Privacy Policy | AUQIX • AUQIX

AUQIX — Privacy Policy (DRAFT v0.1)

STATUS: Initial structural draft prepared by Product Management. NOT LEGALLY REVIEWED. All clauses marked [TODO-LAWYER: ...] require validation by qualified counsel before any public use. Drafted to be LGPD-compliant (Brazil) and GDPR-ready (EU) — final classification depends on user base composition and legal review.

ESTADO: Rascunho estrutural inicial. NÃO REVISADO JURIDICAMENTE. Cláusulas com [TODO-LAWYER: ...] requerem validação. Redigido para conformidade LGPD e preparação para GDPR.

Effective Date / Data de Vigência: [TODO-LAWYER] Last Updated / Última Atualização: [TODO-LAWYER]

0. Preamble / Preâmbulo

This Privacy Policy ("Policy") describes how AUQIX ("we", "us", "our") collects, uses, stores, shares and protects information from Users ("you", "your") of the Service at auqix.com. This Policy is incorporated by reference into our Terms of Service.

[TODO-LAWYER: confirm controller designation. Under LGPD art. 5, X, AUQIX is the controller of personal data of its Users. Under GDPR art. 4(7), same designation applies if EU Users are admitted.]

Esta Política de Privacidade descreve como a AUQIX coleta, usa, armazena, compartilha e protege informações dos Usuários do Serviço em auqix.com. Esta Política é incorporada por referência aos Termos de Serviço.

1. Data Controller / Controlador de Dados

Controller / Controlador: [TODO-LAWYER: insert AUQIX legal entity name and registration] Address / Endereço: [TODO-LAWYER] Contact / Contato DPO: privacy@auqix.com

[TODO-LAWYER: confirm DPO designation requirement under LGPD art. 41. For small operations, DPO-as-a-service is acceptable. If founder serves as DPO during MVP, document this explicitly.]

2. Data We Collect / Dados Que Coletamos

2.1 Information You Provide

Data	Source	Purpose	LGPD Legal Basis	GDPR Legal Basis
Wallet address (Solana pubkey)	SIWS signin	Account identification, on-chain transactions	Contract performance (art. 7, V)	Contract (art. 6(1)(b))
Email address (optional)	Onboarding form	Transactional notifications, recovery	Contract / Consent (art. 7, I)	Contract / Consent
Telegram username (optional)	Settings	Optional notifications, OTP for security actions	Consent (art. 7, I)	Consent
Withdrawal wallet address	Onboarding	Sending funds back to User	Contract performance	Contract
Referral code	Signup URL parameter	Crediting referrer, anti-fraud	Contract / Legitimate interest (art. 7, IX)	Contract / Legitimate interest

[TODO-LAWYER: review LGPD legal bases and confirm consent vs contract distinction; ensure consent flows are unambiguous and revocable per art. 8 §5]

2.2 Information We Collect Automatically

Data	Source	Purpose	Legal Basis
IP address	All requests	Security, abuse prevention, geo-blocking	Legitimate interest (LGPD art. 7, IX)
Device / browser metadata	All requests	Compatibility, security, anti-fraud	Legitimate interest
Locale (pt-BR / en)	Browser Accept-Language	UI internationalization	Contract performance
Session cookies	Login	Authentication state (HttpOnly, Secure, SameSite=Lax)	Contract performance
Referral cookie (30d)	`?ref=` link	Credit referrer at signup	Contract performance

We do NOT use third-party advertising cookies or tracking pixels. Analytics are provided by Plausible (cookieless, EU-hosted, GDPR-compliant by design).

2.3 Information from Public Blockchains

The Solana blockchain is public. The following are visible to anyone via block explorers:

Your Sub-wallet address and balance;
Transaction history of the Sub-wallet;
Liquidity positions on Orca and swap routes on Jupiter.

AUQIX correlates these public on-chain records with your Account for the purpose of dashboard display, billing and audit logging.

2.4 Information We Do NOT Collect

We do NOT collect government IDs, passport numbers, CPF, SSN or any KYC documents in the MVP phase. [TODO-LAWYER: confirm policy on KYC trigger thresholds; see lawyer-brief.md §3.7]
We do NOT collect payment card numbers — payments are processed exclusively via on-chain USDC/USDT direct-debit from your Sub-wallet (no third-party payment processor).
We do NOT collect biometric data.

3. How We Use Your Data / Como Usamos Seus Dados

We use the data above to:

Authenticate you and operate your Account (SIWS, JWT issuance);
Execute the Bot strategy on your Sub-wallet;
Process subscription and performance fees;
Send transactional notifications (welcome, payment confirmation, security alerts, trade summaries);
Provide customer support;
Detect and prevent fraud (referral abuse, multi-accounting);
Comply with legal obligations (tax reporting, court orders, regulatory requests);
Improve the Service (aggregated, anonymized analytics);
Send marketing communications only with explicit opt-in consent, with easy unsubscribe in every message.

[TODO-LAWYER: confirm secondary uses under LGPD art. 9 (clear, specific consent) and GDPR art. 6(4) (purpose limitation)]

4. Third Parties / Terceiros

We share data with the following processors and partners, each governed by data processing agreements:

Partner	Role	Data shared	Location	Safeguards
Privy	Sub-wallet custody (HSM/MPC) + signature for direct-debit billing	Wallet metadata, Sub-wallet pubkey, signing requests	US (AWS)	SOC 2 Type II, DPA `[TODO-LAWYER]`
Supabase	Database hosting	All Account data (encrypted at rest)	US-East	DPA, Standard Contractual Clauses `[TODO-LAWYER]`
Vercel	Frontend hosting / CDN	IP, headers, in-transit data	Global CDN, primary US	DPA `[TODO-LAWYER]`
Resend	Transactional email	Email address, message content	US	DPA `[TODO-LAWYER]`
Plausible	Privacy-friendly analytics	Aggregated, anonymized page views	EU (Germany)	GDPR-compliant by design, no DPA needed for non-personal aggregation
Cloudflare	DDoS protection, edge	IP, headers	Global	DPA `[TODO-LAWYER]`
Sentry (planned)	Error monitoring	Error stacks, anonymized IP	`[TODO-LAWYER]`	DPA `[TODO-LAWYER]`

[TODO-LAWYER: confirm DPA execution with each processor before launch; for transfers outside Brazil under LGPD art. 33, identify the applicable legal basis (II — Standard Contractual Clauses, V — Consent, VII — Contract execution)]

4.1 No Sale of Personal Data

We do not sell your personal data to third parties. We do not engage in advertising-targeting based on your data.

4.2 Legal Disclosure

We may disclose data to:

Law enforcement, courts or regulators, in response to valid legal process;
Other Users, only as necessary for referral program execution (referee/referrer linkage shown without PII of referees);
Successors in a corporate transaction (subject to this Policy).

5. Data Retention / Retenção de Dados

Data	Retention period	Reason
Account data (wallet, email, settings)	Active + 5 years after cancellation	Audit, tax compliance (LGPD art. 7, II)
Transaction history	Active + 5 years	Audit, tax compliance
Fee ledger (perf fee, subscriptions)	Active + 7 years	Tax obligations BR (Receita Federal)
IP and access logs	6 months	Security, abuse investigation
Support tickets	Active + 2 years	Service improvement, dispute resolution
Marketing consent records	Until revoked + 5 years (proof of consent)	LGPD art. 8 §5

After retention expires, data is anonymized or hard-deleted per industry best practices.

[TODO-LAWYER: confirm retention periods against LGPD art. 16 and any sector-specific obligations (Receita Federal IN 1.888/2019 — 5 years documentation requirement)]

6. Your Rights / Seus Direitos

6.1 LGPD (Brazil)

Under LGPD art. 18, you have the right to:

Access (art. 18, II) — request a copy of your data;
Correction (art. 18, III) — fix inaccurate data;
Anonymization, blocking or deletion (art. 18, IV/VI) — when data is unnecessary, excessive or processed in non-compliance;
Portability (art. 18, V) — receive data in a portable, machine-readable format;
Information about sharing (art. 18, VII) — know which third parties have received your data;
Information about consequences of denial (art. 18, VIII);
Revocation of consent (art. 18, IX).

To exercise these rights, contact privacy@auqix.com. We will respond within 15 days as required by LGPD.

If you are an EU resident [TODO-LAWYER: pending decision on EU User admission under MiCA], you additionally have:

Right to object (art. 21);
Right to restrict processing (art. 18);
Right to lodge a complaint with your national supervisory authority.

6.3 How to Exercise Rights

Email privacy@auqix.com with subject line "LGPD Request" or "GDPR Request".
Provide proof of wallet ownership (SIWS signature).
We may request additional verification before processing the request.

6.4 Self-service

Many rights can be exercised directly in the dashboard:

Access: dashboard exports all your data as CSV/JSON.
Correction: edit email/Telegram in Settings.
Revoke consent: toggle notifications off.

7. Security / Segurança

We implement industry-standard technical and organizational measures, including:

Encryption in transit (TLS 1.3);
Encryption at rest (Supabase, S3 backups);
Row-Level Security (RLS) per tenant in Supabase;
HSM-based custody of Sub-wallet keys via Privy (SOC 2 Type II);
Allowlist of programs and destinations enforced at the signing layer;
Independent on-chain monitor checking balances every 5 minutes;
Immutable audit log of all Sub-wallet events;
Per-tenant rate limits to detect anomalies;
Regular security reviews and dependency scans.

No method of transmission or storage is 100% secure. We cannot guarantee absolute security. In case of a data breach, we will notify affected Users and the ANPD (Brazilian National Data Protection Authority) within 72 hours as required by LGPD [TODO-LAWYER: confirm ANPD notification threshold and procedure under LGPD art. 48].

8. Children's Privacy / Privacidade Infantil

The Service is not directed to persons under 18. We do not knowingly collect personal data from minors. If we learn that we have collected data from a minor, we will delete it promptly.

[TODO-LAWYER: confirm age threshold under ECA (Estatuto da Criança e do Adolescente) and LGPD art. 14 (special protection for children/adolescents)]

9. International Data Transfers / Transferências Internacionais

Your data is stored primarily in the United States (Supabase US-East, Privy AWS US, Resend US). Under LGPD art. 33, international transfer is permitted under the following legal bases:

Standard Contractual Clauses (art. 33, II) — executed with each processor;
Specific consent (art. 33, V) — when applicable;
Contractual necessity (art. 33, VIII) — execution of contract with the User.

[TODO-LAWYER: confirm specific legal basis; ANPD has not yet issued a list of countries with "adequate" level of protection (art. 34). US is generally not on equivalent EU lists post-Schrems II, so SCC is the safest base.]

EU Users (if admitted): transfers comply with GDPR Chapter V (Standard Contractual Clauses 2021 version, Schrems II safeguards).

10. Cookies / Cookies

We use the following cookies:

Cookie	Type	Purpose	Duration
`auqix_session`	Essential	Authentication after SIWS	Session (HttpOnly, Secure)
`auqix_ref`	Functional	Track referral source	30 days
`auqix_locale`	Functional	Remember language preference	1 year

We do NOT use advertising cookies, third-party tracking cookies, or cross-site tracking technologies.

Plausible Analytics is cookieless and uses no client-side identifiers.

No cookie banner is shown because we do not use non-essential cookies that would require explicit consent under ePrivacy or LGPD art. 7.

[TODO-LAWYER: confirm cookie policy is sufficient under ANPD's Cookies guide (May 2023) and EU ePrivacy Directive]

11. Marketing Communications / Comunicações de Marketing

We send marketing emails only with explicit opt-in consent, captured separately from the Terms of Service acceptance. You can opt-out at any time via:

Unsubscribe link in every marketing email;
Settings toggle in the dashboard;
Email request to privacy@auqix.com.

Transactional emails (payment confirmation, security alerts, ToS updates) are sent regardless of marketing opt-in status, as they are necessary for contract execution.

12. Changes to This Policy / Alterações nesta Política

We may update this Policy from time to time. Material changes will be announced via:

Email notification (if you provided email) at least 14 days before effective;
In-app banner;
"Last Updated" date at the top of this Policy.

Continued use after the effective date constitutes acceptance. If you disagree, cancel your Account before the effective date (current cycle is not refunded — see Terms of Service §5.3).

13. Specific Disclosures / Disclosures Específicos

13.1 California Residents (CCPA — pre-emptive)

[TODO-LAWYER: not currently applicable as US Users are restricted. Include this section if US admission happens in Q4 2026 roadmap.]

13.2 Sensitive Personal Information

We do not process sensitive personal information as defined in LGPD art. 5, II (racial/ethnic origin, religious conviction, political opinion, union membership, health data, sexual life, genetic/biometric data).

14. Data Protection Officer (DPO) / Encarregado

Encarregado pelo Tratamento de Dados Pessoais (LGPD art. 41):

Name: [TODO-LAWYER: insert DPO name — founder during MVP, external DPO-as-a-service when AUM > $500K]
Contact: privacy@auqix.com
Channel for ANPD: same as above

The DPO is the point of contact for:

Data subject rights requests;
ANPD communications;
Internal data protection compliance.

15. Contact / Contato

AUQIX — [TODO-LAWYER: insert legal entity name and address]

Privacy contact: privacy@auqix.com
DPO: as above
ANPD: in case of unresolved complaint, you may contact the ANPD via https://www.gov.br/anpd

16. Language / Idioma

This Policy is drafted in English. A Portuguese reference translation is provided for User convenience. In case of conflict, the English version prevails. [TODO-LAWYER: assess enforceability under CDC for BR users]

END OF DRAFT v0.1 — All [TODO-LAWYER: ...] markers must be resolved before publication. Sections 4 (Third Parties), 5 (Retention), 9 (International Transfers) and 14 (DPO) are the highest-priority items for legal review.