Privacy Policy

Last updated: 11 July 2026
Plain-English summary: Vala has no user accounts and no database. Your API keys and preferences live in your browser's localStorage, on your device, and are never stored on our servers. Short serverless proxy functions relay the requests you initiate to venues without storing or logging credentials. When you use Ask Vala, a sanitised snapshot of your book — never your keys — is sent to the AI endpoint to generate that one reply.

1. What is processed, where, and why

DataWhere it livesPurpose
Exchange API keys, wallet addresses, agent keysYour browser's localStorage only. Passed transiently through our proxy functions to the venue you connected; never stored or logged server-side.Reading your balances and positions; signing orders you explicitly confirm.
Preferences (venues, watchlists, alerts, KPI layout, columns, agent limits)Your browser's localStorage only.Making Vala work the way you set it up.
Ask Vala queriesYour question plus a sanitised snapshot of your book (position sizes, venue names, agent states — credentials stripped) is sent to our AI endpoint (Anthropic) to generate the reply. Vala stores nothing. Anthropic processes it under its own API terms — commercial API traffic is not used to train its models, though it may be retained briefly for abuse monitoring before deletion.Answering questions about your book.
Waitlist email (if you submit one)Netlify Forms, per Netlify's privacy policy.Contacting you about launch. Deleted on request.
Feedback (👎 notes, /feedback)Netlify Forms + your own browser's localStorage.Fixing the product. Please don't include personal data in feedback text.
Anonymous usage countsGoatCounter (privacy-focused, cookie-less analytics) — page/event counts only; no wallet addresses, no amounts, no cross-site tracking.Understanding which features are used.
Standard server logs (IP, user agent)Netlify hosting infrastructure.Operating and securing the service.

2. What is not done

3. Third parties

Requests you initiate are relayed to the venues you connect (e.g. Hyperliquid, Binance, OKX, Bybit, Deribit, Paradex) and to public data sources (news RSS feeds, DefiLlama). Each processes data under its own policy. The AI endpoint is provided by Anthropic; analytics by GoatCounter; hosting and forms by Netlify.

4. Your rights and your erase button

Because your data lives in your browser, clearing site data for this domain is a complete erasure of your keys, preferences and locally-saved feedback — no request needed. Removing a single venue connection deletes its key from your device immediately. For anything you have sent us (a waitlist email, feedback text), request access, correction or deletion via /feedback in the app, and we will action it. EU/UK users additionally have GDPR rights, including complaint to a supervisory authority.

5. Security

Keys leave your device only transiently, over TLS, to sign and relay the specific request you initiated. The app is a single readable HTML file and each proxy function is one short, auditable file. To report a vulnerability, use /feedback in the app marked "SECURITY", and see security.txt.

6. Changes

Material changes will be posted here with an updated date.

Related: Terms of Service · Docs & security · About Vala