
Privacy Policy

This Privacy Policy explains what personal information AutoXOnboard collects, how we use and share it, and your rights as a New York resident and Platform user. It applies to all data collected through autoxonboard.app, the onboarding flow, and all associated services.

Effective date: May 18, 2026 · v1.0.0 · New York

Key facts upfront. We collect personal information to operate the Platform, including wallet addresses, vehicle data, and photos. Some of this data is written permanently to the public XRP Ledger and IPFS — it cannot be deleted. We do not sell your personal information. We share it only as described in this Policy and as required by law, including with the NY DMV for lien filings.

§ 01

Overview

AutoXOnboard operates a decentralized finance (DeFi) platform that tokenizes motor vehicles as XLS-20 NFTs on the XRP Ledger to facilitate peer-to-peer collateral-backed lending. In doing so, we collect, process, and in some cases permanently publish personal information associated with your identity, your vehicle, and your financial transactions.

This Policy is designed to comply with the New York SHIELD Act (General Business Law § 899-aa et seq.), the federal Gramm-Leach-Bliley Act (GLBA) to the extent applicable, and applicable federal privacy principles. We treat all user data with the care and security appropriate to its sensitivity.

By using the Platform you acknowledge that you have read this Privacy Policy and consent to the data practices described herein, including the permanent public publication of certain data on the XRP Ledger as described in § 04.

§ 02

Who We Are

AutoXOnboard Inc. is the data controller responsible for personal information collected through the Platform. We are incorporated and operate in the State of New York. Our designated privacy contact is listed in § 16 of this Policy.

Where the Platform facilitates transactions between Borrowers and Lenders, each Lender who receives personal information about a Borrower (such as wallet address and loan details via the XRPL) is an independent data controller with respect to that information and is solely responsible for their own compliance with applicable privacy law.

§ 03

Data We Collect

We collect the following categories of personal information when you use the Platform:

| Category | Specific data collected | Source |
| --- | --- | --- |
| Identity & wallet | XRPL wallet address, Xaman session token, XRP balance (read-only), NFTs held | Xaman wallet connection |
| Vehicle data | VIN, year, make, model, trim, mileage, color, condition, title state, lienholder status, salvage history | Borrower submission; NHTSA API |
| Photos | Vehicle photographs (exterior, interior, odometer) uploaded during onboarding | Borrower upload → IPFS |
| Financial data | Loan amount, LTV ratio, interest rate, repayment history, XRP transaction hashes, loan status | Platform + XRPL ledger |
| Oracle & appraisal | Oracle-generated appraisal value, KBB/NADA/JD Power data inputs, salvage adjustment applied | Oracle system |
| DMV & lien records | NY Certificate of Title reference, lien filing records, MV-900 submission data, lien release records | Borrower; NY DMV |
| Usage & technical | IP address, browser type, device type, pages visited, session timestamps, clickstream data, error logs | Automatic collection |
| Communications | Emails, support messages, dispute correspondence sent to AutoXOnboard | Direct from user |
| Insurance data | Proof of insurance documents, policy number, insurer name, loss payee designation, policy expiration | Borrower submission |

Data we do not collect. AutoXOnboard does not collect or store: government-issued ID numbers (SSN, driver's license, passport); credit scores or credit reports; financial account numbers or routing numbers; seed phrases, private keys, or wallet recovery codes. We will never ask you to provide these.

§ 04

On-Chain & IPFS Data — Permanent Public Records

This data cannot be deleted. The XRP Ledger is a permanent, immutable, publicly accessible blockchain. Any data written to XRPL — including your wallet address, NFT metadata, transaction amounts, and escrow records — is visible to anyone in the world and cannot be removed, modified, or made private. Before completing any on-chain transaction, understand that the associated data will exist publicly and permanently.

Data permanently written to the XRP Ledger includes:

Your XRPL wallet address (pseudonymous — not directly tied to your legal name on-chain, but linkable through Platform records).
The Collateral NFT token ID and its metadata, including VIN, appraised value (USD and XRP equivalent), loan amount, and IPFS photo reference hash.
Transaction records: loan disbursement, repayment amounts, escrow creation and release, NFT transfers — all permanently visible on the public ledger.
The issuer address (AutoXOnboard's XRPL account) and the Lender's wallet address associated with each loan.

Data stored on IPFS includes:

Your vehicle photographs (exterior, interior, odometer) uploaded during onboarding, stored under a content-addressed hash pinned to IPFS nodes.
NFT metadata JSON referencing VIN, appraisal, condition notes, and photo hashes.

IPFS data may persist indefinitely. Even if AutoXOnboard ceases operating or removes its IPFS pins, data stored on IPFS may continue to be served by third-party nodes that have pinned or cached the content. We cannot guarantee deletion of IPFS-stored data. Do not include any sensitive personal information in vehicle photos or condition notes.

Pseudonymity vs. anonymity. Your XRPL wallet address is pseudonymous — it does not contain your name by itself, but AutoXOnboard's internal records link your wallet address to your onboarding data (vehicle, photos, communications). Law enforcement requests or legal process may require us to disclose this linkage. Additionally, blockchain analytics tools operated by third parties may independently link wallet addresses to real-world identities.

§ 05

How We Use Your Data

We use personal information only for the following purposes:

01. Platform operation: Processing vehicle onboarding, running Oracle appraisals, minting Collateral NFTs, managing Smart Escrow, facilitating loan matching, and processing repayments.
02. NY DMV lien filing: Submitting lien notices (MV-900), processing lien releases, and maintaining lien records as required by NY VTL Article 46.
03. Identity verification & fraud prevention: Verifying vehicle ownership, cross-referencing VINs with NHTSA and NCIC databases, detecting fraudulent submissions or duplicate pledges.
04. Legal compliance: Complying with AML/KYC obligations, OFAC sanctions screening, law enforcement requests, regulatory inquiries, and any court orders.
05. Communications: Sending transaction confirmations, loan status updates, lien filing notices, insurance compliance reminders, and responses to your inquiries.
06. Security & platform integrity: Detecting and preventing unauthorized access, abuse, or manipulation of the Platform or its smart contracts.
07. Analytics & improvement: Aggregated, anonymized usage analytics to understand how users interact with the Platform and improve its features and performance.
08. Dispute resolution: Maintaining records necessary to resolve disputes between Borrowers and Lenders, or between Users and AutoXOnboard.

We do not use your personal information for targeted advertising, behavioral profiling for marketing, or sale to data brokers.

§ 06

How We Share Your Data

We share personal information only in the following circumstances:

With Lenders (loan-specific data): When a Borrower's loan is funded, the Lender receives the Borrower's XRPL wallet address, vehicle details, NFT token ID, loan terms, and insurance proof — the minimum necessary for the Lender to manage the loan and enforce the Security Interest if needed.
With the NY DMV: Vehicle data (VIN, owner information, lienholder details) is shared with the NY Department of Motor Vehicles as required to file and release lien records under VTL Article 46 and the ELT Program.
With service providers: Trusted third-party vendors who help us operate the Platform, including IPFS pinning services, cloud infrastructure, Oracle data providers (KBB, NADA, JD Power), NHTSA VIN lookup API, and ELT service providers. All are bound by data processing agreements limiting their use of your data.
With law enforcement and regulators: We will disclose personal information to government authorities, law enforcement agencies, regulators (including the NY DFS, OFAC, and FinCEN), or courts when required by applicable law, court order, or legal process — including in connection with fraud investigations, AML obligations, or sanctions compliance.
In a business transfer: If AutoXOnboard undergoes a merger, acquisition, or sale of substantially all assets, user data may be transferred to the successor entity, subject to the same privacy protections described in this Policy. You will be notified of any such transfer.
With your consent: We may share your data for any other purpose with your explicit prior consent.

We do not sell personal information to third parties, data brokers, or advertisers under any circumstances.

§ 07

NY DMV Disclosures [NY VTL Art. 46 · NY ELT]

As part of the Platform's core function, certain vehicle and lien information is shared with the New York Department of Motor Vehicles. This sharing is required by law and is not optional. Specifically:

Lien filing (MV-900 / ELT): The Borrower's name as it appears on the Certificate of Title, the vehicle VIN, year, make, and model, and the Lender's name and address as lienholder are transmitted to the NY DMV to perfect the Security Interest per VTL § 2118.
Lien release: Upon full loan repayment, the Lender's lien satisfaction is reported to the NY DMV via paper MV-901 or ELT electronic release, causing a new or updated Certificate of Title to reflect the lien's discharge.
Salvage history: Any disclosed salvage or rebuilt salvage status, as required by VTL §§ 417-a and 429, is included in lien-related documentation submitted to the DMV.
Default-related disclosure: In the event of loan default and NFT transfer to the Lender, we may provide the Lender with all vehicle documentation on file to support title enforcement proceedings. The Lender may independently submit documents to the DMV as part of legal enforcement.

The NY DMV's handling of information submitted to it is governed by NY DMV's own privacy policies and applicable state law, which AutoXOnboard does not control.

§ 08

Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements. The following schedule applies:

| Data type | Retention period | Reason |
| --- | --- | --- |
| On-chain XRPL data | Permanent — cannot be deleted | Blockchain immutability |
| IPFS photo data | Indefinite — may persist beyond AutoXOnboard's control | IPFS network persistence |
| Loan & lien records | 7 years after loan closure | NY commercial record law |
| Vehicle onboarding data | 7 years after loan closure | Fraud prevention; legal disputes |
| DMV lien filings | 7 years after lien release | NY DMV compliance |
| AML / KYC records | 5 years after last transaction | Bank Secrecy Act (31 U.S.C. § 5318) |
| Account / wallet data | Duration of account + 3 years | Dispute resolution |
| Support communications | 3 years after closure | Dispute resolution |
| Usage & technical logs | 12 months rolling | Security monitoring |

After applicable retention periods, off-chain data is securely deleted or anonymized in accordance with the NY SHIELD Act's data disposal requirements (General Business Law § 899-aa(h)).

§ 09

Security — NY SHIELD Act Compliance [NY GBL § 899-aa]

The New York SHIELD Act (Stop Hacks and Improve Electronic Data Security Act, General Business Law § 899-aa et seq.) requires any person or business that owns or licenses computerized data including private information of New York residents to implement and maintain reasonable safeguards to protect that data. AutoXOnboard complies with this obligation through the following measures:

Technical safeguards: Encryption of personal data in transit (TLS 1.3+) and at rest; access controls limiting employee access to personal data on a need-to-know basis; regular security assessments; and monitoring for unauthorized access.
Physical safeguards: Secure, access-controlled server infrastructure hosted with SOC 2-compliant cloud providers; secure destruction of physical records containing personal information.
Administrative safeguards: Employee privacy and security training; designated privacy and security personnel; vendor due diligence and data processing agreements; incident response plan.
Data minimization: We collect only the personal information necessary for Platform operation and do not retain it beyond the periods described in § 08.

Breach notification. Under the NY SHIELD Act, if AutoXOnboard discovers a security breach involving private information of New York residents, we will notify affected individuals in the most expedient time possible and without unreasonable delay, as required by GBL § 899-aa(8). Notification will include a description of the breach, the type of information involved, and steps being taken to address it.

No system is perfectly secure. Despite our safeguards, no data transmission over the internet or storage system is 100% secure. The permanent, public nature of on-chain XRPL data (§ 04) means that blockchain-level data cannot be secured or made private after it is published. AutoXOnboard is not liable for unauthorized access to publicly published on-chain data.

§ 10

Your Rights

As a user and New York resident, you have the following rights with respect to your personal information. To exercise any right, contact us at [email protected]. We will respond within 30 days.

Right to know (NY GBL § 899-aa): Request a summary of the categories and specific pieces of personal information we hold about you, the sources from which it was collected, and the purposes for which it is used.
Right to correct (Good-faith practice): Request correction of inaccurate off-chain personal information we hold about you. Note: on-chain XRPL data and IPFS metadata cannot be corrected or altered after publication.
Right to delete (NY GBL § 899-aa(h)): Request deletion of off-chain personal information we hold, subject to legal retention obligations (§ 08). We cannot delete data published to the XRPL or IPFS. Deletion requests may be denied where data is needed for ongoing legal obligations.
Right to portability (Good-faith practice): Request a copy of your off-chain personal data in a structured, machine-readable format (JSON or CSV) to the extent technically feasible.
Right to opt out of sale (NY GBL § 899-aa): We do not sell your personal information. No opt-out is required, but you may contact us to confirm your data has never been sold.
Right to complain (NY AG enforcement): If you believe we have mishandled your personal information, you may file a complaint with the NY Attorney General's office at ag.ny.gov or contact us directly at [email protected].

Limitations on deletion rights. On-chain XRPL data (wallet addresses, NFT metadata, transaction records) and IPFS-stored vehicle photos are technically impossible to delete once published. Legal retention obligations under the Bank Secrecy Act and NY commercial record laws require us to retain loan, lien, and AML-related records for up to 7 years regardless of deletion requests.

§ 11

Children's Privacy

The Platform is intended solely for users who are 18 years of age or older. We do not knowingly collect personal information from individuals under 18. If we learn that we have collected personal information from a person under 18, we will delete that information from our off-chain systems as promptly as practicable and terminate the associated account. If you believe a minor has submitted information through the Platform, please contact us immediately at [email protected].

§ 12

Cookies & Tracking

The Platform uses a minimal set of cookies and similar tracking technologies necessary for operation:

Session cookies (essential): Used to maintain your authenticated session after connecting your Xaman wallet. These are deleted when you close your browser and cannot be disabled without breaking Platform functionality.
Security cookies: Used for CSRF protection and fraud prevention. Strictly necessary for Platform security.
Analytics (optional): Where used, analytics tools collect anonymized usage data (page views, session duration, error rates) to help us improve the Platform. No personally identifiable information is shared with analytics providers. You may opt out by contacting us or using browser-level opt-out tools.

We do not use advertising cookies, cross-site tracking pixels, or third-party behavioral advertising technologies. We do not participate in any ad networks or data broker ecosystems.

§ 13

Third-Party Services

The Platform integrates with the following third-party services, each of which has its own privacy practices:

Xaman (XUMM) by XRPL Labs: Wallet authentication and transaction signing. When you connect Xaman, XRPL Labs processes your wallet session per their own privacy policy at xaman.app/privacy. AutoXOnboard does not receive your private keys or seed phrase.
IPFS / Pinning Services: Vehicle photos and NFT metadata are stored on the InterPlanetary File System. IPFS is a public, distributed network — data stored there is accessible to anyone with the content hash. AutoXOnboard uses a pinning service to ensure availability; that provider's privacy policy governs its handling of infrastructure data.
Oracle providers (KBB, NADA, JD Power): Vehicle VIN and condition data is submitted to these providers' APIs to generate appraisal data. Each provider's privacy policy governs their use of query data.
NHTSA VIN Lookup API: Vehicle VINs are queried against the National Highway Traffic Safety Administration's public database. NHTSA is a federal agency; its privacy practices are governed by the federal Privacy Act.
NY DMV ELT Service Provider: Once AutoXOnboard enrolls in the ELT program, an approved third-party ELT service provider will transmit lien data between AutoXOnboard and the NY DMV. That provider is bound by the NY DMV ELT Program Terms (Form ELT-6).
Cloud infrastructure provider: AutoXOnboard's web application and off-chain data are hosted on a SOC 2-compliant cloud platform. The provider processes personal data only as a data processor under our instruction and is bound by a data processing agreement.

AutoXOnboard is not responsible for the privacy practices of third-party services. We encourage you to review the privacy policies of any third-party services you interact with through the Platform.

§ 14

International Data Transfers

AutoXOnboard is based in New York and primarily processes data in the United States. However, because the XRP Ledger is a decentralized global network, on-chain data published to XRPL is accessible and replicated by validator nodes worldwide. This constitutes an inherent international transfer of any on-chain data and cannot be prevented or reversed.

Off-chain personal data processed by AutoXOnboard and its service providers is handled in the United States. If you access the Platform from outside the United States, you understand that your data will be transferred to and processed in the U.S., which may have different data protection laws than your jurisdiction. By using the Platform, you consent to this transfer.

AutoXOnboard does not currently operate in the European Economic Area (EEA) and does not represent that it is compliant with the EU General Data Protection Regulation (GDPR). If you are an EEA resident, use of the Platform is at your own risk and regulatory responsibility.

§ 15

Changes to This Policy

AutoXOnboard may update this Privacy Policy from time to time to reflect changes in our data practices, legal obligations, or Platform features. When we make material changes, we will update the version number and effective date at the top of this Policy and notify you via the Platform interface and, where practicable, by email or Xaman notification, at least 14 days before changes take effect.

Prior versions of this Privacy Policy are archived at autoxonboard.app/privacy/history. Your continued use of the Platform after the effective date of any update constitutes your acceptance of the revised Policy.

§ 16

Contact & Privacy Requests

To exercise your rights under § 10, report a privacy concern, request your data, or ask questions about this Policy, please contact our Privacy Team:

AutoXOnboard Inc. — Privacy Team · New York
Privacy requests & rights: [email protected]
Security & breach reports: [email protected]
Legal & law enforcement: [email protected]
General support: [email protected]
NY Attorney General (complaints): ag.ny.gov/consumer-frauds
Response time: Within 30 days

We will verify your identity before processing any data access, correction, or deletion request. Requests may be submitted by email with sufficient identifying information to confirm your association with the Platform (e.g., the XRPL wallet address used to access your account).

// document integrity · v1.0.0 SHA-256: c4d9a2f7…1e830b44