Privacy Policy

Collected automatically when you use the Service:

• Wallet address you sign in with. Stored as your primary account identifier.
• Session token issued after a successful sign-in signature, stored as an HttpOnly cookie on your browser. Used to keep you signed in for up to 30 days.
• Request logs for operational, security, and rate-limiting purposes: timestamp, HTTP path, status code, and (for rate-limit keying) the source IP.
• Payment metadata for any Solana Pay transaction you initiate: reference keypair (server- generated, one-time), plan, amount, transaction signature once confirmed, and confirmation timestamp.
• Signal delivery records: per signal, which of your delivery channels received it and whether delivery succeeded. Used for troubleshooting and abuse detection.

Collected only when you provide it:

• Telegram user id and username when you use the /link flow with our bot to receive premium DMs.
• Webhook URL + generated secret. The URL is stored as you provide it. The secret is generated server-side and shown to you once; we retain it so we can sign outgoing HMAC headers.
• API key hashes. We never retain the plaintext key; only a SHA-256 hash for lookup on subsequent requests.
• Custom wallet addresses you add to your personal Alpha pool, with any label you attach.
• Support ticket content you submit, including anything you paste into a ticket.
• Affiliate slug you choose and any referral attribution created when a new user signs in after clicking your link.
• Optional profile fields (email, handle) if you choose to set them in your dashboard. We do not ask for these by default.

• We do not ask for your real name or a government ID.
• We do not require an email, phone number, or KYC document to use the Service.
• We do not track you across the web. There is no third-party analytics, advertising pixel, or behavioural tracker embedded in the Service.
• We do not store the plaintext of API keys or webhook verification tokens on your side.
• We do not see or store the private keys of any wallet you use. All signing happens in your wallet.

• Deliver the Service: route signals to your chosen channels, authenticate your requests, confirm payments, pay affiliate commissions.
• Prevent abuse: rate-limit authentication attempts, enforce seat caps, flag suspicious affiliate referral patterns.
• Debug and improve: diagnose failures in the signal pipeline, investigate support tickets, measure aggregate signal quality.
• Communicate with you only through channels you have explicitly configured (Telegram DM if you linked your account, in-ticket replies, and the renewal reminders via Telegram).

Running the Service requires cooperation from a small number of infrastructure providers. We share only the data required for each integration to function.

• Helius / Chainstack (Solana RPC). We query public-blockchain data for signal detection and for confirming your payments. No personal data about you is sent to the RPC, only public on-chain addresses and transaction signatures.
• Telegram. If you link your Telegram account, we send signal DMs to your Telegram user id via the Bot API. Telegram's own policies apply to the DMs.
• Solana network. Your payments are public on-chain transfers; the transaction signature and the reference pubkey are permanent, world-readable records.
• Your webhook endpoint. When you configure a webhook, we POST signal payloads to the URL you supplied; the request is signed with the HMAC secret you received at setup. You are responsible for what your endpoint does with the data.

We do not sell, rent, or trade your data. We do not share your data with advertisers.

• sigmate_session: HttpOnly cookie containing your signed session token. Set on sign-in, cleared on sign-out, 30-day maximum lifetime. Required for the Service to keep you logged in across page loads.
• sigmate.ref: localStorage key holding an affiliate slug captured from ?ref= URLs. Cleared immediately after your first sign-in (or after you click sign-in, whichever comes first).

We do not use cookies for analytics, advertising, or cross-site tracking.

• Account records (users, subscriptions, affiliate profile) are retained for as long as your account exists, plus a reasonable period afterwards for audit, dispute resolution, and tax records (typically 7 years).
• Signal delivery records are retained for 90 days, then aggregated into anonymized statistics and deleted.
• Support tickets are retained for 2 years from last activity, then deleted.
• Raw server request logs are retained for 30 days for security and debugging.

• Access: all data we hold about you is derivable from your wallet address. Open a support ticket and we will provide a machine-readable export within 30 days.
• Correction: you can edit affiliate slug, labels, Telegram link, webhook URL, and email directly in the dashboard.
• Deletion: open a support ticket requesting deletion. We will purge your account and all personally-linked records within 30 days, subject to lawful retention obligations (e.g. tax records of payments already made). Note that on-chain transactions you made cannot be removed from the Solana blockchain.
• Opt out of communications: unlink your Telegram delivery channel in your dashboard to stop all bot DMs other than critical service notices.
• Depending on your jurisdiction you may have additional rights (GDPR/CCPA) including the right to object to processing or to lodge a complaint with a supervisory authority. We will honor any valid request.

We use HTTPS for all traffic, HMAC-SHA256 for outbound webhook signatures, SHA-256 hashing for API key storage, HttpOnly SameSite=Lax cookies for sessions, Bearer-token authentication for the API, and rate limiting on sensitive endpoints. Treasury keys are operated by the founding team. No system is invulnerable; if you suspect a security issue, reach us via the support ticket system and we will respond promptly.

Sigmate infrastructure may be hosted in multiple jurisdictions. By using the Service you consent to the transfer of your data to those locations for processing.

The Service is not directed at individuals under 18. If you believe a minor has provided us data, contact us and we will delete it.

We will update this policy as the Service evolves. Material changes will be reflected in the "Last updated" date at the top, and where we can reach you through a configured delivery channel we will notify you directly.

Data questions or deletion requests: support tickets (signed-in) or community chat at @sigmate_chat.