercise your BIPA rights or request information about our biometric data practices, contact: veilprotocol@yahoo.com.

6. Data Retention

Waitlist email addresses are retained until beta access is distributed and the purpose is fulfilled, then deleted. Biometric-derived cryptographic data lives on your device under your sole control. On-chain data is permanent by the nature of blockchain technology. You may request deletion of any off-chain data associated with your email by contacting us — we will action this within 30 days.

7. Security

Veil employs post-quantum cryptography throughout, including ML-KEM-768 for key encapsulation and ML-DSA-65 for digital signatures. All messenger content uses the Double Ratchet protocol with forward secrecy and sealed sender. All VPN traffic uses WireGuard with quantum-resistant handshake extensions. Despite these measures, no system is perfectly secure. Beta software carries inherent risk and should not be used to protect information whose exposure would cause irreversible harm.

8. Children's Privacy

The Services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from minors. If we become aware that a minor has provided information, we will delete it promptly.

9. Your Rights

Depending on your jurisdiction, you may have rights to:

• Access information we hold about you
• Request deletion of your off-chain information
• Withdraw consent to biometric processing (by unenrolling from the application)
• Opt out of any communications

To exercise these rights, contact: veilprotocol@yahoo.com. We will respond within 30 days.

10. Warrant Canary

Veil publishes a monthly warrant canary at veilprotocol.net. The canary confirms we have received no gag-ordered legal demands for user data during the preceding period. The absence of an updated canary should be interpreted as a signal that such a demand has been received.

11. Changes to This Policy

We may update this Privacy Policy as the protocol evolves. Changes will be posted at veilprotocol.net/privacy with an updated effective date. Material changes will be communicated to waitlist members by email where contact information is available.

12. Contact

Privacy inquiries: veilprotocol@yahoo.com

Security disclosures: veilprotocol@yahoo.com — Subject: SECURITY DISCLOSURE

Last updated: June 5, 2026