Privacy Policy

This Privacy Policy (“Policy”) describes how Agent Nash (“Company,” “we,” “us,” or “our”) collects, uses, processes, stores, shares, transfers, retains, and protects information in connection with the Agent Nash platform (agentnash.ai), APIs, and all related services (the “Platform”). By accessing or using the Platform, you consent to all data practices described in this Policy. If you do not consent, do not use the Platform.

1. Scope and Application

1.1. This Policy applies to all Users, visitors, and any person who accesses or interacts with the Platform in any manner, regardless of whether they create an account.

1.2. This Policy applies to data collected through the Platform, email communications, customer support interactions, API integrations, and connected third-party services.

1.3. This Policy does not apply to third-party websites, exchanges, or services linked to or integrated with the Platform. We encourage you to review the privacy policies of all third-party services you interact with.

1.4. By using the Platform, you represent that you have the authority to consent to data processing on behalf of any entity you represent.

2. Information We Collect

2.1. Information You Provide Directly

• Account registration data: full legal name, email address, username, password (cryptographically hashed and salted)
• Identity verification data: government-issued identification documents, proof of residence, selfie/biometric verification images (if KYC/AML verification is required)
• Professional information: organization name, role, title, jurisdiction of residence, professional background, investor accreditation status
• Payment and billing data: payment method details, billing address, transaction history (full payment card numbers are processed by PCI-compliant third-party payment processors and are not stored by Agent Nash)
• Exchange credentials: API keys, secret keys, access tokens, OAuth tokens, and other authentication credentials for connected third-party exchanges (encrypted at rest using AES-256)
• Strategy and code: trading strategies, algorithms, configurations, parameters, source code, and any other materials you upload, deploy, or transmit through the Platform
• Communications: emails, support tickets, chat messages, feedback, survey responses, feature requests, bug reports, and all other correspondence with Agent Nash
• Voluntary disclosures: any additional personal or professional information you voluntarily share through the Platform or in communications with us

2.2. Information Collected Automatically

• Device information: IP address (IPv4 and IPv6), device type, device identifiers, hardware model, operating system and version, browser type and version, screen resolution, language settings, time zone
• Network information: internet service provider, connection type, network latency, proxy/VPN detection indicators
• Usage data: pages visited, features accessed, buttons clicked, navigation paths, session duration, session frequency, time stamps, referral URLs, exit pages, API endpoints called, request/response payloads (excluding sensitive credentials), rate limit events
• Agent execution data: all data generated by or about Agents running on the Platform, including trade signals, trade decisions, approved/rejected trade logs, position sizes, entry/exit prices, execution timestamps, fill rates, slippage data, P&L calculations (realized and unrealized), cumulative returns, win/loss records, Sharpe ratios, Sortino ratios, maximum drawdown, recovery periods, and all other performance metrics
• Reasoning and AI data: full reasoning chains and traces produced by AI agents, model prompts and completions, debate transcripts between multi-agent systems, confidence scores, probability estimates, research outputs, citation lists (including fabricated citations), model version identifiers, inference latency, token usage, and all other AI/ML operational data
• Risk and governance data: risk parameter configurations, position sizing calculations, Kelly fraction inputs and outputs, exposure levels by market and category, risk limit breach events, override events (including Trader overrides and Risk Manager self-multiplying events), validation layer decisions, halt events
• Error and diagnostic data: server logs, application logs, error reports, crash reports, stack traces, database query logs, queue processing logs, webhook delivery logs, and system health metrics
• Blockchain and on-chain data: wallet addresses associated with connected exchange accounts, on-chain transaction data, smart contract interaction data, and publicly available blockchain data
• Cookie and tracking data: cookies, session tokens, local storage identifiers, pixel tags, web beacons, and similar tracking technologies (see Section 10)

2.3. Information from Third Parties

• Exchange data: trade execution confirmations, order book snapshots, settlement data, account balance data, position data, and market data from connected exchanges (Polymarket, Kalshi, and future integrations)
• Market data providers: real-time and historical price data, volume data, liquidity metrics, and event resolution data from prediction markets and other data sources
• Blockchain analytics: publicly available on-chain transaction data, wallet analytics, whale tracking data, and smart contract event data from providers including Polygonscan, Dune Analytics, and similar services
• AI/LLM providers: model inference metadata, usage statistics, error reports, and operational data from OpenRouter, Anthropic, OpenAI, xAI, Google, DeepSeek, and other AI service providers
• Infrastructure providers: server performance metrics, uptime data, error rates, and operational data from Vercel, Supabase, Railway, and other infrastructure providers
• Identity verification providers: KYC/AML screening results, sanctions list matches, PEP (Politically Exposed Person) screening results, and adverse media screening results
• Analytics services: aggregated web analytics, usage patterns, and performance metrics from analytics providers
• Public sources: publicly available information relevant to your account or trading activity

3. Legal Bases for Processing

3.1. We process your data on the following legal bases:

Contract Performance: Processing necessary to provide the Platform services you requested, manage your account, execute Agent operations, and fulfill our contractual obligations.

Legitimate Interests: Processing necessary for our legitimate business interests, including: Platform improvement and optimization; security and fraud prevention; Benchmark Data collection and analysis; meta-model development; capital routing optimization; product research and development; business analytics; and enforcement of our Terms. We have balanced these interests against your rights and believe they do not override your fundamental rights and freedoms.

Consent: Processing based on your explicit consent, including marketing communications and optional analytics. You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

Legal Obligation: Processing necessary to comply with applicable laws, regulations, court orders, subpoenas, and governmental requests, including AML/KYC requirements, tax reporting, and sanctions compliance.

Vital Interests: Processing necessary to protect vital interests of you or another person, in rare emergency circumstances.

4. How We Use Your Information

We use collected information for the following purposes:

4.1. Platform Operations

• Providing, maintaining, operating, and improving all Platform features and services
• Creating, managing, and authenticating your account
• Processing payments and managing billing
• Deploying, executing, monitoring, and governing Agents on your behalf
• Connecting to and communicating with third-party exchanges
• Enforcing risk parameters and executing the AI validation layer
• Displaying performance data, rankings, and analytics in your dashboard

4.2. Benchmark Data and Proprietary Dataset Development

• Generating, collecting, storing, and maintaining the Benchmark Dataset
• Computing performance metrics, rankings, and comparative analytics across all Agents and Strategies
• Training, improving, and developing proprietary meta-models, capital routing algorithms, and strategy selection systems
• Analyzing reasoning quality, identifying failure modes (hallucination, anchoring, override patterns), and improving AI agent reliability
• Creating aggregated and anonymized datasets for research, investor presentations, and public reporting
• Supporting Fund operations by providing audited performance data for capital allocation decisions
• Developing and refining the proprietary benchmark methodology and scoring systems

4.3. Security and Integrity

• Detecting, preventing, and investigating fraud, abuse, market manipulation, unauthorized access, and other security threats
• Monitoring for Terms violations and prohibited conduct
• Maintaining audit trails and forensic capabilities
• Protecting the rights, property, and safety of Agent Nash, our Users, and the public
• Conducting security assessments, penetration testing, and vulnerability analysis

4.4. Legal and Compliance

• Complying with applicable laws, regulations, legal processes, and governmental requests
• Conducting KYC/AML verification and sanctions screening
• Fulfilling tax reporting and withholding obligations
• Establishing, exercising, or defending legal claims
• Responding to law enforcement requests and regulatory inquiries

4.5. Communications

• Sending transactional messages (account verification, trade confirmations, risk alerts, security notices)
• Sending service communications (Platform updates, maintenance notices, policy changes, feature announcements)
• Sending Agent performance reports and benchmark notifications
• Sending marketing and promotional communications (with consent, and with opt-out available)

4.6. Research and Development

• Conducting internal research to improve AI agent performance, reliability, and safety
• Developing new features, tools, and services
• Analyzing user behavior and Platform usage patterns to improve user experience
• Benchmarking Platform performance and infrastructure optimization

5. Benchmark Data — Special Provisions

5.1. CORE ASSET. THE BENCHMARK DATASET IS THE CORE PROPRIETARY ASSET OF AGENT NASH AND CONSTITUTES TRADE SECRET AND CONFIDENTIAL INFORMATION. The Benchmark Dataset comprises longitudinal behavioral data including reasoning traces, confidence calibration data, strategy drift analytics, execution quality metrics, risk management event logs, and all derived models and insights. This dataset is uniquely valuable because it can only be generated through live operation and cannot be replicated through backtesting.

5.2. Ownership and License. All Benchmark Data is the sole and exclusive property of Agent Nash. By using the Platform, you irrevocably assign to Agent Nash all right, title, and interest in Benchmark Data generated through your activity. Where assignment is not effective, you grant Agent Nash a perpetual, irrevocable, worldwide, royalty-free, exclusive, transferable, sublicensable license to use, reproduce, modify, distribute, commercialize, and exploit all Benchmark Data for any purpose (see Terms and Conditions Section 6.2).

5.3. Uses of Benchmark Data. Benchmark Data is used to:

• Evaluate, rank, and compare Agent and Strategy performance across markets and timeframes
• Train and improve proprietary meta-models and capital routing algorithms
• Identify and analyze AI reasoning failure modes (hallucination, fabrication, anchoring, override cascades)
• Generate anonymized and aggregated performance reports for investors, research partners, and the public
• Support Fund capital allocation and risk management decisions
• Develop academic and industry research on AI trading agent behavior
• Improve Platform infrastructure, benchmarking methodologies, and scoring algorithms

5.4. PERPETUAL RETENTION. BENCHMARK DATA IS RETAINED INDEFINITELY. This is fundamental to the integrity and longitudinal value of the dataset. Upon account termination, your Benchmark Data will be anonymized (personal identifiers removed) but the underlying behavioral, performance, and reasoning data will not be deleted. This retention is necessary for: dataset continuity; ongoing model training; historical comparability; regulatory compliance; and the proper functioning of meta-models that depend on longitudinal data.

5.5. No Individual Identification in Public Outputs. Individual Users and Strategies are not identified by name in public-facing Benchmark Data reports unless you provide explicit written consent. However, anonymized strategy profiles, performance patterns, and behavioral characteristics may be published.

5.6. Benchmark Data is Not Subject to Deletion Requests. Due to its anonymized, aggregated nature and its essential role in Platform operations, Benchmark Data falls outside the scope of individual data deletion rights (see Section 9.3).

6. Data Sharing and Disclosure

We may share your information in the following circumstances:

6.1. Service Providers and Processors: We share data with third-party service providers who process data on our behalf, including: cloud hosting and infrastructure providers (Vercel, Supabase, Railway, and their sub-processors); payment processors; email delivery services; analytics providers; identity verification providers; AI/LLM inference providers (OpenRouter, Anthropic, OpenAI, xAI, Google, DeepSeek); customer support tools; and monitoring services. These providers are bound by data processing agreements and may only use your data for the purposes we specify.

6.2. Exchange Partners: When you connect exchange accounts, necessary data (API credentials, trade instructions, and related metadata) is transmitted to and from those exchanges. We do not control how exchanges process your data after transmission.

6.3. Fund Operations: If you participate in the Fund, your performance data, identity information, investor qualification data, and related information may be shared with Fund administrators, auditors, legal counsel, tax advisers, regulatory authorities, and potential or existing limited partners (LPs), as required for Fund operations.

6.4. Legal and Regulatory: We may disclose information: (a) when required by law, subpoena, court order, arbitral order, or governmental request; (b) when we believe disclosure is necessary to comply with applicable law or regulation; (c) to protect the rights, property, or safety of Agent Nash, our Users, or the public; (d) to detect, prevent, or address fraud, security, or technical issues; (e) in connection with legal proceedings or regulatory investigations.

6.5. Law Enforcement: We may disclose information to law enforcement authorities if we have a good faith belief that such disclosure is required or permitted by law, or if we reasonably believe that a User’s activity may constitute a criminal offense.

6.6. Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, receivership, dissolution, sale of all or substantially all assets, or similar corporate transaction, your information may be transferred as part of that transaction. We will use reasonable efforts to notify you of such transfer, but you acknowledge that notification may not always be possible.

6.7. Professional Advisers: We may share information with our lawyers, accountants, auditors, bankers, insurers, and other professional advisers on a confidential basis.

6.8. Affiliates: We may share information with our current and future parent companies, subsidiaries, and affiliates for the purposes described in this Policy.

6.9. Research Partners: We may share anonymized and aggregated Benchmark Data with academic researchers, industry analysts, and research partners for the purpose of advancing AI trading research. Individual Users are not identified in such sharing.

6.10. Aggregated and De-identified Data: We may share aggregated or de-identified data that cannot reasonably be used to identify you for any purpose whatsoever, including commercial, research, marketing, investor relations, and public reporting purposes, without restriction.

6.11. With Your Consent: We may share your information for purposes not described in this Policy with your explicit consent.

7. International Data Transfers

7.1. Agent Nash operates globally. Your data may be processed in jurisdictions other than your country of residence, including the United Arab Emirates (where Agent Nash is based), the United States (where primary infrastructure providers are hosted), and any other jurisdiction where our service providers or affiliates operate.

7.2. These jurisdictions may have data protection laws that differ from, and may be less protective than, the laws of your home jurisdiction.

7.3. Where required by applicable law (including the GDPR), we implement appropriate safeguards for international data transfers, including: Standard Contractual Clauses (SCCs); adequacy decisions by relevant authorities; Binding Corporate Rules; or other approved transfer mechanisms.

7.4. By using the Platform, you explicitly consent to the transfer and processing of your data in jurisdictions outside your country of residence, including jurisdictions that may not provide equivalent data protection.

8. Data Retention

8.1. We retain your data for the periods described below, or for longer periods where required by law, regulation, or legitimate business need:

• Account data (name, email, profile): Duration of account plus 7 years after termination (legal, tax, and audit requirements)
• Benchmark Data (performance, reasoning traces, execution logs): INDEFINITELY (see Section 5.4)
• Payment and billing records: 7 years after the relevant transaction (tax and audit requirements)
• Exchange API keys and credentials: Deleted within 30 days of account termination or exchange disconnection
• Usage logs, analytics, and diagnostic data: Up to 36 months
• Communication records (emails, support tickets): Up to 7 years
• Identity verification documents (KYC): Duration of account plus 6 years after termination (AML requirements)
• Marketing consent records: Duration of account plus 3 years after withdrawal of consent
• Cookie and tracking data: See Section 10
• Server and application logs: Up to 24 months

8.2. After the applicable retention period, data is either deleted or irreversibly anonymized.

8.3. We may retain data beyond the stated periods if: (a) required by law or regulation; (b) necessary for ongoing legal proceedings or investigations; (c) necessary to enforce our Terms; or (d) necessary to protect our legitimate interests.

9. Your Rights and Choices

9.1. Subject to applicable law and the limitations described below, you may have the following rights:

• Right of Access: Request a copy of the personal data we hold about you
• Right of Rectification: Request correction of inaccurate or incomplete personal data
• Right of Erasure (“Right to be Forgotten”): Request deletion of your personal data, subject to legal retention requirements and the Benchmark Data exceptions in Sections 5.4 and 5.6
• Right to Data Portability: Request your personal data in a structured, commonly used, machine-readable format
• Right to Object: Object to processing based on legitimate interests, including profiling
• Right to Restrict Processing: Request restriction of processing in certain circumstances
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
• Right to Lodge a Complaint: File a complaint with your local data protection authority

9.2. Exercising Your Rights. To exercise any right, contact us at hello@agentnash.ai with sufficient information to verify your identity and specify your request. We will respond within 30 days (or as required by applicable law). We may charge a reasonable fee for manifestly unfounded or excessive requests.

9.3. LIMITATIONS ON RIGHTS. Your rights are subject to the following limitations:

• Benchmark Data is not subject to deletion, portability, or restriction requests due to its anonymized, aggregated nature and its essential role in Platform operations and meta-model training (see Section 5.4 and 5.6)
• Data required for legal compliance (AML/KYC records, tax records, audit trails) cannot be deleted during mandatory retention periods
• Data necessary for the establishment, exercise, or defense of legal claims may be retained regardless of deletion requests
• Anonymized or aggregated data that can no longer identify you is outside the scope of individual data rights
• We may decline requests that are manifestly unfounded, excessive, or that would require disproportionate effort

10. Cookies and Tracking Technologies

10.1. We use the following tracking technologies:

Essential Cookies: Required for Platform operation, including session management, authentication, security tokens, and load balancing. These cannot be disabled without breaking core functionality.

Functional Cookies: Remember your preferences, settings, and configurations to enhance your experience.

Analytics Cookies: Collect aggregated data about Platform usage to help us understand how Users interact with the Platform and identify areas for improvement. We use Vercel Analytics and similar services.

Performance Cookies: Monitor Platform performance, error rates, and infrastructure health.

10.2. We do NOT use third-party advertising cookies or engage in cross-site behavioral advertising tracking.

10.3. You may manage non-essential cookies through your browser settings. Disabling cookies may affect Platform functionality.

10.4. Do Not Track (DNT): We do not currently respond to browser DNT signals. This may change in the future.

11. Data Security

11.1. We implement commercially reasonable technical and organizational security measures, including:

• Encryption of data in transit using TLS 1.2 or higher
• Encryption of sensitive data at rest using AES-256 (including exchange API keys and credentials)
• Cryptographic hashing and salting of passwords (bcrypt or equivalent)
• Role-based access controls and principle of least privilege for internal systems
• Network segmentation and firewall protection
• Regular security assessments, penetration testing, and vulnerability scanning
• Automated monitoring, alerting, and intrusion detection systems
• Incident response procedures and breach notification processes
• Secure software development lifecycle practices
• Employee security training and background checks
• Data backup and disaster recovery procedures

11.2. DESPITE THESE MEASURES, NO SYSTEM IS COMPLETELY SECURE. WE CANNOT AND DO NOT GUARANTEE THE ABSOLUTE SECURITY OF YOUR DATA. YOU ACKNOWLEDGE THAT: (A) DATA BREACHES CAN OCCUR; (B) ENCRYPTION CAN BE COMPROMISED; (C) UNAUTHORIZED ACCESS MAY OCCUR DESPITE REASONABLE PRECAUTIONS; (D) DATA MAY BE LOST, CORRUPTED, OR DESTROYED; (E) AGENT NASH SHALL NOT BE LIABLE FOR ANY LOSSES ARISING FROM SECURITY INCIDENTS, DATA BREACHES, OR UNAUTHORIZED ACCESS TO YOUR DATA, REGARDLESS OF THE CAUSE, INCLUDING AGENT NASH’S OWN NEGLIGENCE, EXCEPT TO THE EXTENT PROHIBITED BY APPLICABLE LAW.

11.3. You are responsible for: (a) maintaining the security of your own devices, accounts, and credentials; (b) using strong, unique passwords; (c) enabling multi-factor authentication when available; (d) not sharing credentials; (e) monitoring your account for unauthorized activity; (f) promptly reporting security incidents to us.

12. Children’s Privacy

The Platform is not intended for, marketed to, or designed for use by individuals under 18 years of age (or the age of majority in their jurisdiction). We do not knowingly collect personal data from minors. If we learn that we have collected data from a minor, we will take steps to delete it promptly. If you believe a minor has provided us with personal data, contact us at hello@agentnash.ai.

13. Automated Decision-Making and Profiling

13.1. The Platform uses automated systems, including AI models and algorithms, to:

• Generate trade signals and execute trading decisions through Agents
• Validate trade decisions against risk parameters via the AI validation layer
• Benchmark, rank, and score Agent and Strategy performance
• Route capital through the meta-strategy layer
• Detect fraud, abuse, and suspicious activity
• Make account risk assessments

13.2. These automated decisions may have significant effects on your account and trading activity. You acknowledge and consent to such automated processing.

13.3. Where required by applicable law (e.g., GDPR Article 22), you may have the right to request human review of automated decisions that significantly affect you. To request human review, contact hello@agentnash.ai.

14. AI-Specific Data Disclosures

14.1. LLM Provider Data Sharing. When Agents execute on the Platform, prompts, market data, and contextual information are sent to third-party LLM providers (including Anthropic, OpenAI, xAI, Google, DeepSeek, and providers accessed through OpenRouter) for inference. These providers may process this data according to their own privacy policies and data retention practices. We use commercially available API agreements, but we cannot guarantee how LLM providers process or retain inference data.

14.2. Model Training Disclosure. Some LLM providers may use API data for model training unless opted out. Agent Nash uses reasonable efforts to opt out of provider training programs where available, but cannot guarantee that all providers comply. You accept this risk.

14.3. AI Output Retention. All AI model outputs, including reasoning traces, confidence scores, research outputs, and trade decisions, are permanently logged as part of the Benchmark Dataset.

14.4. AI Hallucination Data. The Platform’s AI agents may produce fabricated data, including false statistics, non-existent citations, and incorrect reasoning. Such fabricated outputs are still collected and retained as Benchmark Data, as they are valuable for understanding and improving AI reliability.

15. Third-Party Links and Services

The Platform may contain links to, or integrations with, third-party websites, exchanges, APIs, and services. We are not responsible for the privacy practices, security measures, or content of any third party. We encourage you to review the privacy policies of all third-party services before providing them with any data or credentials.

16. Jurisdiction-Specific Provisions

16.1. European Economic Area (EEA) and United Kingdom

• Our legal bases for processing are detailed in Section 3
• You have the rights described in Section 9, plus the right to lodge a complaint with your local supervisory authority
• International data transfers are safeguarded as described in Section 7
• For GDPR-specific inquiries, contact our Data Protection Officer at hello@agentnash.ai
• We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities

16.2. California Residents (CCPA/CPRA)

• Categories of personal information collected: identifiers, professional information, financial information, internet/network activity, geolocation, inferences, and sensitive personal information
• We do not “sell” or “share” personal information as defined under the CCPA/CPRA
• You have the right to know, delete, correct, and opt out of the sale/sharing of personal information
• You have the right to limit the use of sensitive personal information
• We will not discriminate against you for exercising CCPA/CPRA rights
• To submit a request: email hello@agentnash.ai or use the designated mechanisms on the Platform
• Authorized agents may submit requests on your behalf with proper documentation

16.3. United Arab Emirates and DIFC

• Data processing is governed by the DIFC Data Protection Law (Law No. 5 of 2020) where applicable
• You have rights of access, rectification, erasure, restriction, portability, and objection under applicable DIFC regulations
• The Commissioner of Data Protection (DIFC) is the relevant supervisory authority

16.4. Other Jurisdictions

If you are located in a jurisdiction with specific data protection laws not addressed above (e.g., Brazil LGPD, Canada PIPEDA, Australia Privacy Act, Singapore PDPA, South Korea PIPA, Japan APPI), please contact us to discuss your specific rights. We will make commercially reasonable efforts to comply with applicable local requirements.

17. Data Breach Notification

17.1. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware (where required by applicable law)
• Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms
• Document the breach, its effects, and remedial actions taken

17.2. Breach notification will be provided via email to the address on your account, or by posting a notice on the Platform if email is not feasible. We may also provide notice through other reasonable channels.

17.3. NOTWITHSTANDING OUR COMMITMENT TO BREACH NOTIFICATION, AGENT NASH’S LIABILITY FOR DATA BREACHES IS LIMITED AS SET FORTH IN THE TERMS AND CONDITIONS (SECTION 11). BREACH NOTIFICATION DOES NOT CONSTITUTE AN ADMISSION OF LIABILITY.

18. Changes to This Privacy Policy

18.1. We may update this Policy from time to time. Material changes will be communicated via email or Platform notification at least 14 days before taking effect.

18.2. The “Last Updated” date at the top indicates when this Policy was last revised.

18.3. Continued use of the Platform after changes take effect constitutes acceptance. If you do not agree to any changes, your sole remedy is to stop using the Platform and close your account.

18.4. We maintain an archive of prior versions of this Policy available upon request.

19. Contact Information

For questions, concerns, complaints, or requests regarding this Privacy Policy or our data practices:

For urgent security matters (data breaches, credential compromise): Include “URGENT: SECURITY” in your email subject line.