Privacy Policy

Effective date: 2026-04-21 · Version 1.0

1. Introduction

This Privacy Policy explains how the operator of AutoSwap (the "Operator", "we", "us", or "our") collects, uses, retains, and discloses information in connection with your use of the AutoSwap website, user interface, application programming interfaces, smart contracts, documentation, and any related services (collectively, the "Services"). By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any provision, you must cease all use of the Services.

This Privacy Policy is designed to be read in conjunction with the Terms of Service. Capitalised terms not defined here bear the meaning given in the Terms of Service.

2. Scope; Non-Custodial Architecture

AutoSwap is a non-custodial platform. We do not collect or retain your private keys, seed phrases, or any credentials that control your Digital Assets. We do not require, accept, or store conventional personal identifiers such as your name, date of birth, government- issued identification number, or residential address in order for you to use the Services. Accordingly, the personal-data footprint of the Services is intentionally minimal.

You acknowledge and agree that the public Blockchain Network on which the Services operate is outside our control and that all on-chain transactions, including your wallet address, transaction history, vault share balances, and any other on-chain activity associated with your wallet, are permanently recorded, publicly accessible, and replicable by any party at any time. The Operator has no ability to erase, modify, restrict access to, or otherwise control blockchain data.

3. Information We Collect

We collect only the following categories of information, each of which is described in more detail below.

3.1 Wallet Address and On-Chain Activity

When you connect a User Wallet to the Services, our front-end interface receives your wallet address. We may use this address to query public blockchain state, query our indexed view of on-chain events, display your holdings and performance in the user interface, and route administrative features to authorised addresses. The wallet address is a pseudonymous identifier; however, in some circumstances a wallet address can be correlated with real-world identity through external data sources not under our control.

3.2 Technical Log Data

Our hosting providers automatically record technical information associated with your HTTP requests, including but not limited to IP address, user-agent string, referrer URL, request path, query parameters, response status, timestamps, and approximate geographic location inferred from IP address. These logs are generated and retained by our hosting providers for operational, security, diagnostic, and abuse-prevention purposes.

3.3 Cookies, Local Storage, and Similar Technologies

The user interface uses browser local storage and may use cookies or similar client-side storage mechanisms to persist your language preference, theme preference, wallet connection state, administrative secret (if you are an administrator), and non-sensitive operational caches. We do not use cookies or local storage for cross-site tracking or targeted advertising. You may clear these at any time through your browser controls; doing so may require you to reconnect your wallet or reconfigure preferences.

3.4 On-Chain Event Data

To populate performance dashboards, history views, and reports, our back-end indexes public events emitted by the AutoSwap smart contracts, including Deposit, Withdraw, WithdrawNonAsset, Rebalance, Compound, CollectFees, PerformanceFeePaid, SystemFeePaid, ReferralFeesAccrued, StrategyUpdated, ReferrerSet, and similar events. This data is already public on the Blockchain Network; we do not create it, and we cannot suppress or remove it from the chain.

3.5 Voluntary Communications

If you contact us through any channel (for example, email, messaging applications, or support forms), we will process the content of your message, any identifiers you voluntarily provide, and any metadata automatically attached to the communication. We process such communications to respond to your inquiry and to maintain records of our correspondence.

3.6 Information We Do Not Collect

We do not collect private keys, seed phrases, wallet passwords, signed transactions prior to submission, government-issued identification, financial-account information, biometric data, precise geolocation, or health information. We do not perform "know-your-customer" verification, identity proofing, or source-of-funds checks as a condition of using the Services.

4. How We Use Information

We use the information we collect exclusively for the following purposes and, to the extent required by applicable law, only on the legal bases specified in Section 6.

  • To operate the Services, including displaying your holdings, facilitating wallet signing of your transactions, rendering the user interface, and delivering performance reports;
  • To diagnose technical issues, prevent abuse, and maintain the security and integrity of the Services;
  • To comply with applicable law, respond to lawful requests from governmental authorities, enforce our Terms of Service, and protect our legal rights;
  • To analyse anonymised or aggregated usage trends for internal product-improvement purposes;
  • To communicate with you about the Services, including changes to terms and policies.

5. Disclosure of Information

We do not sell, rent, or trade personal information. We may disclose information in the following circumstances.

  • Service Providers. We use third-party service providers to host, index, and deliver the Services, including but not limited to cloud hosting providers (for example, Railway and Vercel), RPC providers (for example, Alchemy and other node operators), blockchain data services (for example, block explorers and subgraph indexers), and content-delivery networks. These providers process technical log data and request data incidental to the provision of their services. They operate under their own privacy policies, which govern their processing activities.
  • Legal Compliance. We may disclose information if required by law, subpoena, court order, regulatory request, or similar legal process, or where we believe in good faith that disclosure is necessary to protect our rights, your safety or the safety of others, investigate fraud, or respond to a government request.
  • Business Transfers. In the event of a merger, acquisition, reorganisation, financing, sale of assets, or bankruptcy, information may be transferred to a successor or acquiring party as part of the transaction.
  • With Your Direction. We may disclose information as you direct, including in connection with any integration you authorise.

6. Legal Bases for Processing (for Users in the EEA or UK)

If you are located in the European Economic Area or the United Kingdom, we rely on the following legal bases under the General Data Protection Regulation and the UK Data Protection Act 2018:

  • Performance of a Contract (Art. 6(1)(b)): to provide the Services you request under the Terms of Service.
  • Legitimate Interests (Art. 6(1)(f)): to operate, secure, diagnose, and improve the Services, provided your interests and fundamental rights do not override these interests.
  • Legal Obligation (Art. 6(1)(c)): to comply with applicable legal obligations, including anti-money-laundering, sanctions, and court orders.
  • Consent (Art. 6(1)(a)): where we rely on your consent, we will clearly present the request for consent and provide a means to withdraw it.

7. Third-Party Services and Independent Controllers

The Services depend on or interact with numerous third-party products, including but not limited to Uniswap V3, Base, Arbitrum, wallet software, RPC providers, block explorers, centralised-exchange price feeds, hosting providers, and subgraph indexers. Each such third party is an independent data controller with respect to the information it processes. The Operator does not control the collection, use, retention, or disclosure practices of any third party, does not endorse any third party, and makes no representation or warranty regarding any third party. You are encouraged to review the privacy policies of any third party before interacting with its product or service. The Operator disclaims any and all liability arising out of or relating to the privacy practices of any third party.

8. Data Retention

We retain information only for as long as necessary to provide the Services, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. Specifically:

  • Technical log data is retained by our hosting providers in accordance with their respective retention policies, typically ranging from a few days to several months.
  • Indexed on-chain event data is retained indefinitely in our operational caches. Because the underlying data is publicly available on the Blockchain Network, deletion from our caches does not remove the data from the chain.
  • Support communications are retained for as long as reasonably necessary to resolve the matter and, where required, for the statutory period applicable to business records.

Blockchain data is permanent by design. We cannot delete it, and we cannot promise that any other party will delete it.

9. Data Security

We implement reasonable administrative, technical, and physical safeguards designed to protect the information we process against loss, misuse, unauthorised access, alteration, and disclosure. These measures include transport-layer encryption in transit, access controls, segregated administrative credentials, and logging. No security measure is perfect, however, and we cannot guarantee the security of any information. You are solely responsible for the security of your User Wallet and any credentials associated with it.

10. Your Rights

Subject to applicable law and the non-custodial, on-chain nature of the Services, you may have the following rights in respect of information we process.

  • Access. You may request confirmation of whether we process information relating to you and, where applicable, a copy of such information.
  • Rectification. You may request correction of inaccurate information. We cannot rectify public blockchain data.
  • Erasure. You may request deletion of certain information, subject to exceptions for legal compliance, legitimate interests, and technical feasibility. We cannot delete public blockchain data.
  • Restriction and Objection. You may request restriction of processing or object to processing based on our legitimate interests.
  • Portability. Where applicable, you may request receipt of certain information in a structured, commonly used, machine-readable format.
  • Withdraw Consent. Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
  • Complaint. You may lodge a complaint with your local data-protection authority if you believe our processing infringes applicable law.

To exercise these rights, contact us as set out in Section 14. We may request information reasonably necessary to verify your identity in relation to the wallet address concerned, for example by requesting a cryptographic signature from the address.

11. California and US State Privacy Disclosures

If you are a resident of California or another US state with comparable privacy legislation, you may have additional rights, including the right to know, delete, correct, or limit the use or disclosure of personal information, subject to applicable exceptions. We do not sell or share personal information as those terms are defined under the California Consumer Privacy Act, and we do not engage in targeted advertising. To exercise applicable rights, contact us as set out in Section 14.

12. International Transfers

The Services are hosted by providers that may process data in multiple jurisdictions, which may include jurisdictions with different data-protection standards from your own. By using the Services, you acknowledge that your information may be transferred to and processed in such jurisdictions. Where required, we rely upon standard contractual clauses or other transfer mechanisms recognised under applicable law.

13. Children's Privacy

The Services are not directed at or intended for children under eighteen (18) years of age, and we do not knowingly collect information from such children. If you believe that a child has provided us with information, please contact us so that we may take appropriate action.

14. Contact

Questions or requests regarding this Privacy Policy may be directed to the administrative address listed on the Services' contact page or, where separate business arrangements exist, to the Operator's representative named therein.

15. Changes to This Privacy Policy

We may revise this Privacy Policy from time to time. Revisions are effective upon publication at this page or a successor location. Where a revision is material, we will use commercially reasonable efforts to provide advance notice through the user interface. Your continued use of the Services following publication constitutes acceptance of the revised Privacy Policy.