Privacy Policy

Effective: May 23, 2026 · Last revised: May 23, 2026

This Privacy Policy (this “Policy”) describes how Crypto Arrow LLC (a New Jersey limited liability company, “CryptoArrow,” “we,” “us,” or “our”) collects, uses, discloses, retains, transfers, and otherwise processes information about you when you visit https://cryptoarrow.ai or any related site we operate, join our waitlist, register for an account, subscribe to a paid plan, communicate with us, or otherwise interact with our websites, mobile applications, application programming interfaces, emails, and other products and services (collectively, the “Services”). This Policy is incorporated by reference into and forms part of our Terms of Service.

By accessing or using the Services, by joining our waitlist, by creating an account, or by clicking an “I Accept” or similar button, you confirm that you have read and understood this Policy and that you consent to the information practices described here, to the extent your consent is required by applicable law. If you do not agree, you must not access or use the Services.

At-a-glance summary. We collect the information needed to run the Services: your email, your portfolio entries (which you choose to provide), usage logs, and payment metadata via Stripe. We never have access to your wallet’s private keys, seed phrases, or any credential that could move your funds. We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We use third-party service providers to host, secure, and operate the Services; they are contractually bound to protect your data. We respect access, deletion, correction, and portability rights provided by applicable US state privacy laws (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, TDPSA, DPDPA, and others) and by the EU/UK General Data Protection Regulation.

1. Scope and Acceptance

This Policy applies to personal information processed by CryptoArrow in connection with the Services. It does not apply to (a) personal information we process on behalf of our business customers in our role as a service provider, processor, or sub-processor, which is governed by our agreement with the relevant business customer; (b) websites, applications, or services operated by third parties that may be linked from our Services; or (c) information about you that is publicly available on a blockchain (which is, by its nature, public and not within our control).

2. Information We Collect

2.1 Information you provide to us

  • Account and waitlist information. When you join the waitlist or create an account, we collect your email address, a referral code we generate for you, a referring user’s code (if you were referred), the marketing source associated with your signup (for example, “referral,” “tiktok,” “x”), the timestamp of your signup, and a hashed password if you set one. Authentication and password hashing are handled by Supabase Auth; we never store passwords in plain text.
  • Portfolio information. If you use portfolio features, you may voluntarily enter cryptocurrency holdings information, including ticker symbols, token names, quantities, purchase prices, dates, and any notes you choose to attach. We never request, store, or otherwise have access to your wallet private keys, seed or recovery phrases, exchange API keys with trading permissions, transaction-signing capability, or any other credentials that could be used to move your funds.
  • Communications. If you contact us by email, support form, survey, or other means, we retain the content of those communications, including any attachments, your contact information, and metadata such as time, date, and routing information.
  • Payment information. When you subscribe to a paid plan, billing is handled by Stripe, Inc. (“Stripe”). Stripe collects your name, billing address, payment-card details (including card number, expiration, and CVV), and similar information directly from you. We do not see or store full payment-card numbers. We receive only a Stripe customer identifier, subscription status, the last four digits of your card, the card brand, country of issuance, and other limited metadata necessary to manage your subscription.
  • Marketing preferences. Your choices regarding marketing communications, including any opt-outs you submit.

2.2 Information collected automatically

  • Device and connection data. When you visit the Services we automatically receive certain information about your device and connection, including IP address; user-agent string; browser type and version; device type and identifiers; operating system; referring URL; landing URL; pages viewed; links clicked; time spent on pages; the date and time of your visit; and approximate location inferred from your IP address (country and region only, not precise geolocation).
  • Server logs and usage data. We log requests to our servers, including the API endpoints called, response times, error codes, and feature interactions. We use these logs for security, fraud detection, debugging, analytics, and to improve the Services.
  • Cookies and similar technologies. See Section 8 for a full description of the categories of cookies we use.

2.3 Information we generate about you

  • Derived metrics. When you use portfolio features, we compute derived information that is stored with your account, including your queue position on the waitlist, your referral count and tier, your portfolio’s computed risk metrics (concentration, beta-to-BTC, stress-test outcomes), sector exposure, narrative alignment, and similar analytics.
  • AI-generated content. When you use AI-powered features, we send the relevant inputs (such as your holdings list, recent market data, and regime indicators) to our AI sub-processor (Anthropic, PBC) to generate summaries, briefs, and analyses. We may retain copies of generated content in association with your account for your future reference and for service improvement. See Section 9 for additional disclosures regarding automated-decision-making technology (“ADMT”).

2.4 Information from third parties

  • Payment processors. Stripe shares with us the limited payment metadata described in Section 2.1.
  • Market data providers. We obtain cryptocurrency market data (prices, market capitalization, category tags, and similar) from third-party providers such as CoinGecko. This data is about cryptocurrency assets, not about you personally.
  • Authentication providers. If you sign in using a magic link, Supabase processes your email to deliver and verify that link.

3. Notice at Collection (California Residents)

This Section serves as our “notice at collection” under California Civil Code § 1798.100(a) and the regulations promulgated under the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020, collectively the “CCPA”). The categories of personal information we collect from California consumers are identified in Section 2 above. The purposes for which we use each category are described in Section 4 below. We retain personal information for the periods described in Section 7 below. We do not sell personal information for monetary consideration, and we do not share personal information for cross-context behavioral advertising. The categories of personal information we have “sold” or “shared” under the CCPA in the preceding 12 months: none.

4. How We Use Information

We use information for the following purposes. For users in jurisdictions requiring a legal basis under data-protection law, the corresponding lawful basis appears in brackets after each purpose. (“Contract” means performance of a contract; “LI” means our legitimate interests; “Consent” means your consent; “Legal” means compliance with a legal obligation.)

  • To provide, operate, secure, maintain, and improve the Services [Contract; LI].
  • To create and authenticate your account, including via magic-link emails on drop day and at other times [Contract].
  • To process payments, manage subscriptions, prevent payment fraud, and provide receipts and tax documents [Contract; Legal].
  • To compute and display portfolio analytics, narrative scores, regime detections, stress tests, and related outputs that you request [Contract].
  • To generate AI Output (briefs, summaries, narrative analyses) using our AI sub-processor; see Sections 2.3 and 9 [Contract].
  • To send you transactional communications, including welcome emails, referral notifications, account-security alerts, billing receipts, and the drop-day launch email [Contract].
  • To send you marketing and product-update communications consistent with your preferences and applicable law [LI; Consent where required].
  • To respond to your inquiries, customer-support requests, and feedback [Contract; LI].
  • To measure aggregate usage, conduct analytics, benchmark performance, and improve the Services and our underlying models, in de-identified or aggregated form where reasonably feasible [LI].
  • To detect, prevent, investigate, and respond to fraud, abuse, security incidents, account compromise, and other harmful or unlawful activity [LI; Legal].
  • To enforce our Terms of Service and other applicable agreements and policies [LI; Legal].
  • To screen against applicable sanctions lists and confirm that you are not a prohibited party (see Section 10 below) [Legal; LI].
  • To comply with applicable laws, regulations, court orders, lawful subpoenas, and lawful government or regulatory requests [Legal].
  • To protect the rights, property, life, health, and safety of CryptoArrow, our users, and the public [Legal; LI].
  • For any other purpose disclosed to you at the point of collection, or for which you have provided consent [Consent].

5. How We Share Information

5.1 Service providers and sub-processors

We share information with the third-party vendors that help us operate the Services. These vendors are contractually required to safeguard your information and to use it only on our behalf and for the limited purposes for which we engage them. As of the effective date of this Policy, our active sub-processors are:

  • Supabase, Inc. (San Francisco, California, USA). Database hosting, authentication, file storage, magic-link generation.
  • Vercel, Inc. (San Francisco, California, USA). Application hosting, edge content delivery, serverless functions, deployment infrastructure, web analytics.
  • Stripe, Inc. (San Francisco, California, USA; processing activity also occurs in Stripe’s Dublin, Ireland data center for EU users). Payment processing, subscription billing, tax calculation, fraud screening.
  • Resend (Resend Labs, Inc.) (San Francisco, California, USA). Transactional and marketing email delivery, including the welcome email, referral notifications, and drop-day blast.
  • Anthropic, PBC (San Francisco, California, USA). Large-language-model inference for AI-generated briefs, narrative summaries, and portfolio commentary. Inputs are sent to Anthropic for the purpose of generating outputs only; pursuant to Anthropic’s API terms, inputs and outputs are not used to train Anthropic’s models without our affirmative opt-in.
  • Gecko Labs Pte. Ltd. (CoinGecko) (Singapore). Cryptocurrency market data, prices, categories, and metadata. We do not send personal information to CoinGecko.
  • GitHub, Inc. (San Francisco, California, USA). Source code hosting only; no personal information of end users is stored in GitHub.
  • Namecheap, Inc. (Phoenix, Arizona, USA). Domain registration; receives only domain-registration information, not end-user data.
  • Upstash, Inc. (Mountain View, California, USA). Redis infrastructure used to enforce rate limits on signup, login, and other public endpoints. Stores short-lived counters keyed by IP address (for anonymous requests) or user identifier (for authenticated requests) to detect and throttle abuse. Counters expire automatically within the configured time window (typically minutes to hours). No portfolio, payment, or content data is sent to Upstash.

We may engage additional or replacement sub-processors from time to time. The current list is also available on request from privacy@cryptoarrow.ai. For users protected by GDPR or UK GDPR, we will provide reasonable advance notice of material new sub-processors via email or in-product notice, and you may object as provided in the data-processing terms applicable to your account.

5.2 Business transfers

If CryptoArrow is involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your information may be transferred or disclosed as part of that transaction. We will notify you of any such change in ownership or transfer of your personal information via email and/or a prominent notice on the Services prior to the change taking effect.

5.3 Legal disclosures and protection of rights

We may access, preserve, and disclose your information if we have a good-faith belief that doing so is necessary to: (a) comply with applicable law, regulation, legal process, valid subpoena, court order, or governmental or regulatory request, including from law-enforcement agencies; (b) enforce our Terms of Service or other agreements, including investigation of potential violations; (c) detect, prevent, or otherwise address fraud, security, or technical issues; (d) respond to claims of intellectual-property infringement, including under the Digital Millennium Copyright Act (“DMCA”); or (e) protect against harm to the rights, property, life, health, or safety of CryptoArrow, our users, or the public, as required or permitted by law.

5.4 With your direction or consent

We may share your information with third parties when you direct us to do so or otherwise provide your consent.

5.5 De-identified and aggregated information

We may use, share, and disclose de-identified or aggregated information that cannot reasonably be used to identify you for any lawful business purpose, including publishing market or product benchmarks, improving and training our models, conducting research, and producing content marketing.

5.6 What we do NOT do

  • We do not sell personal information for monetary consideration.
  • We do not share personal information for cross-context behavioral advertising.
  • We do not disclose your portfolio holdings or referral relationships to advertisers, data brokers, or analytics providers (other than the sub-processors necessary to operate the Services as described above).
  • We do not request or hold private keys, seed phrases, or other credentials capable of moving cryptocurrency funds.
  • We do not engage in profiling that produces legal or similarly significant effects on you (see Section 9).

6. International Data Transfers

CryptoArrow is operated from the United States. If you access the Services from outside the United States, your information will be transferred to, processed, and stored in the United States and other jurisdictions where our service providers operate. These jurisdictions may have data-protection laws that differ from those of your home jurisdiction.

When transferring personal data of individuals located in the European Economic Area, United Kingdom, or Switzerland to a country that has not received an adequacy decision from the relevant authority, we rely on one or more appropriate safeguards under applicable law, including: (a) the European Commission’s 2021 Standard Contractual Clauses (and the 2025 amendments thereto, as applicable); (b) the UK International Data Transfer Addendum or the International Data Transfer Agreement issued by the UK Information Commissioner’s Office; (c) the Swiss Federal Data Protection and Information Commissioner’s Standard Contractual Clauses where applicable; and (d) other derogations permitted by law. You may obtain a copy of the applicable safeguards by contacting us at privacy@cryptoarrow.ai.

7. Data Retention

We retain personal information for as long as your account is active, for as long as needed to provide the Services, and for the additional periods set out in the table below, after which we delete or de-identify the information unless a longer retention period is required by applicable law or to establish, exercise, or defend legal claims.

  • Waitlist records (including referral linkages): retained for the life of your account and for up to 24 months after deletion to support fraud detection and accurate referral attribution.
  • Account and authentication data: retained for the life of your account. Upon deletion of your account, your authentication record is purged within 30 days, subject to legal-hold or fraud-investigation exceptions.
  • Portfolio entries: retained until you delete the entry or your account, whichever is earlier.
  • Daily portfolio snapshots used for historical charting: retained for up to 24 months from the snapshot date.
  • AI-generated content associated with your account: retained for up to 18 months for your future reference; you may request earlier deletion.
  • Payment and subscription records: retained as required by applicable tax and accounting laws (typically 7 years in the United States).
  • Server logs, access logs, and security records: retained for up to 13 months.
  • Email communications and support tickets: retained for up to 36 months after the last interaction.
  • Marketing-preference records (opt-outs, suppression list): retained indefinitely so we can honor your preferences on a continuing basis.
  • Backup data: retained for up to 90 days from the date the backup is taken; deletion requests will be honored on the production data immediately and will propagate through backups as backups expire on their normal schedule.

8. Cookies and Similar Technologies

Cookies are small data files placed on your device when you visit a website. Similar technologies include local storage, session storage, and pixel tags. We and our service providers use the following categories:

  • Strictly necessary. Required to operate the Services and to provide features you have explicitly requested. Examples: authentication session cookies set by Supabase Auth; cookies that remember whether you have dismissed a notice; cookies used for CSRF/security protection. These cannot be disabled without breaking site functionality.
  • Functional. Remember your preferences and choices, such as referral code, display preferences, and similar. Disabling these may degrade your experience.
  • Analytics. Help us measure aggregate use of the Services and improve performance. We use Vercel Analytics and/or similar privacy-respecting analytics that do not build cross-site behavioral profiles. Analytics cookies may include first-party identifiers used to deduplicate visits.

We do not use third-party advertising cookies on the Services. We do not currently set any non-essential cookies. Vercel Analytics and Vercel Speed Insights, which we use to measure aggregate performance and usage, are cookieless by design and rely on first-party signals only. The only cookies we set today are strictly-necessary cookies for authentication and security (managed by Supabase Auth). Because we do not currently set non-essential cookies, no cookie consent banner is required and none is presented. If we add non-essential cookies in the future, we will update this Policy and, where required by law (such as for EEA/UK users), present a consent mechanism before any non-essential cookie is set. You can also configure your browser to refuse cookies; doing so for strictly-necessary cookies will prevent the Services from functioning. We do not respond to browser “Do Not Track” signals because there is no industry-standard definition of how to do so.

9. Automated Decision-Making and AI Features

Some features of the Services rely on automated processing of your data, including (a) computation of derived analytics (concentration, beta, regime fit, exposure); (b) ranking of sectors and tokens by narrative momentum; and (c) generation of AI Output (textual briefs, summaries, and commentary) by large-language-model sub-processor Anthropic. We provide this disclosure for transparency under Article 22 of the GDPR, equivalent provisions of UK GDPR, and California’s regulations on Automated Decision-Making Technology (“ADMT”) under the CCPA.

Significance. These automated processes do not produce legal or similarly significant effects concerning you within the meaning of GDPR Article 22(1) or the CCPA ADMT regulations. The Services do not use ADMT to make “significant decisions” about you regarding financial or lending services, housing, education, employment, or health care. The Services produce only informational outputs and analytical commentary; you retain full control over any decisions you make based on these outputs, and you should make those decisions in consultation with appropriately qualified, licensed advisors.

How it works. Inputs to the automated processes include your portfolio entries (when you have submitted them), aggregated market data, and published market signals. Outputs include numerical analytics and natural-language summaries. AI Output is generated probabilistically and may contain factual errors, omissions, hallucinations, or out-of-date information. AI Output is not reviewed by a human before delivery.

Your rights. You have the right to obtain meaningful information about the logic involved and to request human review of any automated output that affects you. To exercise these rights, contact us at privacy@cryptoarrow.ai.

10. Sanctions Screening

Consistent with applicable US sanctions laws administered by the Office of Foreign Assets Control (“OFAC”) and with the eligibility requirements set out in our Terms of Service, we may screen the information you provide (such as your email address and limited country/IP metadata) against publicly available sanctions and prohibited-party lists, including the OFAC Specially Designated Nationals and Blocked Persons List. If a screening result indicates that you may be a prohibited party, we may suspend your account, decline to process payment, and take any other action required by law.

11. Security

We implement reasonable administrative, technical, and physical safeguards designed to protect your information from unauthorized access, alteration, disclosure, or destruction. These include, without limitation:

  • encryption in transit using TLS 1.2 or higher;
  • encryption at rest for databases and backups via our infrastructure provider;
  • password hashing using industry-standard algorithms (Supabase Auth);
  • row-level security and least-privilege access controls within the database;
  • audit logging for administrative actions;
  • secret-management and rotation for service credentials;
  • vulnerability monitoring and timely application of security patches; and
  • secure software-development practices, including code review and dependency scanning.

No method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security. You are responsible for keeping your account credentials confidential and for any activity under your account. If you believe your account has been compromised, contact us at privacy@cryptoarrow.ai immediately. We will notify you of a security breach affecting your personal information to the extent and within the timeframes required by applicable law.

12. Children’s Privacy

The Services are not directed to children under the age of 18, and we do not knowingly collect personal information from children under 18. If you are under 18, you may not use the Services and may not provide any personal information. If we learn that we have collected personal information from a child under 18, we will promptly delete that information and terminate the associated account. Parents or guardians who believe their child has provided personal information to us should contact us at privacy@cryptoarrow.ai.

13. Your Rights and Choices. United States

13.1 Universal rights (all US users)

You may, at any time, request to access, update, correct, or delete your personal information; request a copy of the information you have provided to us in a portable format; opt out of marketing communications; and close your account. To submit a request, email privacy@cryptoarrow.ai or use the in-product account-deletion mechanism if available. We will verify your identity (typically by confirming the request comes from the email associated with your account) before fulfilling a request. We will respond within 30 days, subject to applicable law-specific extensions.

13.2 California (CCPA / CPRA)

If you are a California resident, the CCPA provides you with the following rights, subject to certain exceptions:

  • the right to know what categories of personal information we collect, the sources of that information, the purposes for which we use it, and the categories of third parties with which we disclose it;
  • the right to access the specific pieces of personal information we have collected about you in the preceding 12 months (or longer where applicable);
  • the right to delete personal information we have collected from you, subject to legal-retention exceptions;
  • the right to correct inaccurate personal information;
  • the right to opt out of the sale of personal information and the sharing of personal information for cross-context behavioral advertising. We do not sell or share for these purposes;
  • the right to limit the use and disclosure of sensitive personal information. We do not use or disclose sensitive personal information for purposes that would trigger this right;
  • the right to non-discrimination for exercising any of the rights above;
  • the right to designate an authorized agent to make a request on your behalf, subject to verification.

To submit a CCPA request, email privacy@cryptoarrow.ai with the subject line “California Privacy Request” and indicate the right(s) you wish to exercise.

13.3 Other US states with comprehensive privacy laws

As of the effective date of this Policy, residents of the following US states have comprehensive privacy rights that include, in varying combinations, the rights to access, correct, delete, port, and opt out of certain processing: California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia. We honor verified requests from residents of any of these states without regard to whether we are formally subject to the relevant statute. Some states permit you to appeal a denial of your request; if your request is denied, we will provide instructions for appeal in our response.

13.4 Sensitive personal information

We do not knowingly collect sensitive personal information as defined by applicable US state privacy laws (such as Social Security number, driver’s license, financial-account credentials, precise geolocation, racial or ethnic origin, religious beliefs, sexual orientation, genetic data, or biometric data). Email address, even when used to authenticate, is treated by us with confidentiality but does not meet the definition of sensitive personal information under most state laws.

14. Your Rights and Choices. EEA, UK, and Switzerland

If you are in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the GDPR, UK GDPR, and equivalent local law:

  • the right of access (Article 15);
  • the right to rectification (Article 16);
  • the right to erasure (“right to be forgotten,” Article 17), subject to specified exceptions;
  • the right to restriction of processing (Article 18);
  • the right to data portability (Article 20);
  • the right to object to processing based on legitimate interests, including direct marketing (Article 21);
  • the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Article 22). See Section 9;
  • where processing is based on consent, the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal;
  • the right to lodge a complaint with your local supervisory authority, such as the Information Commissioner’s Office (UK), the Commission Nationale de l’Informatique et des Libertés (France), the Federal Commissioner for Data Protection and Freedom of Information (Germany), or the relevant authority in your country of residence.

We act as the “controller” (and sometimes “joint controller” with our service providers) of personal data processed in connection with the Services. To exercise any right, contact us at privacy@cryptoarrow.ai.

15. Marketing Communications

With your consent where required by law, we may send you marketing communications about new features, content, and offers. You can unsubscribe at any time by clicking the “unsubscribe” link at the bottom of any marketing email or by emailing privacy@cryptoarrow.ai. We will continue to send transactional communications necessary to operate your account (such as account-security notices, billing receipts, magic-link emails on drop day, and notices regarding material changes to these terms) regardless of your marketing preferences.

16. Third-Party Links and Services

The Services may contain links to third-party websites, products, or services that we do not own or control. This Policy does not apply to those third parties. We encourage you to read the privacy policies of every third party you interact with.

17. Do Not Sell or Share My Personal Information

We do not sell or share personal information within the meaning of the CCPA, VCDPA, CPA, CTDPA, UCPA, TDPSA, DPDPA, or other comprehensive US state privacy laws. Because we do not engage in such sales or sharing, we do not have a separate “Do Not Sell or Share My Personal Information” link; the default position is that we do not sell or share. If our practices change, we will update this Policy and provide a means for you to opt out.

18. Information Practices Specific to Cryptocurrency Data

Cryptocurrency and blockchain data presents unique privacy considerations. You should be aware of the following:

  • On-chain data is public. Information on public blockchains (such as wallet addresses, transactions, balances, and metadata) is publicly viewable and outside our control. We do not aggregate on-chain data with your account in a manner that links your wallet address(es) to your identity unless you voluntarily provide that linkage.
  • Aggregation risk. Combining portfolio holdings information with public on-chain data can in some cases create privacy or security risks. You are responsible for assessing whether providing portfolio information to the Services is appropriate for your circumstances.
  • No transaction execution. The Services do not custody assets or execute transactions. We do not have the technical capability to move your cryptocurrency.

19. Changes to This Policy

We may update this Policy from time to time. If we make material changes, we will notify you by email to the address associated with your account or by posting a prominent notice on the Services at least 14 days prior to the new Policy taking effect (or such shorter period as permitted by law or required for legal or security reasons). The “Last revised” date at the top of this Policy indicates when it was most recently updated. Your continued use of the Services after the new Policy takes effect constitutes your acceptance of the new Policy.

20. Contact Us

If you have questions, concerns, or complaints about this Policy or our information practices, or if you would like to exercise any of the rights described above, you can contact us as follows:

  • Privacy email: privacy@cryptoarrow.ai
  • Legal email: legal@cryptoarrow.ai
  • Mailing address: 2 Lenox Rd, Summit, NJ 07901, United States

We will respond to verifiable consumer requests within the timeframes required by applicable law. If we are unable to fulfill a request, we will explain the reason and inform you of any appeal rights.

© 2026 CryptoArrow