> ## Documentation Index
> Fetch the complete documentation index at: https://docs.canvas-protocol.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Privacy

> What data Canvas collects, how it is used, and who it is shared with.

Canvas is a verification layer that runs at the moment someone joins a Telegram group. This page describes the data involved and how it is handled. It is a plain-language summary, not a legal contract. {/* TODO: Founder input required — a formal Privacy Policy and Terms of Service should be reviewed by counsel before public launch. */}

## What Canvas collects

| Data                                                         | Purpose                                                               |
| ------------------------------------------------------------ | --------------------------------------------------------------------- |
| Telegram user ID (and public username, if set)               | Identify the joining user, enforce per-user rate limits and cooldowns |
| Verification transcript and response timing                  | Run the conversation and score it for genuineness                     |
| Kimi quality score                                           | Gate payout and deliver a quality signal to the advertiser            |
| Group metadata (title, topic, member count)                  | Match advertisers to relevant groups                                  |
| Wallet addresses (owner payout wallet, advertiser depositor) | Route USDC payouts and refunds on Base                                |

Canvas does **not** collect private keys, payment-card data, government identity, or any off-Telegram profile. End users never connect a wallet.

## What is written on-chain

The escrow contract stores **no user data**. On-chain records contain only a numeric campaign ID, wallet addresses, and USDC amounts. No Telegram IDs, usernames, transcripts, or scores are ever written to Base. On-chain data is public and permanent by nature of the blockchain.

## What advertisers receive

The advertiser that sponsored a task receives, per passing completion: the conversation transcript, the Kimi score, the group context, the on-chain settlement transaction hash, and remaining budget. In other words, **your response to a sponsored task is shared with the advertiser that funded it.** The task itself is the product being sold — this is the core of how Canvas works, and it is why completions are valuable.

## Subprocessors

Canvas relies on third parties to operate. Response text is processed by the conversational and scoring models.

| Provider                                      | Role                   | Data shared                              |
| --------------------------------------------- | ---------------------- | ---------------------------------------- |
| Telegram                                      | Bot platform           | User ID, username, messages              |
| Conversational LLM (e.g. Google Gemini Flash) | Generates agent turns  | Conversation turns, brief, group context |
| Kimi · Moonshot AI                            | Scores transcripts     | Full transcript, brief, group context    |
| Base (RPC provider)                           | Settlement network     | Wallet addresses, amounts                |
| Railway                                       | App hosting + Postgres | All stored data above                    |
| Vercel · Cloudflare                           | Static site + DNS      | Standard web request logs                |

## Retention

Verification records are stored in Postgres to run the protocol, prevent abuse, and deliver completions to advertisers. {/* TODO: Founder input required — confirm the retention window and any deletion/anonymization schedule. */}

## Your choices

* **Group members:** verification only runs on new joins to registered groups. Existing members are not affected.
* **Group owners:** removing `@CanvasVerificationBot` as admin stops all verification and clears queued attempts.
* **Data requests:** email <a href="mailto:hello@canvasprotocol.xyz">[hello@canvasprotocol.xyz](mailto:hello@canvasprotocol.xyz)</a> for questions about your data.

See also [Security](/trust/security) for how funds and keys are protected.
