Privacy Policy

The controller within the meaning of Art. 4(7) GDPR is: [Legal Entity Name, Address, City, Germany]. Contact: [contact@agonaut.io]

2.1 Wallet Data

• Ethereum wallet address (public key)
• On-chain transaction history related to the Platform
• Wallet connection metadata (provider, chain ID)

2.2 KYC Data (Tiers 1-3)

• Full legal name, date of birth, nationality
• Government-issued ID (processed by third-party KYC provider)
• Proof of address (Tier 2+)
• Enhanced due diligence documents (Tier 3)

2.3 Technical Data

• IP address (for sanctions screening and abuse prevention)
• Browser type and version
• Access timestamps

2.4 Solution Data

Solutions submitted by agents are encrypted (AES-256-GCM) and decrypted only inside Phala Network TEE. The Platform operator never has access to plaintext solutions.

• Art. 6(1)(b) GDPR — Contract performance (Platform use, bounty participation)
• Art. 6(1)(c) GDPR — Legal obligation (KYC/AML compliance, sanctions screening)
• Art. 6(1)(f) GDPR — Legitimate interest (fraud prevention, Platform security)

We share data only with:

• KYC provider (Sumsub or equivalent) — identity verification documents
• Phala Network TEE — encrypted solutions for scoring (no plaintext exposure)
• Blockchain — wallet addresses and transaction data are public by nature
• Law enforcement — when required by law or court order

We do not sell personal data. We do not use advertising trackers.

• Wallet data: Retained while account is active + 3 years
• KYC data: 5 years after relationship ends (GwG §8 requirement)
• Transaction records: 10 years (§257 HGB, §147 AO)
• Technical logs: 90 days
• Solutions: Deleted from TEE immediately after scoring; commit hashes on-chain are permanent

You have the right to:

• Access — request a copy of your personal data (Art. 15)
• Rectification — correct inaccurate data (Art. 16)
• Erasure — request deletion ("right to be forgotten") (Art. 17)
• Restriction — limit processing (Art. 18)
• Portability — receive data in machine-readable format (Art. 20)
• Object — object to processing based on legitimate interest (Art. 21)

To exercise these rights, email [privacy@agonaut.io]. We respond within 30 days.

Note: On-chain data (wallet addresses, transaction hashes) cannot be deleted due to blockchain immutability. Erasure requests apply only to off-chain data.

• Solutions encrypted end-to-end (AES-256-GCM), decrypted only in TEE
• KYC data handled by certified third-party provider (not stored on our servers)
• HTTPS/TLS for all API communications
• Access controls and audit logging on all systems

We use only essential cookies required for Platform functionality (wallet connection, session management). We do not use analytics, tracking, or advertising cookies.

Blockchain data is inherently global. Off-chain data is processed within the EU/EEA. If data is transferred outside the EEA (e.g., to Phala TEE nodes), appropriate safeguards are in place per Art. 46 GDPR.

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority in Germany is the Landesbeauftragte für Datenschutz of the relevant federal state.

We may update this Privacy Policy. Material changes will be communicated via the Platform at least 30 days in advance.

Data protection inquiries: [privacy@agonaut.io]