Privacy Policy

1. Introduction

Buji Development Corporation, a Wyoming corporation ("Company," "we," "us," or "our"), operates the Agent Midas platform, available at www.agentmidas.xyz and through associated applications and services (collectively, the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you access or use the Service.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with this Privacy Policy, you must discontinue use of the Service immediately.

Our principal office is located at 1712 Pioneer Ave. Ste. 500, Cheyenne, WY 82001. For privacy-related inquiries, you may contact us at [email protected] or by telephone at (561) 571-2646.

2. Information We Collect

2.1 Information You Provide Directly

We collect information that you voluntarily provide when you register for an account, subscribe to a plan, or otherwise interact with the Service:

• Account Information: Name, email address, username, and password when you create an account.
• Payment Information: Billing address, payment card details, and transaction history. Payment card information is processed directly by our payment processor (Stripe) and is not stored on our servers.
• Profile Information: Any additional information you choose to add to your profile, such as a display name, avatar, or biographical details.
• Communications: Messages, feedback, support requests, and other correspondence you send to us.
• API Keys and Credentials: Third-party API keys or exchange credentials you provide to enable integrations. These are encrypted at rest using AES-256 encryption and are never accessible to our staff in plaintext.
• Trading Preferences: Strategy configurations, risk parameters, asset selections, and other settings you configure within the Service.

2.2 Information Collected Automatically

When you access or use the Service, we automatically collect certain technical information:

• Device Information: Hardware model, operating system and version, unique device identifiers, browser type and version, and screen resolution.
• Log Data: IP address, access times, pages viewed, links clicked, the page visited before navigating to the Service, and other system activity.
• Usage Data: Features used, actions taken within the Service, session duration, frequency of use, and performance metrics.
• Location Data: Approximate geographic location derived from your IP address. We do not collect precise GPS-based location data.
• Cookies and Similar Technologies: We use cookies, web beacons, pixels, and similar technologies to collect information about your interactions with the Service. See Section 11 for details.

2.3 Information from Third Parties

We may receive information about you from third-party sources, which we may combine with other information we collect:

• Authentication Providers: If you sign in using a third-party service (such as Google or GitHub), we receive your name, email address, and profile picture from that provider.
• Payment Processors: Our payment processor provides us with transaction confirmations, subscription status, and limited billing details necessary to maintain your account.
• Analytics Providers: We receive aggregated and anonymized analytics data from third-party services to help us understand usage patterns.
• Affiliate and Referral Sources: If you were referred by an affiliate, we may receive a referral identifier and associated attribution data.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Delivery and Operations

• To create, maintain, and secure your account.
• To process transactions, manage subscriptions, and send billing-related communications.
• To execute AI agent tasks, trading strategies, and other operations you configure within the Service.
• To provide customer support and respond to your inquiries.
• To authenticate your identity and prevent unauthorized access.

3.2 Service Improvement and Development

• To analyze usage patterns and trends to improve the functionality, reliability, and performance of the Service.
• To develop new features, products, and services.
• To conduct internal research and analytics.
• To test and troubleshoot new products and features before deployment.

3.3 Communications

• To send transactional messages, including account confirmations, billing receipts, technical notices, security alerts, and support responses.
• To send promotional communications about new features, products, or services, subject to your opt-out preferences.

3.4 Safety and Compliance

• To detect, investigate, and prevent fraud, abuse, and other harmful activities.
• To comply with applicable laws, regulations, legal processes, and governmental requests.
• To enforce our Terms of Service and other agreements.

3.5 No AI Training on User Data

We do not use your personal data, trading configurations, API keys, or strategy outputs to train, fine-tune, or otherwise improve our artificial intelligence or machine learning models. Your data is used solely to deliver the Service to you and is never commingled with other users' data for model training purposes. Aggregated, fully anonymized usage statistics may be used to improve system performance, but such data cannot be linked back to any individual user.

4. Data Isolation Architecture

Agent Midas employs a multi-layered data isolation architecture designed to ensure that each user's data remains logically and, where applicable, physically separated from all other users' data:

4.1 Data-Level Isolation

Each user's data is protected by row-level security policies enforced at the database layer. These policies provide data-level isolation, meaning that one user's queries cannot access the records, files, or configurations of another user. All API requests are authenticated and authorized before any data access occurs.

4.2 Encryption Standards

All sensitive data, including API keys, exchange credentials, and authentication tokens, is encrypted at rest using AES-256 (Advanced Encryption Standard with 256-bit keys). Data in transit is protected using TLS 1.2 or higher. Encryption keys are managed through a dedicated key management service and are rotated on a regular schedule.

4.3 Row-Level Security

Our database layer enforces row-level security (RLS) policies that ensure every database query is scoped to the authenticated user. Even in the event of an application-level vulnerability, row-level security provides a database-enforced boundary that prevents cross-user data access. These policies are applied at the database engine level and cannot be bypassed by application code.

4.4 Network Segmentation

Internal services communicate over private networks with strict firewall rules. Public-facing endpoints are protected by a web application firewall (WAF) and rate limiting. Database servers are not directly accessible from the public internet.

5. How We Share Your Information

We do not sell your personal information. We may share your information in the following limited circumstances:

5.1 Service Providers

We engage trusted third-party service providers to perform functions on our behalf, such as payment processing, cloud hosting, analytics, email delivery, and customer support. These providers are contractually obligated to use your information only as necessary to provide services to us and are bound by confidentiality obligations. Our current sub-processors include:

• Stripe: Payment processing and subscription management.
• Vercel: Application hosting and content delivery.
• Supabase: Database hosting and authentication services.
• Anthropic: AI model inference (no user data is used for model training).
• Resend: Transactional email delivery.

5.2 Legal Requirements

We may disclose your information if we believe in good faith that such disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or governmental request; (b) enforce our Terms of Service or other agreements; (c) protect the rights, property, or safety of Buji Development Corporation, our users, or the public; or (d) detect, prevent, or address fraud, security, or technical issues.

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or other similar event, your personal information may be transferred as part of the transaction. We will notify you via email or prominent notice on the Service before your information is transferred and becomes subject to a different privacy policy.

5.4 With Your Consent

We may share your information with third parties when you have given us your explicit consent to do so, such as when you authorize a third-party integration or choose to participate in a co-branded promotion.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with the Service. Our specific retention practices are as follows:

• Active Account Data: Retained for the duration of your active subscription. This includes your profile information, trading configurations, and transaction history.
• Post-Cancellation: Upon account cancellation, we retain your personal data for ninety (90) days to facilitate account reactivation if you change your mind. After this period, your data is scheduled for deletion.
• Backup Retention: Encrypted backups containing your data may persist for up to one (1) year after account deletion for disaster recovery purposes. These backups are encrypted, access-restricted, and automatically purged at the end of the retention period.
• Legal Obligations: We may retain certain information for longer periods as required by law, such as financial transaction records required for tax compliance or records necessary to resolve disputes.
• Anonymized Data: Aggregated, anonymized data that cannot be used to identify you may be retained indefinitely for analytics and service improvement purposes.

You may request immediate deletion of your data at any time by contacting us at [email protected]. Upon receiving a verified deletion request, we will delete your personal data within thirty (30) days, except where retention is required by law.

7. Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal information:

• Right of Access: You may request a copy of the personal information we hold about you. We will provide this information in a commonly used, machine-readable format within thirty (30) days of a verified request.
• Right to Correction: You may request that we correct any inaccurate or incomplete personal information. You can update most account information directly through your account settings.
• Right to Deletion: You may request that we delete your personal information. We will comply with verified deletion requests within thirty (30) days, subject to any legal retention obligations.
• Right to Opt Out: You may opt out of promotional communications at any time by clicking the "unsubscribe" link in any marketing email or by contacting us directly. Note that you cannot opt out of transactional communications related to your account.
• Right to Data Portability: You may request a copy of your data in a structured, commonly used, and machine-readable format for transfer to another service.
• Right to Restrict Processing: You may request that we limit the processing of your personal information under certain circumstances, such as while we verify the accuracy of your data.
• Right to Object: You may object to the processing of your personal information where we rely on legitimate interests as the legal basis for processing.

To exercise any of these rights, please contact us at [email protected]. We will respond to all verified requests within thirty (30) days. We will not discriminate against you for exercising any of your privacy rights.

8. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA):

• Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which the information was collected, the business purpose for collecting the information, and the categories of third parties with whom we share the information.
• Right to Delete: You have the right to request the deletion of personal information we have collected from you, subject to certain exceptions.
• Right to Correct: You have the right to request that we correct inaccurate personal information.
• Right to Opt Out of Sale or Sharing: We do not sell your personal information, and we do not share your personal information for cross-context behavioral advertising purposes. Therefore, there is no need to opt out of such activities.
• Right to Limit Use of Sensitive Personal Information: To the extent we collect sensitive personal information (such as account credentials), we use it only as necessary to provide the Service and not for any secondary purposes.
• Non-Discrimination: We will not deny you the Service, charge you different prices, provide a different quality of service, or retaliate against you for exercising your CCPA/CPRA rights.

Categories of Personal Information Collected

In the preceding twelve (12) months, we have collected the following categories of personal information as defined by the CCPA:

• Identifiers (name, email address, IP address, account username).
• Commercial information (subscription tier, transaction history, payment records).
• Internet or electronic network activity (browsing history, usage data, log data).
• Geolocation data (approximate location derived from IP address).
• Professional information (trading preferences, strategy configurations).

To submit a CCPA/CPRA request, please contact us at [email protected] or call (561) 571-2646. You may also designate an authorized agent to submit a request on your behalf. We will verify your identity before fulfilling any request.

9. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) and applicable local legislation:

9.1 Legal Bases for Processing

We process your personal data on the following legal bases:

• Contract Performance: Processing necessary to perform our contract with you (e.g., delivering the Service under your subscription).
• Legitimate Interests: Processing necessary for our legitimate interests, such as improving the Service, preventing fraud, and ensuring security, provided these interests are not overridden by your rights.
• Consent: Processing based on your explicit consent, such as for marketing communications. You may withdraw consent at any time.
• Legal Obligation: Processing necessary to comply with legal obligations to which we are subject.

9.2 Your GDPR Rights

In addition to the rights listed in Section 7, you have the following GDPR-specific rights:

• Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
• Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority if you believe our processing of your personal data violates the GDPR.

9.3 Data Controller

Buji Development Corporation acts as the data controller for personal data collected through the Service. For GDPR-related inquiries, please contact us at [email protected].

10. AI-Specific Privacy Provisions

Agent Midas utilizes artificial intelligence and machine learning technologies to deliver its services. The following provisions address privacy considerations specific to AI functionality:

10.1 Transparency

When you interact with AI-powered features of the Service, we will clearly identify that the output is generated or assisted by AI. We use third-party AI model providers (including Anthropic) to process your instructions and generate responses. Your inputs (prompts, instructions, and configurations) are transmitted to these providers solely for the purpose of generating a response and are not retained by the provider for training purposes under our contractual agreements.

10.2 Output Data

AI-generated outputs, including trading signals, market analyses, portfolio recommendations, and other content produced by the Service, are associated with your account and treated as your confidential data. We do not share AI outputs generated for one user with any other user. AI outputs are retained according to the data retention schedule described in Section 6.

10.3 Algorithmic Decision-Making

The Service may use automated processing to generate trading signals, risk assessments, and market analyses. These automated processes do not make binding decisions about you as an individual. All trading actions taken through the Service are initiated based on configurations you have set and are subject to your review and control. You have the right to:

• Request an explanation of how AI-generated recommendations are produced.
• Modify, override, or disable any automated trading behavior at any time.
• Request human review of any decision that significantly affects you, where required by applicable law (such as Article 22 of the GDPR).

10.4 AI Model Training Prohibition

To reiterate: we do not use your personal data, trading data, prompts, outputs, or any other user-specific information to train, fine-tune, or improve any AI or machine learning model. This prohibition extends to our third-party AI providers, with whom we maintain contractual provisions ensuring the same.

11. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and store information when you use the Service. The types of cookies we use include:

• Strictly Necessary Cookies: Essential for the operation of the Service, including authentication, session management, and security. These cookies cannot be disabled.
• Functional Cookies: Enable enhanced functionality and personalization, such as remembering your preferences and settings.
• Analytics Cookies: Help us understand how visitors interact with the Service by collecting and reporting usage data in aggregate. We use Vercel Analytics for this purpose.
• Performance Cookies: Monitor the performance of the Service and help us identify and resolve issues.

We do not use advertising or targeting cookies. We do not engage in cross-site tracking for advertising purposes.

You can manage your cookie preferences through your browser settings. Most browsers allow you to refuse cookies or alert you when a cookie is being set. Please note that disabling strictly necessary cookies may prevent you from using certain features of the Service.

We honor Do Not Track (DNT) signals sent by your browser. When we detect a DNT signal, we disable all non-essential cookies and tracking for your session.

12. Children's Privacy

The Service is not directed to individuals under the age of eighteen (18). We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take immediate steps to delete that information. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at [email protected] so that we can take appropriate action.

13. International Data Transfers

Buji Development Corporation is based in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States and potentially other countries where our service providers operate. These countries may have data protection laws that differ from those of your jurisdiction.

For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on the following transfer mechanisms to ensure adequate protection:

• Standard Contractual Clauses (SCCs): We enter into European Commission-approved Standard Contractual Clauses with our service providers to ensure that your personal data is protected during cross-border transfers.
• Data Processing Agreements: All sub-processors that handle personal data of EEA, UK, or Swiss residents are bound by data processing agreements that include appropriate safeguards consistent with GDPR requirements.
• Supplementary Measures: Where necessary, we implement supplementary technical and organizational measures, including encryption and access controls, to provide an equivalent level of data protection.

For more information about our data transfer practices or to request a copy of the applicable Standard Contractual Clauses, please contact us at [email protected].

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page.
• Provide notice through the Service, such as a banner or notification, at least thirty (30) days before the changes take effect.
• Send an email notification to the address associated with your account for material changes.

Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the updated terms. If you do not agree to the revised Privacy Policy, you must stop using the Service and may request deletion of your account and data.

We encourage you to review this Privacy Policy periodically to stay informed about how we collect, use, and protect your information.

15. Third-Party Financial Services — Plaid

Agent Midas provides account linking and financial data connectivity services through Plaid Inc. (“Plaid”). By using Agent Midas features that connect to your bank account or financial institution, you acknowledge and agree that the terms of Plaid's Privacy Policy will govern Plaid's use of such information.

When you connect a financial account through Agent Midas:

• You expressly grant Plaid the right, power, and authority to access and transmit your information as reasonably necessary for Plaid to provide its services to you.
• Plaid may collect and process certain personal information including your name, email address, phone number, account balances, transaction history, and account and routing numbers in accordance with Plaid's Privacy Policy.
• Agent Midas does not see, access, or store your bank login credentials. Your credentials are entered directly in Plaid's secure interface and are never transmitted to or stored by Agent Midas.
• You may revoke Plaid's access to your financial accounts at any time through Agent Midas Settings or through Plaid Portal.
• Upon revocation or account deletion, all Plaid access tokens and financial data retrieved through Plaid are permanently deleted from Agent Midas within 24 hours.

Please note that Plaid is an independent third party. Agent Midas has no control over Plaid's use of your information beyond what is described in Plaid's Privacy Policy. If you do not agree to Plaid's use of your information, do not use the financial account connection features of Agent Midas.

For more information about how Plaid handles your data, security practices, and your rights, visit:

• Plaid Privacy Policy
• Plaid Portal (manage connections)
• Plaid Security

Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: