1. Data We Collect
We collect only what is necessary to operate the platform. Aegis does not perform KYC (Know Your Customer) identity verification.
Registration data
- Email address and display name: provided during sign-up. Display name is required at registration.
- Password: stored as a cryptographic hash (scrypt derivation — never stored in plaintext or logged).
- OAuth tokens: if you register or log in via a social provider, we store the provider-issued access, refresh, and ID tokens. Your raw provider credentials are never stored.
- Email verification status and session tokens: used to authenticate your identity and maintain session security.
- Consent records: policy type, version, acceptance timestamp, IP address, and user-agent at the time of consent, retained as a legal audit trail.
Data generated when using the bots
- Wallet addresses: on-chain addresses associated with your LP positions. We do not collect, store, or request private keys or seed phrases under any circumstance.
- Exchange API keys: encrypted at rest using AES-256-GCM. We store ciphertext only — the raw key is never persisted in plaintext and is never shown back in the UI after initial submission. Aegis does not request or use withdrawal, transfer, or fiat permissions; you must disable those permissions when creating the key.
- LP positions and pool data: pool addresses, tick ranges, protocols, position token IDs, entry prices, and related configuration.
- Trading data: orders, executions, hedge records, PnL snapshots, strategy configurations, and performance metrics generated by your bots.
- Bot configuration: strategy parameters, buffer sizes, leverage settings, stop-loss levels, and trigger thresholds.
- Telegram chat ID and notification preferences: collected only if you voluntarily enable Telegram alerts. Optional.
- Telemetry: runtime errors, RPC latency, bot performance metrics, and usage patterns — anonymized where possible.
- Web analytics: page views, traffic source/medium, and country at aggregate level. No individual cross-site tracking. No fingerprinting.
2. How We Use Your Data
Your data is used to:
- Authenticate your account and provide platform access.
- Execute and monitor automated strategies on your behalf.
- Display your trading history, positions, and performance.
- Send service alerts and notifications (including Telegram if enabled).
- Diagnose issues and improve the platform via aggregated telemetry.
- Meet applicable legal and regulatory obligations.
3. What We Do Not Do
- No data sales: we do not sell, rent, or trade your personal data to any third party.
- No advertising: we do not share your data with advertisers or ad networks.
- No third-party AI training: your trading data, API keys, strategy configurations, and account information are never used to train machine learning models — by Aegis or any third party.
4. Third Parties with Data Access
We limit third-party access to what is operationally necessary:
- Cloudflare: CDN and DDoS protection for the landing site. Cloudflare sees traffic patterns and IP addresses in transit.
- Cloudflare Turnstile: The
/early-accessform uses Cloudflare Turnstile in invisible mode to distinguish humans from bots. Turnstile processes certain signals (e.g. IP address and browser characteristics) on behalf of Cloudflare for anti-abuse purposes. No personal account data is created with Cloudflare. See the Turnstile Privacy Addendum. - Railway: dashboard, bot API, and PostgreSQL database hosting. Railway has access to the infrastructure where your data is processed and stored.
- Email provider (transactional only): sends account and system notifications. No marketing without explicit consent.
- Telegram: if you enable alerts, your chat ID is transmitted to Telegram’s API to deliver notifications.
We do not grant third parties access beyond what is listed here.
This beta is closed and invite-only. The platform is not directed at a general global audience during this phase, so international data protection frameworks such as GDPR and CCPA are not formally applicable at this stage. Compliance with those frameworks will be analyzed and addressed before any future open public launch.
Data processed through the above providers may be stored or processed outside of Colombia. By using this platform, you acknowledge that your data may be transferred to and processed in other countries. To the extent the law of your jurisdiction requires, Aegis will apply appropriate safeguards for such international transfers.
5. Data Retention
| Data type | Retention period |
|---|---|
| Trading and position data | Active account + 7 years for tax/audit compliance |
| Exchange API keys | Deleted immediately upon revocation |
| Telemetry (detailed) | 90 days, then aggregated and anonymized |
| Backups (not yet implemented — roadmap) | Planned — target 30 days rolling (pending infrastructure) |
| Account data | Active + 30 days after confirmed deletion |
6. Your Rights (Colombian Law 1581/2012)
Under Colombian Law 1581/2012, and to the extent the law of your jurisdiction requires, you have the following rights:
- Access: request a copy of your personal data.
- Rectification: request correction of inaccurate data.
- Deletion: request deletion of your account and associated data, subject to mandatory retention obligations. Accounts with active strategies cannot be deleted until those strategies are archived or paused; deletion does not automatically close open positions. Exchange API keys are revoked from our systems upon deletion.
- Portability: CSV export of trading history is planned and will be available in a future release.
- Opt-out of sale: we do not sell data; this right is satisfied by default.
To exercise these rights, contact [email protected] or use the account settings in the dashboard.
7. Security
- Exchange API keys: AES-256-GCM encryption at rest; encryption key managed separately from encrypted data.
- Passwords: scrypt key derivation — never stored in plaintext.
- Data in transit: TLS on all connections.
- Backups: encrypted backups are planned and will be implemented when infrastructure conditions permit.
- Access controls: platform access restricted to the operator.
- Two-factor authentication (2FA) is not yet available; it is planned for a future release.
8. Cookies
- Landing site: only necessary cookies (language preference). No third-party tracking cookies.
- Dashboard: session cookie for authentication. No third-party tracking cookies.
- We do not use advertising cookies, cross-site tracking pixels, or browser fingerprinting.
9. Contact
For privacy inquiries: [email protected]