Privacy Policy

Your privacy is important to us. This policy explains how we collect, use, and protect your data.

Last updated: February 12, 2025

Effective Date: February 12, 2025

1. Introduction

Welcome to Sindex AI ("Company," "we," "us," or "our"). We are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, store, and protect your information when you access or use our website at sindex.io, our mobile applications (available on Android via Google Play and iOS via the Apple App Store), our Telegram bot, and all related services (collectively, the "Service").

This Privacy Policy applies to all users of the Service worldwide and is designed to comply with applicable privacy and data protection laws, including but not limited to:

  • The General Data Protection Regulation (GDPR) — for users in the European Economic Area (EEA);
  • The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) — for California residents;
  • Google Play Developer Policy;
  • Apple App Store Review Guidelines and Apple Developer Program License Agreement;
  • Other applicable regional and international data protection laws.

By using the Service, you acknowledge that you have read, understood, and agree to the collection and use of your information as described in this Privacy Policy. If you do not agree with this policy, please do not use the Service.

2. Information We Collect

We collect information in several ways, depending on how you interact with the Service:

2.1 Information You Provide Directly

| Data Category | Specific Data | Purpose |
|---|---|---|
| Account Data | Email address, first name, last name, password (hashed), profile picture | Account creation and management |
| Social Login Data | Google ID, Apple ID, Facebook ID, Twitter ID, associated email, name, and profile picture from the provider | Authentication via social login |
| Phone Number | Phone number (if provided for additional verification) | Optional phone verification and recovery |
| Portfolio Data | Portfolio holdings (coin symbols, amounts, purchase prices), portfolio names | Portfolio tracking and analysis |
| Exchange API Keys | API key and secret (encrypted at rest) for supported exchanges like Binance | Portfolio sync and balance reading |
| Strategy Data | Custom trading strategy configurations, backtest parameters and results, strategy signal history | Algo Forge strategy building and backtesting |
| AI Conversations | Text and voice messages sent to the AI Chat Assistant, conversation history, and AI-generated strategies | Providing AI assistant functionality and conversation history |
| Preferences | Theme preference, language, timezone, favorite symbols/coins, favorite channels, notification preferences | Personalizing your experience |
| Support Data | Information you provide when contacting us for support or feedback | Responding to inquiries and resolving issues |

2.2 Information Collected Automatically

| Data Category | Specific Data | Purpose |
|---|---|---|
| Device Information | Device type, operating system (Android/iOS), app version, device identifier, platform | App compatibility, debugging, and analytics |
| Network Data | IP address, browser type and version (for web access), user agent | Security, fraud prevention, and session management |
| Session Data | Login timestamps, last active time, session device name, session IP address | Account security and session management |
| Push Notification Tokens | Firebase Cloud Messaging (FCM) device tokens | Delivering push notifications |
| Usage Data | Features accessed, screens viewed, interaction patterns, AI credit usage, backtest frequency | Improving the Service, analytics, and usage tracking |
| Crash Data | Crash logs, error reports, stack traces (via Firebase Crashlytics) | Bug fixing and improving app stability |
| Install Attribution | Install source (utm_source), campaign, medium, referrer URL, install timestamp | Marketing analytics and campaign measurement |

2.3 Payment and Transaction Data

When you make purchases through the Service, we collect:

  • Transaction records: Order IDs, payment IDs, transaction amounts, currency, billing cycle, payment method, status, and timestamps;
  • Payment tokens and receipt data: As provided by Google Play, Apple App Store, or other payment processors;
  • Cryptocurrency payment data: Payment addresses and transaction references (when applicable);
  • RevenueCat ID: Cross-platform subscription management identifier.

Important: We do not store your credit card numbers, bank account details, or full payment card information. All payment processing for in-app purchases is handled by Google Play, Apple App Store, or other third-party payment processors. We only receive transaction confirmations and receipts.

2.4 Information We Do NOT Collect

We want to be clear about what we do not collect:

  • ❌ We do not collect or store your cryptocurrency wallet private keys or seed phrases;
  • ❌ We do not collect credit card numbers or full payment card information;
  • ❌ We do not collect precise GPS location data;
  • ❌ We do not access your device contacts, photos, or files;
  • ❌ We do not record or store your voice data beyond the transcription process (audio is not retained after transcription);
  • ❌ We do not sell your personal data to third parties.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Delivery and Core Functionality

  • Creating and managing your account;
  • Providing access to features including trading signals, market data, AI chat, Algo Forge, and portfolio management;
  • Processing subscriptions and in-app purchases;
  • Delivering push notifications for signals, alerts, and system messages;
  • Syncing your portfolio with connected exchange accounts;
  • Storing and displaying your AI chat conversation history;
  • Managing your custom strategies and backtest results;
  • Personalizing content and features based on your preferences.

3.2 Security and Fraud Prevention

  • Authenticating your identity and managing sessions;
  • Detecting and preventing fraudulent activities, abuse, and unauthorized access;
  • Enforcing login attempt limits and account lockout protections;
  • Verifying payment transactions and preventing duplicate purchases;
  • Maintaining two-factor authentication (2FA) and backup codes.

3.3 Communication

  • Sending service-related emails (account verification, password resets, security alerts);
  • Responding to your support inquiries and feedback;
  • Sending promotional communications (with your consent, where required by law);
  • Notifying you of changes to our Terms, Privacy Policy, or Service.

3.4 Analytics and Improvement

  • Analyzing usage patterns to improve the Service;
  • Diagnosing technical issues and fixing bugs (via crash reports);
  • Understanding which features are most popular and valuable;
  • Measuring the effectiveness of marketing campaigns and install sources;
  • Conducting aggregate, anonymized research and analysis.

3.5 Legal Compliance

  • Complying with applicable laws, regulations, and legal processes;
  • Responding to lawful requests from law enforcement or regulatory authorities;
  • Protecting our rights, property, and safety, and those of our users.

4. Legal Basis for Processing (GDPR Users)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:

  • Contract Performance (Art. 6(1)(b) GDPR): Processing necessary to provide the Service you have subscribed to, including account management, payment processing, and feature delivery.
  • Legitimate Interests (Art. 6(1)(f) GDPR): Processing for our legitimate interests in improving the Service, preventing fraud, ensuring security, and conducting analytics — provided these interests do not override your fundamental rights.
  • Consent (Art. 6(1)(a) GDPR): Where we rely on your consent, such as for sending marketing communications, using non-essential cookies, or processing certain optional data. You may withdraw consent at any time.
  • Legal Obligation (Art. 6(1)(c) GDPR): Processing necessary to comply with applicable laws and regulations.

5. How We Share Your Information

We do not sell your personal data to third parties. We may share your information only in the following circumstances:

5.1 Service Providers and Third-Party Processors

We share data with trusted third-party service providers who assist us in operating the Service. These providers process data only on our behalf and in accordance with our instructions:

| Provider | Data Shared | Purpose |
|---|---|---|
| Google Firebase | Device tokens, crash data, usage analytics, authentication data | Authentication, push notifications, crash reporting, analytics |
| Google Play / Apple | Purchase tokens, receipt data, subscription status | Payment processing and subscription verification |
| RevenueCat | User ID, subscription status, purchase history | Cross-platform subscription management |
| OpenAI / AI Providers | AI chat messages, voice transcription audio (temporarily) | AI-powered chat and voice transcription features |
| Cryptocurrency Exchanges | API keys (used to read-only fetch data from the exchange) | Portfolio syncing |
| Telegram | Telegram user ID (for users who use the Telegram bot) | Telegram bot service functionality |

5.2 Legal and Regulatory Disclosures

We may disclose your information if required to do so by law or if we believe in good faith that disclosure is necessary to:

  • Comply with a legal obligation, court order, or subpoena;
  • Protect and defend the rights or property of Sindex AI;
  • Prevent or investigate possible wrongdoing, fraud, or security issues;
  • Protect the personal safety of users or the public.

5.3 Business Transfers

If Sindex AI is involved in a merger, acquisition, reorganization, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you via in-app notification and/or email before your personal data is transferred and becomes subject to a different privacy policy.

5.4 Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you. This may include general usage statistics, market trend analyses, and research data.

6. Data Security

We implement industry-standard technical and organizational security measures to protect your personal data, including:

  • Encryption: Passwords are hashed using bcrypt. Exchange API keys are encrypted at rest. Data in transit is protected using TLS/HTTPS encryption.
  • Access Controls: Server access is restricted to authorized personnel. Database access is controlled and monitored.
  • Authentication Security: JWT-based authentication with token refresh, login attempt rate limiting, automatic account lockout after failed attempts, two-factor authentication support (TOTP-based), and backup recovery codes.
  • Session Management: Active session tracking with the ability to view and revoke sessions from other devices.
  • Secure Storage: Sensitive data on your device is stored using Flutter Secure Storage (Keychain on iOS, Keystore on Android).
  • Infrastructure: Our servers are hosted in secure data centers with appropriate physical and environmental protections.

While we strive to protect your personal data, no method of electronic storage or transmission over the Internet is 100% secure. We cannot guarantee absolute security but will promptly notify affected users and relevant authorities in the event of a data breach, as required by applicable law.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including satisfying any legal, accounting, or reporting requirements.

| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion is requested, plus a reasonable period for processing |
| Transaction records | Up to 7 years (or as required by applicable financial and tax regulations) |
| AI conversation data | Until you delete them, or upon account deletion |
| Strategy and backtest data | Until you delete them, or upon account deletion |
| Crash and analytics data | Up to 90 days (Firebase defaults) |
| Session data | Until session expiration or logout |
| Install attribution data | Up to 2 years |
| Expired notifications | Automatically cleaned up periodically |

When data is no longer needed, it is securely deleted or anonymized so that it can no longer be associated with you.

8. Your Rights and Choices

Depending on your location and applicable law, you may have the following rights regarding your personal data:

8.1 Rights Under GDPR (EEA/UK Users)

  • Right of Access (Art. 15): Request a copy of your personal data we hold.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data. You can update your profile directly in the app.
  • Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"). You can delete your account through the app settings.
  • Right to Data Portability (Art. 20): Request your data in a structured, commonly used, machine-readable format.
  • Right to Restrict Processing (Art. 18): Request restriction of processing of your personal data under certain circumstances.
  • Right to Object (Art. 21): Object to processing based on legitimate interests or direct marketing.
  • Right to Withdraw Consent: Withdraw your consent at any time where processing is based on consent.
  • Right to Lodge a Complaint: Lodge a complaint with your local data protection authority.

8.2 Rights Under CCPA/CPRA (California Residents)

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we collect about you.
  • Right to Delete: Request deletion of personal information we have collected.
  • Right to Opt-Out of Sale: We do not sell your personal information. However, you have the right to opt out if this ever changes.
  • Right to Non-Discrimination: You will not be discriminated against for exercising any of your CCPA rights.
  • Right to Correct: Request corrections to inaccurate personal information.
  • Right to Limit Use of Sensitive Personal Information: Where applicable.

8.3 Your In-App Controls

You can exercise many of your rights directly within the app:

  • ✏️ Edit Profile: Update your name, email, and profile picture;
  • 🗑️ Delete Account: Permanently delete your account and associated data;
  • 💬 Delete AI Conversations: Delete individual AI chat conversations;
  • 🔔 Notification Preferences: Manage push notification and email preferences;
  • 📱 Session Management: View and revoke active sessions on other devices;
  • 🔑 Exchange API Keys: Add, update, or remove connected exchange API keys;
  • ⚙️ Preferences: Change theme, language, and timezone settings.

8.4 How to Submit a Request

To exercise any of your privacy rights not available through in-app controls, please contact us at support@sindex.io with the subject line "Privacy Request." We will respond to your request within 30 days (or as required by applicable law). We may verify your identity before processing your request.

9. International Data Transfers

Your data may be transferred to, stored, and processed in countries other than your country of residence. These countries may have data protection laws that differ from those in your jurisdiction.

When we transfer data internationally, we implement appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission;
  • Ensuring the receiving country provides an adequate level of data protection;
  • Data processing agreements with all third-party service providers.

By using the Service, you consent to the international transfer of your data as described in this Privacy Policy.

10. Children's Privacy

The Service is not intended for individuals under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal data from children under 18. Cryptocurrency trading is inherently risky and is not suitable for minors.

If we discover that we have inadvertently collected personal data from a child under 18, we will promptly delete such data from our systems. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at support@sindex.io.

11. Cookies and Tracking Technologies

11.1 Website

Our website may use cookies and similar tracking technologies to enhance your browsing experience. These may include:

  • Essential Cookies: Required for the website to function properly;
  • Analytics Cookies: Help us understand how visitors interact with the website;
  • Preference Cookies: Remember your settings and preferences.

You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of the website.

11.2 Mobile App

Our mobile app uses:

  • Firebase Analytics: For app usage analytics and crash reporting. You can learn about Google's privacy practices at Google Privacy Policy.
  • Firebase Crashlytics: For collecting crash reports and diagnostic information to improve app stability.
  • Shared Preferences & Secure Storage: For storing local preferences and sensitive data securely on your device.

12. Do Not Track Signals

Some browsers transmit "Do Not Track" (DNT) signals. We currently do not respond to DNT signals, as there is no universal standard for recognizing and implementing these signals. We will update this Privacy Policy if standards are established and we adopt a practice of responding to DNT signals.

13. App Store Data Safety Information

In accordance with Google Play's Data Safety requirements and Apple's App Privacy requirements, this section summarizes how we collect, share, and handle data in the mobile app:

Data Collection Summary

  • Personal Info: Name, email address (Collected — Required for account creation)
  • Financial Info: Purchase history, subscription status (Collected — Required for subscriptions)
  • User Content: AI chat messages, portfolio data, custom strategies (Collected — Required for features)
  • App Activity: Feature usage, app interactions (Collected — Analytics)
  • App Info and Performance: Crash logs, diagnostics (Collected — Bug fixing)
  • Device Identifiers: Device ID, FCM token (Collected — Push notifications)

Data Practices

  • ✅ Data is encrypted in transit (HTTPS/TLS)
  • ✅ You can request data deletion (via account deletion or support)
  • ❌ Data is not sold to third parties
  • ❌ Data is not shared for advertising or marketing purposes with third parties

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will:

  • Update the "Last updated" date at the top of this page;
  • Notify you of material changes through in-app notifications or email;
  • Post the updated Privacy Policy on our website.

Your continued use of the Service after the changes become effective constitutes your acceptance of the revised Privacy Policy. We encourage you to review this Privacy Policy periodically.

15. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For GDPR-related inquiries, you may also contact your local Data Protection Authority if you are unsatisfied with our response to your request.