Privacy Policy
1. What is processed, where, and why
| Data | Where it lives | Purpose |
|---|---|---|
| Exchange API keys, wallet addresses, agent keys | Your browser's localStorage only. Passed transiently through our proxy functions to the venue you connected; never stored or logged server-side. | Reading your balances and positions; signing orders you explicitly confirm. |
| Preferences (venues, watchlists, alerts, KPI layout, columns, agent limits) | Your browser's localStorage only. | Making Vala work the way you set it up. |
| Ask Vala queries | Your question plus a sanitised snapshot of your book (position sizes, venue names, agent states — credentials stripped) is sent to our AI endpoint (Anthropic) to generate the reply. Vala stores nothing. Anthropic processes it under its own API terms — commercial API traffic is not used to train its models, though it may be retained briefly for abuse monitoring before deletion. | Answering questions about your book. |
| Waitlist email (if you submit one) | Netlify Forms, per Netlify's privacy policy. | Contacting you about launch. Deleted on request. |
| Feedback (👎 notes, /feedback) | Netlify Forms + your own browser's localStorage. | Fixing the product. Please don't include personal data in feedback text. |
| Anonymous usage counts | GoatCounter (privacy-focused, cookie-less analytics) — page/event counts only; no wallet addresses, no amounts, no cross-site tracking. | Understanding which features are used. |
| Standard server logs (IP, user agent) | Netlify hosting infrastructure. | Operating and securing the service. |
2. What is not done
- No accounts, no server-side key store, no database of users.
- No sale or sharing of personal data for advertising; no ad trackers; no fingerprinting.
- Vala cannot access, move or withdraw your funds — no connected credential carries that permission.
3. Third parties
Requests you initiate are relayed to the venues you connect (e.g. Hyperliquid, Binance, OKX, Bybit, Deribit, Paradex) and to public data sources (news RSS feeds, DefiLlama). Each processes data under its own policy. The AI endpoint is provided by Anthropic; analytics by GoatCounter; hosting and forms by Netlify.
4. Your rights and your erase button
Because your data lives in your browser, clearing site data for this domain is a complete erasure of your keys, preferences and locally-saved feedback — no request needed. Removing a single venue connection deletes its key from your device immediately. For anything you have sent us (a waitlist email, feedback text), request access, correction or deletion via /feedback in the app, and we will action it. EU/UK users additionally have GDPR rights, including complaint to a supervisory authority.
5. Security
Keys leave your device only transiently, over TLS, to sign and relay the specific request you initiated. The app is a single readable HTML file and each proxy function is one short, auditable file. To report a vulnerability, use /feedback in the app marked "SECURITY", and see security.txt.
6. Changes
Material changes will be posted here with an updated date.