Privacy Policy.

01Who we are

Shards is a product of Mindcraft Inc., a Delaware corporation. For the purposes of data protection law, Mindcraft Inc. is the data controller for personal information collected through Shards.

02What we collect

We collect only what we need to fulfill your order, respond to your questions, and operate our website lawfully. Specifically:

• Name — to address you in correspondence and on shipping labels.
• Email address — to send order confirmations, dispatch notices, and reply to questions.
• Shipping address — to ship your kit to you.
• Payment details — processed by Stripe. We never store full card numbers; we receive only a token, a last-four digit reference, and the country of issue.
• Order history — to process refunds, replacements, and to answer "what did I buy?" questions.
• Communication records — if you write to us, we keep the correspondence so we can pick up where we left off.
• Basic website analytics — aggregate, anonymous data about which pages are visited. No individual tracking. See section 7.
• Legacy intake responses — for Legacy commissions only, the answers you provide on our intake form, used solely to prepare your custom written components.

03What we never collect

For the avoidance of doubt, we never collect, receive, store, or process:

• The secret you protect with Shards (the seed phrase, password, or other secret being split).
• Any of the shares that the browser tool generates from your secret.
• The threshold parameters (M-of-N) of your scheme.
• The identities, addresses, or contact details of your holders.
• The mnemonic words or hexadecimal values on your printed shard cards.
• Any backup of your reconstructed secret after it has been put back together.

This is enforced at the architectural level. The browser tool that performs the split and reconstruction makes no network requests during the cryptographic operations. You can verify this through the open-source code or by inspecting network traffic in your browser's developer tools.

04How we use your data

We use the data described in section 2 to:

• Fulfill your order (process payment, assemble your kit, ship it).
• Communicate with you about your order.
• Provide customer support when you contact us.
• Process refunds and replacements.
• Improve our website and product, using aggregate analytics.
• Comply with legal obligations (tax records, accounting).
• Prevent fraud and abuse.

We do not use your data for advertising. We do not sell or rent it to anyone. We do not build behavioural profiles for marketing purposes.

05Legal bases

If you are located in the European Union, the United Kingdom, or another jurisdiction that requires us to identify a legal basis for processing your personal data, our bases are:

• Performance of a contract — processing your order, providing the service you purchased.
• Legitimate interests — operating our website, preventing fraud, improving our product through aggregate analytics.
• Legal obligation — retaining records as required by tax and accounting law.
• Consent — where required by applicable law, such as for non-essential cookies.

06Who we share with

We share data only with service providers strictly necessary to operate Shards. Each is bound by a written agreement to protect your data and use it only for the purposes we specify.

• Stripe — payment processing. Receives card details directly; we never see them.
• Email provider — sends transactional emails (order confirmations, dispatch notices).
• Shipping carriers — USPS and international postal services that deliver your kit.
• Web hosting — operates the thresholdvault.com website infrastructure.
• Accounting and tax — records retained as required by U.S. and Delaware tax law.

We do not share your data with advertising networks, data brokers, or any party not listed above. We will disclose data to law enforcement only when legally compelled to do so — and again, the data we hold is limited to your name, contact details, and order history.

07Cookies and tracking

We use a minimal set of cookies:

• Essential cookies — required for the website to function (cart state, session identification during checkout).
• Aggregate analytics — a privacy-conscious analytics tool that records page visits at an aggregate level. No individual user tracking, no cross-site identifiers, no third-party tracking scripts.

We do not use Google Analytics, Facebook Pixel, or any advertising tracker. We do not require you to accept cookies to browse the site or make a purchase.

08How long we keep data

• Order records — seven years (U.S. tax requirement).
• Communication records — three years from last contact, or until you request deletion.
• Legacy intake responses — two years from commission completion, then deleted automatically.
• Aggregate analytics — indefinitely, but never linked to individual identities.

After the applicable retention period, your data is deleted or anonymised. Some records (tax records, accounting records) we are legally required to keep for the full seven years and cannot delete on request.

09Your rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access — request a copy of the data we hold about you.
• Correction — request that we correct inaccurate data.
• Deletion — request that we delete your data, subject to legal retention requirements above.
• Portability — request your data in a machine-readable format.
• Objection — object to certain processing, such as direct marketing (we don't do this, but the right exists in principle).
• Restriction — request that we limit how we process your data.

To exercise any of these rights, write to [email protected]. We respond within thirty days. We do not charge for these requests.

If you believe we are not handling your data appropriately, you have the right to complain to your local data protection authority. For EU residents, this is typically your country's data protection commissioner.

10International transfers

Mindcraft Inc. is based in the United States. If you place an order from outside the United States, your data will be transferred to and processed in the United States. Some of our service providers (such as Stripe) also operate internationally.

For transfers from jurisdictions with stricter data protection laws (such as the European Union or the United Kingdom) to the United States, we rely on Standard Contractual Clauses or equivalent legal mechanisms with our service providers.

11Children

Shards is not directed at children. We do not knowingly collect data from anyone under the age of eighteen. If you believe we have collected data from a minor, contact us and we will delete it.

12Security

We protect the data we do hold using industry-standard measures:

• All data in transit is encrypted using TLS.
• Stored data is encrypted at rest.
• Access to customer data is limited to personnel who need it to do their work.
• Payment data is handled exclusively by Stripe (PCI-DSS Level 1 compliant) and never touches our own systems.
• We follow the principle of data minimisation: if we don't need it, we don't collect it.

The most secure approach to user data is not to have any. The architecture of Shards reflects this. Your secret, your shares, and your scheme details remain in your browser and on your printed materials. We hold only what we need to operate as a business.

13Data breaches

In the unlikely event that personal data we hold is accessed by an unauthorised party, we will notify affected customers within seventy-two hours of becoming aware of the breach, in accordance with applicable law.

Because we do not hold any of your cryptographic material, the worst possible data breach affecting Shards would expose names, email addresses, shipping addresses, and order references. It would not expose any secret you have protected with our product.

14Changes to this policy

We may update this Privacy Policy from time to time. The most current version is always posted at thresholdvault.com/privacy with the "last updated" date at the top. Material changes will be announced by email to customers who have purchased within the previous twelve months.

15Contact

Questions about this Privacy Policy, or about how we handle your data? Write to [email protected]. We answer everything personally, within one business day.