Privacy Policy
This policy explains what personal data we process when you use this website, why, on what legal basis, and the rights you have under the GDPR.
Last updated: 23 June 2026
The Sally agent is self-hosted and non-custodial. Your wallets, private keys, master password, and trading data live only in your own local keystore / database — they are never transmitted to us. This policy therefore concerns mainly this marketing website.
Controller & contact
The party responsible for processing personal data on this website (the “controller”) can currently be reached at support@sally.tools or on Telegram ↗. Sally is in a pre-release phase; the controller's full legal identity and postal address (and a data- protection contact, if required) will be published before public launch — see the contact note on the Legal page.
Scope — self-hosted agent vs. this website
The Sally trading agent and SDKs run on infrastructure you control. Any data they handle (keys, wallets, balances, strategies, LLM prompts) stays on your machine and is not sent to us; we are not the controller for that processing. This policy covers the data processed when you visit and interact with this website (sally.tools).
What we process, why & on what legal basis
Server / hosting logs. When you load the site, our hosting provider may process technical data such as your IP address, browser/user-agent, referring page, and timestamps, to deliver the site and keep it secure and stable. Legal basis: our legitimate interest in operating and securing the site (Art. 6(1)(f) GDPR).
Wallet connection. If you choose to connect a wallet, your public wallet address and on-chain activity (which are public blockchain data) are read to display balances, positions, and stats. This happens through your wallet and public RPC endpoints. Legal basis: taking steps at your request and our legitimate interest in providing the requested feature (Art. 6(1)(b) and (f) GDPR).
Referral cookie. If you visit a referral link, we store a single first-party cookie (sally_ref, ~180 days) plus a matching localStorage entry, so the referrer can be credited on-chain. It holds only a referrer address — no profile, no cross-site tracking. Legal basis: our legitimate interest in operating the referral program (Art. 6(1)(f) GDPR), this being a functional cookie strictly related to a feature you invoked by following the link.
Entry gate & consent record. On your first visit a gate asks you to confirm you are 18+, may lawfully trade crypto where you live, and accept our terms and cookie use. Your confirmation — and your cookie choice — are stored in first-party cookies (sally_entry_gate, sally_cookie_consent) together with a version and a timestamp, so we can evidence the choice and re-ask only if the terms change. Legal basis: your consent and our legitimate interest in operating the service responsibly and meeting legal obligations (Art. 6(1)(a), (c), (f) GDPR).
No analytics or tracking today. The site currently runs no analytics, advertising, fingerprinting, or third-party tracking cookies of any kind. The only optional item is whether your own UI preferences are mirrored into a long-lived first-party cookie for cross-visit convenience — you control this via . Should we ever add analytics, it will load only after your explicit opt-in (Art. 6(1)(a) GDPR) and be listed here first.
Cookies & local storage
We use only what is needed to run the site plus, with your consent, analytics. Strictly necessary / functional items (such as the referral cookie and your consent choice) do not require consent; everything else is gated behind the banner. Manage your choices anytime via , or by clearing cookies in your browser.
Recipients & third parties
We do not sell your personal data. Data may be processed by our hosting/infrastructure provider (to serve the site) and by our own protocol stats endpoint (api.sally.tools), which your browser queries to show live volume/usage figures. When you read on-chain data or transact, the public RPC, wallet, and bridge providers you use can see your IP and wallet address as a normal part of serving a request.
On the swap, pools, dashboard and wallet screens, token and wallet logos are loaded directly from third-party image sources — currently DexScreener, TrustWallet and PancakeSwap asset CDNs, and GitHub avatar URLs — which means those providers receive your IP when an image loads. These requests only happen on those feature pages after you navigate to them; the landing page and global header load only self-hosted assets. Price and LLM-chat requests are proxied through our own server, so those providers never receive your IP directly.
Public blockchains are, by design, public and immutable: on-chain transactions are visible to anyone and cannot be deleted. We engage processors under appropriate agreements where required.
International transfers
Some providers may process data outside your country, including outside the EEA. Where that happens, we rely on appropriate safeguards under the GDPR (such as an adequacy decision or the EU Standard Contractual Clauses) where required. Details of specific providers will be listed here before public launch.
Retention
We keep personal data only as long as needed for the purpose it was collected or as required by law. Server logs are kept for a limited period for security and then deleted or anonymised; the referral cookie expires after about 180 days (or when you clear it); the entry-gate and consent cookies (with their version and timestamp) are kept up to ~12 months to evidence your choice and avoid re-asking. On-chain data is permanent and outside our control.
Your rights
Subject to the GDPR, you have the right to access your personal data and to rectification, erasure, restriction, and data portability; the right to object to processing based on legitimate interests; and the right to withdraw consent at any time (without affecting prior processing). To exercise any of these, contact support@sally.tools. You also have the right to lodge a complaint with a data-protection supervisory authority, in particular in the EU member state of your habitual residence, place of work, or the place of the alleged infringement.
Children
The Service is not directed to children. You must be at least 18 to use it (see the Terms of Use), and we do not knowingly process the personal data of minors.
Changes to this policy
We may update this policy as the Service and our processing evolve. The version posted here with the “last updated” date above is the one that applies; material changes take effect when posted.