logo

Privacy Policy

Understand how we collect, use, and protect your personal information to ensure your privacy and security

Privacy Policy

Last updated: 11 November 2025

Plain‑English summary: WalletTag provides wallet risk signals and related tooling. We collect limited personal data to run our website, dashboard and APIs. For customer‑submitted wallet addresses, we generally act as a processor; for our own analytics, models and service operations, we act as a controller. This policy explains what we collect, why, how long we keep it, how we share it, and your rights under UK data law.

Who we are: WalletTag is a trading name of Workx UK Ltd ("we", "us", "our"). We are a company registered in England & Wales.

Registered office: 20 Wenlock Road, London, N1 7GU

Company number: 15397051

ICO registration number: ZB757118

Privacy contact: privacy@wallet-tag.com

1) Scope

This Privacy Policy covers personal data processed when you:

  • visit www.wallet-tag.com or any sub domains such as score.wallet-tag.com, dashboard.wallet-tag.com etc (the Website/Dashboard);

  • sign up for or use our services, including the WalletTag API and integrations (the Services);

  • receive communications from us (emails, in‑app messages, support);

  • participate in beta/preview programmes, surveys, events or marketing.

This policy does not apply to third‑party sites or services that we link to. Those have their own policies.

2) Roles under UK law

Depending on the context, Workx UK Ltd acts as:

Controller of: account data, billing records, operational telemetry, security logs, Website/Dashboard analytics, and our proprietary models/derived data used to provide and improve the Services.

Processor of: Customer Input Data (e.g., wallet addresses or other identifiers you submit to be scored via our API) to the extent we process them solely on your documented instructions. Our Data Processing Addendum (DPA) (Annex A) applies to that processing.

Independent Controller of: Derived Data (e.g., aggregated statistics, model weights, risk indicators not referencing an identifiable person) created to operate and enhance the Services.

If you are unsure about our role for a specific processing activity, contact us at privacy@wallet-tag.com.

3) The data we collect

A. You provide:

Account & profile (name, email, role, organisation, password hash, MFA settings).

Business details (company name, billing contact, postal address, VAT number).

Support content (tickets, chat, emails, call recordings with notice).

Marketing preferences (newsletter, webinars, events).

B. Collected automatically:

Usage & device (IP address, device/browser, time zone, language, referral URL, pages viewed, API calls, response codes, latency, error logs).

Security & fraud signals (login events, MFA events, suspicious activity, abuse indicators).

Cookies & similar tech on the Website/Dashboard (see §9).

C. From third parties:

Payment processors (transaction tokens, last‑4 of card, billing status; we do not store full card or bank details).

Identity/abuse tools (e.g. bot or spam signals, geo IP lookup).

Public blockchain data and partner datasets relevant to risk scoring.

Special category data: We do not intentionally collect special category data. Please don't submit it in support tickets or API inputs.

4) Purposes & legal bases (UK GDPR)

We process personal data for:

Service delivery & account administration (create accounts, authenticate, provide API/dashboard access, fulfil contracts). Legal basis: Contract.

Security, abuse prevention & service integrity (detect/prevent fraud, enforce AUP, protect networks). Legal basis: Legitimate interests.

Service analytics & improvement (performance, feature usage, reliability, ML model quality). Legal basis: Legitimate interests.

Billing & collections (invoicing, payments, tax). Legal basis: Contract and Legal obligation.

Communications (service notices, security alerts). Legal basis: Legitimate interests/Legal obligation.

Marketing (newsletters, product updates). Legal basis: Consent (or soft opt‑in for existing customers, with opt‑out in each message).

Compliance (law enforcement requests, sanctions screening of customers/transactions where required). Legal basis: Legal obligation/Legitimate interests.

You can object to processing based on our legitimate interests when it impacts you (see §11).

5) Sharing your data

We share personal data only with:

Processors/Sub‑processors under contract (hosting, analytics, email/SMS vendors, payment processors, support tools).

Professional advisers (lawyers, auditors, insurers) under obligation of confidentiality.

Corporate transactions (merger, acquisition, financing) with appropriate safeguards.

Authorities where required by law or to protect rights, safety and security.

We do not sell personal data.

6) International transfers

We may transfer personal data outside the UK (e.g. to the EEA or US) where vendors or infrastructure are located. When we do, we use approved safeguards such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs, plus transfer risk assessments and supplementary measures where necessary. Details are in the DPA (Annex A) and our sub‑processor list.

7) Retention

We keep personal data only as long as necessary for the purposes above:

Account/billing records: 7 years (tax/legal).

Security logs: up to 12 months, unless required longer for investigations.

Support records: up to 24 months.

Marketing data: until you unsubscribe or after a period of inactivity (we regularly cleanse lists).

Customer Input Data sent to the API: retained transiently to process the request and for short‑term caching/diagnostics [configure: e.g. up to 30 days], unless your contract specifies otherwise.

We may keep aggregated Derived Data that no longer identifies any individual.

8) Your rights

Under UK GDPR you can request:

  • Access to your personal data;

  • Rectification of inaccurate data;

  • Erasure (where no longer needed or if consent is withdrawn);

  • Restriction or objection to certain processing;

  • Portability of data you provided to us; and

  • To withdraw consent at any time (for marketing/cookies).

To exercise rights, email privacy@wallet-tag.com. We may verify your identity. You also have the right to complain to the Information Commissioner's Office (ICO) at https://ico.org.uk or 0303 123 1113.

9) Cookies & similar technologies

We use essential cookies for login, security and load‑balancing, and (with consent) analytics/marketing cookies on our Website/Dashboard. You can manage preferences via our cookie banner and your browser settings.

10) Children

Our Services are business‑focused and 18+. We do not knowingly collect data from children.

11) Automated decision‑making & profiling

WalletTag computes wallet risk signals. We do not make decisions about individuals with legal or similarly significant effects. Customers that use our outputs to make automated decisions are responsible for providing appropriate transparency, conducting impact assessments where required, and honoring data subject rights.

12) Security

We implement organisational and technical measures appropriate to risk (encryption in transit, access controls, MFA, audit logging, least‑privilege). No system is 100% secure. If we discover a breach affecting your data, we will notify you and regulators where required by law.

13) Changes

We'll update this policy from time to time. We'll post the new version here and, if changes are material, we'll notify account holders by email or in‑app.

14) Contact

Questions or requests: privacy@wallet-tag.com

Postal: Workx UK Ltd, 20 Wenlock Road, London, N1 7GU

Annex A – Data Processing Addendum (Short Form)

This DPA forms part of the agreement between Customer and Workx UK Ltd ("Processor") where Processor processes Customer Personal Data as a processor on behalf of Customer (Controller).

1. Subject matter & duration

Processing Customer Personal Data submitted to the Services for wallet scoring and related functionality, for the term of the Agreement plus limited archival periods.

2. Nature & purpose

Hosting, computation, transmission, storage, support and security.

3. Types of data & data subjects

Business contact data (Customer users); identifiers submitted by Customer (e.g., wallet addresses and related metadata which may relate to individuals); support ticket content. Data subjects include Customer's users and individuals whose data appears in Customer Input Data.

4. Processor obligations

Process only on documented instructions; confidentiality; implement appropriate security; assist Controller with data subject requests & DPIAs; delete or return Customer Personal Data at termination; make available information to demonstrate compliance; notify personal data breaches without undue delay.

5. Sub‑processing

Processor may use sub‑processors under written contracts with at least equivalent protections and will provide notice of new sub‑processors (email or webpage). Controller may object on reasonable grounds; if unresolved, parties may terminate affected Services with a pro‑rata refund of prepaid fees.

6. International transfers

Where Customer Personal Data is transferred outside the UK, Processor will use a valid transfer mechanism (UK IDTA or UK Addendum to EU SCCs), plus supplementary measures as needed.

7. Audit

Processor will provide audit reports/certifications (if any) and reasonable cooperation; on‑site audits no more than annually with reasonable notice and safeguards.

8. Return/Deletion

On termination, Processor will delete Customer Personal Data within [e.g., 30–90] days, unless retention is required by law. Backups will cycle out per standard schedules.

9. Liability & order of precedence

Each party's liability is governed by the Agreement. If this DPA conflicts with the Agreement, this DPA controls for processing of Customer Personal Data.