Legal

Privacy policy

Last updated: 24 May 2026

Template for counsel review. This document is drafted to professional standards for an international crypto-trading product but has not been signed off by external counsel. Items in [brackets] require completion based on your operating entity and jurisdiction. Have qualified legal counsel review and adapt before launch.

1. Overview

This Privacy Policy ("Policy") describes how Swarm AI Lab ("Sparkling", "we", "us", "our") collects, uses, discloses, and protects information about you when you use Sparkling, our AI-powered trading agent operating within Telegram and accessible at sparkl.ing and through the Sparkling Telegram bot (collectively, the "Service").

This Policy applies to all users of the Service worldwide. Additional rights may apply in your jurisdiction (see Section 8).

By using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with our practices, do not use the Service.

2. Data Controller

The data controller responsible for your personal information is:

Swarm AI Lab
[Registered Office Address]
[City, Country of Incorporation]
Email: privacy@sparkl.ing

For users in the European Economic Area ("EEA") or the United Kingdom, you may also contact our Data Protection Officer at dpo@sparkl.ing.

3. Information We Collect

We collect information in four ways: directly from you, automatically as you use the Service, from third parties, and from public blockchains.

3.1 Information You Provide

  • Account information. Your Telegram user identifier, username, and the email address you provide during wallet setup.
  • Authentication credentials. One-time passwords sent to your email for wallet recovery. We do not store these credentials in retrievable form.
  • Identity verification information. Where required by applicable law (see Section 4(g)), we collect government-issued identification, proof of address, date of birth, and a live photo or video for biometric verification ("KYC Information"). KYC Information is processed by our regulated identity verification partner.
  • Communications. The content of your messages to Sparkling, including trade instructions, support requests, and any correspondence with our team.
  • Preferences and settings. Strategy parameters you configure (such as DCA schedules, agent rules, risk thresholds), notification preferences, and language selection.

3.2 Information Collected Automatically

  • Transaction data. Records of activity within the Service, including swap quotes requested, transactions you signed, agent strategies executed, and on-chain transaction hashes.
  • Technical data. Device type, operating system, Telegram client version, IP address (used transiently for routing and security and not retained beyond 30 days unless required for fraud investigation), and approximate geographic region derived from IP.
  • Usage data. Feature interactions, error logs, performance metrics, and session metadata, collected through privacy-preserving telemetry.

3.3 Information From Third Parties

  • Custodial wallet provider. Our wallet partner provides us with wallet addresses, transaction status updates, and authentication events necessary to operate the Service.
  • Settlement and routing partners. We receive transaction execution data, routing decisions, and pricing information from our liquidity and settlement partners, including TetraChain.
  • Sanctions and compliance screening providers. We receive screening results when verifying that you are not subject to applicable sanctions or financial-crime restrictions.

3.4 On-Chain Information

Public blockchain data, including wallet addresses, transaction amounts, counterparties, and timing, is by its nature public and accessible to anyone. While we do not generate this data, we may analyze it in connection with operating the Service and meeting compliance obligations.

4. How We Use Information

We process your information for the following purposes, on the legal bases indicated for users in the EEA, the United Kingdom, and Switzerland.

(a) To provide the Service. Routing trade instructions, executing transactions, displaying balances and history, operating Agents you configure. Legal basis: performance of a contract.

(b) To authenticate and secure your account. Verifying logins, sending one-time passwords, detecting suspicious access patterns. Legal basis: performance of a contract; legitimate interests in account security.

(c) To communicate with you. Sending transactional notifications (trade confirmations, security alerts) and responding to support inquiries. Legal basis: performance of a contract; legitimate interests in customer support.

(d) To improve the Service. Analyzing aggregated usage patterns, debugging errors, testing new features. Legal basis: legitimate interests in product development.

(e) To prevent fraud and abuse. Detecting bots, market manipulation, account takeovers, and other prohibited conduct. Legal basis: legitimate interests in service integrity; legal obligations under anti-fraud and anti-money-laundering laws.

(f) To comply with legal obligations. Responding to lawful requests from regulators, courts, and law enforcement; meeting record-keeping and reporting obligations. Legal basis: legal obligation.

(g) To verify identity where required (KYC/AML). Conducting identity verification, sanctions screening, and transaction monitoring as required under applicable anti-money-laundering and counter-terrorism financing laws. Legal basis: legal obligation; legitimate interests in compliance.

(h) To send service-related updates. Notifying you of material changes to this Policy, the Terms of Service, fees, or supported features. Legal basis: performance of a contract; legitimate interests.

We do not use your personal information for marketing or advertising purposes without your express, opt-in consent. We do not sell your personal information.

5. How We Share Information

5.1 Service Providers

We share information with vendors that process data on our behalf, including:

  • cloud infrastructure providers for hosting and storage;
  • email service providers for transactional email delivery;
  • analytics providers for privacy-preserving usage analytics;
  • identity verification providers for KYC processing where required;
  • customer support tooling for managing inquiries.

Each service provider is bound by a written data processing agreement requiring confidentiality, security, and processing only on our documented instructions.

5.2 Partners Integrated With the Service

  • Wallet (by Telegram) — our custodial wallet partner. Receives wallet provisioning instructions, signing requests, and authentication events. Subject to its own privacy policy.
  • TetraChain — settlement layer. Receives transaction execution data necessary for clearing. Subject to its own privacy policy.
  • Liquidity providers and aggregators receive routing and execution data for the trades you initiate.

5.3 Legal and Regulatory Disclosure

We may disclose information when we believe in good faith that disclosure is necessary to:

  • comply with applicable law, regulation, legal process, or governmental request;
  • enforce our Terms of Service, including investigation of potential violations;
  • detect, prevent, or address fraud, security, or technical issues;
  • protect against harm to the rights, property, or safety of Sparkling, our users, or the public.

Where legally permitted, we will notify affected users in advance of disclosure.

5.4 Business Transfers

If we are involved in a merger, acquisition, financing, asset sale, or similar transaction, your information may be transferred as part of that transaction. The acquiring party will be bound by privacy commitments at least as protective as this Policy.

5.5 With Your Consent

We will share your information for other purposes only with your express consent, which you may withdraw at any time.

6. International Data Transfers

Sparkling operates internationally. Your information may be transferred to, and processed in, countries other than the country in which you reside, including jurisdictions that may not provide the same level of data protection as your home jurisdiction.

Where we transfer personal information out of the EEA, the United Kingdom, or Switzerland to a country not deemed adequate by the relevant authority, we rely on:

  • the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable);
  • supplementary technical and organizational measures consistent with the Schrems II ruling;
  • explicit consent or other lawful transfer mechanisms where applicable.

Copies of the safeguards we use are available on request to privacy@sparkl.ing.

7. Data Retention

We retain your information only as long as necessary for the purposes set out in this Policy:

CategoryRetention period
Account informationDuration of account, plus 12 months after closure
Transaction records7 years from transaction date (regulatory requirement)
KYC Information5 years after account closure (AML requirement)
Support correspondence3 years from last interaction
Technical logs and IP addresses30 days (90 days for security investigations)
Aggregated, de-identified analyticsIndefinite
Marketing consent recordsUntil consent withdrawn, plus 3 years

Where local law mandates different retention periods, those laws apply.

8. Your Rights

Subject to applicable law and certain exceptions, you have the following rights regarding your personal information.

8.1 Rights Under GDPR (EEA, UK, Switzerland)

  • Access. Request a copy of the personal information we hold about you.
  • Rectification. Request correction of inaccurate or incomplete information.
  • Erasure. Request deletion of your information, subject to legal retention obligations.
  • Restriction. Request that we restrict processing in certain circumstances.
  • Portability. Receive your information in a structured, commonly used, machine-readable format.
  • Objection. Object to processing based on legitimate interests or direct marketing.
  • Withdraw consent. Where processing is based on consent, withdraw consent at any time. Withdrawal does not affect the lawfulness of prior processing.
  • Complaint. Lodge a complaint with your local data protection authority. A list of EEA authorities is available at edpb.europa.eu. The UK Information Commissioner's Office is at ico.org.uk.

8.2 Rights Under CCPA/CPRA (California Residents)

California residents have the following additional rights:

  • the right to know what personal information we collect, use, disclose, and sell or share;
  • the right to delete personal information, subject to exceptions;
  • the right to correct inaccurate personal information;
  • the right to opt out of the sale or sharing of personal information — we do not sell or share personal information as defined under CCPA/CPRA;
  • the right to limit use of sensitive personal information;
  • the right to non-discrimination for exercising these rights.

To exercise these rights, contact us at privacy@sparkl.ing.

8.3 Other Jurisdictions

Residents of Brazil (LGPD), Canada (PIPEDA), Australia (Privacy Act 1988), and other jurisdictions with comprehensive data protection laws may have similar rights. Contact us to exercise them.

8.4 How to Exercise Your Rights

Email privacy@sparkl.ing with:

  • your request and the specific right you are exercising;
  • sufficient information for us to verify your identity (we will request only what is necessary);
  • the email address associated with your Sparkling account.

We will respond within 30 days. We may extend this period by 60 days for complex requests, in which case we will notify you within the initial 30-day period.

9. Security

We implement technical and organizational measures designed to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These include:

  • encryption of data in transit using TLS 1.3;
  • encryption of sensitive data at rest;
  • multi-factor authentication for internal systems;
  • role-based access controls with least-privilege principles;
  • regular external security audits and penetration testing;
  • a vulnerability disclosure program (report findings to security@sparkl.ing);
  • logging and monitoring of access to personal data;
  • employee training on data protection and security.

No system is completely secure. If you become aware of a security issue, please report it to security@sparkl.ing.

10. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child without verified parental consent, we will promptly delete it. If you believe we have collected information from a child, contact privacy@sparkl.ing.

11. Automated Decision-Making

The Service uses automated processing in the following ways:

  • Agent strategy execution. Agents you configure propose trades based on rules you set; you confirm each trade before execution.
  • Fraud and security detection. Automated systems flag suspicious activity for human review.
  • Transaction monitoring. Automated systems screen transactions against AML and sanctions criteria.

Decisions with legal or similarly significant effect on you (such as account suspension for suspected fraud) involve human review before final action. You have the right to request human intervention, to express your point of view, and to contest such decisions.

12. Cookies and Tracking Technologies

The Sparkling website (sparkl.ing) uses strictly necessary cookies only — those required for the site to function. We do not use advertising cookies, identifying analytics cookies, or third-party tracking pixels.

The Sparkling Telegram bot does not place cookies on your device.

13. Links to Third-Party Services

The Service may contain links to third-party websites and services, including blockchain explorers, partner sites, and educational resources. This Policy does not apply to those third parties. Review their privacy policies before providing personal information.

14. Changes to This Policy

We may update this Policy from time to time. Material changes will be notified at least 30 days before they take effect, via in-app notification, email, or both. The "Last updated" date at the top of this Policy reflects the version currently in force. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

A history of material revisions is available on request.

15. Contact Us

PurposeEmail
General privacy inquiriesprivacy@sparkl.ing
Data subject rights requestsprivacy@sparkl.ing
Data Protection Officer (EEA/UK)dpo@sparkl.ing
Security vulnerabilitiessecurity@sparkl.ing
Legal noticeslegal@sparkl.ing

Postal address:
Swarm AI Lab
[Registered Office Address]
[City, Country]