Privacy Policy
How Legaicy collects, uses, and protects information about its users. Effective date and version shown in the policy below.
STATUS: Draft v0.1 — pending legal review. Not yet active. Bracketed placeholders [LIKE_THIS] must be filled before activation. Source: consolidated from Codex draft docs/legal/drafts/codex-privacy-draft-2026-04-26.md (commit 966efb6). Last drafted: 2026-04-26.
Legaicy — Privacy Policy v0.1 (Working Draft)
This is a working draft prepared for legal review. It is not active. Nothing in this document is legal advice. Bracketed placeholders must be reviewed and filled by counsel before activation. Section additions made on 2026-04-26 (CCPA §M, blockchain disclosure §C) have not been reviewed by counsel.
1. Plain-language summary
Your privacy choices
Legaicy offers two participation modes:
Standard Pseudonymous Mode
- Your responses are processed in a pseudonymous form.
- We do not store your raw wallet address in our off-chain user database as your primary identity record. Instead, we use a derived internal identifier for app operations.
- Your responses may be analyzed, summarized, scored, embedded, aggregated, and combined into AI-generated research outputs.
- In this mode, Legaicy does not intentionally provide your raw response text to research clients as an attributable individual response.
Verbatim / Raw Response Mode
- If you choose this mode for a question or by default for eligible questions, your raw response text may be stored and later disclosed to research buyers in accordance with the consent terms shown to you.
- Your name and direct identity are not disclosed to the client through the verbatim product, but your raw text may still contain information that could identify you or make you more identifiable, especially when combined with context or demographic information.
- Because of that increased privacy risk, this mode requires a separate, explicit opt-in.
Important
- "Pseudonymous" does not mean "anonymous."
- If you interact with public blockchains, your blockchain activity may be publicly visible and independently traceable by others. See §C below.
- Do not include names, contact details, wallet addresses, government IDs, health details, financial account numbers, or other sensitive personal information in free-text answers unless Legaicy clearly asks for it and you knowingly choose to provide it.
2. Privacy Notice and Consent to Processing
Effective Date: [DATE]
Version: v0.1
Controller: [LEGAL ENTITY NAME], [ADDRESS], [CONTACT EMAIL]
Legaicy is a research platform that allows users to answer questions, participate in panels, and receive compensation. This notice explains what personal information we collect, how we use it, what choices you have, and the additional risks and permissions that apply if you choose to submit raw response text.
By creating an account, connecting a wallet, using the platform, or submitting content, you acknowledge this notice. Where required by law, we will ask for your consent separately.
A. Categories of information we may collect
Depending on how you use Legaicy, we may collect:
- Wallet-related identifiers and blockchain interaction data.
- A pseudonymous internal user identifier derived from your wallet or authentication flow.
- Account, session, device, browser, IP-derived, and security logs.
- Subscription, usage, reward, payment, and participation records.
- Answers, drafts, scores, summaries, embeddings, themes, and related research metadata.
- Optional demographic data you choose to provide.
- Optional verification or proof-of-humanity status, if offered.
- Support requests, appeals, disputes, and abuse-prevention records.
- Consent records, including the version of the notice or prompt you accepted.
We do not ask you to include direct personal identifiers in free-text answers unless explicitly required for a specific feature.
B. Our privacy model
Legaicy uses a pseudonymous-by-default approach.
In ordinary platform use, we aim to separate your free-text research activity from directly identifying account information wherever reasonably possible. In particular:
- We may avoid storing your raw wallet address in our off-chain database as the primary user key.
- We may store derived identifiers, hashed identifiers, and internal reference IDs.
- We may transform answers into summaries, themes, scores, and embeddings for analytics, safety, ranking, aggregation, and research delivery.
However, pseudonymous data may still be personal data under privacy law if it can reasonably be linked back to you.
C. Blockchain visibility and permanence
Legaicy's compensation, subscription, and panel-participation flows touch public blockchains. Using the platform may create permanent, publicly viewable records that exist outside Legaicy's control. You should understand:
- Wallet addresses are pseudonymous, not anonymous. A wallet address that you connect to Legaicy is a string of characters that does not, on its face, identify you by name. But it is a stable identifier, and it is published on the blockchain every time it transacts. Patterns of activity, interactions with other wallets, on-chain purchases, and off-chain attestations (e.g., centralized-exchange withdrawals, KYC-linked transfers, ENS records, or social-graph references) can be used by anyone with the right tools to associate a wallet with a real-world identity.
- On-chain records are permanent. Anything written to a public blockchain — including subscription payments, LGCY token mints and transfers, ETH payouts, and on-chain panel-completion or claim transactions — cannot be deleted, edited, or recalled by Legaicy or by you. Once a transaction is mined, it is part of the public record indefinitely.
- Legaicy cannot delete on-chain data on your behalf. A privacy or deletion request submitted to Legaicy applies only to data Legaicy controls (off-chain databases, internal logs). Records on Ethereum or any other chain Legaicy interacts with are outside our reach. We have no power to redact, hide, or remove them.
- Multiple Legaicy actions create on-chain footprints. Subscribing, receiving LGCY for completed panels, claiming ETH payouts via Merkle proofs, joining a Job Board panel, and any future on-chain features will all leave a public, permanent trail tied to your wallet.
- Treat wallet activity as public by default. If you would not want a particular fact about you to be discoverable by anyone with a block explorer and patience, do not use the wallet you have connected to Legaicy for that activity. Consider using a wallet dedicated to Legaicy participation, separate from wallets used for other purposes.
We will not — and cannot — promise on-chain anonymity. The off-chain protections described elsewhere in this notice (pseudonymous internal IDs, hashed identifiers, separation of demographic buckets and free text) apply only to data we control.
D. Standard Pseudonymous Mode
If you use Standard Pseudonymous Mode:
- Your raw answers may be processed by Legaicy and its service providers for safety review, moderation, quality scoring, anti-fraud review, and generation of derived outputs.
- Legaicy may store derived forms of your answers, including summaries, themes, scores, vectors, tags, and aggregate statistics.
- Legaicy may provide clients with aggregate, anonymized, de-identified, or pseudonymous research outputs derived from your submissions.
- Legaicy will not intentionally provide your raw answer text to clients as a standard deliverable under this mode unless you separately and explicitly opt in.
Legal bases used may include: performance of contract, legitimate interests, compliance obligations, fraud prevention, and consent where required.
E. Verbatim / Raw Response Mode
If you choose Verbatim / Raw Response Mode for a response or for eligible responses by default, you expressly authorize Legaicy to:
- store your raw response text;
- process and review that text for moderation, quality, fraud, abuse, legal compliance, and product operations;
- associate the response with limited contextual metadata needed to deliver the research product;
- disclose the raw text to research buyers, partners, or processors as part of the verbatim research product, subject to platform rules and buyer-side terms and controls.
Even if Legaicy removes your direct identity, raw text can reveal or imply who you are. For example, your response may contain unique phrasing, life details, employer references, location hints, names, contact information, or other identifiers. Once raw text is shared with a client, Legaicy may not be able to retrieve, delete, or fully prevent onward retention of copies already delivered, except where required by law.
For that reason, Verbatim / Raw Response Mode is:
- optional;
- off by default unless you turn it on;
- subject to a separate, explicit opt-in;
- revocable for future use, but not necessarily reversible for disclosures already made before withdrawal.
F. Special categories and sensitive data
You should not provide sensitive personal information in free text unless it is strictly necessary and you intentionally choose to do so.
Sensitive information may include, depending on applicable law:
- racial or ethnic origin,
- religious or philosophical beliefs,
- political opinions,
- union membership,
- health or disability information,
- biometric or genetic data,
- sexual orientation or sex life,
- precise geolocation,
- government ID numbers,
- financial account information,
- children's data,
- criminal history.
If you voluntarily include sensitive information in a response, especially in Verbatim / Raw Response Mode, you acknowledge that Legaicy may process that information to deliver the feature you chose, subject to applicable law and platform safeguards. Where required, Legaicy will request explicit consent.
G. Demographics and optional profile enrichment
If you choose to provide optional demographic information:
- that information is used to improve matching, segmentation, eligibility, incentives, product analytics, and research usefulness;
- it may affect platform features, compensation logic, or research targeting;
- it may be stored separately from free-text content where operationally feasible;
- it remains optional unless clearly labeled as required for a specific feature;
- once provided, those demographic buckets may be joined against your past and future answers for future query matching. This changes future matchability, not past LGCY already minted.
You may decline to provide optional demographic data, although some features or opportunities may then be unavailable or less accurate.
H. How we use your information
We may use personal information to:
- provide the platform and pay users;
- verify eligibility and account access;
- detect bots, fraud, abuse, manipulation, duplicate accounts, and low-quality submissions;
- score, summarize, classify, embed, and analyze answers;
- generate client-facing research outputs;
- administer subscriptions, incentives, panels, and waitlists;
- maintain security, logs, compliance, and dispute records;
- improve product quality and model performance;
- comply with legal requests and enforce terms.
We do not sell your direct identity in the ordinary consumer-advertising sense. If any law treats a disclosure, sharing, or availability of certain data as a "sale" or "sharing," Legaicy will provide the rights and notices required by that law. See §M (California Privacy Rights) for details.
I. Disclosure of information
We may disclose information to:
- cloud, database, analytics, moderation, AI, security, and infrastructure providers;
- payment, rewards, compliance, and anti-fraud vendors;
- research buyers receiving aggregate outputs and, where you explicitly opt in, raw verbatim responses;
- legal, regulatory, law-enforcement, auditors, and advisers;
- successors in connection with a merger, acquisition, financing, or asset transfer.
We disclose only what is reasonably necessary for the stated purpose, subject to legal and contractual controls where available.
Research buyers fund queries through Legaicy's on-chain payment flow. Legaicy does not pre-approve, vet, or authorize buyers. By funding a query, the buyer agrees to Legaicy's Buyer Terms of Service [LINK_TBD], which includes restrictions on how the data may be used.
If a buyer funds a new custom question, that question may be absorbed into the Legaicy corpus after fulfillment and remain queryable later by future buyers. Buyers are purchasing access to answers and research outputs, not exclusive ownership of the question itself unless a separate enterprise agreement explicitly says otherwise.
J. International transfers
Your data may be processed or accessed in countries other than your own. Where required by law, Legaicy will use an appropriate transfer mechanism and safeguards for cross-border processing.
K. Retention
We retain personal information only for as long as reasonably necessary for:
- service delivery,
- fraud prevention,
- compensation and accounting,
- dispute handling,
- legal compliance,
- security,
- research integrity,
- enforcement of our terms.
Different data types may have different retention periods. Derived analytics, audit logs, consent records, payout records, and legally required records may be retained longer than drafts or inactive session data. Data already delivered to clients may be retained by those clients under their own legal obligations and agreements. On-chain records (see §C) are not subject to Legaicy's retention controls and persist indefinitely on the relevant blockchain.
L. Your rights
Depending on where you live, you may have rights to:
- know what personal information we collect and use;
- access a copy of your personal information;
- correct inaccurate information;
- delete or erase certain information;
- restrict or object to certain processing;
- withdraw consent where processing depends on consent;
- receive a portable copy of certain data;
- appeal a denial of a privacy request;
- lodge a complaint with a supervisory authority or regulator.
Some rights are limited by law, security needs, trade-secret protections, fraud-prevention obligations, research-integrity needs, accounting requirements, or the rights of others. On-chain records are outside Legaicy's control and cannot be deleted on request (see §C).
California residents have additional rights described in §M.
M. California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"), gives you specific rights with respect to your personal information. This section supplements the rest of this notice and describes how Legaicy applies the CCPA to your data.
Notice at Collection
Legaicy collects the categories of personal information described below at or before the point of collection, for the business purposes described below, and for the retention periods described in §K (Retention). This section serves as Legaicy's Notice at Collection under CCPA §1798.100(a).
Categories of personal information collected (last 12 months)
Mapped to the categories enumerated in Cal. Civ. Code §1798.140:
| CCPA category | Examples Legaicy may collect |
|---|---|
| Identifiers | Wallet address (transient, used at sign-in via wallet-signature challenge), wallet-derived hash, internal user UUID, IP address (used to derive a hash; raw IP is not retained as the primary identifier), session identifiers, device identifiers |
| Customer records (Cal. Civ. Code §1798.80(e)) | Subscription status, payment-related metadata, payout records |
| Protected classifications under California or federal law | Optional demographic information you voluntarily provide (age range, gender, race/ethnicity bucket, etc.); we collect bucketed values, not exact values |
| Commercial information | Records of subscription purchases, panel participation, LGCY balances, claim history |
| Internet or other electronic network activity | Server logs, page views, feature usage, panel-answer events, anti-fraud signals |
| Geolocation data | Coarse, IP-derived approximate location only; we do not collect precise geolocation |
| Inferences | Trust level, demographic-completeness score, fraud-risk signals derived from the above |
| Sensitive personal information (CPRA) | Where you voluntarily include sensitive content in a response, or where sensitive demographic buckets (e.g., precise religion, sexual orientation, biometric data) are provided through a feature requesting them |
We do not collect:
- Social Security numbers, driver's license numbers, passport numbers, or other government-issued ID numbers, unless legally required and explicitly disclosed at the point of collection.
- Financial account or payment-card numbers; subscription payments are made on-chain through your own wallet, not collected by Legaicy.
- Precise geolocation.
- Biometric identifiers.
Sources of collection
Personal information may come from:
- you directly (when you connect a wallet, configure your profile, fill demographic buckets, submit answers, opt in or out, or contact support);
- the public blockchains you transact on (when you make on-chain payments, claim payouts, or interact with Legaicy contracts) — see §C;
- automatic technical signals (server logs, IP-derived hashes, session metadata);
- our service providers (cloud hosting, AI scoring, anti-fraud, analytics) acting on Legaicy's behalf.
Business purposes
We use personal information for the business purposes listed in §H (How we use your information): providing the platform, processing payments and payouts, verifying eligibility, preventing fraud and abuse, scoring answers, generating research outputs for clients, securing the service, complying with legal obligations, and improving product quality.
"Do Not Sell or Share My Personal Information"
Legaicy does not sell personal information in the everyday consumer-advertising sense, and we do not share personal information for cross-context behavioral advertising. We do not run an ad business and we do not exchange personal information for monetary or non-monetary value with third-party advertisers, data brokers, or ad-tech vendors.
If, despite this, any disclosure that we make is treated by law as a "sale" or "share" under the CCPA, you have the right to opt out. To exercise this right, contact us at [PRIVACY EMAIL] with the subject line "Do Not Sell or Share — CCPA". We will process the request within the timeframe required by law.
Right to limit the use of sensitive personal information
Where Legaicy uses sensitive personal information for purposes beyond those permitted under CCPA §7027 (which generally allow uses necessary to provide the service you requested, prevent fraud, ensure security, or perform other narrow business purposes), you have the right to direct Legaicy to limit such use. To exercise this right, contact us at [PRIVACY EMAIL] with the subject line "Limit Use of Sensitive Information — CCPA".
California-specific rights
In addition to the rights described in §L, California residents have the right to:
- know what categories and specific pieces of personal information Legaicy has collected;
- know the categories of sources, the business or commercial purposes for collecting, and the categories of third parties to whom Legaicy discloses personal information;
- delete personal information Legaicy has collected, subject to statutory exceptions;
- correct inaccurate personal information;
- opt out of "sale" or "sharing" of personal information (see above);
- limit the use of sensitive personal information (see above);
- not receive discriminatory treatment for exercising any of these rights.
Authorized agents
You may use an authorized agent to submit a CCPA request on your behalf. Legaicy may require:
- proof that you have authorized the agent in writing (or, where applicable, a power of attorney executed under California Probate Code §§4000–4465); and
- verification of your own identity directly with Legaicy.
Verification
Before fulfilling a request, Legaicy will verify your identity to a degree of certainty proportionate to the sensitivity of the request. This may include wallet-signature challenges, email-based confirmation, or other reasonable verification steps. We will not fulfill a request we cannot verify.
Non-discrimination
Legaicy will not deny services, charge a different price, provide a different level of quality, or retaliate against you for exercising any CCPA right. Differences in features that depend on optional data you choose not to provide (for example, demographic-bonus emissions that require demographic buckets to be filled, or research opportunities that target specific demographic segments) reflect the nature of the feature itself, not retaliation.
Counsel review note: whether the demographic-bonus emission mechanic constitutes a "financial incentive program" under CCPA §1798.125(b) — and therefore requires separate notice, value-of-data calculation, and opt-in — is an open question for legal review.
Submitting a request
Email [PRIVACY EMAIL] with the request type in the subject line. Legaicy will acknowledge within 10 business days and respond within 45 days, with one 45-day extension permitted under CCPA when reasonably necessary. If we deny your request, we will explain why and how to appeal.
Children's data
Legaicy is not directed to consumers under 18. We do not knowingly collect personal information from minors and do not knowingly sell or share personal information of consumers under 16.
Metrics
Where required by California Code of Regulations Title 11, Legaicy will publish California-specific metrics on requests received, complied with, and denied.
N. Withdrawing consent
If you previously consented to optional processing, including verbatim/raw-response processing, you may withdraw consent for future processing through the product settings or by contacting us.
Withdrawal does not affect processing that occurred before withdrawal. If raw responses were already disclosed to a client before withdrawal, Legaicy may not be able to claw back copies already delivered, except where legally required or contractually possible. On-chain records (see §C) cannot be withdrawn or deleted by Legaicy under any circumstances.
O. Deletion requests
If you request deletion:
- Legaicy will evaluate the request under applicable law;
- some information may be deleted, de-identified, or dissociated;
- some records may be retained where necessary for fraud prevention, legal compliance, tax/accounting, safety, dispute handling, or contract enforcement;
- data already incorporated into aggregate outputs, model features, audit logs, or client-delivered research products may not always be technically or legally removable in full;
- on-chain data is outside Legaicy's deletion authority (see §C).
P. Automated processing
Legaicy may use automated tools, including AI systems, to score quality, detect abuse, summarize content, classify answers, rank opportunities, and support research outputs. Human review may also be used for safety, appeals, fraud, compliance, and client-delivery quality control.
Legaicy may also use AI systems to label questions as evergreen, topical, or other, and to determine whether time-sensitive questions should move into a review queue when relevance decays. Topical questions may later be restored or purged after human or DAO review.
Q. Minors
Legaicy is not intended for children under 18. If you believe a minor has provided personal information unlawfully, contact us so we can investigate and take appropriate action.
R. Changes to this notice
We may update this notice from time to time. Material changes may be presented in-product or through other appropriate notice. Where required by law, we will obtain fresh consent.
S. Contact
For privacy requests or questions, contact:
[PRIVACY EMAIL]
[LEGAL ENTITY NAME]
[MAILING ADDRESS]
T. Wallet identity and reputation (ADDED 2026-04-26 — soulbound disclosure)
Your wallet is your identity on Legaicy. EXP, trust level, vesting progress, and earnings are bound to your specific wallet address and cannot be transferred to another wallet. If you lose access to your wallet (lost seed phrase, compromised key, etc.), this data is irretrievable. Legaicy cannot recover or migrate this data on your behalf. Treat your Legaicy wallet as a soulbound professional identity.
This is a structural property of the platform, not a customer-service policy. There is no recovery flow we can offer; the protocol's anti-Sybil guarantees depend on the inability to merge or transfer reputation. Best practices for protecting wallet access (hardware wallets, offline seed-phrase backup, avoiding wallet reuse) are surfaced during onboarding and are the user's responsibility.
U. Re-query consent and saved panels (ADDED 2026-04-28)
Legaicy may allow you to opt in or out of future direct re-querying by research buyers.
- If you opt in, and you participate in a buyer-funded panel, that buyer may add you to a buyer-specific saved panel for future direct or named queries.
- Saved panels are buyer-specific. One buyer cannot see another buyer's saved panel.
- Opting in does not force you to answer every future query. It only allows future direct invitations and eligibility.
- If you opt out, you remain eligible for ordinary rotation-based or job-board work but will not appear in buyer saved panels for future direct targeting.
3. Standard Pseudonymous Mode — opt-in text
Standard Pseudonymous Mode Consent / Acknowledgment
I understand that:
- Legaicy will process my answers in a pseudonymous form for platform operations, fraud prevention, safety review, quality scoring, analytics, and AI-generated research outputs.
- Legaicy may store derived forms of my answers, including summaries, themes, scores, and embeddings.
- Legaicy will not intentionally provide my raw answer text to research clients under this standard mode unless I separately and explicitly opt in to a verbatim/raw-response feature.
- "Pseudonymous" does not mean fully anonymous, and public blockchain activity may still be visible or traceable outside Legaicy's systems.
Checkbox:
[ ] I understand and agree to participate in Standard Pseudonymous Mode.
4. Verbatim / Raw Response Mode — explicit opt-in text
Verbatim / Raw Response Opt-In
By turning this on, I expressly authorize Legaicy to store and process my raw response text and to disclose that raw text to research buyers as part of a verbatim research product.
I understand that:
- my raw text may contain information that identifies me or makes me more identifiable, even if my direct identity is not intentionally shown;
- Legaicy may review and process the raw text for moderation, fraud prevention, legal compliance, quality scoring, and product operations;
- once raw text is disclosed to a client, Legaicy may not be able to retrieve or fully delete copies already delivered;
- I should not include names, contact details, wallet addresses, employer names, addresses, account numbers, health details, or other sensitive personal information unless I intentionally choose to do so;
- I can withdraw this consent for future disclosures, but withdrawal will not undo uses or disclosures that already occurred.
Checkbox:
[ ] I explicitly consent to Legaicy storing and disclosing my raw response text as described above.
5. In-product warning for raw answers
Raw Answer Warning
You are about to submit a raw verbatim answer. This answer may be stored and shared with a research buyer in raw text form. Do not include names, contact info, wallet addresses, employer names, health details, or anything else you do not want read by another party.
Checkbox:
[ ] I understand the risk and explicitly consent to this raw-answer submission.
Appendix A — Drafting notes (carry-forward from Codex source draft)
Internal wording-rationale notes. Not part of the published policy. Retained here so counsel can see the framing decisions made during drafting.
Instead of saying:
- "wallet is not tracked"
Use:
- "we do not store your raw wallet address in our off-chain user database as the primary user record"
- "we use a derived internal identifier for app operations"
- "public blockchain interactions may still be visible independently of Legaicy"
Instead of saying:
- "full pseudonymous"
Use:
- "pseudonymous-by-default"
- "not anonymous"
- "raw text is not intentionally delivered to clients unless separately opted in"
Rationale: "not tracked" and "anonymous" are absolute claims that are difficult to defend and that lawyers typically cut. "Pseudonymous-by-default" and "we do not intentionally" are more accurate to the architecture and more defensible if challenged.
Appendix B — Open items for counsel review
These are flagged for counsel attention, beyond the bracketed placeholders:
- Demographic-bonus mechanic vs CCPA §1798.125(b) "financial incentive program." §M Non-discrimination treats the mechanic as a feature-of-service, not an incentive program. Confirm whether this is sustainable under California regs, or whether the mechanic needs a separate financial-incentive notice with value-of-data calculation and opt-in.
- GDPR / UK GDPR coverage. This draft includes general international-transfer language (§J) but does not yet include the EEA/UK-specific representative, lawful-basis matrix, DPIA references, or DSAR-procedure timing. Add a §M-equivalent for EEA/UK if Legaicy markets there.
- Children's age threshold. Set to 18 throughout. Confirm whether 13 (COPPA) or 16 (GDPR Art. 8) is more appropriate for any market segment Legaicy serves.
- "Sale" / "share" determination under CCPA. §M states Legaicy does not sell or share. Confirm that no current vendor relationship (analytics, AI providers, anti-fraud) qualifies as "sale" or "sharing for cross-context behavioral advertising" under CCPA §1798.140(ad)/(ah).
- Service-provider contracts. CCPA §1798.140(ag) requires written contracts with specific clauses for any vendor receiving personal information. Verify each vendor contract includes the required CCPA service-provider clauses.
- On-chain disclosure (§C). Counsel review of the blockchain-permanence language in §C is requested — particularly the interaction between an EU/UK "right to erasure" claim and the technical impossibility of on-chain deletion.
- Permissionless buyer model. Legaicy does not vet or authorize research buyers — anyone with ETH can fund a query. Buyer-side ToS will need to include data-use restrictions (no harassment, no re-identification of individuals, no unlawful purposes, etc.) to push liability to the buyer. Counsel should advise on minimum required clauses for the Buyer ToS, especially around: (1) GDPR controller/processor designation when EU residents are queried, (2) onward-disclosure restrictions, (3) re-identification prohibitions, (4) sanctions/AML considerations for buyer wallet addresses.