The agreements that govern how you use VOLT and how we handle your data. Written to be readable by the people who actually have to sign them.
Last updated: 10/05/2026
Terms of Service
These Terms govern your use of VOLT (the "Service"), a Bitcoin blockchain forensics platform operated by Volt Analytics sp. z o.o. ("Volt", "we"), a company incorporated in Poland with its registered office at Kaczencowa 1/21, 20-543 Lublin, Poland, entered into the National Court Register under KRS [TO BE FILLED AFTER REGISTRATION], NIP [TO BE FILLED AFTER REGISTRATION], REGON [TO BE FILLED AFTER REGISTRATION].
By creating an account or using the Service, the entity you represent ("Customer", "you") agrees to these Terms. The Service is for business use only and is not offered to consumers.
If you do not agree, do not use the Service.
1. The Service
VOLT provides tools for analyzing Bitcoin and Lightning Network transactions, clustering addresses, and producing compliance, forensic, and investigative output ("Volt Output"). You may use the Service only for lawful business purposes such as AML/CFT compliance, sanctions screening, fraud investigation, and law-enforcement work.
The Service is an analytical tool. It does not provide compliance decisions, regulatory determinations, legal advice, or investigative conclusions — those are for you and your qualified professionals to make.
Volt does not monitor or control how Customers use the Service or the Volt Output they receive. Customers are responsible for their own configuration, queries, and decisions.
We may change, improve, or withdraw features at any time. Beta features are provided as-is.
2. Accounts
You are responsible for all activity under your account. You must:
keep your login credentials (including magic-link emails, API keys, and session tokens) confidential and not share them;
protect the email address associated with the account — anyone who can read your email can sign in;
notify us promptly if you suspect unauthorized access.
3. What You May Not Do
You must not, and must not allow anyone using your account to:
use the Service in breach of any law (data protection, sanctions, export control, anti-discrimination, anti-stalking, and so on);
use the Service to stalk, harass, dox, or harm any person;
use the Service to target journalists, human-rights defenders, lawyers, whistleblowers, or political opponents in connection with their protected activities;
conduct or support mass surveillance in the absence of a specific, narrowly targeted, legally authorized investigation;
target individuals based on race, ethnicity, nationality, religion, political opinion, trade-union membership, sexual orientation, or gender identity, except where strictly necessary and lawful for a specific investigation;
use Volt Output as the sole basis for an automated decision producing legal or similarly significant effects on a person (account freezing, reporting, arrest) without meaningful human review;
reverse-engineer, decompile, or try to derive the source code, heuristics, or clustering logic of the Service;
scrape Volt Output other than through the documented API within agreed rate limits;
use Volt Output to train or build any model, dataset, or product that competes with the Service;
access the Service from, or on behalf of, a person located in or controlled from a jurisdiction under comprehensive sanctions administered by the EU, the UN, the US, or the UK, or provide Volt Output to a sanctioned person;
use the Service in violation of any applicable export control law, or re-export Volt Output or Documentation to any destination or person to which export is restricted under applicable law.
4. Accuracy — Read This Carefully
Volt Output is probabilistic. The Service uses heuristics, statistical inference, and third-party data to cluster addresses and attribute wallets to entities and services — including Lightning Network node operators, channel initiators, and rebalancing or liquidity providers (e.g., LSPs such as LNBig, ACINQ, Boltz, Loop, Deezy) — and to analyze Lightning Network activity. It will contain errors, false positives, and false negatives. It may also be incomplete, delayed, or missing relevant data — there is no guarantee that the Service covers any particular address, transaction, entity, time period, or indicator.
Volt Output is not evidence. We make no representation that Volt Output is admissible as evidence, sufficient for a prosecution or regulatory action, or accurate in any particular case.
You must verify independently before acting on Volt Output. You are solely responsible for any decision you take based on Volt Output — including freezing an account, denying a customer, filing a report, or seeking an arrest warrant.
The Lightning Network is an off-chain network. Most LN payments are not recorded on any public ledger and cannot be reconstructed by on-chain analysis. Any LN-related output is especially uncertain.
5. Your Data
You own the data you put into the Service ("Customer Data"). You grant us the rights we need to host and process it in order to run the Service for you.
Where we process personal data on your behalf under GDPR, our Data Processing Addendum applies. We will sign a DPA on request — just email hello@volt.legal.
We may generate anonymous, aggregated statistics from use of the Service for our own purposes.
6. Fees
You pay the fees set out in your Order Form or subscription. Fees are prepaid and non-refundable. Overdue amounts accrue statutory interest under Polish commercial law. We may suspend the Service for non-payment after 10 business days' notice.
7. Our Stuff
We own the Service, the software behind it, our heuristics, our clustering logic, and Volt Output. You get the limited right to use them during your subscription. Nothing more.
8. Confidentiality
Each side keeps the other's non-public business information confidential and uses it only to perform this contract. Survives termination for three years.
9. Warranty and Disclaimer
We warrant that the Service will materially work as described in our documentation. If it doesn't, we'll fix it or refund you for the broken period. That's your only remedy.
Otherwise the Service and Volt Output are provided "as is". We disclaim all other warranties — including merchantability, fitness for a particular purpose, accuracy, and uninterrupted operation. We do not warrant that Volt Output will correctly identify or attribute any address, transaction, entity, or activity.
10. Liability
We are not liable for indirect, consequential, or special damages, lost profits, lost data, or lost business.
Our total liability to you is capped at the fees you have paid to us in the 12 months preceding the event giving rise to the claim. The parties may agree to a different liability limit in the Order Form for a specific Subscription.
These limits do not apply to: (a) death or personal injury caused by our negligence, (b) our fraud or willful misconduct, (c) your payment obligations, or (d) anything else that can't be limited under applicable law.
11. You Indemnify Us
You will defend and indemnify us against third-party claims arising from your misuse of the Service, your breach of these Terms, or decisions you or anyone else make based on Volt Output.
12. Term and Termination
Your subscription runs for the period in your Order Form and renews automatically unless either side gives 30 days' notice of non-renewal.
Either side may terminate for material, uncured breach on 30 days' notice, or immediately for insolvency.
We may terminate or suspend immediately if continued service would put us in breach of law (including sanctions or export control) or if you become a sanctioned person.
On termination, access ends and we handle your personal data per the DPA (if any) or per our standard retention — return or delete on written request within 30 days.
13. Governing Law and Disputes
These Terms are governed by Polish law. Disputes go to the courts competent for our registered office in Lublin, Poland.
14. Misc
Entire agreement: these Terms, the Order Form, the DPA (if any), and the Privacy Policy are the whole deal.
Changes: we may update these Terms by posting a new version. Material changes take effect at your next renewal.
Assignment: you may not assign without our consent. We may assign to a successor in a merger or acquisition.
Notices: to us, hello@volt.legal and our registered office; to you, the email on your account.
Language: English controls. Translations are for convenience.
Severability: if a clause is unenforceable, the rest stays in effect.
Force majeure: neither side is liable for delays caused by events outside its reasonable control (other than payment).
Volt Analytics sp. z o.o. · Kaczencowa 1/21, 20-543 Lublin, Poland · KRS [TO BE FILLED AFTER REGISTRATION] · hello@volt.legal
Last updated: 10/05/2026
Privacy Policy
This policy explains how Volt Analytics sp. z o.o. ("we") handles personal data when you visit volt.legal or use the VOLT service.
VOLT is a B2B tool for Bitcoin blockchain forensics. It is not aimed at consumers or children.
1. Who We Are
Controller: Volt Analytics sp. z o.o., Kaczencowa 1/21, 20-543 Lublin, Poland, KRS [TO BE FILLED AFTER REGISTRATION], NIP [TO BE FILLED AFTER REGISTRATION]. Contact for privacy matters: hello@volt.legal
2. What We Collect
If you just visit the website: your IP address, browser information, and basic usage information logged by our server.
If you create an account or use VOLT: your name, email address, the name of your organization, the authentication information we need to log you in (magic-link tokens, session cookies), the queries and case-file content you create in the app, and basic logs of your activity.
If you contact us or buy a subscription: your message, billing details (handled by our payment provider), and related correspondence.
Public blockchain data: we process publicly available Bitcoin and Lightning Network data. Blockchain data is pseudonymous and may become personal data when combined with other information — for example, when a user labels an address in a case file. Where such data becomes personal data, it is subject to this policy.
We do not intentionally collect special-category data (health, political views, and so on) and you shouldn't submit any. If you do, responsibility for lawful basis remains with you.
3. Why We Process It, and On What Legal Basis
| Purpose | Legal basis (GDPR Art. 6) |
| --- | --- |
| Running the website and responding to inquiries | Art. 6(1)(f) — our legitimate interest in presenting and offering the service |
| Providing the service to our customers and their users | Art. 6(1)(b) — contract performance |
| Billing, tax, and accounting records | Art. 6(1)(c) — legal obligation |
| Security, fraud prevention, and access control | Art. 6(1)(f) — legitimate interest in protecting the service |
| Improving the service and running it reliably | Art. 6(1)(f) — legitimate interest |
| Complying with law and responding to valid legal requests | Art. 6(1)(c) — legal obligation |
| B2B marketing (if you opt in or are a professional contact) | Art. 6(1)(f) — legitimate interest in B2B marketing, subject to opt-out |
our professional advisors under confidentiality, where needed;
competent authorities when we are legally required to disclose (e.g., a valid court order).
We don't sell personal data to anyone. We don't share it with advertisers.
Where any provider is outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914). Some providers (e.g., our email delivery provider) may be subject to United States law — including laws such as the CLOUD Act that can grant US authorities access to data held by US-established companies, even when that data is stored in the EU. We apply contractual and technical safeguards to limit this exposure; where configurable, we prefer EU data-residency options offered by our providers.
5. How Long We Keep It
Contact messages: up to 12 months from our last contact.
Account and billing records: during your subscription plus 5 years after (Polish accounting and limitation rules).
Activity logs: up to 12 months.
Case-file content and graphs you create in VOLT: until you delete them, or up to 30 days after your subscription ends if you don't export them first.
6. Your Rights
Under the GDPR you can ask us to:
tell you what personal data we hold about you (access);
correct it (rectification);
delete it (erasure);
restrict how we use it;
give it to you in a portable format;
stop processing based on legitimate interest (objection);
stop sending you marketing.
Email hello@volt.legal to exercise any of these rights. We'll respond within one month.
If you are unhappy with our response, you can complain to the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland. You can also complain to the authority in your EU country of residence.
7. Profiling and Automated Decisions
VOLT produces attributions, cluster memberships, and analytical outputs (e.g., identification of a wallet as belonging to a Lightning Network node or rebalancing service) that may count as profiling under the GDPR. We do not make automated decisions about you. VOLT is a decision-support tool — a human analyst reviews its output. If our customers build automated decisions on top of VOLT, that's on them.
8. Cookies
We use cookies that are strictly necessary for the site to work (session cookies, authentication cookies, CSRF tokens, and your cookie-consent choice). These don't need your consent under Polish law.
9. Security
We take reasonable technical and organizational steps to protect personal data — including TLS on all public endpoints, SSH-key-only server access, firewalling, access controls, and database redundancy. We are an early-stage company; the measures we have in place are proportionate to that. If you need detailed security commitments (backups, encryption at rest, penetration testing, and so on), let us know and we'll discuss what we can contractually commit to.
We have no perfect system. No one does.
10. Changes
We may update this policy. The "Last updated" date at the top shows when we last did. If the change is important, we'll let you know by email.
11. Contact
Volt Analytics sp. z o.o. · Kaczencowa 1/21, 20-543 Lublin, Poland · hello@volt.legal
Last updated: 10/05/2026
Data Processing Addendum
This DPA forms part of the Terms of Service between Volt Analytics sp. z o.o. ("Volt", "Processor") and the Customer ("Controller") and applies where Volt processes personal data on behalf of the Controller under Regulation (EU) 2016/679 ("GDPR").
If there's a conflict between this DPA and the Terms of Service about processing of personal data, this DPA wins.
This DPA is provided on request. If your organization needs Volt to sign a DPA before you start using the Service, email hello@volt.legal and we'll countersign this document or work from your template.
1. What This Covers
Volt acts as processor when it processes personal data the Controller submits to VOLT through the service (queries, case-file content, uploads, API inputs).
Volt acts as an independent controller when it processes personal data for its own purposes — including account data of the Controller's users (name, email, organization), billing data, security logs, and public blockchain data processed for the general operation of the service. That processing is described in Volt's Privacy Policy and is outside the scope of this DPA.
2. Processing Instructions
Volt will process personal data only on the Controller's documented instructions. The Terms of Service, this DPA, the Order Form, and the Controller's configuration and use of VOLT are those instructions. If Volt thinks an instruction breaks data protection law, it will tell the Controller.
3. What Is Being Processed (Art. 28(3) GDPR)
Subject matter: provision of blockchain forensics and compliance analytics.
Duration: for the term of the Terms of Service plus any applicable retention.
Nature and purpose: hosting, storage, analysis, display, and export of Controller-submitted data as part of the service.
Categories of data subjects: the Controller's users, and any individuals whose data is contained in the Controller's queries, case files, or uploads (which may include customers of the Controller, investigation targets, counterparties, and others).
Categories of personal data: names and business emails of users; any data the Controller chooses to submit, which may include identifiers, contact details, transaction data, blockchain addresses, IP addresses, and free-text notes. Volt does not pre-select categories — it is entirely on the Controller.
Special categories / criminal-conviction data: VOLT is not designed for the processing of special categories of personal data (Article 9 GDPR) or criminal-conviction data (Article 10 GDPR), unless submitted by the Controller with a valid legal basis. The Controller is solely responsible for ensuring that any such processing has an independent lawful basis and appropriate safeguards. Any such data is still covered by this DPA.
Pseudonymous identifiers: the Controller understands that Bitcoin addresses, transaction hashes, and Lightning Network identifiers may become personal data when combined with other information, and takes that into account in its own compliance.
4. Confidentiality
Volt makes sure that people who handle personal data are bound by confidentiality.
5. Security
Volt has the technical and organizational measures described in Annex II. These measures match the current scale of the service and of an early-stage company. They will evolve.
6. Subprocessors
The Controller authorizes Volt to use the subprocessors listed in Annex III. If Volt wants to add or change a subprocessor, it will give the Controller at least 30 days' notice (email or on a status page with subscription). If the Controller objects on reasonable data-protection grounds, the parties talk; if they can't agree, the Controller can terminate the affected service with a pro-rata refund.
Volt stays liable for its subprocessors.
7. International Transfers
Where Volt transfers personal data outside the EEA to a country without an adequacy decision, it uses the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914), Module 2 (controller-to-processor) and/or Module 3 (processor-to-processor), incorporated by reference.
Governing law for the SCCs: Polish law. Forum: Polish courts.
8. Helping with Data-Subject Requests and Obligations
Volt will help the Controller, to the extent possible, respond to data-subject requests and meet obligations under Articles 32–36 GDPR (security, breach notification, DPIAs). Volt won't respond to data-subject requests directly unless required by law — it will forward them to the Controller.
9. Breach Notification
If Volt becomes aware of a personal data breach affecting the Controller's data, Volt will tell the Controller without undue delay, and will share what it knows and what it is doing about it.
10. Audits
Volt will give the Controller enough information to show compliance with Article 28 GDPR — including any third-party certifications or reports Volt has.
If that is not enough, the Controller can audit on-site, no more than once every 12 months (unless there's been a confirmed breach or a regulator requires it), with 30 days' notice, during business hours, at its own cost, by someone bound by confidentiality and who is not a Volt competitor.
11. Return / Deletion
On termination of the Terms of Service, the Controller has 30 days to tell Volt in writing to return or delete its personal data. Absent instructions, Volt deletes in line with its standard retention. Backup copies are overwritten in the normal rotation.
12. Liability
The liability limits in the Terms of Service apply to this DPA.
Annex I — The Processing
Set out in Section 3 above.
Annex II — Technical and Organizational Measures
Volt is an early-stage company operated by a small team. The measures below describe the current state as of the date of the Agreement. They will evolve as the service grows. The Controller accepts them as they are.
Hosting
Dedicated server at Hetzner Online GmbH, in an ISO/IEC 27001-certified data center in the European Union (Finland). Physical security, power, cooling, and physical access control are Hetzner's.
Hardware RAID-1 mirroring for disk redundancy.
Access
SSH public-key authentication only. No password SSH.
Root is not accessible over the network. Admin actions use a non-root account with sudo.
Admin consoles of third-party providers (Hetzner, domain, email) use MFA where available.
User authentication via magic-link emails with single-use, time-limited tokens. Session tokens are HttpOnly, Secure cookies.
Database listens on localhost only.
Encryption
In transit: TLS 1.2+ on all public endpoints.
At rest: not currently implemented. Server disks and the PostgreSQL data volume are not encrypted at the disk level. Primary mitigation is the physical security of the Hetzner data center (ISO/IEC 27001 certified, controlled physical access to racks). At-rest encryption of data volumes and of backups is on the roadmap.
Secrets: application secrets (database passwords, API keys, signing keys) are stored on the server filesystem with restricted Unix permissions (readable only by the service account) and are not committed to the version-controlled code repository.
Network
Host-based firewall; only HTTPS, SSH (restricted where feasible), and Bitcoin/Lightning peer-to-peer ports are exposed.
Admin interfaces and databases are not exposed to the public internet.
Backups and recovery
No automated backup is currently configured. RAID-1 mirroring protects against single-disk failure but is not a backup — it does not protect against accidental deletion, data corruption, ransomware, software bugs, or the loss of the entire server or data center.
Automated offsite backups (encrypted pg_dump to a separate storage provider, with documented retention and periodic restore testing) are on the roadmap and will be implemented before the onboarding of any customer whose contract requires specific backup commitments.
No hot-standby redundancy in a second data center.
No formal RTO/RPO objectives have been defined.
Application
Dependencies tracked under version control; vulnerabilities monitored via GitHub.
No third-party penetration testing to date. Will be commissioned when a customer contractually requires it.
Logging
Server, web, and database logs retained on the production host for approximately 30 days.
No SIEM or centralized log aggregation.
People
Operated by the founder, bound by Polish company-law duties and confidentiality. Future personnel will be contracted with confidentiality and data-protection terms.
Incident response
Informal procedure; documented runbook in development. Breach notification is governed by Section 9 regardless.