Privacy Policy

This is the privacy policy for Billateral (the website at billateral.io). Billateral is a project of Skrrt LLC, a Wyoming limited liability company. References to "we," "us," and "our" mean Skrrt LLC. We are the data controller for the personal data described in this policy.

When you join the waitlist

• Your email address.
• Anything you type in the optional note field.
• Your IP address (read from request headers).
• Your browser's user-agent string (truncated to 500 chars).
• The timestamp of submission.
• Which list you signed up for ("user" or "fund").

When you email us

The contents of your message and any reply thread.

What we don't collect

• No analytics platforms (Google Analytics, Posthog, Plausible, Vercel Analytics).
• No advertising pixels (Meta, X/Twitter, LinkedIn, Google Ads).
• No session-replay tools (FullStory, LogRocket, Hotjar).
• No third-party tracking scripts.
• No marketing or analytics cookies.

Server logs from our hosting provider (Vercel) and DNS provider (Cloudflare) capture standard request metadata — IP, timestamp, path, user-agent, response status — for security and debugging. Those logs are retained according to each provider's own retention rules.

Under the GDPR we have to name a "lawful basis" for each piece of processing. Here it is in one table:

Under "legitimate interests," we keep the data minimal, store no more than we need, and use it only for the purposes listed above.

• To confirm you joined the waitlist (the welcome receipt email).
• To send a small number of further emails as access opens up or the product changes.
• To respond when you reach out to us.
• To rate-limit submissions and prevent abuse.
• To debug and operate the website.

We don't use your data for automated decision-making or profiling.

We use a small set of vendors ("sub-processors") to run the service. Each one is bound by its own privacy commitments and a data-processing agreement with us.

We do not sell your personal information. We do not share it for cross-context behavioral advertising. We disclose information only:

• to the sub-processors above, under their own privacy terms;
• if we're required to by law (subpoena, court order, valid legal process);
• to protect the rights, property, or safety of anyone; or
• in connection with a merger, acquisition, or sale of all or part of Skrrt LLC's assets — in which case we'll notify you by email.

Our servers and sub-processors are located in the United States. If you're in the European Economic Area, the United Kingdom, Switzerland, or another region with cross-border transfer rules, your data is transferred to the US under the Standard Contractual Clauses maintained by each of our sub-processors. You can request copies of those clauses by emailing our privacy team.

• Waitlist record (email, note, IP, user-agent): kept while we operate the waitlist, or until you ask us to delete it — whichever comes first.
• Server logs: subject to our hosting and DNS providers' retention (currently 30 days for Vercel logs; Cloudflare zone analytics aggregate after 30 days).
• Email correspondence: kept while it's useful to the conversation; deletable on request.

When the waitlist is replaced by the live product, we'll either migrate your record (with notice) or delete it, depending on what you prefer.

Depending on where you live, you may have the right to:

• Access the personal data we hold about you;
• Correct inaccurate data;
• Delete your data ("right to erasure");
• Object to or restrict processing;
• Portability — receive your data in a structured, common format;
• Withdraw consent at any time (this won't affect lawful processing that already happened).

If you're a California resident, the CCPA gives you additional rights: to know, delete, correct, opt out of "sales" (we don't sell), and not to be discriminated against for exercising those rights.

To make any request, email our privacy team. We'll verify it's you (usually by checking your email matches what we have on file) and respond within 30 days for GDPR requests / 45 days for CCPA requests.

If you live in the EEA, the UK, or Switzerland and you believe we've mishandled your data, you can complain to your local data protection authority. You can also email us first — we'd rather just fix it.

The Billateral site does not set any cookies for analytics, advertising, or tracking. We don't use Google Analytics, Posthog, Plausible, Vercel Analytics, Meta Pixel, X/Twitter Pixel, LinkedIn Insight Tag, Google Ads, FullStory, LogRocket, or Hotjar.

Strictly necessary cookies

Our hosting and DNS providers may set cookies that are essential for the site to function — for example, Cloudflare's __cf_bm cookie for bot detection. Under the EU ePrivacy Directive these are exempt from the consent requirement because they are strictly necessary to deliver the service you asked for.

If we ever add analytics or marketing cookies, we will show a consent banner to EEA/UK visitors and update this policy before doing so.

Billateral is not directed at children. We do not knowingly collect personal data from anyone under 13 (United States) or under 16 (European Economic Area). If you believe a child has submitted information, email our privacy team and we'll delete it.

• Traffic to and from the site is served over HTTPS (TLS 1.3).
• Database storage is encrypted at rest (AES-256, via Neon).
• Access to administrative systems is gated by SSO and 2FA.

No system is perfect. If you discover a vulnerability, report it to our security team. We'll respond promptly and we won't pursue good-faith security research.

If we make material changes, we'll update the effective date at the top of this page and, where required, notify you by email. Today's version is v1.