ZERA SCAN

Privacy Policy

Last Updated: April 23, 2026

Zerascan is a blockchain explorer, API proxy, wallet-connection interface, and data presentation layer for the ZERA ecosystem. We design it to minimize personal data where possible. This policy explains the personal data and operational data processed to run Zerascan. It is written for the duty to inform under Article 19 of the revised Swiss Federal Act on Data Protection and, where applicable, Articles 13 and 14 GDPR.

1. Controller and Contact

Zerascan is engineered and operated by Visiondynamics AG. Visiondynamics AG is the controller for personal data processed through Zerascan unless another provider acts as an independent controller for its own service.

Visiondynamics AG

Oberallmendstrasse 18

6300 Zug, Switzerland

Commercial register: CHE-322.581.222

Privacy contact: [email protected]

Zerascan support: [email protected] or by post to Visiondynamics AG, Oberallmendstrasse 18, 6300 Zug, Switzerland

This is the service-specific notice for Zerascan. The Visiondynamics AG privacy policy provides group-level context, but this page controls Zerascan-specific disclosures.

2. Public Blockchain Data

Zerascan indexes and displays public blockchain data, including addresses, transaction hashes, blocks, token metadata, balances, governance information, and smart-contract or DEX activity. Public blockchain data is provided by the relevant network and may be permanent. Visiondynamics cannot delete or modify public ledger records.

Most public explorer features can be used without creating an account. We do not require KYC to browse the public explorer, and we do not ask for private keys or recovery phrases.

3. Personal Data and Operational Data We Process

  • Website and API access data: IP address, user agent, requested URL, referrer, timestamps, response status, error logs, and similar connection data processed to serve pages and proxy API requests.
  • Session and rate-limit data: the __zs HTTP-only session cookie, per-session bearer tokens, API request metadata, route paths, and rate-limit or abuse-prevention records.
  • Network selection data: selected network name, API URL, gRPC URL, and custom network URL values stored in cookies or local storage when you choose mainnet, testnet, or a custom network.
  • Timezone and display preferences: timezone cookie, theme preference, debug-log preference, and interface state stored in cookies, local storage, or session storage.
  • Wallet connection data: public wallet addresses, public keys, WalletConnect session topics, chain identifiers, transaction or message signing requests, callback URLs, and connection status when you connect a wallet or use a signing flow. Zerascan never asks for or receives your private keys or recovery phrase.
  • Temporary transaction state: pending swap, liquidity, governance vote, bootstrapping, or signing context stored in session storage so the interface can resume a user-initiated action.
  • Developer/API data, where applicable: API keys, bearer tokens, contact email, endpoint-level usage metrics linked to authenticated API credentials, request counts, credit consumption, rate-limit records, and related account, billing, or abuse-prevention records for authenticated API customers.
  • Support communications: email address, name if provided, message content, attachments, and related metadata when you contact us.

IP addresses, public-key identifiers, API keys, bearer tokens, and similar technical identifiers may qualify as personal data when they can be linked to a natural person. We treat them accordingly. Visiondynamics designs VD-Indexer API usage metrics to track endpoint usage rather than storing which wallet, address, or transaction hash was looked up in those endpoint metrics, but those metrics are still linked to authenticated API credentials for analytics, credit tracking, and limiting.

4. Purposes and Legal Basis

  • Explorer and API delivery: to display blockchain data, route API requests, cache responses, serve token media, and provide developer documentation. GDPR legal basis where applicable: performance of a contract or legitimate interests.
  • Authenticated API management: to issue or validate API credentials, track endpoint usage, calculate or enforce credits and quotas, produce customer analytics, and investigate misuse. GDPR legal basis: performance of a contract and legitimate interests.
  • Wallet features: to let you connect a wallet, review transaction context, initiate user-approved signing, and resume pending flows. GDPR legal basis: performance of a contract and legitimate interests.
  • Security, rate limiting, and abuse prevention: to mint per-session bearer tokens, prevent excessive traffic, block abusive origins, protect infrastructure, and investigate incidents. GDPR legal basis: legitimate interests.
  • Preferences and routing: to remember timezone, theme, selected network, and temporary interface state. GDPR legal basis: performance of a contract and legitimate interests.
  • Support and legal compliance: to answer requests, preserve necessary records, comply with law, and respond to competent authorities. GDPR legal basis: contract, legal obligation, or legitimate interests.

Zerascan does not sell personal data and does not use advertising profiles, behavioral advertising, or non-essential analytics. For public explorer usage, we aim to process only the technical and operational data needed to render pages, protect infrastructure, and support optional features.

5. Recipients and Third-Party Services

We disclose data only where needed to run Zerascan, secure the service, or comply with law. Recipient categories include:

  • Visiondynamics-operated infrastructure: ZERA indexer, API, authentication, and related application infrastructure operated by Visiondynamics.
  • External blockchain and market-data providers: blockchain RPC, indexing, wallet-relay, public market-data, token-metadata, and media-delivery services used only where needed to render explorer data or support user-initiated features.
  • Network delivery and security providers: DNS, CDN, TLS, DDoS protection, and related network or edge-security services.
  • Hosting and infrastructure providers: hosting, deployment, compute, storage, load-balancing, and operational infrastructure used to run Zerascan.
  • Email and support providers: mailbox, routing, spam filtering, and support tooling used to answer messages.
  • Authorities and advisers: courts, regulators, law enforcement, lawyers, auditors, or other advisers where required by law or necessary to protect rights.

6. International Transfers

Our servers and service providers may operate globally, including in Switzerland, the EEA, the United States, and other countries or regions depending on routing, failover, provider architecture, and deployment.

Where data is transferred to a country or international body without an adequate level of protection under Swiss or EU law, Visiondynamics intends to rely on a lawful transfer mechanism required by applicable law for the relevant recipient, which may include an adequacy decision, a certification framework, standard contractual clauses, or another legally recognized safeguard or exception, together with data processing agreements, encryption in transit, access controls, and data minimization. You can request information about the relevant transfer mechanism by writing to [email protected].

7. Cookies and Browser Storage

Zerascan uses strictly necessary cookies and browser storage for security, routing, display preferences, and user-initiated wallet flows. We do not use advertising cookies, tracking pixels, social-media cookies, fingerprinting cookies, or behavioral analytics tools. No consent banner is displayed because no non-essential tracking is active.

  • __zs: HTTP-only session cookie used for per-session bearer tokens and rate limiting. Retention: 24 hours.
  • zera-network-api and zera-network-name: network-routing cookies used for testnet or custom network selection. Retention: up to 12 months or until cleared.
  • tz: timezone cookie used to display dates in your local timezone. Retention: up to 12 months.
  • Local storage: theme, selected API/gRPC network URLs, wallet adapter state, WalletConnect state, and debug-log preference. Retention: until you clear browser storage or disconnect where supported.
  • Session storage: temporary pending transaction, swap, liquidity, vote, bootstrapping, or signing context. Retention: until the browser tab/session ends or the flow is completed or cleared.

8. Retention

  • Session cookies and per-session bearer data: normally 24 hours, with in-memory server token caches expiring according to token lifetime.
  • Security, API proxy, and infrastructure logs: normally up to 30 days, unless needed longer for security incidents, abuse investigations, legal claims, or compliance.
  • Network, timezone, and preference storage: until the stated cookie expiry, browser-session end, or deletion by you.
  • Developer/API keys and usage records: API keys are retained until revoked or the account is closed. Endpoint-level usage metrics linked to API keys or bearer tokens are normally retained for up to 12 months, unless longer retention is needed for billing/accounting, security, legal compliance, or dispute handling.
  • Support communications: normally up to 24 months after the matter is closed, unless a longer legal or dispute period applies.
  • Public blockchain data: retained by the underlying blockchain network and may be permanent.

9. Your Rights

Subject to applicable law, you may request access, correction, deletion, restriction, objection, and portability of personal data we control. Some data cannot be deleted by Visiondynamics because it is stored only on your device, controlled by a third-party service, or permanently recorded on a public blockchain.

Send privacy requests to [email protected] or by post to Visiondynamics AG, Oberallmendstrasse 18, 6300 Zug, Switzerland. We may need to verify your identity and will respond to legitimate requests within 30 days unless applicable law allows or requires a different timeframe.

You may contact the Swiss Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, Switzerland, www.edoeb.admin.ch. If the GDPR applies to you, you may also complain to your local EU or EEA supervisory authority.

10. Security and Breach Notification

We use technical and organizational measures designed to protect personal data and operational data, including encrypted transport, HTTP-only cookies for session identifiers, access controls, origin checks, rate limiting, token-based API access, monitoring, and least-privilege operations. If a data security breach is likely to result in a high risk to affected individuals, we will notify the FDPIC as soon as possible and inform affected individuals where required. Where the GDPR applies, we will also notify the competent EU supervisory authority within 72 hours when required by Article 33 GDPR.

11. Automated Decisions and Profiling

Zerascan does not use personal data to make decisions based solely on automated processing that produce legal effects or similarly significant effects. Automated security, origin-check, and rate-limit controls may block or throttle abusive traffic, but they are used to protect service integrity and can be reviewed if you contact us.

12. Updates

We may update this policy when the service, infrastructure, or legal requirements change. Material changes will be posted on this page with a new update date.