// DECRYPTING... // _

PRIVACY POLICY

// EFFECTIVE: 2026-05-27

This Privacy Policy describes how aiport (“aiport”, “we”, “us”, or “our”) collects, uses, shares, and protects information when you visit aiport.trade or use our managed Hermes Agent operations service (the “Service”). It also describes your rights under the EU and UK General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act, as amended by the CPRA (collectively, “CCPA”).

By using the Service, you agree to the collection and use of information as described in this Policy. If you do not agree, do not use the Service.

1. Data We Collect

1.1 Account data

When you sign up, redeem an invite, apply for the Operator Grant Program, or join the waitlist, we collect:

  • Your email address.
  • Your X (Twitter) handle, where you provide it on the grants or waitlist form.
  • The Google account profile information returned by Google OAuth on sign-in (name, email, and a stable account identifier).
  • The invite token associated with your account, if applicable.

1.2 Operational data

Once your Agent is provisioned, we collect:

  • Encrypted secrets you provide to your Agent, including the Telegram bot token and the Bankr API key. These are stored encrypted at rest using AES-256-GCM and decrypted only on the orchestrator at the moment they are needed.
  • Your assigned Venice inference key (drawn from our managed pool), stored encrypted at rest.
  • Operational metadata about your Agent: status, restart events, balance snapshots, provisioning errors, and the host identifier of the virtual machine running your Agent.

1.3 Usage and technical data

  • IP address, user agent, and approximate location (derived from IP) for security, abuse prevention, and aggregate analytics.
  • Operator console interaction logs, including page requests, API requests to the orchestrator, and timestamps. These are retained for security and debugging.
  • Audit log entries for sensitive actions (such as deploys, Telegram token updates, Bankr verification). Audit entries record the action type, the actor, the target, and a minimal whitelist of non-sensitive details — we do not log API keys, secrets, or tokens.

2. How We Use Your Data

We use the data we collect to:

  • Provision, operate, monitor, and restart your Agent.
  • Authenticate you, bind your Google account to your invite, and enforce per-Operator access controls.
  • Communicate with you about your account, your Agent's status, billing, security incidents, and material changes to the Service. Account-related email is delivered through our email provider, Resend.
  • Investigate, prevent, and respond to abuse, fraud, security incidents, and violations of our Terms of Service.
  • Comply with applicable legal obligations, court orders, and lawful requests from regulators or law enforcement.
  • Improve the Service, including by analysing aggregate, non-identifying usage patterns.

We do not sell your personal data, and we do not use your data to train third-party AI models.

3. Third-Party Service Providers

We rely on a small set of third-party providers to operate the Service. Each receives only the data necessary for its function:

  • Google — OAuth sign-in. Google receives a sign-in request from your browser and returns your account profile to us.
  • Resend — transactional email delivery. Resend processes the email address and message content for messages we send you.
  • Venice AI — inference. Your Agent's prompts and the resulting responses are transmitted to Venice using a Venice API key we assign to your Agent. Venice processes inference requests subject to its own terms and privacy policy.
  • Vultr — virtual machine hosting. Your Agent runs inside a dedicated virtual machine provisioned with Vultr. Vultr processes infrastructure-level metadata (instance IDs, networking, billing).
  • Bankr — agent wallet custody. The Bankr CLI runs on the orchestrator on your behalf to mint an isolated wallet for your Agent. The Bankr API key issued during this flow is stored encrypted at rest and propagated to your Agent.

We may also disclose data to professional advisors, auditors, or in connection with a merger, acquisition, or sale of assets, in each case subject to standard confidentiality obligations.

4. Cookies

We use a small number of strictly necessary cookies:

  • A NextAuth session cookie that keeps you signed in across requests to the operator console.
  • A short-lived pending_invite_token cookie set when you redeem an invite, used to bind the invite to the Google account that subsequently signs in.

We do not use third-party advertising cookies, analytics cookies, or cross-site tracking cookies.

5. Data Retention

  • Account data is retained while your subscription is active and for ninety (90) days after termination, after which it is permanently deleted, except where retention is required to comply with a legal obligation, resolve a dispute, or enforce our agreements.
  • Audit log entries are retained for twelve (12) months for security, abuse prevention, and incident investigation.
  • Waitlist and grant application entries are retained until the corresponding intake closes, plus ninety (90) days, unless you request earlier deletion.
  • Encrypted Agent secrets (Telegram token, Bankr API key, Venice key) are scheduled for deletion on termination of your Agent.

6. Your Rights

6.1 GDPR (EU and UK)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights with respect to your personal data:

  • The right to access the personal data we hold about you.
  • The right to rectify inaccurate or incomplete data.
  • The right to request deletion of your data (the “right to erasure”), subject to our legal obligations.
  • The right to restrict or object to certain processing of your data.
  • The right to data portability — to receive your data in a structured, commonly used, machine-readable format.
  • The right to lodge a complaint with your local data protection authority.

The legal basis on which we process your data is, depending on the context: performance of the contract between us, our legitimate interests in operating and securing the Service, compliance with a legal obligation, or, where applicable, your consent.

6.2 CCPA (California)

If you are a California resident, you have the right to:

  • Know what categories of personal information we collect, the sources, the business purpose, and the categories of third parties with whom we share it.
  • Request deletion of your personal information.
  • Correct inaccurate personal information.
  • Opt out of the sale or sharing of personal information. We do not sell or share personal information as those terms are defined under the CCPA.
  • Be free from discrimination for exercising your privacy rights.

6.3 How to exercise your rights

To exercise any of the rights above, contact us at operations@aiport.trade. We will verify your request using the email associated with your account and respond within the timeframes required by applicable law.

7. International Transfers

Our infrastructure and our third-party providers are located in the United States and other jurisdictions. Where we transfer personal data out of the EEA, the UK, or Switzerland, we rely on appropriate safeguards such as the European Commission's standard contractual clauses, or on derogations permitted by applicable law.

8. Security

We apply administrative, technical, and physical safeguards designed to protect your data, including AES-256-GCM encryption at rest for sensitive secrets, transport-layer encryption (TLS) in transit, key isolation per Operator, restricted access to the orchestrator, and audit logging of sensitive actions. No security system is perfect, and we cannot guarantee absolute security.

9. Children

The Service is not directed at individuals under the age of eighteen (18), and we do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, contact operations@aiport.trade and we will delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date at the top of this page and, where appropriate, notify active Operators by email or via a banner in the operator console at least thirty (30) days before the changes take effect.

11. Contact

For privacy questions, requests, or complaints, write to operations@aiport.trade.