This Privacy Policy explains how Vortical ("Vortical", "we", "our", or "us") handles information in connection with your use of the Vortical desktop application and the vortical.io website. Vortical is incorporated in the Republic of Ireland.

1. What Data We Collect

A. Licence Relay Server

When you activate or use Vortical, our licence relay server records the following and nothing more:

Licence key — the alphanumeric key you purchased
Machine identifier — a one-way fingerprint derived from your hardware; used only to bind the licence to your device
Usage timestamps — the date and time of licence verification events

We do not collect wallet addresses, private keys, seed phrases, token names, transaction hashes, SOL balances, or any financial data. This data never leaves your machine.

B. Desktop Application (Local)

All of the following data is stored only on your local machine inside %APPDATA%\vortical\ on Windows or ~/Library/Application Support/vortical/ on macOS:

Wallet keypair files (encrypted with AES-256-GCM; your master password never leaves your device)
Bot configuration (RPC URL, buy amounts, phase settings)
Application logs and crash reports

Vortical does not upload, sync, or transmit any of this data to our servers.

C. Website (vortical.io)

The vortical.io website is hosted on Vercel. Vercel may automatically log standard server request data (IP address, browser type, referring URL) in accordance with their own Privacy Policy. We do not use advertising cookies, tracking pixels, or third-party analytics on this website.

2. How We Use the Data We Hold

The limited data held on our relay server is used solely to:

Verify that your licence key is valid and active
Enforce the per-device binding of your licence
Detect abuse such as licence key sharing or automated brute-force attacks

We do not use this data for marketing, profiling, advertising, or sale to third parties.

3. Third-Party Services You Connect To

When you use Vortical, your transactions are broadcast to the Solana network through the RPC endpoint you provide. We have no control over, and no visibility into, what your chosen RPC provider logs. The following third-party services may receive data as a result of your activity:

Your Solana RPC provider (e.g. Alchemy, Helius) — receives transaction data you submit
Pump.fun — receives on-chain token interactions; all activity is publicly visible on the Solana blockchain
Arweave — receives token metadata you upload (name, symbol, image, description); this data is permanently public

Please review the privacy policies of each third-party service you choose to connect to.

4. Data Sharing and Disclosure

We do not sell, rent, or share your data with third parties except in the following limited circumstances:

Legal obligation: If we are required to disclose data by applicable law, court order, or regulatory authority
Security: To investigate suspected fraud, licence abuse, or attacks on our relay infrastructure
Business transfer: In the event of a merger, acquisition, or sale of assets, users will be notified and data handling will be governed by the same terms

5. Data Retention

Licence relay server logs are retained for a maximum of 24 months from the date of last licence use, after which they are deleted. You may request earlier deletion — see Section 7.

Local application data on your machine persists until you uninstall the application or manually delete the data directory. Uninstalling Vortical does not delete your wallet files; you must delete them manually if you wish to remove them.

6. Security

Wallet keypairs stored by Vortical on your device are encrypted with AES-256-GCM using a key derived from your master password via scrypt with a unique per-installation random salt. Your master password is never transmitted to our servers. The encryption implementation is published at github.com/vorticalengine/vortical-releases for independent audit.

Our relay server uses TLS in transit. Access is restricted to authorised personnel only. In the event of a confirmed security incident affecting relay server data, we will notify affected users via our website and Twitter/X account within 72 hours of discovery.

7. Your Rights (GDPR / EEA)

As Vortical is incorporated in the Republic of Ireland, EU/EEA data protection law (GDPR) applies. If you are located in the EEA or UK, you have the right to:

Access — request a copy of the personal data we hold about you (licence key and machine identifier)
Rectification — request correction of inaccurate data
Erasure — request deletion of your data from our relay server
Restriction — request that we restrict processing of your data in certain circumstances
Portability — receive your data in a structured, machine-readable format
Object — object to processing based on legitimate interests
Lodge a complaint — with the Data Protection Commission of Ireland (dataprotection.ie)

To exercise any of these rights, email us at legal@vortical.io with the subject line "Data Rights Request". We will respond within 30 days.

8. Children's Privacy

Vortical is not intended for use by persons under 18 years of age. We do not knowingly collect any personal data from children under 18. If you believe a child has provided data to us, contact us immediately and we will delete it.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with a revised "Last Updated" date. Where changes are material, we will announce them via our website and Twitter/X account ( @vorticalengine). Your continued use of Vortical after the effective date constitutes acceptance of the updated policy.

10. Contact

For privacy-related questions, data rights requests, or security disclosures:

Email: legal@vortical.io
Subject: Privacy Policy Inquiry