Privacy Policy

We collect only what we need to run the auction, count ads honestly, pay developers, and prevent fraud:

• Account data. If you create an account, the name and email you provide, and — for developers who choose to withdraw — the blockchain wallet address you supply for payouts.
• An opaque developer identifier. A pseudonymous ID that lets us attribute impressions and earnings to your account. It is not your code, your prompts, or your identity.
• A random session identifier. A fresh, random ID generated for each ad display so an impression can be confirmed and a click can be matched, then de-duplicated. It is not linkable to anything else.
• Ad-event data. Which campaign was shown, how long it was visible, whether it met the minimum visible time, whether it was clicked, and the timestamps — the data needed to bill an impression and credit your ledger.
• On-chain transaction data. For deposits and payouts, the transaction hash, the sending/receiving wallet address, and the USDC amount. This information is, by the nature of public blockchains, already public.
• Limited technical data. Information such as an IP address may be processed transiently to apply rate limits and detect abuse. We do not use it to build a profile of you.

The extension is built so that user content cannot leave your machine. We do not collect, and the system has nowhere to store:

• your source code or any file contents;
• your prompts or your AI assistant’s responses;
• file names, paths, selections, or project structure;
• repository metadata, commit history, or branch names; or
• your browsing activity outside the Service.

The complete set of fields the extension is permitted to transmit is defined in code (the developer ID and session ID and the ad-event confirmations above). There is no field capable of carrying your code, prompts, or file contents.

We use the data above to:

• run the ad auction and serve sponsored messages when you have ads enabled;
• count qualifying impressions and clicks and credit your earnings ledger;
• detect and prevent fraud, abuse, and policy violations;
• process on-chain deposits and payouts; and
• operate, secure, support, and improve the Service, and communicate with you about your account.

Ads are not targeted using your personal data. Ad copy is generic and carries no information about you.

If you are in the European Economic Area or the United Kingdom, we rely on these legal bases: performance of our contract with you (to run the Service and pay earnings); your consent (to display ads, which you give by enabling them and can withdraw at any time by disabling them); and our legitimate interests (to secure the Service and prevent fraud), balanced against your rights.

We do not sell your personal information. We share data only as needed to run the Service:

• Service providers that host our infrastructure and database and help us operate the Service, under confidentiality and data-processing obligations;
• Public blockchains. Deposits and payouts are recorded on a public network (Base Sepolia) and are visible to anyone by design;
• Advertisers receive only aggregate, anonymized impression and click counts — never your identity; and
• Legal and safety disclosures where required by law, to enforce our Terms, or to protect rights, safety, and the integrity of the Service. We may also transfer data as part of a merger, acquisition, or sale of assets.

We keep account and transaction records while your account is active and afterwards for as long as needed to meet legal, accounting, audit, and fraud-prevention obligations, after which we delete or anonymize them. Aggregated or anonymized data that can no longer identify you may be kept indefinitely. On-chain records are permanent and outside our control.

Depending on where you live (including under the GDPR/UK GDPR and U.S. state laws such as the CCPA/CPRA), you may have the right to access, correct, delete, or port your personal information, to object to or restrict certain processing, and to withdraw consent. You can:

• Turn ads off at any time in the extension, which stops new ad impressions from being recorded;
• Request access or deletion of your account data by emailing privacy@thinking.ad.

We will not discriminate against you for exercising these rights. We do not sell or “share” personal information for cross-context behavioral advertising as those terms are defined under U.S. state privacy laws. Note that we cannot alter or remove data already written to a public blockchain, and we may retain records we are legally required to keep.

We use encryption in transit, access controls, and rate limiting, and we minimize what we collect in the first place — the strongest protection is that sensitive content never leaves your machine. Still, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

The Service is not directed to children under 18 and we do not knowingly collect personal information from them. If you believe a child has provided us information, contact privacy@thinking.ad and we will delete it.

We may process and store information in countries other than yours, including the United States. Where required, we use appropriate safeguards for cross-border transfers.

We may update this Policy from time to time. We will post the updated version with a new “Last updated” date and, for material changes, provide additional notice. Your continued use of the Service after the update takes effect constitutes acceptance.

Questions or privacy requests: privacy@thinking.ad
Thinking Labs (the operator of thinking.ad), [registered business address — complete before launch]