Privacy policy

Poly Syncer is privacy-first by design. This policy explains exactly what we do and, more importantly, do not collect when you use the service.

Last reviewed · Poly Syncer legal review

We are privacy-first. We do not collect emails, names, or KYC data. We do not track behaviour. We do not sell or share data — because we do not collect it. The minimum amount of information that touches our infrastructure is described below, and most of it disappears within seven days.

This template is provided for transparency and is not a substitute for legal counsel. Poly Syncer is a non-custodial copy-trading service for Polymarket. The architecture was designed so that the service can run with as little personal data as technically possible. This policy describes the data the service does and does not handle, the legal bases for processing, the rights of data subjects under regulations such as the EU GDPR and California CCPA, and how to exercise those rights.

1. What we do not collect

The most important section in this policy is the list of things Poly Syncer does not collect. By design, the service does not request, receive, or store:

  1. Email addresses. Sign-up is wallet-based. There is no field for an email anywhere in the product.
  2. Real names, dates of birth, government-issued identifiers, or any other Know-Your-Customer (KYC) data.
  3. Phone numbers, postal addresses, or any contact information beyond the optional inbound message you choose to send through the contact page.
  4. Behavioural analytics, session replay, heatmaps, mouse tracking, scroll-depth telemetry, or third-party advertising pixels. There is no Google Analytics, no Meta Pixel, and no programmatic ad SDK on the site.
  5. Cross-site tracking identifiers, fingerprints, advertising IDs, or anything that would let us follow a visitor across other websites.
  6. Wallet balances, transaction history, or holdings beyond what is strictly required to evaluate a copy-trade signal in memory at the moment of execution.

The reason we do not sell or share personal data with advertisers, brokers, or any other third party is straightforward: we never received it in the first place.

2. What minimal data we do process

A non-custodial trading service still has to talk to the network and bill paying customers. The data points below are the entirety of what the service processes.

Wallet address

When you connect a wallet, the public address is sent to our backend so the service can listen for the on-chain authorizations you sign and submit the resulting trades. The wallet address is the only identifier associated with your account. It is processed under the legal basis of contractual necessity (GDPR Art. 6(1)(b)) — without it, the service cannot function.

EIP-712 authorizations and trade metadata

When you sign an EIP-712 trade authorization, the signed payload, the leader wallet you copied, and the resulting on-chain transaction hash are stored so we can show you a history of mirrored trades and so we can reconstruct what happened in the event of an incident. These records are stored for as long as the account is active and may be deleted on request, subject to applicable record-keeping obligations described in section 4 of the AML policy.

IP address — for rate-limiting only

Inbound HTTP requests pass through our edge layer, which uses the source IP address to enforce rate limits and to defeat denial-of-service attacks. The IP is held in a volatile rate-limit cache for a rolling 60-minute window and is not joined to wallet addresses, billing identifiers, or any other persistent record. After the 60-minute window, the IP is gone.

Billing data — handled by Stripe

If you pay by card, the card data is collected, processed, and stored by Stripe. Poly Syncer never sees the card number. The only billing artefact retained on our side is a Stripe customer reference and the wallet address it is bound to. If you pay in USDC or USDT, no billing data is collected at all — the on-chain transaction is the receipt.

3. Cookies

Poly Syncer sets a small number of strictly necessary cookies — a session cookie and a theme preference cookie — and no analytics or advertising cookies. The full list, including names, purposes, and durations, is published on the cookie policy page. You can disable cookies at any time through your browser settings; the panel will continue to work, although the theme preference will reset to the default on each visit.

4. Logs and retention

Operational logs (HTTP access logs, error traces, RPC timing samples) are retained for seven (7) days and then deleted automatically by the log pipeline. The seven-day window exists so that the on-call engineer can debug an incident that happened over a weekend; we do not need it for any other purpose.

Trade history records (wallet, leader, payload, transaction hash) are retained for the lifetime of the account so that the user can see what was copied. When an account disconnects all wallets and ceases activity for ninety (90) days, the trade history is anonymised — leader and payload data are kept for aggregate analytics, but the link to the user's wallet is removed.

5. Third parties

Poly Syncer uses the following third-party processors. None of them receive personal data beyond the narrow purposes listed.

  1. Polygon RPC providers (premium endpoints used to read Polymarket state and submit transactions). They see wallet addresses and transaction payloads — the same information that is already public on-chain.
  2. Stripe (card billing). Stripe operates as an independent controller for the card data it processes. See Stripe's privacy notice for details on its handling.
  3. Cloud infrastructure provider (compute, storage, and edge networking). Operates as a processor under a standard data-processing addendum.
  4. Sanctions list providers (OFAC SDN, EU consolidated, UK HMT, UN). The list data flows from the provider to us; no personal data flows back.

We do not use marketing automation tools, customer-data platforms, ad networks, or behavioural analytics vendors. The list above is exhaustive.

6. Your rights

Users in the European Economic Area, the United Kingdom, and Switzerland have rights under the General Data Protection Regulation, including:

  1. The right to access the personal data we process about them.
  2. The right to rectification of inaccurate personal data.
  3. The right to erasure ("right to be forgotten") of personal data, subject to legal record-keeping obligations.
  4. The right to restriction of processing.
  5. The right to data portability, where the processing is based on consent or contract and is carried out by automated means.
  6. The right to object to processing carried out under legitimate interest.
  7. The right to lodge a complaint with a supervisory authority.

Users in California have rights under the California Consumer Privacy Act and California Privacy Rights Act, including the right to know what personal information is collected, the right to delete, the right to correct, and the right to opt out of sale or sharing of personal information. Poly Syncer does not sell or share personal information for cross-context behavioural advertising.

To exercise any of these rights, send a request through the contact page. Because the only persistent identifier we have is a wallet address, requests must be made from that wallet — typically by signing a verification message that proves control of the address.

7. Children

Poly Syncer is not directed at, and is not intended for use by, individuals under the age of eighteen (18). We do not knowingly process personal data of minors. If a parent or guardian becomes aware that a minor has connected a wallet to the service, they may request immediate disconnection and deletion through the contact page.

8. Changes to this policy

This policy is reviewed at least annually and whenever a material change is made to how the service handles data. The "last reviewed" date at the top of the page reflects the most recent revision. Material changes are announced in the changelog.

9. Contact

Privacy questions can be sent through the contact page. Related documents include the cookie policy, the terms of service, the AML and sanctions policy, and the security overview.