Privacy Policy
Last Updated: March 29, 2026
This Privacy Policy ("Policy") describes how the operators of the Sumo platform ("Sumo," "we," "us," or "our") collect, use, store, protect, and share information when you access or use the Sumo platform, including the web application at app.sumo.trade, documentation at docs.sumo.trade, the Sumo API, and any associated Telegram bot integrations (collectively, the "Platform").
By using the Platform, you acknowledge that you have read and understood this Policy. If you do not agree with our data practices, you must stop using the Platform.
1. Information We Collect
1.1 Information You Provide
Email address. Collected at: Account registration. Purpose: Authentication, password recovery, notifications.
Password (hashed). Collected at: Account registration. Purpose: Authentication.
Organization name. Collected at: Organization setup. Purpose: Multi-tenant identification.
Project configuration. Collected at: Profile creation. Purpose: Token pair, DEX, chain, and strategy settings.
Telegram user ID. Collected at: Telegram bot linking. Purpose: Bot command authorization, notifications.
1.2 Information Generated Through Platform Use
Wallet addresses. Generated at: Wallet generation or import. Purpose: On-chain operations, balance tracking.
Encrypted seed phrases and private keys. Generated at: Wallet generation or import. Purpose: Transaction signing (encrypted at rest).
Trading strategy configurations. Generated at: Strategy creation. Purpose: Automated strategy execution.
Order and trade records. Generated at: Strategy execution. Purpose: Performance analytics, audit trail.
Transaction signatures. Generated at: On-chain execution. Purpose: Confirmation tracking, reporting.
Cashout and treasury records. Generated at: Treasury operations. Purpose: Fund movement tracking, audit trail.
Balance snapshots. Generated at: Periodic polling. Purpose: Dashboard display, analytics.
Audit logs. Generated at: All significant actions. Purpose: Security monitoring, compliance.
1.3 Information Collected Automatically
IP address. Collection method: Server access logs. Purpose: Rate limiting, abuse prevention.
Browser type and version. Collection method: HTTP headers. Purpose: Compatibility, debugging.
Device information. Collection method: HTTP headers. Purpose: Compatibility, debugging.
Access timestamps. Collection method: Server logs. Purpose: Security monitoring.
API request metadata. Collection method: Server logs. Purpose: Performance monitoring, debugging.
We do not use third-party advertising trackers or sell your data to advertisers.
2. How We Use Your Information
Platform Operation — Authenticating your identity, executing trading strategies, signing blockchain transactions, processing cashouts, delivering Telegram notifications, and displaying wallet balances and analytics.
Security and Integrity — Detecting and preventing unauthorized access, fraud, and abuse. Enforcing rate limits. Maintaining audit logs. Monitoring for anomalous activity.
Platform Improvement — Diagnosing technical issues, monitoring system performance, and improving user experience based on aggregated, non-identifying usage patterns.
Communication — Sending transactional notifications, responding to support inquiries, and notifying you of material changes to our Terms or Privacy Policy.
We do not use your trading data, strategy configurations, or wallet information for any purpose other than operating the Platform on your behalf.
3. Encryption and Security Measures
3.1 Wallet Key Encryption
Your seed phrases and private keys are protected with envelope encryption:
Data Encryption Key (DEK) — Each seed or private key is encrypted with its own unique AES-256-GCM key, providing 256-bit encryption strength with authenticated encryption and a unique nonce per operation.
Key Encryption Key (KEK) — Each DEK is itself encrypted with a master key stored in a hardware security module (HSM), HashiCorp Vault, AWS KMS, or Kubernetes-managed secrets, separate from the application database.
3.2 Signing Service Isolation
Transaction signing is handled by a dedicated, isolated Rust-based signing service that operates as a separate process with restricted network access, decrypts keys only in memory for signing, and immediately discards plaintext key material.
3.3 Multi-Tenant Data Isolation
Each organization's data is isolated at the database, API, encryption, and application layers. Cross-tenant access is structurally prevented.
3.4 Blockchain Data
Wallet addresses and transaction data are inherently public on blockchain networks. Sumo's privacy protections apply to off-chain data but cannot alter the public nature of on-chain data.
4. Third-Party Integrations
4.1 Blockchain Infrastructure
RPC providers, Jito block engines, and DEX protocols (Raydium, Jupiter, PumpFun, PumpSwap, Meteora, Uniswap, PancakeSwap, Aerodrome, and others) receive wallet addresses and transaction data necessary for executing trades.
4.2 Privacy Providers
Husher and SplitNOW receive source/destination wallet addresses and amounts when you use Privacy Cashout features. These providers operate their own privacy policies.
4.3 Communication Services
Telegram Bot API receives your Telegram user ID and message content for bot functionality. SMTP email providers receive your email address for account-related communications.
4.4 Data Sharing
We do not share your personal information with any third party for marketing or advertising purposes. Information may be disclosed only when required by law, to prevent fraud, with your consent, or in connection with a business transfer.
5. Data Retention
Account information. Retention period: Duration of account + 90 days.
Encrypted wallet keys. Retention period: Until wallet archived or account deleted.
Trading data. Retention period: Duration of account + 1 year.
Audit logs. Retention period: 2 years from creation.
Server access logs. Retention period: 90 days.
Telegram session data. Retention period: Until unlinked or account deleted.
Before deleting your account, you should export your seed phrases and withdraw all funds. Deleted keys cannot be recovered.
6. Your Rights
Depending on your jurisdiction, you may have the right to access, correct, delete, port, restrict, or object to processing of your personal data. To exercise these rights, contact us at privacy@sumo.trade. We will respond within 30 days.
7. Cookies and Tracking
Sumo uses minimal cookies strictly for Platform functionality: session tokens, theme preference, and sidebar state. We do not use third-party advertising cookies, cross-site tracking, fingerprinting, or social media tracking widgets.
8. No Sale of Personal Data
Sumo does not sell, rent, lease, or trade your personal information to any third party for any purpose.
9. Children's Privacy
The Platform is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from minors.
10. International Data Transfers
Your data may be transferred to and processed in jurisdictions other than your own. We implement appropriate safeguards including encryption and access controls to protect your data regardless of where it is processed.
11. Security Incident Response
In the event of a data breach, we will investigate promptly, notify affected users without undue delay, and report to relevant authorities where required by law.
12. Changes to This Policy
Material changes will be communicated through the Platform or via email at least 14 days before they take effect. Your continued use after changes constitutes acceptance.
13. Contact
For privacy inquiries: privacy@sumo.trade
For general inquiries: legal@sumo.trade