Privacy Policy

Last updated: 2026-05-06

1. Information We Collect

Account & authentication data: name, email address, profile picture (from Google OAuth) or email-only (via Resend magic-link). Telegram data when you link the bot or receive notifications: Telegram user ID, username (if public), and language code. On-chain data: public wallet addresses (Solana / Ethereum) that you voluntarily connect or paste into the wallet tracker. Payment metadata from Heleket, Telegram Stars, and CryptoBot: invoice/transaction IDs, plan code, amount, currency, and status — we never receive credit card numbers, private keys, or seed phrases. Usage data: pages visited, features used, browser type, IP address, device information, referral source, and tour completion. Anti-abuse signals from Cloudflare Turnstile (challenge tokens) and our rate limiter (request counts per IP/account).

2. How We Use Your Information

We use your information to: (a) provide and personalize the Service; (b) authenticate your identity and manage your account; (c) send important service notifications; (d) analyze usage patterns to improve the platform; (e) ensure security and prevent abuse. We do not sell your personal information to third parties.

3. Data Storage & Security

Your data is stored on secure servers with encryption at rest and in transit. We use industry-standard security measures including TLS 1.3, mTLS for API communication, and PostgreSQL with encrypted connections. Session data is managed via secure HTTP-only cookies with short expiration periods.

4. Third-Party Services

We integrate with the following third parties under their respective privacy policies: Google (OAuth login), Resend (transactional email — magic-link, expiry notifications, weekly digests), Telegram (login widget, bot notifications, support channel), Cloudflare (DNS, CDN, Turnstile anti-bot challenge), Heleket (crypto subscription payments), CryptoBot (TON in-bot payments), Telegram Stars (in-bot payments), Binance and other public exchange APIs (read-only market data), Solana RPC providers and public block explorers (read-only on-chain data), and OpenAI / Anthropic LLM APIs for the AI Coach feature (your prompts may be transmitted to the model provider for inference; we do not send your email, name, or wallet addresses with prompts unless you include them yourself). We share only the minimum data necessary for each integration to function and never sell personal data.

5. Cookies & Local Storage

We use essential cookies for NextAuth session management, CSRF protection, and Cloudflare anti-bot. We use localStorage to remember language preference, UI theme, dismissed banners, completed product-tour status, and cookie-consent acknowledgment. We use sessionStorage for short-lived form drafts. We do NOT use advertising, retargeting, or third-party analytics tracking cookies. Optional Google Analytics 4 (privacy-respecting, IP-anonymized) may be enabled to count anonymous visits; opting out is possible by declining cookies on first visit. You can clear cookies and local storage at any time through your browser settings; doing so will sign you out and reset preferences.

6. Your Rights

You have the right to: (a) access your personal data; (b) request correction of inaccurate data; (c) request deletion of your account and associated data; (d) export your data in a portable format; (e) withdraw consent for data processing. To exercise these rights, contact [email protected].

7. Data Retention

We retain your account data for as long as your account is active. Usage analytics are retained in anonymized form for up to 24 months. Upon account deletion, personal data is permanently removed within 30 days. Aggregated, non-identifiable data may be retained indefinitely for service improvement.

8. International Data Transfers

Our servers are located in Canada. If you access the Service from outside Canada, your data may be transferred to, stored, and processed internationally. By using the Service, you consent to the transfer of your data to Canada and other jurisdictions where we or our service providers operate. We apply appropriate safeguards to ensure your data remains protected in accordance with this Privacy Policy.

9. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have collected data from a person under 18, we will take steps to delete that information promptly. If you believe a minor has provided us with personal data, please contact us at [email protected].

10. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you via email or by posting a prominent notice on our website prior to the changes taking effect. We encourage you to review this page regularly. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

11. Contact & Data Controller

The data controller responsible for your personal information is Arxion Labs. If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, you may contact us at: Email: [email protected] | Telegram: @buddajustOm.

12. Payment Data Handling

Subscription payments are processed exclusively by external providers: Heleket (crypto), Telegram Stars, and CryptoBot (TON). We never receive or store credit card numbers, bank details, private keys, or seed phrases. From these providers we receive only: invoice ID, plan code, amount, currency, status (pending / paid / refunded / failed), and a transaction hash where applicable. This metadata is retained for accounting, anti-fraud, and tax-reporting purposes for up to 7 years as required by applicable law. If you connect a Solana wallet for the $ARX token presale or receive prizes from tournaments, only the public address is stored — we cannot sign, transfer, or freeze any assets in your wallet.

13. Security Incident Notification

In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users via email within 72 hours of becoming aware of the incident, in line with GDPR Article 33 standards. Notification will include the nature of the breach, categories and approximate volume of data affected, likely consequences, and the measures taken or proposed to address it. We maintain server-side error monitoring with alerts routed to our internal Telegram channel for rapid response.

Questions about your data?

[email protected]