Last updated: May 4, 2026
Summary: HyperPerps AI is designed with privacy in mind. We do not collect names, emails, phone numbers, or government IDs. Most data — including your API wallet key — stays in your browser. The server-side data we collect is your trading event log keyed to your wallet address, plus aggregated funnel analytics (Google Analytics 4) that include only anonymized event labels and a hashed wallet identifier.
This Privacy Policy describes how HyperPerps AI ("we," "us," "our," or "the Operator") collects, uses, stores, and protects information when you use the HyperPerps AI trading application and marketing site (the "Service"). This policy applies to all users of the Service, including the landing site at hyperperps.app and the trading app at trade.hyperperps.app.
By using the Service, you agree to the collection and use of information as described in this policy. This Privacy Policy is incorporated into and subject to our Terms of Service.
The following data is stored exclusively in your web browser and is never transmitted to our servers unless explicitly noted:
| Data | Storage | Purpose |
|---|---|---|
| Wallet address | localStorage | Identify your session and connect to Hyperliquid |
| API wallet (agent) key | IndexedDB | Execute trades on your behalf via Hyperliquid |
| Strategy preferences | IndexedDB | Customize AI behavior and risk parameters |
| Bot configuration | localStorage | Persist UI settings and preferences |
| BYOK API keys | localStorage | Authenticate with your chosen AI provider |
You can delete all locally stored data by clearing your browser's site data for the HyperPerps AI domains.
When the Service communicates with our backend, we collect the following:
| Data | Storage | Purpose |
|---|---|---|
| Trading event logs (evaluations, signals, order events) | Cloudflare D1 / Durable Object SQLite | Event timeline, AI performance improvement, leaderboard |
| Wallet address (as account identifier) | Cloudflare D1 | Associate events with your account, leaderboard |
| Referral associations | Cloudflare D1 | Track referral relationships for fee sharing |
| Gas-airdrop ledger (one row per recipient wallet) | Durable Object SQLite | Idempotency for the bridge gas-relayer; prevents double-funding the same wallet |
| Daily aggregate gas-airdrop counter | Cloudflare D1 | Defensive ceiling on relayer spend across all users per day |
| Request metadata (rate limiting) | Cloudflare KV (ephemeral) | Prevent abuse and enforce rate limits |
We use Google Analytics 4 (GA4) for funnel analysis — measuring how visitors move from the landing site through wallet connection, funding, bridging, and bot deployment. GA4 is delivered via Cloudflare's edge tag service (a server-side proxy that batches events). We tag specific user actions and emit them as events to the dataLayer; downstream tools (GA4, Cloudflare Zaraz) receive them.
The events we fire are listed below. Each event carries only the parameters listed — no other data is attached.
| Event | Parameters | Where it fires |
|---|---|---|
| section_view | section name (e.g. "hero", "pricing") | Landing site, on scroll |
| cta_click | cta_location, cta_label | Landing site CTAs |
| nav_click | target, link_location | Landing site nav anchors |
| faq_open | faq_question (verbatim text) | Landing site FAQ accordion |
| hl_referral_click | link_location | Hyperliquid affiliate links |
| social_click | platform, link_location | Twitter, Discord links |
| legal_click | doc, link_location | Terms / Privacy links |
| welcome_modal_shown | — | App, on first paint pre-connect |
| welcome_get_started_click | — | App, Privy login attempted |
| welcome_advanced_* | connector_name (for connect events) | App, external-wallet path |
| welcome_browse_click | — | App, dismiss without connecting |
| wallet_connected | provider, wallet_short ("0x1234…abcd") | App, after auth completes |
| onboarding_step | from, to (state-machine label) | App, on each onboarding transition |
| onboarding_funding_provider | provider ("coinbase" / "manual") | App, funding picker |
| onboarding_gas_airdrop | result label (e.g. "sent", "skipped") | App, after relayer call |
| onboarding_bridge_* | amount_usdc (rounded integer), error_class | App, bridge tx attempt |
| onboarding_complete | from (previous step label) | App, end of onboarding |
| bot_start_click | preset, has_custom_prompt, risk_pct, leverage | App, Start Bot button |
| bot_start_* | error_class (on failure only) | App, after start attempt |
What event parameters do NOT contain:
0x1234…abcd). The same wallet always produces the same stub, so cohort analysis works, but the stub alone cannot be reversed back to a full address.
UserRejectedRequestError). We strip free-form error text because it can contain transaction hashes, RPC endpoints, or other identifiers we don't want in analytics.
GA4 sets first-party cookies (_ga, _ga_<property_id>) on your browser to maintain a session identifier. These cookies persist for up to 2 years per Google's defaults. You can opt out — see Section 4.4.
The following data is processed in-memory during requests and is not stored or logged:
We explicitly do not collect, store, or process:
4.1. The Service uses the following cookies and storage mechanisms:
| Cookie / Storage | Purpose | Set by | Expiry |
|---|---|---|---|
| _ga, _ga_<id> | GA4 session + visitor identifier (analytics) | Google Analytics 4 (via Cloudflare edge tag) | 2 years |
| __cf_bm | Bot management (essential security) | Cloudflare | 30 minutes |
| localStorage / IndexedDB | Wallet address, agent key, strategy preferences (see Section 2.1) | HyperPerps AI | Until cleared |
| Privy authentication tokens | Maintain your authenticated session if you sign in with email/passkey | Privy | Per Privy session policy |
4.2. Analytics framing: We use Google Analytics 4 to understand how visitors move through the funnel — what CTAs convert, where users drop off in onboarding, which strategies get deployed. The events we fire are listed exhaustively in Section 2.3. We do not share GA4 data with advertisers or third parties beyond Google Analytics itself.
4.3. No advertising trackers: We do not embed Facebook Pixel, TikTok Pixel, LinkedIn Insight Tag, or any advertising network's tracker. We do not engage in retargeting.
4.4. Opt out of analytics: You can prevent GA4 from collecting your data by:
googletagmanager.com and google-analytics.com domains
Opting out does not affect your ability to use the Service. None of our trading or onboarding functionality depends on analytics events firing.
5.1. When the Service generates an AI evaluation, market data (OHLCV candles, technical indicators, order book data, funding rates, open interest) and your strategy configuration are included in the prompt sent to the AI model provider.
5.2. AI prompts do not contain personally identifiable information (PII). They contain only market data, indicator values, and your strategy configuration (risk tolerance, bias preference, custom strategy text if any). Your wallet address is not included in prompts.
5.3. Free tier: The default LLM is Kimi K2.6, accessed through Cloudflare Workers AI. Prompts are processed by Cloudflare's AI inference infrastructure.
5.4. BYOK tier: If you bring your own API key, prompts are forwarded to your chosen provider (Anthropic, OpenAI, OpenRouter, etc.) in real time. Your API key is processed transiently — see Section 2.4.
5.5. Privy authentication: If you sign in with email, passkey, Apple, or Google via Privy, Privy may collect identifiers (email address, OAuth profile data) as part of providing authentication. Privy's privacy practices are governed by Privy's Privacy Policy, which we encourage you to review. We do not receive your email or OAuth profile from Privy — we only receive the wallet address Privy provisions for you.
5.6. We recommend reviewing the privacy policies of the respective AI providers:
We use the data we collect for the following purposes:
We do not sell, rent, share, or transfer your data to third parties for advertising, marketing, or any purpose unrelated to the operation of the Service. The Google Analytics relationship is a data-processor relationship — Google processes events on our behalf, governed by Google's Data Processing Terms.
7.1. When the Service places a trade on Hyperliquid on your behalf, a 0.02% builder fee is routed to our builder address (0x79ce08822E57aa76EfBc2E3Ae813C055A9D1bdC1) by Hyperliquid's protocol. This is on-chain activity — your wallet address and trade size are publicly visible on the Hyperliquid blockchain by design. We do not control on-chain disclosure.
7.2. Hyperliquid maker/taker fees apply on top of the builder fee, the same as if you were trading manually. These are paid to Hyperliquid, not to us.
8.1. The Service is hosted on Cloudflare's global network. Cloudflare provides CDN, DDoS protection, DNS, Workers runtime, Durable Objects (per-user state), and D1 (shared SQL).
8.2. Cloudflare may collect limited infrastructure-level data (e.g., IP addresses for security and performance purposes) as part of their standard service operation. This data is governed by Cloudflare's Privacy Policy, not ours.
8.3. Cloudflare's edge tag service is the proxy through which Google Analytics 4 events are routed. Events still go to Google's servers — Cloudflare's role is delivery and batching, not data processing of analytics events on our behalf.
9.1. Browser-stored data: Persists until you clear your browser's site data or uninstall the application. We have no control over or access to data stored solely in your browser.
9.2. Server-stored event logs: Trading event data is retained indefinitely for AI training and leaderboard purposes, unless you request deletion.
9.3. GA4 analytics events: Retained per the data retention setting on our GA4 property (default: 14 months). Aggregated reports may be retained longer.
9.4. Rate limiting data: Stored in Cloudflare KV with short TTLs (typically minutes to hours) and automatically expires.
9.5. Referral data: Retained as long as the referral relationship is active.
9.6. Gas-airdrop ledger: Retained indefinitely. The wallet column is the primary key and serves as a permanent idempotency record — if your wallet has received an airdrop, that fact is preserved to prevent double-funding.
10.1. All communications between your browser and our backend are encrypted via TLS (HTTPS).
10.2. Server-side data is stored in Cloudflare's infrastructure, which provides encryption at rest and in transit, along with enterprise-grade physical and network security.
10.3. Your API wallet (agent) key is stored only in your browser's IndexedDB. In hosted mode, it is encrypted with AES-256-GCM using HKDF-SHA256-derived keys with random per-blob salt and fresh IV, inside a Cloudflare Durable Object. The encryption key is a server-side secret that never leaves the Cloudflare runtime.
10.4. Despite our security measures, no system is perfectly secure. You are responsible for securing your own devices and browser environment.
You have the right to request a copy of the data we hold that is associated with your wallet address. Contact us to make an access request.
You have the right to request deletion of all server-stored data associated with your wallet address, including event logs, leaderboard entries, and referral associations. Browser-stored data can be deleted by you directly by clearing site data. GA4 analytics events can be deleted via Google's user-deletion request flow — see Google Analytics: Delete data.
If any data we hold about you is inaccurate, you have the right to request correction.
You have the right to request your data in a structured, machine-readable format (e.g., JSON).
You have the right to object to the processing of your data for AI training purposes or analytics. Upon objection, we will cease using your data for that purpose, though we may retain it for core Service functionality. To opt out of analytics, see Section 4.4.
To exercise any of the above rights, contact us through the channels listed on the HyperPerps AI website or repository. We will respond to requests within 30 days. We may verify your identity by requesting a signed message from your wallet address.
12.1. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following applies:
12.2. All rights described in Section 11 are available to EEA, UK, and Swiss users in accordance with the General Data Protection Regulation (GDPR) and equivalent local laws.
13.1. If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:
13.2. For purposes of the CCPA, your wallet address (and the privacy-safe stub used in analytics events) are the primary "personal information" we associate with your use of the Service.
The Service is not directed to individuals under the age of 18 (or the age of majority in their jurisdiction). We do not knowingly collect data from minors. If we become aware that a minor has used the Service, we will take steps to delete associated data.
The Service may contain links to or integrations with third-party services:
fundWallet).
We are not responsible for the privacy practices of third-party sites. We encourage you to review the privacy policies of any third-party services you interact with.
We may update this Privacy Policy from time to time. Changes will be reflected in the "last updated" date at the top of this page. Material changes (e.g. new third-party data processors, new analytics events) will be communicated through the Service interface. Your continued use of the Service after changes constitutes acceptance of the revised policy.
For privacy-related inquiries, data access requests, or deletion requests, please contact us through the channels listed on the HyperPerps AI website or repository. We will respond within 30 days.