SnowMindDocs
Launch App

Privacy Policy

Last updated: May 23, 2026 · Effective: May 23, 2026

This Privacy Policy explains what personal data SnowMind collects when you use snowmind.xyz, app.snowmind.xyz, docs.snowmind.xyz, and our backend APIs (the “Service”), why we collect it, who we share it with, and what rights you have. It is written to be readable first and complete second.

1. Who is responsible (controller)

The data controller for the Service is:

Reimburse AI Inc.
A Delaware corporation
1315 NE Campus Parkway #623
Seattle, WA 98105, United States
Email: contact@snowmind.xyz

If you are an EU/EEA or UK resident, you may also contact your local data-protection authority.

2. What we collect

SnowMind is designed to minimize the personal data it touches. The categories below describe everything we may collect.

2.1 Information you provide directly

  • Authentication identifier: email address, social login identifier (e.g., Google sub), or external wallet address, depending on the sign-in method you choose via our authentication provider.
  • Communications: messages you send us through email or support channels, including any information you choose to include.
  • Survey or feedback responses (only if you submit them).

2.2 Information generated by your use of the Service

  • Smart account address and the underlying signer/wallet address used to sign session-key grants.
  • On-chain activity tied to your smart account: deposits, withdrawals, rebalances, protocol balances, and timestamps. This data is also independently public on the Avalanche blockchain.
  • Session-key metadata: encrypted session-key material (AES-256-GCM at rest), the allow-listed contract addresses and selectors, expiry, and revocation status.
  • Allocation preferences and configuration you set in the dashboard (e.g., diversification mode, per-protocol limits).

2.3 Information collected automatically

  • Technical data: IP address (used to derive approximate country and to enforce geographic restrictions), browser type and version, operating system, device type, language, referring URL, and timestamps.
  • Usage data: pages viewed, features used, API calls made, error and crash logs.
  • Cookies and similar technologies: see Section 8.

What we do NOT collect

We do not ask for your government ID, date of birth, address, phone number, biometric data, or financial-institution data. We do not collect your wallet private keys or recovery factors at any time. We do not run third-party advertising trackers.

3. Why we use it (purposes & legal bases)

PurposeData usedLegal basis (GDPR/UK GDPR)
Provide the Service (auth, deposits, optimizer execution, withdrawals)Auth identifier, addresses, session-key material, configuration, on-chain activityPerformance of a contract (Art. 6(1)(b))
Secure the Service (rate-limiting, abuse detection, sanctions screening)IP, technical data, addresses, on-chain activityLegitimate interest (Art. 6(1)(f)) & legal obligation (Art. 6(1)(c))
Comply with sanctions and geographic restrictionsIP, country signal, addressesLegal obligation (Art. 6(1)(c))
Debug, monitor uptime, and improve the ServiceTechnical data, usage data, error logsLegitimate interest (Art. 6(1)(f))
Respond to your support requestsCommunications, auth identifierLegitimate interest / contract (Art. 6(1)(b),(f))
Optional analytics and product feedbackUsage data, technical dataConsent where required (Art. 6(1)(a))

4. Who we share it with (processors & third parties)

We do not sell your personal data and we do not share it for cross-context behavioral advertising. To operate the Service we rely on the following categories of third-party service providers, each bound by a data processing agreement or equivalent terms:

CategoryPurposeData processedRegion
Authentication & wallet infrastructureSign-in, embedded-wallet, smart-account, and transaction relayingAuth identifier, wallet and smart-account addresses, transaction dataUS / global
Cloud hosting & databasesRunning the website and backend and storing application stateApplication data described in Section 2, technical and request logsUS / global
Blockchain infrastructure & dataOn-chain reads, broadcasting transactions, and public rate dataPublic chain queries; no personal dataGlobal

We may also share personal data: (a) to comply with a binding legal request, court order, or applicable law; (b) to enforce our Terms or protect our or others’ rights, safety, and property; or (c) in connection with a merger, acquisition, or transfer of assets, in which case we will use reasonable efforts to ensure your data continues to be protected.

5. International transfers

Several of our processors are located in the United States or operate globally. When personal data of EU/EEA, UK, or Swiss residents is transferred outside those regions, we rely on the European Commission’s Standard Contractual Clauses (and the UK Addendum where applicable) as the lawful transfer mechanism, supplemented by the technical and organizational measures described in Section 7.

6. How long we keep it (retention)

  • Account & auth data: for as long as your account exists, plus up to 90 days after deletion for backup expiry.
  • Operational logs & technical data: typically 30–90 days.
  • Session-key material: deleted on revocation or expiry.
  • Records required for legal or audit reasons: retained for as long as legally required.
  • On-chain data: permanently public on the Avalanche blockchain. We cannot delete on-chain data.

7. Security

We apply technical and organizational measures appropriate to the risk, including: AES-256-GCM encryption of session-key material at rest, transport-layer encryption (TLS) for all API traffic, principle-of-least-privilege access controls, row-level security in our database, isolated execution for the signer sidecar, dependency monitoring, and audit logging. No system is perfectly secure; you use the Service at your own risk and remain responsible for your own wallet and device security.

8. Cookies and similar technologies

We use only the minimum cookies and local storage necessary to operate the Service. These include: authentication session tokens (set by our authentication provider), a preference cookie for jurisdiction-acknowledgment, and basic anonymous analytics where deployed. We do not use third-party advertising cookies. Where consent is required by law (EU/EEA, UK), non-essential cookies are loaded only after you consent.

9. Your rights

Depending on where you live, you may have the following rights:

  • Access: obtain a copy of the personal data we hold about you.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: request deletion of your data, subject to legal and on-chain limitations.
  • Restriction & objection: restrict or object to processing based on legitimate interests.
  • Portability: receive your data in a structured, machine-readable format.
  • Withdraw consent at any time where processing is based on consent.
  • Lodge a complaint with your local supervisory authority (e.g., a national Data Protection Authority in the EU, the UK ICO).

California (CCPA/CPRA): California residents have the right to know, the right to delete, the right to correct, the right to opt out of “sale” or “sharing” of personal information (we do neither), and the right to non-discrimination. We do not knowingly process “sensitive personal information” beyond what is described above.

To exercise any right, email contact@snowmind.xyz from the email associated with your account or sign a message from the wallet address you wish to act on. We will respond within the timeframe required by applicable law (generally 30 days under GDPR; 45 days under CCPA, extendable once).

Limits of deletion

Information that is recorded on the Avalanche blockchain (deposits, withdrawals, rebalances) cannot be erased by us or anyone else. Deletion requests apply only to data within our control.

10. Children

The Service is not directed to anyone under 18 years of age and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact contact@snowmind.xyz and we will delete it.

11. Automated decision-making

The optimizer makes automated allocation decisions based on on-chain protocol metrics and your configuration. These decisions are not based on personal characteristics, do not produce legal effects concerning you, and do not constitute profiling within the meaning of Article 22 GDPR.

12. Data-breach notification

If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and applicable authorities within the timeframes required by law (within 72 hours of awareness under GDPR where applicable).

13. Changes to this Policy

We may update this Policy from time to time. The “Last updated” date above reflects the most recent revision. Material changes will be announced on docs.snowmind.xyz.

14. Contact

Privacy questions, requests, or complaints: contact@snowmind.xyz.

Not legal advice

This Policy is a plain-language template prepared by Reimburse AI Inc. and is not legal advice. Specific obligations under GDPR, UK GDPR, CCPA/CPRA, LGPD, and similar regimes vary; consult qualified counsel for compliance work.