Privacy Policy.

Overview

This Privacy Policy describes how Synthetics Inc (“Azal”, “we”, “us”) collects, uses, retains, discloses, and protects information when you interact with azal.ai, the trading terminal, the Discord and Telegram bots, the public API, or any other surface we operate.

We collect the information needed to operate, secure, and improve the service. Because the platform routes real funds to third-party venues and is a target for abuse and fraud, we keep activity and security records for every visitor, including before you sign in.

By accessing the service you accept the collection and use described in this policy. The notice shown on your first visit is your acknowledgement that you have read — or had the opportunity to read — these disclosures.

Information We Collect Automatically

When you connect to any Azal surface — the landing page, a legal page, the terminal, or an API endpoint — we collect the following without requiring you to sign in:

• Device & network information. Your IP address and the approximate location derived from it (country, region, and city); network and connection characteristics; and your browser, operating system, and device characteristics. We use device and browser characteristics to recognise your device across visits and to detect abuse.
• Activity & usage information. The pages and features you use, the requests you make, referring pages, timestamps, and similar diagnostic information. We may also record session activity, including on-page interactions, to operate, secure, and troubleshoot the service.
• Marketing attribution. Where you arrived from, including campaign, referral, and similar parameters.
• Cookies & local storage. We use cookies and browser storage to maintain your session, remember your preferences, recognise returning visitors, and secure the service.
• Reports your browser sends. Security (content-policy) reports and client-side error reports that help us keep the service working and safe.

This information is associated with your visitor or account record and is accessible to authorised personnel for operational, security, support, and product purposes.

Information We Collect When You Sign In

When you authenticate and claim a username, we begin attributing your activity to a persistent account. Additional information includes:

• Account identity. Your account identifier, the sign-in method you used (such as email, social, wallet, or passkey) and its associated identifier, and any linked Discord, Telegram, or X identities.
• Wallet addresses. Both any platform-provided wallet and any external wallet you connect.
• Profile & preferences. Your username, avatar, tier and permission flags, and the settings you configure (notifications, trading defaults, watchlists, follow sets, blocked users, and similar).
• Activity history. A record of the pages, devices, and networks associated with your account, used for security and abuse prevention.
• Azal Copilot. The messages you send, the assistant’s responses, related market and portfolio context surfaced by Copilot tools, and Copilot memory, stored under your account. We also keep aggregate quality signals to measure and improve answers.

We may link activity across different devices, browsers, and sessions that appear to belong to the same person, so that your account reflects a single, consistent record.

Trading & On-Chain Data

When you place an order through Azal, we capture data tied to the trade lifecycle:

• Order & signing data. The order parameters and the signature your wallet produced, submitted to the venue and retained in our audit records so a future support request can reconstruct exactly what you signed and when.
• Builder attribution. Orders routed through Azal carry our builder code; the resulting rebate is aggregated for our internal reporting.
• Custodial-wallet keys (opt-in only). If you opt into the custodial trading wallet, we generate a key on your behalf and store it encrypted at rest. It is decrypted in-process only at the moment a signature is required, and is never logged.
• Position & settlement state. The lifecycle of your orders and positions, settlement events observed on-chain, and the resulting profit and loss.
• Deposits & withdrawals. Addresses and on-chain transaction events.

All on-chain transactions you sign are public on the underlying blockchain. Anyone can read them; the wallet you trade from is pseudonymous, not private. Linking that wallet to your real identity is your decision.

Cookies, Sessions & Local Storage

We use a small number of cookies and browser-storage entries to run the service: session cookies set by our authentication provider after you sign in; a server-signed access cookie where applicable; an anonymous visitor identifier used to associate your pre-sign-in activity with your account once you authenticate; and the preference and session keys described in § 2. You can clear these via your account settings or by clearing site data in your browser.

How We Use Information

• Operate the service. Route orders, display positions, send notifications, and render the product.
• Secure the service. Abuse mitigation, rate limiting, fraud and sanctions screening, multi-account detection, and incident response.
• Comply with law. Respond to lawful requests, court orders, sanctions obligations, and regulator inquiries.
• Improve the service. Understand how the product is used so we can prioritise and refine it.
• Communicate with you. Trade and settlement events, alerts you opted into, security notices, and policy updates.
• Aggregate analytics. De-identified, aggregated metrics reported internally and to investors.

Legal Bases (UK / EU users)

Where the UK GDPR, EU GDPR, or an analogous regime applies, we rely on the following legal bases:

• Contract — processing necessary to deliver the service you asked for.
• Legal obligation — sanctions and AML obligations and retention of trading records.
• Legitimate interests — preventing abuse, securing the platform, and improving the product, balanced against your interests.
• Consent — where required, for example certain non-essential cookies and marketing communications.

Sharing & Third-Party Recipients

We do not sell personal data. We share information with the following categories of recipient, only as necessary:

• Infrastructure & hosting providers that run our compute, storage, and databases.
• Identity & authentication providers.
• Trading venues and blockchain infrastructure used to route and settle your orders.
• Security, fraud-prevention, and network-intelligence providers that help us assess IP and network reputation and deliver operational alerts.
• Analytics & observability providers that help us monitor performance and errors.
• AI model providers that process Copilot requests to generate responses. We do not send wallet private keys or custody secrets to these providers.
• Communication surfaces (Discord, Telegram) where you interact with us through them.
• Law enforcement & regulators in response to lawful requests or where necessary to protect rights, property, or safety.
• Successors in a merger, acquisition, financing, or similar transaction, subject to confidentiality protections.

A current list of the specific providers we use is available on request.

Retention

We retain account, security, and trading records for as long as needed to operate the service, prevent and investigate abuse, comply with legal and accounting obligations, and resolve disputes — in some cases indefinitely. Less critical operational data is retained for shorter periods, and server logs and backups cycle on our providers’ rolling windows. When you ask us to delete data, we honour the request in primary storage and it propagates to backups as they cycle, except where we are required or permitted to retain it.

Your Rights

Depending on your jurisdiction (UK GDPR, EU GDPR, California CCPA / CPRA, Virginia VCDPA, and similar) you may have the right to access, correct, delete, restrict, or object to the processing of your data, to data portability, to withdraw consent, and to opt out of sale or sharing (we do not sell personal data). Some data must be retained for security, compliance, or trade and accounting reasons even after an account-closure request; a legal erasure request is reviewed separately.

To exercise any of these rights, email privacy@azal.ai from the email associated with your account. We aim to respond within 30 days. You may also lodge a complaint with your local supervisory authority (for example, the ICO in the UK).

International Transfers

Synthetics Inc is incorporated in Delaware, USA, and our infrastructure runs principally in US-based regions. If you access the service from outside the United States, your data will be transferred to, stored in, and processed in jurisdictions whose data-protection laws may differ from those of your home country. Where required, we rely on Standard Contractual Clauses or equivalent transfer mechanisms.

Security

We implement controls proportionate to the financial surface we operate, including TLS-only transport with HSTS, per-route security headers, HTTP-only secure session cookies, CSRF protection on mutating endpoints, encryption of custodial keys at rest, gated and audited admin access, and rate limiting and abuse detection across the gateway and public APIs.

No system is perfectly secure. If you believe you have discovered a vulnerability, please email security@azal.ai rather than disclosing publicly.

Children

The service is not directed to children under 18, and we do not knowingly collect personal data from them. If you believe a child has provided personal data to us, email privacy@azal.ai and we will delete it.

Changes & Contact

We may update this Privacy Policy. Material changes will be announced with reasonable advance notice via our announcement channel and / or an email to the address on file, and the effective date at the top of this page will be updated.

Synthetics Inc · Delaware, USA.

Privacy requests: privacy@azal.ai.
Security disclosures: security@azal.ai.
General legal: legal@azal.ai.