Privacy Policy
Last updated · May 7, 2026
Aegis is built so that we need to know almost nothing about you. This Policy explains what information we do and do not handle when you use the Aegis web interface and backend, and what rights you have over that information.
Scope and controller
This Privacy Policy describes how the Aegis maintainers ("we", "us") handle information when you access the Aegis web interface at aegisz.xyz and the associated backend services (together, the "Service").
It does not cover the Squads Protocol, the Cloak Protocol, Solana validators or RPC providers, wallet providers, or any other third party you interact with through Aegis. Each such party operates under its own privacy policy and is independently responsible for information you share with it.
For privacy questions or to exercise the rights described in Section 09, contact raffxweb3@gmail.com.
What we do not collect
We have built Aegis to need very little about you. We do not:
- ask for your name, email address, postal address, phone number, government identifier, or any KYC information;
- run third-party analytics, advertising, behavioural tracking, or session-replay technology on the Service;
- attach persistent identifiers, fingerprints, or marketing cookies to your wallet activity;
- log your IP address in our application code by default (see Section 06 for what infrastructure providers may observe as part of normal HTTP traffic);
- record your private keys, seed phrases, or full wallet signatures beyond the short-lived session described in Section 04;
- sell, rent, or share information with data brokers, ad networks, or marketing partners.
What we do store
To make the product work, the Aegis backend stores a small amount of off-chain data. This data is scoped to a vault, visible to its signers, and, for opt-in features only, to auditors that signers have explicitly authorised.
- Sub-vault display names chosen by signers (e.g., "Payroll", "Marketing");
- Encrypted transaction memos. Memos are encrypted in your browser using keys derived from a signer's wallet signature; we never see the plaintext;
- Stealth invoice metadata: one-time stealth address, amount, expiry, claim status, and (for bearer invoices) the bearer link nonce;
- Recurring payment schedules: recipient, cadence, next-run timestamp, and execution history;
- Audit access log entries. Each time an authorised auditor reads scoped vault data, we append a row recording who read what and when, so the read itself is auditable;
- Spending limit configuration entered by signers (caps, windows, counters);
- Public account references: vault and signer public keys, which are also visible on-chain.
Wallet signatures and session cookie
To avoid forcing you to sign a message on every action, we use a short-lived session cookie:
- on first sign-in, your wallet signs a single random challenge issued by the backend;
- the backend verifies the signature, then issues an httpOnly, Secure, SameSite session cookie valid for approximately thirty (30) minutes;
- subsequent requests within that window are authenticated by the cookie alone, so you do not have to re-sign every action.
The signed challenge is verified and discarded; we do not retain wallet signatures in logs or storage. The cookie expires automatically and is invalidated when you sign out or when your wallet disconnects.
Blockchain data is public and permanent
All on-chain activity, including vault creation, multisig approvals, license issuance, deposits, withdrawals, and transaction metadata recorded on-chain, is written to the Solana public ledger. Public ledger data is permanent and outside our control.
The privacy properties offered by Aegis derive from the cryptographic design of the Cloak Protocol (zero-knowledge proofs and shield-pool unlinkability), not from any database or access control we operate. You should assume that anything written on-chain may be observed and analysed by anyone, indefinitely.
Third parties and infrastructure
We rely on the following categories of third-party providers, each of which may receive technical information necessary to fulfil requests, including, in the normal course, your IP address as part of HTTP traffic:
- Hosting and database: our application and Postgres database run on commercial cloud infrastructure;
- Solana RPC providers (such as Shyft, Helius, and public RPC endpoints) for reading state and submitting on-chain transactions;
- Cloak relay at api.devnet.cloak.ag, which we proxy in order to support browser-based proof generation;
- Wallet providers (such as Phantom, Solflare, and Backpack), injected by your browser via the wallet adapter standard.
Each provider has its own privacy policy. We have no contractual control over what these providers log or how they use that data.
Cookies and similar technologies
We use a single first-party session cookie, described in Section 04, for authentication. We do not use marketing cookies, analytics cookies, or third-party tracking pixels. We do not load third-party tracking scripts on the Service. We do not respond to Do Not Track signals because we do not perform tracking that they would limit.
Data retention
We retain off-chain data for as long as it is needed to provide the Service, and otherwise as follows:
- sub-vault display names, encrypted memos, invoice metadata, recurring schedules, and spending limits are retained for the lifetime of the vault that uses the Service;
- audit access log entries are retained for the lifetime of the vault, to preserve their evidentiary value;
- session cookies expire after approximately thirty (30) minutes of inactivity and are invalidated on sign-out;
- we may delete devnet data without prior notice during program upgrades, infrastructure migrations, or in response to abuse.
You may request deletion of off-chain data associated with vaults you control by contacting us (see Section 11). On-chain data is permanent and cannot be deleted by us.
Your rights
Depending on where you live, you may have rights under data-protection laws such as the EU and UK General Data Protection Regulation, the California Consumer Privacy Act, or the Brazilian Lei Geral de Proteção de Dados. Because we collect almost no personal data tied to your identity, several of these rights apply only to limited categories of information.
By contacting us, you may:
- ask what off-chain data we hold about a vault that you control;
- request correction or deletion of that off-chain data;
- request a copy in a portable format;
- object to or restrict our processing;
- withdraw any consent you have previously given, where consent is the legal basis for processing.
We respond within a reasonable time and at no cost, except where requests are manifestly unfounded or excessive. Identity verification is performed by asking you to sign a fresh challenge using the wallet associated with the vault.
Security
We apply standard technical safeguards: TLS in transit; encryption at rest where supported by our hosting provider; httpOnly, Secure, and SameSite session cookies; principle-of-least-privilege access controls; and regular dependency updates.
No system is fully secure. Aegis is on devnet and pre-audit; you must not entrust real value or sensitive personal data to the Service. If you believe you have discovered a security vulnerability, please report it to raffxweb3@gmail.com and give us a reasonable opportunity to investigate before disclosing.
Children
The Service is not directed at, and we do not knowingly collect information from, anyone under the age of eighteen (18). If you believe a minor has provided information through the Service, please contact us so that we can take appropriate action.
International users
The Service is operated from, and our infrastructure providers may process data in, jurisdictions outside your country of residence. By using the Service, you understand that your information may be processed in countries whose data-protection laws differ from those of your jurisdiction.
Changes to this Policy
We may update this Policy from time to time. Material changes will be reflected by updating the "Last updated" date at the top of this page; where reasonably possible, we will surface the change in the Service or notify you in another reasonable manner. Your continued use of the Service after the change takes effect constitutes acceptance of the updated Policy.
Contact
For privacy questions, requests to exercise your rights, or security reports, contact: raffxweb3@gmail.com.