This Privacy Policy explains how SaucerSwap Labs, Inc., a Delaware corporation (“SaucerSwap Labs,” “we,” “our,” or “us”) collects, uses, discloses, and retains information when you access or use our websites, interfaces, mobile applications, application programming interfaces (“APIs”), developer tools, Orderbook Services (as defined in the Terms), market-data services, WebSocket feeds, support channels, bug-bounty or security-reporting channels, embedded or partner interfaces that link to this Policy, and related services (collectively, the “Services”). This Privacy Policy is incorporated into the SaucerSwap Terms of Service. Capitalized terms not defined here have the meanings given in the Terms. If this Policy conflicts with the Terms, this Policy controls with respect to personal information, personal data, privacy rights, and data processing. The Terms control with respect to contractual service access, risk allocation, and non-privacy matters. “Personal information,” “personal data,” and similar terms mean information that identifies, relates to, describes, can reasonably be linked to, or is otherwise regulated as information about a person, wallet, device, household, or user under applicable privacy or data-protection law.

1. Scope

This Privacy Policy applies to information we process in connection with the Services, including pre-acceptance visits, wallet-connection pages, legal acceptance flows, beta, testnet, staging, production, API, market-maker, embedded, partner, and third-party-hosted interface instances that link to or include this Policy. This Policy does not apply to third-party wallets, app stores, RPC providers, mirror nodes, explorers, indexers, cloud providers, token issuers, stablecoin issuers, market makers, liquidity providers, bridges, analytics providers, community platforms, or other Third-Party Services when those parties act as independent controllers or independent businesses. It applies to those parties only where they process information for us as our service provider, processor, or contractor. Public blockchains, Hedera network records, consensus timestamps, Hedera Consensus Service (“HCS”) references where used, mirror nodes, explorers, wallets, counterparties, and third-party indexers may independently process and retain information. Some wallet, order, transaction, HCS-reference, mirror-node, explorer, indexer, and public-chain data may be public, immutable, independently retained, or outside our control. Wallet addresses, Hedera account IDs, public keys, order hashes, transaction IDs, HCS references, signed authentication messages, signed orders, and similar pseudonymous identifiers are personal information when they identify, relate to, describe, or can reasonably be linked to a person, wallet, device, household, or user. For users in the European Economic Area, United Kingdom, or Switzerland, we treat pseudonymous wallet addresses and account identifiers that can be linked to an individual as personal data by default. 
Before you complete legal acceptance, we may process IP address, user agent, approximate location derived from IP address, wallet connection state, cookie or local storage state, device and browser signals, and similar information to display the Services, show the legal acceptance flow, apply geoblocking and sanctions controls, detect abuse, and record whether acceptance was completed.

2. Information We Collect

We may collect the categories of information below. We may collect wallet addresses, Hedera account IDs, public keys, API client identifiers, session identifiers, legal acceptance or privacy acknowledgment event identifiers, Terms version, Privacy Policy version, V3 Orderbook Risk Notice version, document hash or text hash, acceptance timestamp, IP-derived approximate location or jurisdiction signal at acceptance, user agent at acceptance, support identifiers, Discord or community handles you provide to us, email addresses you provide to us, and other information you submit through support, legal, security, bug-bounty, incident-response, business, or feedback channels.

B. Device, Network, Usage, And App Information

We may collect IP address, user agent, browser type, device type, operating system, approximate location derived from IP address, referring pages, pages viewed, links clicked, timestamps, language settings, cookie identifiers, analytics identifiers, app instance identifiers, crash data, performance data, and other information about how you access or use the Services. If we make a mobile application available, we do not intentionally request GPS or other precise device geolocation unless we provide a separate notice and obtain any permission or consent required by law. We do not use mobile advertising identifiers for cross-context behavioral advertising unless we first provide required platform and legal controls.

C. Authentication, Session, API, And Security Information

We may collect wallet-auth challenges, signed authentication messages, verification results, JSON Web Tokens (“JWTs”) or other session tokens, API keys, API key metadata, API client identifiers, rate-limit counters, request and response metadata, endpoint paths, timestamps, error codes, access logs, security logs, abuse-prevention signals, and related authentication or authorization records. In persistent logs, analytics systems, and support systems under our control, we store API keys, JWTs, session tokens, and similar secrets only in hashed, truncated, encrypted, redacted, or metadata-only form and do not intentionally use raw secrets for analytics.

D. Orderbook, Trading, And Strategy Information

If you use Orderbook Services, we may collect and process signed order payloads, signatures, signature mode or prefix metadata, order hashes, order identifiers, orderbook IDs, pair IDs, token addresses, token association information, order type, side, price, amount, fee, fee cap, deadline, time-in-force, maker or taker fields, order status, fills, cancellations, expirations, rejections, failures, corrections, Settlement references, transaction IDs, consensus timestamps, HCS or network references, mirror-node or indexer references, order history, related lifecycle events, and inferences about trading or order strategy that can be derived from your orders, API usage, or interaction patterns. Order payloads and lifecycle records may remain in controlled off-chain systems after a terminal order state where retention is needed for order history, reconciliation, legal acceptance evidence, security, abuse prevention, disputes, audits, regulatory cooperation, or legal claims.

E. Market Data, WebSocket, Reliability, And Error Telemetry

We may collect WebSocket or Socket.IO connection metadata, subscriptions, orderbook snapshots, market-data requests, quote requests, route requests, status requests, lifecycle events, latency data, service health data, database or queue diagnostics, reconciliation logs, crash logs, Sentry or comparable error telemetry, incident-response records, and related operational data.

F. Compliance, Sanctions, Fraud, Abuse, And Automated-Risk Signals

We may collect or generate sanctions-screening signals, wallet-risk signals, fraud signals, abuse signals, market-manipulation indicators, wash-trading indicators, spoofing or layering indicators, API-abuse signals, geolocation or geoblocking signals, cybercrime or theft indicators, compliance-review records, investigation records, and legal-process records. These signals may be created by us or by compliance, sanctions-screening, blockchain-analytics, geolocation, geoblocking, fraud-prevention, security, or infrastructure providers. We may use device, network, wallet, and behavior signals to detect abuse, sanctions evasion, fraud, bot activity, or security risk. We do not use device fingerprinting or similar techniques for cross-context behavioral advertising unless we provide required notice and controls before doing so.

G. Cookies, Analytics, And Similar Technologies

We and our service providers may use cookies, local storage, pixels, SDKs, and similar technologies to operate the Services, remember settings, store local preferences, maintain legal acceptance or privacy acknowledgment state, authenticate sessions, secure accounts, detect abuse, improve reliability, measure usage, and support analytics or communications. Strictly necessary cookies, local storage, and similar technologies are used to provide, secure, or remember requested Services. Non-essential analytics, measurement, advertising, marketing, or similar technologies, if used, are subject to consent, opt-out, or other controls where required by applicable law. Where consent is required, we provide notice before use, do not treat consent as a condition of using strictly necessary Services, and provide a way to withdraw consent that is no more difficult than giving consent. You may also limit cookies or local storage through browser or device settings, but disabling necessary storage may prevent wallet connection, legal acceptance, session authentication, security controls, or other Services from working. We may collect, preserve, use, or disclose information in connection with subpoenas, court orders, warrants, legal process, regulator requests, law-enforcement requests, sanctions authority requests, tax requests, government inquiries, audits, disputes, or legal claims. Where legally permitted and appropriate, we may notify affected users or publish transparency information, but we may be prohibited from doing so.

3. Sources Of Information

We collect information:
  • directly from you when you use the Services, connect a wallet, sign messages, place or cancel orders, use APIs, contact us, submit requests, or provide materials;
  • automatically from your device, browser, wallet, API client, or network connection;
  • from public blockchains, Hedera network records, consensus timestamps, HCS references where used, mirror nodes, explorers, indexers, wallets, RPC providers, and other public or semi-public infrastructure;
  • from service providers, analytics providers, error-log providers, security providers, infrastructure providers, compliance providers, sanctions-screening providers, blockchain-analytics providers, geolocation providers, geoblocking providers, and legal or regulatory sources; and
  • from counterparties, market participants, bug-bounty participants, security researchers, community channels, or other third parties where permitted and relevant to the Services.
If we receive wallet, transaction, order, or risk information about a person who is not a direct user, we process that information only where we have a lawful basis and provide notices required by applicable law, taking into account whether direct notice is impossible, disproportionate, or would undermine security, compliance, or legal obligations.

4. How We Use Information

We may use information for the following purposes:
  • provide, operate, maintain, secure, and improve the Services;
  • authenticate wallets, users, sessions, API clients, and API keys;
  • present and record legal acceptance, privacy acknowledgment, Risk Notice acknowledgment, document versions, document hashes, and jurisdiction or location signals needed for acceptance and compliance evidence;
  • build, verify, admit, save, match, route, relay, display, cancel, expire, correct, support Settlement, attempt operational recovery or reconciliation of controlled off-chain records or service state, and reconcile orders;
  • derive, use, and retain trading or order strategy inferences from orders, API usage, or interaction patterns for security, abuse prevention, market-integrity risk controls, compliance, reliability, product improvement, and Service operation;
  • operate order history, market data, WebSocket feeds, APIs, rate limits, developer support, service health monitoring, reliability monitoring, debugging, incident response, and abuse prevention;
  • provide support, respond to inquiries, process feedback, administer bug-bounty or security-reporting programs, and communicate service notices;
  • detect, investigate, prevent, and respond to fraud, sanctions evasion, money laundering, terrorist financing, cybercrime, theft, market manipulation, wash trading, spoofing, layering, orderbook disruption, API abuse, and other unlawful or prohibited activity;
  • enforce the Terms, protect legal rights, preserve legal defenses, resolve disputes, perform audits, and manage compliance obligations;
  • respond to subpoenas, court orders, legal process, regulator requests, law-enforcement requests, sanctions authority requests, and other government requests;
  • comply with applicable law, sanctions obligations, tax or accounting obligations, regulatory obligations, and audit obligations;
  • protect users, SaucerSwap Labs, the Protocol, the Services, infrastructure providers, third parties, and the public;
  • create aggregate, de-identified, or anonymized analytics, reliability, security, and product-improvement information; and
  • perform analytics, measure performance, improve user experience, and develop new or improved services.
Operational recovery or reconciliation may affect controlled off-chain records, displays, API responses, or order-history views. It does not modify public blockchain records or guarantee reversal, correction, recovery, cancellation, or Settlement. Where applicable law gives you a right to object to processing based on legitimate interests, including GDPR Article 21 rights, you may object by contacting [email protected]. This Privacy Policy describes data practices only. It does not expand the Services, create a separate service-level agreement, guarantee data accuracy or availability, create a duty to monitor, detect, prevent, correct, disclose, reverse, reimburse, or notify users of trading or system issues, or create any custody, brokerage, agency, fiduciary, advisory, best-execution, fair-access, market-integrity, or regulated-intermediary duty. Where GDPR, UK GDPR, Swiss data-protection law, or similar law applies, we do not rely on your acceptance of this Privacy Policy as consent for core Services processing. We process personal data under the legal bases below, depending on the processing activity and jurisdiction.
  • Wallet authentication, session issuance, requested API access, order submission, order status, order history, and support you request: primary basis is contract necessity where the processing is objectively necessary to provide the requested Services; additional bases may include legitimate interests in security, reliability, fraud prevention, and legal claims.
  • Legal acceptance, Risk Notice acknowledgment, Privacy Policy acknowledgment, versioning, document hashes, acceptance timestamp, wallet address, IP-derived approximate location, and user agent at acceptance: primary basis is legitimate interests in maintaining enforceable acceptance evidence and legal claims; legal obligation applies where applicable law requires recordkeeping.
  • Security, abuse prevention, sanctions-risk controls, geoblocking, fraud prevention, market-integrity risk controls, debugging, reliability, and incident response: primary basis is legitimate interests; legal obligation applies where applicable sanctions, security, regulatory, or legal-process rules require processing.
  • Trading or order strategy inferences used for security, abuse prevention, market-integrity risk controls, compliance, reliability, product improvement, and Service operation: primary basis is legitimate interests; legal obligation applies where applicable law requires processing; consent applies where required for a specific non-essential processing activity.
  • Legal process, regulatory cooperation, audits, disputes, tax or accounting, sanctions obligations, and legal claims: primary basis is legal obligation where applicable law requires processing and legitimate interests where processing is needed to establish, exercise, or defend legal claims.
  • Non-essential analytics, measurement, marketing communications, advertising technologies, or sensitive-data processing where required by law: primary basis is consent, unless applicable law permits another basis and required notices and controls are provided.
Before relying on legitimate interests for material production processing in the EEA, UK, or Switzerland, we assess the relevant legitimate interest, necessity, balancing factors, safeguards, and user rights. We do not rely on vital interests or public-task/public-interest legal bases for ordinary security, fraud-prevention, or incident-response processing. We do not intentionally collect special-category data under GDPR Article 9. If you provide special-category data to us, or if processing special-category data becomes necessary for legal claims, substantial public interest, explicit consent, or another permitted basis, we process it only where a valid Article 9 condition and other required safeguards apply. Automated and assisted screening may affect access to the Services. We may use automated tools to classify wallet-risk, sanctions, restricted-jurisdiction, geolocation/geoblocking, fraud, abuse, API-abuse, and market-integrity signals. The logic may consider wallet or account identifiers, transaction and order patterns, IP-derived approximate location, device and network signals, sanctions or restricted-party data, blockchain analytics, and abuse or security signals. The consequences may include blocked access, delayed orders, rejected orders, rate-limited API access, disabled API keys, denied protected endpoints, or manual review. Where applicable law gives you rights related to automated decision-making or profiling, including GDPR Article 22 rights, you may request human review, contest the decision, express your point of view, and obtain information about the decision by contacting [email protected]. We aim to respond within one month for GDPR-scope requests, subject to permitted extensions. Where EU or UK law requires appointment of an EU or UK representative for a covered Service, we will identify that representative in this Policy or a linked privacy notice before intentionally offering that covered Service in the relevant scope. 
If a representative has not been identified for a covered jurisdiction where one is legally required, protected access may be restricted until the required notice is provided. If we appoint a Data Protection Officer, we will identify the DPO’s contact details in this Policy or a linked notice. Where EU, UK, or Swiss data-protection law applies, you may have the right to lodge a complaint with a supervisory authority.

6. How We Disclose Information

We may disclose information to:
  • cloud, hosting, database, logging, analytics, error-monitoring, security, infrastructure, CDN, wallet-connectivity, RPC, mirror-node, indexer, API, and communications providers;
  • compliance, sanctions-screening, blockchain-analytics, fraud-prevention, geolocation, geoblocking, and security vendors;
  • legal counsel, auditors, insurers, accountants, consultants, bug-bounty administrators, security researchers, and incident-response providers;
  • courts, regulators, law enforcement, sanctions authorities, tax authorities, self-regulatory organizations, government agencies, and other authorities;
  • affiliates, personnel, authorized contractors, and service providers who need access for operations, security, compliance, investigation, reconciliation, legal, or support purposes;
  • counterparties, market participants, market makers, liquidity providers, API counterparties, or infrastructure providers only where transaction or order state is public, operationally necessary, or needed for reconciliation, compliance, investigation, security, dispute resolution, or operation of the Services;
  • affiliates, successors, acquirers, or business partners in connection with a merger, financing, corporate transaction, restructuring, sale of assets, or similar transaction, with notice where required by law; and
  • other persons with your direction or consent.
We require service providers and processors that process personal information for us to use written terms designed to restrict their processing to our instructions or permitted purposes, require confidentiality and security measures, restrict retention, use, sale, sharing, or disclosure except as permitted, assist with rights requests, security, deletion, audits, and compliance where applicable, and meet Article 28 processor requirements where GDPR or UK GDPR applies. We maintain or require contractual, technical, operational, access-control, logging, confidentiality, and misuse-prevention controls for non-public order and trading information. Non-public signed order payloads, order intent, API strategy data, or wallet-linked trading history may be disclosed only where public, directed by you, legally required, operationally necessary for the requested Service, or needed for reconciliation, compliance, investigation, security, dispute resolution, or operation of the Services, and subject to applicable confidentiality, access, and misuse restrictions. As of the Last modified date above, we do not sell personal information for money, do not share personal information for cross-context behavioral advertising, and do not process personal information for targeted advertising. We do not knowingly sell or share personal information of users under 16 or use it for targeted advertising unless applicable law permits it and the required opt-in or parental consent has been obtained. If we begin any sale, sharing, targeted advertising, or use of advertising technologies that requires opt-out controls, we will provide required notices and controls, including a “Do Not Sell or Share My Personal Information” or equivalent mechanism in the website footer, privacy settings, cookie controls, or another legally compliant location before enabling that processing. 
We honor legally recognized opt-out preference signals, including Global Privacy Control, for users in jurisdictions where those signals must be honored. We do not sell, share, or process personal information for targeted advertising after receiving a valid opt-out preference signal, except as permitted by applicable law. Where legally permitted and appropriate, we may notify affected users about legal process or government requests, but we may be prohibited from doing so or may delay notice to preserve security, compliance, investigations, or legal rights.

7. Public Networks And Deletion Limits

Some wallet, order, transaction, HCS-reference, mirror-node, explorer, indexer, Settlement, and public-chain data may be public, immutable, independently retained, or outside our control. We cannot delete, alter, or prevent third parties from processing public blockchain records, HCS references where used, consensus timestamps, mirror-node data, explorer copies, third-party indexer copies, wallet records, RPC records, counterparty records, regulator records, or analytics-provider records that are outside our control. Disconnecting a wallet, clearing browser storage, deleting local settings, revoking a cookie, or submitting a deletion request does not delete public-chain records, HCS references where used, third-party copies, or records we retain where retention is required or permitted for legal obligations, legal claims, security, abuse prevention, fraud prevention, sanctions compliance, regulatory cooperation, disputes, audits, backups, or other grounds recognized by applicable law. Legal acceptance records, Risk Notice acknowledgment records, Privacy Policy acknowledgment records, document version records, document hashes, acceptance timestamps, wallet addresses, IP-derived approximate location at acceptance, and related user-agent evidence may be retained even after a deletion request where retention is needed to establish, exercise, or defend legal claims, comply with legal obligations, prove acceptance, prevent abuse, or satisfy regulatory, audit, sanctions, or dispute obligations. When we honor a deletion request, we will delete, de-identify, or restrict personal information in controlled off-chain systems where required and feasible, including support records, account or API metadata, legal acceptance metadata, order-history views, analytics identifiers, and operational logs, subject to legally permitted retention. 
We will also instruct processors and service providers to delete, de-identify, or restrict personal information where required by applicable law and feasible. Deletion from controlled off-chain systems may not remove public-chain records, HCS references where used, third-party records, historical backups before overwrite, or information retained in legally restricted archives. Restricted archives are limited-access records preserved for legal, security, compliance, audit, dispute, investigation, backup, or legal-defense purposes. We restrict use of those archives to the purpose for which they are retained and delete, de-identify, or overwrite them when the retention basis expires or the backup cycle completes.

8. Retention

We retain information for as long as necessary or appropriate for the purposes described in this Privacy Policy, including to provide and secure the Services, reconcile orders, maintain order history, debug incidents, prevent abuse, comply with law, respond to legal process, cooperate with regulators or law enforcement, resolve disputes, perform audits, maintain backups, enforce the Terms, and establish or defend legal claims. Retention periods depend on the category of information, sensitivity, operational need, legal need, security risk, volume, relationship to public-chain data, and applicable law. We generally retain session and JWT logs for up to 90 days; API and WebSocket request logs for up to 12 months; order lifecycle, Settlement-support, and legal acceptance or privacy acknowledgment records for up to 7 years after the later of terminal order state, last protected access, API key deactivation, account closure, dispute closure, or legal hold release; security, sanctions, abuse, investigation, legal-process, and dispute records for up to 7 years after closure; support and bug-bounty records for up to 3 years; and backups until overwritten in the ordinary backup cycle, generally within 90 days. “Last protected access” means the last time a wallet, account, API key, session, or client accessed a protected Orderbook Service, API, market-maker program, gated interface, or other access path requiring current legal acceptance. Session logs, API logs, and reliability records may be promoted to longer incident, security, investigation, or dispute retention if they become relevant to a security incident, abuse investigation, legal process, regulatory request, sanctions review, dispute, or legal claim. We may retain longer where necessary for legal claims, sanctions, audits, investigations, regulatory requests, legal holds, or legal process. 
We periodically review retained records, restrict access where retention is still required, and delete, de-identify, aggregate, or overwrite records when retention is no longer necessary and deletion is technically feasible.

9. Security

We use technical, administrative, and organizational measures designed to protect information, including access controls, role-based permissions, logging, confidentiality obligations, encryption in transit where supported, encryption or protected storage at rest where appropriate, secret redaction or hashing in persistent systems, vulnerability management, incident-response processes, service-provider diligence, and misuse-prevention controls for non-public order and trading information. No system is completely secure. We do not guarantee that information will be secure, uninterrupted, or free from unauthorized access, loss, misuse, alteration, or disclosure. You are responsible for securing your wallet, private keys, seed phrases, devices, accounts, and credentials. If we become aware of a personal-data breach or security incident that triggers notification obligations, we will notify affected individuals, regulators, processors, controllers, or other required parties as required by applicable law, including within applicable statutory timelines. Security researchers and users may report vulnerabilities or suspected data incidents by contacting [email protected] with “Security” in the subject line or through any published bug-bounty or security-reporting channel.

10. Your Choices And Privacy Rights

Depending on your location and applicable law, you may have rights to access, correct, delete, restrict, object to, or receive a portable copy of personal information; withdraw consent; opt out of sale, sharing, targeted advertising, certain profiling, or certain automated decision-making; limit certain uses of sensitive personal information; appeal a rights-request denial; receive non-discriminatory treatment for exercising rights; file a complaint with a regulator; or lodge a complaint with a supervisory authority. You may contact us at [email protected] to exercise rights. If processing is based on consent, you may withdraw consent through the same interface where available, through cookie or privacy controls where available, by using unsubscribe links for marketing communications, or by contacting us. Withdrawal does not affect processing that occurred before withdrawal or processing based on another legal basis. We may need to verify your identity and authority before responding. Verification may include confirming control of an email address, wallet address, API client, signed message, request details, or other information reasonably related to the request. We will not require you to create a new account solely to submit a request, and we will not use verification procedures that are unreasonable or designed to prevent exercise of rights. We generally respond to GDPR, UK GDPR, and Swiss requests within one month, subject to permitted extensions. We generally respond to California and other U.S. state privacy requests within 45 days, subject to permitted extensions. If we deny a request where an appeal right applies, we will explain how to appeal. You may appeal by replying to our denial or contacting [email protected] with “Privacy Appeal” in the subject line. We aim to respond to appeals within 60 days or the timeframe required by applicable law. 
We may deny or limit requests where permitted by law, including where information is public-chain data, outside our control, necessary for legal obligations, legal claims, security, abuse prevention, sanctions compliance, fraud prevention, order reconciliation, legal acceptance evidence, compliance, dispute, audit, backup, or other legally recognized retention grounds. We do not discriminate against you for exercising privacy rights. We will not deny Services, charge different prices, provide a different quality of Services, or retaliate because you exercised a privacy right, except where the difference is reasonably related to the value of the data or permitted by law.

11. California And U.S. State Notice At Collection

Residents of California and certain other U.S. states may have additional rights under applicable privacy laws, including the right to know or access categories and specific pieces of personal information, delete personal information, correct inaccurate personal information, opt out of sale, sharing, targeted advertising, certain profiling, or certain automated decision-making, limit certain uses of sensitive personal information, receive non-discriminatory treatment, and appeal certain decisions. For the 12 months before the Last modified date above, the categories of personal information we may have collected are described below. Sources, purposes, disclosures, and retention are described in Sections 2 through 8. We do not sell personal information for money. As of the Last modified date above, we do not share personal information for cross-context behavioral advertising and do not process personal information for targeted advertising. We disclose personal information for business purposes to the categories of recipients described in Section 6.
  • Identifiers: wallet address, Hedera account ID, public key, API client ID, session ID, legal acceptance event ID, email or handle you provide. Purposes include authentication, legal acceptance, support, security, compliance, dispute handling, and Service operation. Retention is described in Section 8.
  • Internet or electronic network activity: IP address, user agent, endpoint logs, WebSocket logs, usage events, cookie or local storage identifiers, app or analytics identifiers. Purposes include Service operation, security, analytics, abuse prevention, reliability, and legal acceptance. Retention is described in Section 8.
  • Commercial and transaction information: orders, order status, fills, cancellations, expirations, fees, Settlement references, transaction IDs, API usage, and order history. Purposes include Orderbook operation, Settlement support, order history, reconciliation, security, disputes, and compliance. Retention is described in Section 8.
  • Approximate geolocation: approximate location derived from IP address or acceptance location signal. Purposes include geoblocking, sanctions, abuse prevention, security, and legal compliance. We do not intentionally request precise geolocation unless separate notice and required controls are provided.
  • Inferences and risk signals: wallet-risk, fraud, abuse, sanctions, market-manipulation, reliability, compliance, or strategy inferences. Purposes include security, sanctions, fraud and abuse prevention, market-integrity risk controls, legal compliance, and Service reliability.
  • Sensitive personal information where applicable: precise geolocation if ever collected, government ID, biometric information, criminal-history information, special-category data, or other sensitive data only if you provide it or where required for legally permitted compliance, security, support, legal process, fraud prevention, or similar purposes. We do not use sensitive personal information to infer characteristics except where permitted by law.
If we use sensitive personal information in a way that gives you a right to limit its use or disclosure, we will provide a “Limit the Use of My Sensitive Personal Information” or equivalent mechanism. If we begin any sale, sharing, targeted advertising, or use of advertising technologies that requires opt-out controls, we will provide a “Do Not Sell or Share My Personal Information” or equivalent mechanism in the website footer, privacy settings, cookie controls, or another legally compliant location before enabling that processing. We honor recognized opt-out preference signals, including Global Privacy Control, for users in applicable jurisdictions. If we have actual knowledge that a user is under 16, we will not sell or share that user’s personal information or use it for targeted advertising unless applicable law permits it and the required opt-in or parental consent has been obtained. Authorized agents may submit requests where permitted by law. We may require signed authorization, proof of authority, identity verification, and direct confirmation from the user where permitted by law. We may use automated or assisted tools to classify wallet-risk, sanctions, restricted-jurisdiction, geolocation/geoblocking, fraud, abuse, API-abuse, and market-integrity signals. The consequences may include blocked access, delayed orders, rejected orders, rate-limited API access, disabled API keys, denied protected endpoints, or manual review. The main factors may include wallet or account identifiers, transaction and order patterns, IP-derived approximate location, device and network signals, sanctions or restricted-party data, blockchain analytics, and abuse or security signals. Where applicable law gives you rights related to automated decision-making or profiling, you may request human review, contest the decision, express your point of view, and obtain information about the decision by contacting [email protected].
This Section is intended to cover applicable U.S. state privacy laws, including California, Colorado, Connecticut, Virginia, Texas, Montana, Oregon, Delaware, Iowa, Indiana, Tennessee, and other state laws where they apply. State-specific rights may vary.

12. International Transfers

We are based in the United States and may process information in the United States and other countries. Those countries may have data protection laws different from those in your jurisdiction and may allow government, law-enforcement, national-security, or regulatory access under local law. Where required for transfers from the EEA, UK, or Switzerland to countries without an adequacy decision, we use appropriate transfer mechanisms. For processor transfers, these may include the European Commission Standard Contractual Clauses controller-to-processor module, the UK International Data Transfer Addendum or International Data Transfer Agreement, the Swiss addendum or Swiss-law adaptations, and transfer impact assessments where required. For controller-to-controller transfers, these may include the applicable controller-to-controller Standard Contractual Clauses module and related safeguards. Where a provider participates in the EU-U.S., UK Extension, or Swiss-U.S. Data Privacy Framework and we rely on that participation, we verify that the certification appears current before onboarding and periodically thereafter. Transfer impact assessments support SCC-based transfers; they are not treated as a standalone transfer mechanism. Public blockchain and Hedera network infrastructure, HCS consensus records, mirror nodes, explorers, RPC providers, wallets, validators, and other network participants may be operated from or accessible in multiple jurisdictions. Transfers inherent in your use of public or third-party network infrastructure may be outside our control. Users in countries with data localization, transfer, or cross-border processing rules may have additional rights or restrictions. We assess and apply those rules where they apply to our controlled processing. You may request information about, or a copy of, applicable transfer safeguards by contacting [email protected].

13. Children

The Services are not intended for children or minors. You may not use the Services if you are under 18. We do not knowingly collect personal information from children under 13, under 16 for GDPR-scope users unless a lower member-state age applies, or under the minimum age of digital consent in the applicable jurisdiction. We rely on eligibility representations, legal acceptance controls, and other reasonable measures appropriate to the Services to help prevent underage use, but those measures are not perfect. If we learn that we collected personal information from a child in violation of applicable law, we will take reasonable steps to delete or restrict that information promptly. Any retention of such information will occur only if required by law or approved for a specific legal, safety, or compliance reason. If you believe a child has provided personal information to us, contact us at [email protected].

14. Third-Party Services

The Services may link to or interoperate with Third-Party Services. Third-Party Services have their own privacy practices. We are not responsible for those practices. You should review the privacy policies and terms of Third-Party Services before using them. When you connect or use a wallet, the wallet provider may receive information about your interaction with the Services, including site URL, session context, transaction data, wallet address, and signed messages. Wallet provider data practices are outside our control. When you submit transactions, orders, or network calls, RPC providers, mirror nodes, indexers, explorers, public networks, and validators may receive transaction data, wallet addresses, metadata, and network calls. This processing may occur independently of SaucerSwap Labs and may be public, immutable, or globally accessible. If you interact with us through Discord, Telegram, X, email, support forms, bug-bounty platforms, app stores, wallets, or other community or support channels, we may process your handle, profile information visible in that channel, message contents, attachments, timestamps, moderation signals, support history, security-report details, and related operational metadata. Those channels may be operated by third parties with their own privacy practices, and public or shared-channel messages may be visible to others. SaucerSwap Labs personnel, moderators, contractors, or service providers may monitor, screenshot, log, preserve, or use community-channel messages for support, moderation, compliance, investigation, security, market-integrity risk controls, dispute handling, or legal purposes where permitted by law and platform rules. 
Current third-party provider categories may include hosting and cloud infrastructure, analytics and measurement, error monitoring, security, compliance and sanctions screening, blockchain analytics, geolocation or geoblocking, RPC and network infrastructure, mirror nodes and indexers, wallets, communications, support, bug-bounty administration, professional advisers, and community platforms. Where applicable law requires named provider or sub-processor information, we provide it through a linked notice, privacy or legal page, contract notice, or request process.

15. Changes To This Privacy Policy

We may update this Privacy Policy from time to time. We will update the “Last modified” date when we do. Material privacy changes include changes that materially affect categories of personal information collected, purposes of processing, legal bases, retention periods, recipient categories, sale, sharing, targeted advertising, profiling, automated decision-making, international transfer mechanisms, privacy rights, or other processing that a reasonable user would consider important. For material privacy changes, we will provide additional notice, re-notification, renewed acknowledgment, or consent where required by applicable law. For purely editorial, formatting, clarification, or non-material updates, we may post the updated Policy without separate re-notification where applicable law permits it. Where consent is required for new or changed processing, we will obtain consent before beginning that processing and will provide a way to withdraw consent. If you withdraw consent or do not provide required consent, the affected non-essential processing will not occur, but core Services may continue where another legal basis applies. We may maintain prior versions, version identifiers, document hashes, or acceptance records to identify which Policy version applied at a given time. Where required or appropriate, we may provide access to prior versions through a “Previous versions” notice, legal page, request process, or acceptance record.

16. Contact

If you have questions or requests, contact:
SaucerSwap Labs, Inc.
Attn: Legal
63 Federal Street, Unit #349
Portland, ME 04101
Email: [email protected]
Privacy rights, legal, and security requests may be sent to [email protected]. For security reports, include “Security” in the subject line or use any published bug-bounty or security-reporting channel. As of the Last modified date above, SaucerSwap Labs has not identified a Data Protection Officer in this Policy. If a DPO is appointed or required for a covered Service, we will identify the DPO’s contact details in this Policy or a linked notice. If an EU or UK representative is required for a covered Service, we will identify the representative’s contact details in this Policy or a linked notice before intentionally offering that covered Service in the relevant scope.