Privacy Policy
1. Introduction
This Privacy Policy describes how Assistant Hub (“we,” “us,” or “our”) collects, uses, stores, and protects your personal information when you use Assistant Hub at rmassistanthub.io (“the Service”). By using the Service, you agree to this Policy.
2. Information We Collect
2.1 Information You Provide
- Account information: Username, email address, display name, and password (stored as a cryptographic hash — we never store plain-text passwords)
- Wallet address: Your EVM wallet address if you connect a wallet for sign-in or portfolio viewing
- Payment information: USDC transaction data on the Base blockchain (public blockchain — we do not store credit card or bank details)
- Chat messages: Messages you send through the AI chat interface
2.2 Information Collected Automatically
- Usage data: Pages visited, features used, message counts, and timestamps
- IP address: Used for rate limiting and abuse prevention
- Browser/device info: Browser type and operating system via standard server logs
- API keys you provide: Third-party API keys entered in Settings are stored encrypted in our database
- Request tracing: Each request is assigned a unique correlation ID for end-to-end tracing across services. These IDs contain no personal data and are used for debugging and performance monitoring
2.3 NIST SP 800-53 Audit Logs
We maintain security audit logs aligned with NIST SP 800-53 control AU-2. These immutable, append-only logs record:
- Authentication events: Login, logout, registration, and failed attempts (IP address and username only)
- Agent actions: Agent creation, deployment, permission changes, and trade executions
- Capability checks: When an AI agent requests permission to perform an action, the request and result are logged
- Administrative changes: Settings modifications, tier upgrades, and API key rotations
Audit logs are retained for operational and compliance purposes. They do not contain message content or financial account details.
2.4 Agent Capability Attestations (ACA)
If you deploy autonomous trading agents, a formal permissions record is stored for each agent. This includes which capabilities are granted (e.g., read market data, execute trades) and a timestamped audit trail of every permission change. This data is associated with your account and agent configuration only.
2.5 What We Do NOT Collect
- Your wallet private keys (we never have access)
- Credit card or bank account numbers
- Government-issued ID numbers
- Precise geolocation data
3. How We Use Your Information
- Provide the Service: Authenticate your account and deliver AI responses
- Enforce usage limits: Track daily message counts per tier
- Process payments: Verify USDC tier upgrade transactions
- Improve the Service: Analyze usage patterns to fix bugs and develop features
- Security: Detect and prevent abuse, rate-limit requests, protect accounts
- Communications: Send account-related notices (no marketing emails without consent)
4. How We Store Your Information
- Database: User data is stored in PostgreSQL hosted on Railway (United States)
- Passwords: Hashed using bcrypt — we cannot retrieve your plain-text password
- API keys: Stored in our database, transmitted over HTTPS only
- Chat messages: May be logged temporarily for debugging; not permanently retained beyond operational necessity
- Retention: Account data is retained while your account is active. You may request deletion at any time
5. Information Sharing
We do not sell, rent, or trade your personal information.
5.1 Third-Party AI Providers
Your chat message content is transmitted to AI providers to generate responses:
- Google Gemini — privacy policy
- xAI Grok — privacy policy
- Ollama (local) — messages never leave your machine
5.2 Infrastructure Providers
- Railway (hosting) — privacy policy
- Cloudflare (CDN/DNS) — privacy policy
5.3 Legal Requirements
We may disclose information if required by law, subpoena, or court order, or to protect the rights and safety of users or the public.
5.4 Business Transfer
In the event of a merger or acquisition, your information may be transferred with advance notice.
6. Cryptocurrency and Blockchain Data
Blockchain transactions are permanently public by nature — we cannot delete blockchain records. Your wallet address is stored in our database as described above. Portfolio data fetched through the Portfolio Oracle is read-only and is not permanently stored — it is fetched live from third-party APIs (DeBank, Etherscan) on demand.
7. Cookies and Tracking
- Local storage: Auth token and UI preferences stored in your browser
- No advertising trackers: We do not use Google Analytics, Facebook Pixel, or other ad trackers
- Session storage: Referral codes and UTM parameters stored temporarily
8. Your Rights
You may have the right to access, correct, delete, or receive a portable copy of your personal data. To exercise these rights, email us at [email protected].
GDPR (European Users)
If you are in the EEA, our legal bases for processing are: (a) contract performance and (b) legitimate interests (security and fraud prevention). You may lodge a complaint with your local data protection authority.
CCPA (California Users)
California residents have the right to know what personal information we collect, to delete it, and to opt out of its sale. We do not sell your personal information.
9. Children’s Privacy
The Service is not directed to children under 18. We do not knowingly collect data from children under 18. If we become aware of such collection, we will delete the data promptly.
10. Data Security
We implement security measures including:
- Encryption: HTTPS/TLS for all data in transit, bcrypt password hashing
- Authentication: JWT tokens with expiration and tier-based access controls
- Agent Security: Formal Agent Capability Attestations (ACA) with default-deny permissions, 3-layer enforcement gates, optional Bun Worker V8 isolation, and immutable audit trails
- Audit Logging: NIST SP 800-53 AU-2 aligned audit system with 25+ event types, append-only storage, and SHA-256 hash chain linking for tamper detection
- Observability: Distributed request tracing with W3C Trace Context, configurable sampling, OTLP export, and correlation IDs for incident response
- Content Guard: Supervised message bus that blocks PII, API keys, and exploit patterns before broadcast
- Behavioral Monitor: Rolling-window anomaly detection that auto-pauses agents exhibiting unusual behavior
- Rate Limiting: Per-tier request limits to prevent abuse
No method of internet transmission is 100% secure and we cannot guarantee absolute security. See our Security Architecture page for full details.
10.1 Security Controls & Disclosures (NIST / ACA / Tracing)
We align our logging and monitoring practices with NIST SP 800-92 (audit log management). All audit events use pseudonymized actor IDs and are retained for 90 days (standard) or up to 365 days (high-severity incidents).
Our Agent Capability Attestations (ACA) enforce strict isolation so that AI agents cannot access other users' data, keys, or wallets without explicit per-capability authorization.
Distributed tracing is used solely for operational debugging and security monitoring. Traces never contain raw user prompts, API keys, or personal information and are automatically deleted after 30 days.
11. International Data Transfers
The Service is operated from the United States. If you access it from outside the U.S., your information may be processed in the U.S., where data protection laws may differ.
12. Changes to This Policy
We may update this Policy at any time. The “Last Updated” date above reflects the most recent revision. Continued use constitutes acceptance.
13. Contact Us
For privacy questions or requests: [email protected]