Legal

Privacy Policy

Last updated: July 2026

This policy explains what personal data we process when you use openflow.network, why we process it, and what rights you have. We do not require accounts, names, or email addresses to use the site.

1. Data we process

The table below lists each category of data, its source, purpose, and the legal basis we rely on under GDPR. We do not use data for advertising or profiling, and we do not knowingly process data of children.

DataPurposeLegal basis (GDPR)
Wallet address + order parameters (side, size, price, expiry, schedule)Store standing limit/DCA instructions and execute them when triggered; display open ordersPerformance of a contract (Art. 6(1)(b)) — pending counsel confirmation
Wallet address + swap detailsRecord the swap; attribute protocol and integrator feesPerformance of a contract; legitimate interests (fee accounting)
IP addressRate limiting (10 req/s per IP), abuse prevention, securityLegitimate interests (Art. 6(1)(f))
Usage analytics (page views, referrer, device class, coarse geography)Aggregate site usage understanding via Vercel AnalyticsLegitimate interests or consent — pending counsel determination on ePrivacy
Wallet address entered on the portfolio pageShow open orders associated with that addressLegitimate interests

2. Wallet data and blockchain transparency

Wallet addresses can be personal data where they can be linked to you. Open limit orders are queryable by wallet address on the portfolio page — anyone who knows your address can see associated open orders. Do not place orders from a wallet whose association with your identity you wish to keep private. Trades executed on public blockchains are publicly visible independent of OpenFlow.

3. Cookies and analytics

We use Vercel Analytics, which is designed to work without cookies and without persistent cross-site identifiers. It collects page views and technical metadata to derive aggregate statistics. The site does not set advertising or cross-site tracking cookies. Whether Vercel Analytics requires opt-in consent under ePrivacy rules in marketed EU member states is pending counsel determination — a consent mechanism will be implemented if required.

4. Processors and recipients

We use the following service providers: Vercel (web hosting and analytics), Amazon Web Services (backend compute, container registry, secrets management), Supabase (managed Postgres database), and public Solana RPC providers or Helius (blockchain read/submit). Each acts under contract as a processor where applicable. We may disclose data if required by law or in a corporate transaction. We do not sell personal data.

5. International transfers

Our providers may process data in the United States and other countries. Where GDPR applies, transfers rely on adequacy decisions or Standard Contractual Clauses — the specific mechanism per provider will be confirmed once data-processing agreements are in place.

6. Retention

Open limit and DCA orders are retained until executed, cancelled, or expired. Executed and cancelled order and swap records are retained for the period required for fee accounting and applicable audit obligations (specific periods to be set with counsel). IP-based rate-limit counters are transient. Analytics data is retained in aggregate form per Vercel's retention policy. A formal retention schedule and deletion mechanism are pending implementation.

7. Your rights

Depending on where you live, you may have rights to access, rectify, erase, restrict, or object to processing, to data portability, and to withdraw consent. We cannot erase data recorded on public blockchains. You may also complain to your data-protection authority.

8. Contact

To exercise your rights or ask questions, use our support page and include the wallet address concerned. We may ask you to prove control of the wallet before acting on a request.

9. Security

Backend secrets are stored in a managed secrets service and access to production systems is restricted. No internet service is perfectly secure; use of the site is at your own risk.

10. Changes

We will post changes on this page with an updated effective date and, for material changes, provide additional notice where required by law.

11. Controller identity

The data controller is the OpenFlow operating entity (pending formation — see the Imprint page). Until the entity is formed, use the support page for privacy enquiries.

Terms of ServiceRisk Disclosures