Privacy Policy

TEM Technologies Co. LLC (hereinafter referred to as "the Company") recognizes the critical importance of protecting user data. For our next-generation Web3 infrastructure, Blsqui, we implement a "Privacy-by-Design" approach using advanced cryptographic separation.

1. Information We Collect

We minimize data collection to the absolute necessity for cryptographic operations:

• Authentication Data: Email addresses used for Magic Link delivery and temporary session identifiers.
• Encrypted Fragments (s2): We store the user's second cryptographic fragment only in an encrypted state. This fragment is locked by the user's private PIN; the Company has zero access to the plaintext fragment.
• Operational Logs: Captures the lifecycle of TSS handshakes, monitoring the progress and completion of protocol rounds. This data is utilized to detect unauthorized access patterns and ensure system integrity.

2. 2-of-2 TSS Data Distribution

Consistent with institutional best practices, a private key never exists in its entirety within our system. Data is physically and mathematically partitioned:

• Fragment s1: Secured in our Frankfurt Identity Vault (FIPS 140-2 Level 3 HSM).
• Fragment s2: Stored on the user's designated Signer Node, protected by AES-256 encryption derived from the User PIN.

3. Volatile Session Management

To optimize the gaming experience without compromising security, Blsqui utilizes a Non-Persistent RAM Cache. Upon PIN verification, a temporary signing authority is held in volatile memory for a strictly limited window (60 minutes). No PIN-derived keys are ever written to persistent disk storage.

4. Third-Party Infrastructure

We utilize audited, enterprise-grade infrastructure providers to host our distributed nodes:

• AWS (Frankfurt Region): For GDPR-compliant identity fragment hosting.
• Supabase: For secure database management and session handling under SOC2 Type 2 compliance.

5. Compliance & User Rights

We comply with the Japanese Act on the Protection of Personal Information (APPI) and GDPR standards. Users maintain the right to access, correct, or delete their registered email and associated encrypted fragments at any time.

6. Contact & Identity

Last Updated: March 13, 2026

What is TSS:

1. The Core Philosophy: "The Phantom Key"

In a normal wallet, a Private Key is a 256-bit number. To sign a transaction, that number must exist in one piece.

In Blsqui, the 256-bit number never exists. When you run Generate2of2Keys, the Go engine performs a Distributed Key Generation (DKG).

Wallet Protocol (blsqui.net) (s1) and Signer Node (blsqui-signer.net) (s2) generate random mathematical values locally.

They exchange "Commitments" (hashes of their math) to ensure no one is cheating.

Through a series of polynomial calculations (Shamir's Secret Sharing logic), they create two "Shares" that together represent a key, but separately are just random noise.

2. The "Handshake" Rounds (The 9-Step Dance)

When the user enters their PIN on our dashboard and clicks "Authorize", the Go engine begins a Signing Protocol. This is usually done in 9 Rounds (or messages).

Phase A: Preparation

Signer Node (s2): Loads the PIN-encrypted fragment, decrypts it into RAM, and creates a "Pre-sign" commitment. It sends this to Wallet Protocol (blsqui.net).

Wallet Protocol (s1): Receives Signer Node(blsqui-signer.net)'s commitment. It also prepares a pre-sign value. It sends its commitment back.

Phase B: The Math Multiplication (Paillier Cryptosystem)

This is the "Secret" part. To sign an ECDSA transaction (for Flow blockchain), the math requires multiplying the fragments.

3. The Go engine uses Homomorphic Encryption.

4. Signer Node (blsqui-signer.net) encrypts a secret value and sends it to Wallet Protocol (blsqui.net).

5. Wallet Protocol (blsqui.net) performs math on the encrypted data (without seeing it!) and sends it back.

6. Crucial Point: Neither server ever sees the other's secret. They are doing math on "shadows."

Phase C: The Birth of the Signature

Signer Node (blsqui-signer.net) combines its local math with Wallet Protocol (blsqui.net)'s partial signature.

The Result: A standard (r, s) ECDSA signature appears. This is the only thing that leaves the server.

The Public Key: It also gives us the PK (Public Key). This is what we send to the Flow Blockchain to create the account.