Seneschal is an anonymous, open-source operator of an Ethereum block builder plus a small bundle of paid data services (Private Watch, premium liquidation feeds, agent-payable single-fact endpoints). The natural person behind it operates pseudonymously as Rotwang9000. There is no registered company.
The lawful basis for processing your data is performance of a contract under Article 6(1)(b) UK GDPR / EU GDPR: when you pay for a Private Watch, top up credit, or run a historical scan, we hold what we need to deliver that. A secondary basis of legitimate interest covers transient processing such as IP-based rate limiting on the free derive-viewkey endpoint.
@OrknetP on Telegram is the operator’s private channel for messages about the service, including privacy queries.
| Data | Why | Where | Retention |
|---|---|---|---|
| Monero / Zcash address you ask us to watch | So the poller can match incoming transactions on the chain. | Encrypted SQLite at rest (server-side), TLS in transit. | Deleted when the watch is cancelled, runs out of credit, or hits the 90-day maximum lifetime. Hard-deleted within 30 days of any of those events. |
| View key (XMR secret view key / ZEC Unified Full Viewing Key) | Required to detect inbound transactions; read-only, cannot spend. | Encrypted at rest with AES-256-GCM using an operator-held master key; never written to logs. | Same as the watch row. On cancellation the ciphertext is overwritten and the row deleted. |
| Webhook URL | Where to POST signed events when funds land. | Plain text in SQLite (it’s an HTTP(S) endpoint, not a secret). | Same as the watch row. |
| Watch token / webhook secret (random) | Authenticate management calls and let you verify webhook bodies via HMAC-SHA256. | SHA-256 hash only in SQLite; the cleartext is shown once at creation and never persisted server-side. | Same as the watch row. |
| Payer wallet address (your USDC sender) | Visible on the Base blockchain as part of the on-chain payment; we don’t store an off-chain copy. | Public chain (not us). | Forever on-chain. Not joined to a personal identity by us. |
| BIP-39 seed phrase | Only on /v1/private/derive-viewkey, which transforms it into a viewing key and discards it. | Memory only. Never written to disk, never logged. The free derive endpoint is a transient calculator. | Zero — discarded the moment the response is returned. |
| IP address | Rate-limit the free derive endpoint (6/min/IP). Block obvious abuse on paid endpoints. | Process memory of the Fastify rate-limit plugin. | Sliding 1-minute window for derive; 30-day journald log retention for the access log. |
| Webhook delivery logs | Diagnostics so a failed delivery can be reported back to the watch owner. | journald + structured Pino logs on the same host. | 30 days, then rotated out. |
| Aggregated counters (number of watches, total credit, …) | Powers stats.seneschal.space. Aggregates only — no per-watch detail. | SQLite snapshots refreshed periodically. | Indefinitely as aggregate numbers — never re-derivable into personal data. |
panel.seneschal.space loads JavaScript modules from esm.sh (a JS CDN); that CDN sees your IP for the duration of the script fetch but receives no other data from us about you. We do not embed Google, Cloudflare Analytics, Plausible, Matomo, or any other analytics product.

We do not set any cookies on any subdomain. panel.seneschal.space writes your watch identifiers (watchId, watchToken, webhookSecret) to your browser’s localStorage so you can come back later, top up, or cancel. This is treated as strictly necessary storage under PECR / ePrivacy because without it the panel cannot function for you across reloads — but it is your browser’s storage, not ours, and nothing in it is ever sent to us automatically. You can clear it from the browser’s site-data tool at any time; the panel also offers an Export button so you can keep a JSON backup before clearing.
api.cdp.coinbase.com, operated by Coinbase). Verifies and settles your USDC payments on Base. Sees the payer address (you), the recipient address (us), the amount, and your signature, and screens the payer address against sanctions / high-risk lists (Know-Your-Transaction). Does not see your view key, address, or webhook URL.

We do not sell, rent, lease, or barter your data. We have no advertising partners. We have no “data analytics” partners. We do not enrich your data against third-party data brokers.
Our server lives in the EU (Netherlands). Coinbase’s CDP facilitator is operated from the United States; transferring payment metadata to it falls under Article 49(1)(b) UK GDPR (transfer necessary for performance of a contract) and is limited to the payer/recipient/amount/signature tuple needed to verify the payment.
Because you do not give us identifying information, the practical mechanism for most rights is your watchId + watchToken. With those you can:
- GET /v1/private/watch/<watchId> with x-watch-token to see every field we hold for that watch.
- DELETE /v1/private/watch/<watchId> with x-watch-token. The row is hard-deleted within 30 days; the credit balance is forfeited per Terms §6.

If you have lost your watchToken we genuinely cannot identify you to satisfy a request — the token is hashed before storage. Reach out via Telegram and we will explain what evidence (e.g. a signature from the payer wallet) might let us help anyway.
None. There is no profiling. The poller is a deterministic balance-diff job; nothing it does qualifies as automated decision-making under Article 22 UK GDPR.
The service is not directed at children under 16 and is not appropriate for them. We do not knowingly process data about children.
Any change is published on this page with a new effective date at the top. Material changes will also be noted in SYSTEM_BIBLE.md on GitHub (the public canonical changelog).