Skip to main content
AegisAegis
Beta launching soonWe'll enable access to the app during the beta.

Data Treatment Policy

Last updated: 2026-06-28

1. Data Controller

Aegis Bot is operated independently as a web service by an individual operator (no incorporated legal entity). For the purpose of Colombian Law 1581/2012, the data controller is the individual operating this service. To exercise your data rights, contact: [email protected]

This policy is issued in compliance with Colombian Law 1581 of 2012 (Habeas Data) and Regulatory Decree 1377 of 2013, which regulate the protection of personal data.

3. Data We Collect

Aegis does not perform KYC (Know Your Customer) identity verification. No government-issued identification documents are collected.

3.1 Registration data

The following data is collected when you create an account:

  • Name and email address: provided during sign-up.
  • Password: stored exclusively as a cryptographic hash (scrypt derivation function — plaintext passwords are never stored or logged).
  • OAuth tokens: if you register or log in via a social provider, Aegis stores the provider-issued access token, refresh token, and ID token for that account. Your raw credentials for the external provider are never stored.
  • Email verification status and session tokens: used to authenticate your identity and maintain session security.
  • Consent records: policy type, policy version, acceptance timestamp, IP address, and user-agent string at the moment of consent, retained as a legal audit trail.

3.2 Data generated when using the bots

The following data is collected and processed when you connect exchange accounts and use the hedging service:

  • Wallet addresses: on-chain addresses associated with your monitored LP positions.
  • Exchange API keys: encrypted at rest using AES-256-GCM before storage; only ciphertext is persisted; plaintext is never stored or displayed after initial submission. Aegis does not request or use withdrawal, transfer, or fiat permissions — you must disable those permissions when creating the key (see Section 4 and the Terms of Service).
  • LP positions and pool data: pool addresses, tick ranges, protocols, position token IDs, entry prices, and related configuration.
  • Orders, executions, and hedge records: orders placed by the bots, execution results, PnL snapshots, and hedge activity logs associated with your connected accounts.
  • Bot configuration: strategy parameters, buffer sizes, leverage settings, stop-loss levels, and trigger thresholds you define.
  • Telegram chat ID and notification preferences: collected only if you voluntarily enable Telegram alerts. Optional.
  • IP address and user-agent: recorded at the time of session creation and consent events.

4. Purposes of Processing

Your personal data is processed for the following purposes:

  • To create and manage your account.
  • To authenticate your identity and maintain session security.
  • To record your consent to the applicable policies, as required by Colombian law.
  • To provide the hedging bot service and its associated features.
  • To send transactional notifications (email verification, security alerts) when applicable.
  • To comply with legal obligations.

5. Data Retention

Account data is retained for as long as your account is active. Consent records are retained indefinitely as an auditable legal record. If you request account deletion, operational data will be removed subject to any active strategy constraints; consent records may be retained as required by applicable law.

6. Data Sharing and Third-Party Processors

We do not sell your personal data. We may share data with the following categories of third-party processors:

  • Hosting and application runtime (Railway): the dashboard, bot API, and PostgreSQL database are hosted on Railway. Railway has access to the infrastructure where your data is processed and stored.
  • CDN and DDoS protection (Cloudflare): the landing site is served through Cloudflare Pages. Cloudflare sees traffic patterns and IP addresses in transit.
  • Anti-bot verification (Cloudflare Turnstile): the /early-access form uses Cloudflare Turnstile in invisible mode. As a Cloudflare sub-processor, Turnstile processes certain signals (e.g. IP address and browser characteristics) to distinguish humans from bots. No personal account data is sent to Cloudflare. See the Cloudflare Turnstile Privacy Addendum.
  • PostgreSQL database hosting (Railway): the database is hosted on Railway infrastructure. Encrypted backups are planned (TASK-062, pending).
  • Email delivery: transactional emails (account verification, security alerts) are sent via a third-party email provider. No marketing emails without explicit consent.
  • Telegram: if you enable Telegram alerts, your chat ID is transmitted to Telegram’s API to deliver notifications.
  • Regulatory authorities: when required by applicable law.

All third-party processors are contractually bound to handle data in compliance with applicable privacy regulations.

International Data Transfers

This beta is closed and invite-only. Access is restricted to invited participants; the platform is not directed at a general global audience during this phase. Accordingly, international data protection frameworks such as GDPR and CCPA are not formally applicable at this stage. Compliance with those and equivalent international frameworks will be analyzed and addressed before any future open public launch. The general acknowledgment below applies for the duration of the closed beta:

Your personal data may be processed on infrastructure located outside of Colombia. By using this platform, you acknowledge that your data may be transferred to and processed in countries that may not provide the same level of data protection as Colombia. In such cases, Aegis will use appropriate safeguards and, to the extent the law of your jurisdiction requires, comply with applicable international transfer requirements.

7. Your Rights

Under Colombian Law 1581/2012 and Decree 1377/2013 you have the right to:

  • Know, update, and rectify your personal data.
  • Request deletion of your data (subject to legal retention requirements).
  • Revoke authorization for data processing.
  • Access a copy of your personal data.

To exercise these rights, contact: [email protected]

8. Inquiries and Complaints Procedure

To exercise any of the rights listed in Section 7 (know, update, rectify, delete, or revoke authorization), send a written request to [email protected]. Your request must identify you as the data subject or as an authorized representative, specify the right you wish to exercise, and include the data or situation you are referring to.

Response timelines under Law 1581/2012 and Decree 1377/2013:

  • Inquiries (consultas): a response will be provided within a maximum of 10 business days from the date the request is received. If it is not possible to respond within that period, you will be informed of the reasons for the delay and the new estimated date, which may not exceed 5 additional business days.
  • Complaints (reclamos): the complaint will be handled within a maximum of 15 business days from the date the complete complaint is received. If it is not possible to respond within that period, you will be informed of the reasons and the new estimated date, which may not exceed 8 additional business days.

If your request is not resolved to your satisfaction, you have the right to escalate to the Superintendencia de Industria y Comercio (SIC) — the Colombian supervisory authority for personal data protection — after exhausting the direct procedure described above.

For security vulnerability reports, use the same contact address: [email protected] (there is no separate security inbox at this time).

Note on data-controller identification: Aegis is currently operating as a closed beta (invite-only). The data controller is the individual operator whose contact channel is [email protected]. The operator does NOT publish their legal name, national ID, or domicile during any phase of the beta — whether closed or any eventual open beta. During the entire beta (free, no billing), [email protected] is the designated contact channel for data protection and privacy matters (without excluding other published channels: [email protected] for legal matters, [email protected] for general inquiries). Full legal identification of the individual data controller will be provided only if and when the service initiates commercial operation / billing, subject to legal review at that time.

9. Security

We implement technical and organizational measures to protect your data. Encrypted backups are planned and will be implemented when infrastructure conditions permit. Two-factor authentication (2FA) is not yet available; it is planned for a future release. Exposure of data through misconfiguration is a known risk category that we actively monitor and mitigate.

10. Changes to This Policy

We may update this policy periodically. Material changes will be notified via the platform or by email. Continued use after notification constitutes acceptance.

11. Governing Law

This policy is governed by Colombian law. Any dispute will be subject to the jurisdiction of Colombian courts.