Privacy Policy

Last updated: 2026-07-01

1. Data controller

The data controller is the independent operator of the AlphaClone service, based in Spain. We are committed to EU GDPR (Regulation (EU) 2016/679) and Spanish LOPDGDD (Ley Orgánica 3/2018).

2. Data we store

The data we collect and store, linked to your wallet address, is strictly limited to what is necessary to provide the Service:

  • Wallet address — public, identifies the account (legal basis: contract performance)
  • SIWE signature session — JWT in httpOnly cookie, valid 7 days (legal basis: contract)
  • Telegram chat ID — only if you opt in (legal basis: explicit consent)
  • Email address — only if you opt in (legal basis: explicit consent)
  • Watchlist — list of wallets you starred (legal basis: contract, watchlist feature)
  • Copy execution config — the wallets you chose to mirror and a trade-only key generated server-side and encrypted at rest with AES-256-GCM (Hyperliquid agent key, or Polymarket session-signer key + your deposit-wallet address). It can place orders but never withdraw (legal basis: contract, Copy feature)
  • Activity logs — request timestamps, IP-derived country (for geo-block enforcement only; IP NOT stored persistently)

3. Data we DON'T store

  • Master-wallet private keys (technically impossible — we never receive them)
  • Bank account / IBAN / credit card details
  • Real identity, KYC documents, government IDs
  • IP address persistently
  • Browser fingerprint
  • Third-party tracking cookies

4. On-chain data

Some data linked to your wallet exists permanently on public blockchains and is outside our control:

  • Any voluntary donation transactions you send to the public donation address
  • Agent-wallet approvals on Hyperliquid, and deposit-wallet / session-signer authorisations on Polymarket, if you enable auto-copy

These cannot be deleted by us. You can revoke ongoing authorisations by signing a cancel/revoke transaction from your wallet.

5. Storage location

Data is stored on a self-hosted VPS located in Spain (data centre provider: Contabo GmbH, EU). No data is transferred outside the European Economic Area.

6. Retention

Notifications and watchlist data are retained until the user deletes them via the Account > Privacy > "Delete my data" flow, or after 1 year of inactivity (no SIWE login).

Activity logs are retained for 90 days for security audit purposes.

7. Your GDPR rights

You have the right to:

  • Access — request a copy of all data we hold linked to your wallet
  • Rectification — correct wrong data (e.g. typo in Telegram ID)
  • Erasure — delete all backend data (Account > Privacy > Delete my data). Note: on-chain state cannot be deleted by us
  • Portability — export your data in machine-readable JSON
  • Withdraw consent — for opt-in notifications, by clearing the channel field in Account
  • Lodge a complaint — with the Spanish AEPD (Agencia Española de Protección de Datos): aepd.es

8. Security

We employ industry-standard security measures including TLS for transport, JWT for session tokens, AES-256-GCM for agent-wallet key encryption at rest (auto-copy feature), and principle of least privilege on infrastructure access.

In the event of a data breach affecting personal data (Telegram IDs, emails), affected users will be notified within 72 hours and the AEPD will be informed in accordance with Article 33 GDPR.

9. Cookies

We use a single first-party httpOnly cookie hyperedge_session to maintain your SIWE-authenticated session. No analytics, advertising, or third-party cookies are used.

10. Contact

For privacy-related requests (access, deletion, rectification, or questions), contact the operator at the email displayed in the GitHub repository's README. We aim to respond within 30 days.

For privacy requests (access, deletion, rectification) or questions, contact the operator. Governed by Spanish and EU data-protection law (GDPR).