GALNT Privacy Policy

02Who We Are and How to Contact Us

This Privacy Policy is published by 77 Spark LLC ("Company," "we," "us," or "our"), the developer of the GALNT AI Bridge and GALNT Prime software platforms (the "Platform"). 77 Spark LLC is a limited liability company organized under the laws of the United States.

For any privacy-related questions, requests, or concerns, please contact us at:

• Email: privacy@galnt.com
• Support: support@galnt.com
• Website: galnt.com

We will respond to all privacy-related inquiries within thirty (30) days of receipt.

03Scope of This Policy

This Privacy Policy applies to:

• The GALNT AI Bridge and GALNT Prime desktop applications (Windows and macOS).
• The GALNT Prime mobile companion application (iOS and Android).
• Our license validation server and cloud infrastructure (hosted on AWS).
• Our website at galnt.com and any associated subdomains.

This Privacy Policy does not apply to third-party services that you connect to through the Platform, including cryptocurrency exchanges, AI model providers, payment processors, or prediction market platforms. Each of those services maintains its own privacy policy governing how they handle your data. You should review the privacy policies of any third-party service you use in connection with the Platform.

04Information We Collect and Why

We collect only the minimum information necessary to operate the license verification service. We do not collect personal information beyond what is described in this section, and we will not ask you for any additional personal information.

4.1 Account Identifier (Gmail Address)

When you sign in to the Platform using Google OAuth, Google's authentication service returns your Gmail address to us. We store this Gmail address as your account identifier in our license database. We use it for exactly three purposes:

• To match you to your license record when you activate or validate a Premium license.
• For Free Tier users, to coordinate cloud synchronization of your rule set between your desktop and mobile applications using Gmail's draft API (which your own Google account facilitates — we are reading your own drafts at your direction).
• To deliver transactional email related to your account, such as license activation confirmations or critical security notices (only if required).

We do not use your Gmail address for marketing, advertising, or any purpose beyond those listed above. We do not sell, rent, trade, or share your Gmail address with any third party except as described in Section 8 of this Policy.

4.2 License Status

Our servers store the following license-related data associated with your Gmail address:

• Your account tier (Free or Premium).
• Your license key (a randomly generated alphanumeric identifier, not linked to any personal data).
• A machine fingerprint hash (a one-way cryptographic hash of non-personal device identifiers used to enforce seat limits). This hash cannot be reversed to identify your device or your identity.
• Activation timestamp and last validation timestamp.

This information exists solely to answer the question: "Is this license valid for this device?" No other use is made of it.

4.3 Device Push Notification Tokens

If you grant the GALNT mobile application permission to send push notifications, the Platform registers a device push token (an opaque identifier issued by Apple APNs or Google FCM) with our notification delivery service (AWS SNS). This token allows us to deliver trade execution alerts, rule trigger notifications, and account notices to your specific device.

The push token is a randomly generated identifier issued by Apple or Google. It does not contain your name, location, or any other personal information. If you revoke notification permission or uninstall the application, the token becomes invalid and is no longer used.

4.4 Temporary Device Connectivity Data

When the GALNT desktop application is running, it periodically registers its local network IP address and port number with our license server. This is used solely to allow the mobile application to locate the desktop on your local network when mDNS discovery is unavailable. This data:

• Is always a private RFC 1918 address (e.g., 192.168.x.x) — your public IP address is never stored.
• Is overwritten each time the desktop registers, retaining only the most recent value.
• Is deleted when you deactivate your device or delete your account.
• Is accessible only to authenticated requests from devices signed in to your own account.

4.5 Anonymized Usage Telemetry

The Platform transmits a small number of anonymized, non-identifying usage events to our analytics pipeline. These events are used solely to understand platform usage patterns for product improvement. Examples include:

• session_start — a session was initiated (no user identifier attached in the telemetry pipeline).
• rule_created — a rule was created (no rule content, no account identifier).
• order_placed — an order was submitted (no amount, asset, exchange, or account data).

These events contain no personally identifiable information, no account identifiers, no trading data, no asset information, and no financial data. They cannot be linked back to any individual user. If you prefer to opt out of even this anonymized telemetry, you may do so in Settings.

4.6 Server and Access Logs

Our web servers and AWS infrastructure generate standard server access logs that record IP addresses, request timestamps, HTTP methods, and response codes. These logs are retained for security and debugging purposes only, for a maximum of ninety (90) days, after which they are automatically deleted. We do not use server logs for tracking, profiling, or advertising.

05Information We Do Not Collect

This section is as important as Section 4. We want to be explicit about the categories of sensitive information that we have deliberately designed the Platform to never collect.

5.1 No Exchange API Keys or Credentials

Your exchange API keys, secret keys, OAuth tokens for connected exchanges, and any other exchange credentials are stored exclusively in your local operating system's credential manager (macOS Keychain on Mac, Windows Credential Manager on Windows). These credentials are never transmitted to our servers under any circumstances. We have no technical ability to access your exchange credentials and no business need to do so.

5.2 No Trading or Financial Data

We do not collect, store, or transmit any of the following:

• Your portfolio balances, asset holdings, or account values on any exchange.
• Your trade history, order history, or execution records.
• Your open or closed positions, unrealized or realized profit and loss figures.
• Your configured automated rules, rule triggers, rule actions, or rule names (beyond the anonymized existence count in telemetry).
• Your AI chat messages, queries, or responses.
• Market quotes, price data, or order book data viewed within the Platform.

The GALNT_SYNC document, which synchronizes your account snapshot, rules, and market data between your desktop and mobile applications, flows from your desktop to your mobile device via our cloud relay infrastructure, but is not stored by us beyond the transit buffer necessary for delivery. For Premium users, this document is briefly stored in DynamoDB to facilitate push delivery and is associated only with your Gmail address identifier, not with any personal profile.

5.3 No Payment or Billing Information

All billing, subscription management, and payment processing is handled exclusively by LemonSqueezy, our third-party payment processor. 77 Spark LLC does not receive, store, or process any of the following:

• Credit card numbers, debit card numbers, or bank account information.
• Billing address or billing name.
• Payment method details of any kind.

When you purchase a Premium subscription, your payment information is entered directly into LemonSqueezy's payment interface and is subject to LemonSqueezy's Privacy Policy. The only information that passes from LemonSqueezy to us upon a completed purchase is: (a) the license key issued, (b) the Gmail address associated with the purchase, and (c) the subscription tier. No financial or billing data is included in that exchange.

5.4 No Sensitive Personal Information

We do not collect, request, or want any of the following categories of sensitive personal information:

• Full legal name.
• Physical address or mailing address.
• Phone number.
• Date of birth or age (beyond the acknowledgment in our Terms that you are 18 or older).
• Government-issued identification numbers (Social Security number, passport, driver's license, etc.).
• Biometric data — the biometric authentication used within the Platform (Face ID, Touch ID, fingerprint) is processed entirely on your device by your operating system and is never transmitted to us.
• Health or medical information.
• Race, ethnicity, religion, or political views.
• Sexual orientation or gender identity.

5.5 No Behavioral Profiling or Advertising Data

We do not use any advertising networks, behavioral tracking pixels, or cross-site tracking technologies. We do not build profiles of your behavior for advertising purposes. We do not sell your data to data brokers or advertising platforms. The Platform contains no advertising and is not monetized through advertising in any form.

5.6 No Precise Location Data

We do not collect GPS coordinates, precise location data, or fine-grained geolocation information. We may infer your approximate country or region from your IP address in server access logs for security purposes (e.g., to detect account access from unexpected regions), but this inference is not stored as a profile attribute and is used only for security monitoring.

06How We Use the Information We Collect

We use the limited information described in Section 4 only for the following purposes:

• License verification: Confirming that an installed copy of the Platform is associated with a valid license for the device attempting to use it.
• Authentication: Identifying your account when you sign in, so we can retrieve your license record.
• Feature enforcement: Applying the correct feature set (Free vs. Premium) to your session based on your license status.
• Notification delivery: Routing push notifications about your own trade executions and rule triggers to your own registered device.
• Mobile-to-desktop connectivity: Providing your mobile application with the last known local IP address of your desktop application for direct local network connections.
• Product improvement: Analyzing aggregated, anonymized usage telemetry to understand which features are used and how to improve the Platform.
• Security monitoring: Detecting unauthorized access attempts, license abuse, or anomalous usage patterns.
• Legal compliance: Complying with applicable law, responding to lawful requests from governmental authorities, and enforcing our Terms and Conditions.

We do not use the information we collect for any purpose not listed above. We do not use your data to target advertising, to make automated decisions about you beyond license eligibility, or to create profiles for any purpose other than account management.

07Legal Basis for Processing (EEA, UK, and Switzerland)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, the processing of your personal data is governed by the General Data Protection Regulation (GDPR) or applicable national implementing legislation. The legal bases on which we rely to process your personal data are as follows:

• Contract performance: Processing your Gmail address and license data is necessary to perform the contract between you and 77 Spark LLC (your use of the Platform under our Terms and Conditions).
• Legitimate interests: Processing anonymized usage telemetry and server logs is necessary for our legitimate interests in operating, securing, and improving the Platform, provided these interests are not overridden by your rights and interests.
• Consent: Where we rely on your consent (such as for push notification delivery), you may withdraw that consent at any time through your device settings without affecting the lawfulness of prior processing.
• Legal obligation: Processing may be necessary to comply with applicable law or to respond to lawful governmental requests.

You have the right to object to processing based on legitimate interests by contacting us at privacy@galnt.com. If we are unable to demonstrate compelling legitimate grounds for processing that override your interests, rights, and freedoms, we will cease that processing.

08How We Share Information

We do not sell your data. We do not rent your data. We do not trade your data. The only circumstances in which information about you leaves 77 Spark LLC are described below.

8.1 Service Providers

We use a small number of third-party service providers who process data strictly on our behalf and under our instructions, solely to support the operation of our license infrastructure:

• Amazon Web Services (AWS): Provides the cloud infrastructure (Lambda, DynamoDB, SNS, API Gateway) that runs our license server and notification relay. AWS processes data as a data processor on our behalf under AWS's Data Processing Agreement. AWS does not have independent access to or use of your data. See aws.amazon.com/privacy for AWS's privacy information.
• LemonSqueezy: Processes Premium subscription payments. As described in Section 5.3, LemonSqueezy receives billing information directly from you and only provides us with the minimum data necessary to issue a license. LemonSqueezy is an independent data controller for the payment data it collects.
• Google (OAuth): Google's authentication service provides us with your Gmail address when you sign in. Your use of Google Sign-In is also subject to Google's Privacy Policy at policies.google.com/privacy.
• Apple (APNs) and Google (FCM): Push notification delivery for the mobile application is routed through Apple's and Google's notification services. These services receive your device push token and the notification content, which consists only of event type and basic metadata (no trading data). Both are subject to their respective privacy policies.

We do not use any advertising networks, data brokers, analytics platforms that retain user-level data, social media platforms for tracking, or any other third-party service that would involve sharing personally identifiable information for purposes other than Platform operation.

8.2 Legal Requirements

We may disclose information about you if we are required to do so by applicable law, court order, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to: (a) comply with a legal obligation; (b) protect the rights, property, or safety of 77 Spark LLC, our users, or the public; or (c) prevent, investigate, or take action regarding illegal activity, fraud, or violations of our Terms and Conditions.

Where permitted by law, we will attempt to notify you before disclosing your information in response to a legal request. We will notify you unless we are prohibited from doing so by law or court order, or unless providing notice would be futile or would pose a risk of harm.

8.3 Business Transfers

If 77 Spark LLC undergoes a merger, acquisition, restructuring, asset sale, or other business transaction, your information (limited as it is) may be transferred as part of that transaction. In such an event, we will provide notice through the Platform or by email to the Gmail address associated with your account, and the successor entity will be bound by the terms of this Privacy Policy or will obtain your consent to any materially different terms.

8.4 With Your Explicit Consent

We may share information about you with third parties for any other purpose with your explicit prior consent.

09Data Retention

We retain information only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Our specific retention practices are:

• Gmail address and license record: Retained for the duration of your account, plus a reasonable period thereafter to handle post-termination disputes or legal obligations. You may request deletion at any time (see Section 11).
• Machine fingerprint hash: Retained for the duration of the license activation. Deleted when you deactivate the device or when your license is terminated.
• Device push tokens: Retained for the duration of your account. Automatically invalidated if the token rotates. Deleted upon account deletion or upon uninstalling the mobile application.
• Device connectivity data (local IP / port): Overwritten each time the desktop re-registers. Deleted upon device deactivation or account deletion.
• Anonymized telemetry: Retained in aggregated form indefinitely. Because it is truly anonymized and cannot be linked to any individual, it is not subject to deletion requests.
• Server access logs: Automatically deleted after ninety (90) days.
• Temporary GALNT_SYNC relay buffer (Premium): Retained only for the period necessary for delivery to connected devices, typically seconds to minutes. Not retained as a permanent record.

When your account is deleted, we will delete or anonymize all personal data associated with your account within thirty (30) days, except where retention is required by applicable law.

10Data Security

We implement industry-standard technical and organizational security measures to protect the limited information we hold against unauthorized access, disclosure, alteration, or destruction. Our security measures include:

• Encryption in transit: All communications between the Platform and our servers use TLS 1.2 or higher. Communications between the desktop application and the mobile application over local networks are authenticated with bearer tokens.
• Encryption at rest: Data stored in DynamoDB is encrypted at rest using AES-256 encryption managed by AWS KMS.
• Access controls: Access to our production infrastructure and databases is restricted to authorized personnel only, with multi-factor authentication required for all administrative access.
• Signed JWTs: License validation tokens are cryptographically signed and cannot be forged or modified.
• Local credential security: Exchange API keys are stored in your device's OS-level credential manager (macOS Keychain, Windows Credential Manager), which is the highest security storage available on each platform. We never have access to these credentials.
• Code integrity: The desktop application binary is code-signed by 77 Spark LLC and notarized by Apple (macOS) and signed with an EV certificate (Windows), protecting against tampering.

No security system is perfect. While we work hard to protect the limited information we hold, we cannot guarantee absolute security. In the event of a data breach affecting your information, we will notify you as required by applicable law.

11Your Privacy Rights

Depending on your location, you may have certain rights with respect to the personal information we hold about you. We honor these rights regardless of your location.

11.1 Right to Access

You have the right to request a copy of the personal information we hold about you. Because we hold only your Gmail address, license status, and device identifiers, we can fulfill this request promptly. Contact us at privacy@galnt.com with the subject line "Data Access Request."

11.2 Right to Correction

If you believe any information we hold about you is inaccurate, you have the right to request its correction. Because your Gmail address is sourced from Google's authentication service and cannot be changed within our system (it is your account identifier), corrections to it require updating your Google account.

11.3 Right to Deletion

You have the right to request deletion of your account and all associated personal data. To exercise this right, contact us at privacy@galnt.com with the subject line "Account Deletion Request." We will delete your account and associated data within thirty (30) days of your verified request, except where retention is required by law.

Please note that deleting your account will immediately terminate your access to the Platform, including any active Premium subscription. Subscription fees are not refunded upon account deletion.

11.4 Right to Data Portability

You have the right to receive a machine-readable copy of the personal information you have provided to us. Given the limited nature of the data we hold, this consists of your Gmail address and license record, which we can provide in JSON format upon request.

11.5 Right to Opt Out of Telemetry

You may opt out of anonymized usage telemetry at any time through Settings within the Platform. Opting out will not affect your access to any features.

11.6 Right to Withdraw Consent

Where we rely on your consent for processing (such as push notifications), you may withdraw that consent at any time through your device's notification settings. Withdrawal of consent does not affect the lawfulness of any processing that occurred prior to withdrawal.

11.7 California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including:

• The right to know what personal information we collect, use, disclose, and sell (we do not sell personal information).
• The right to delete personal information we have collected from you, subject to certain exceptions.
• The right to opt out of the sale or sharing of personal information. We do not sell or share personal information for advertising purposes.
• The right to non-discrimination for exercising your CCPA rights.

To exercise California rights, contact us at privacy@galnt.com. We will respond to verifiable consumer requests within forty-five (45) days.

11.8 EEA, UK, and Swiss Residents (GDPR)

If you are located in the EEA, UK, or Switzerland, you have additional rights under the GDPR or applicable national law, including the right to object to processing, the right to restriction of processing, and the right to lodge a complaint with a supervisory authority. To exercise these rights, contact us at privacy@galnt.com. You may also contact your local data protection authority.

11.9 How to Submit a Request

To exercise any of the rights described above, please email privacy@galnt.com. We will verify your identity by confirming your Gmail address and, where necessary, verifying that you have access to the associated Google account. We will respond to all verified requests within thirty (30) days, or within any shorter period required by applicable law.

12Cookies and Tracking Technologies

12.1 The Platform Application

The GALNT desktop and mobile applications do not use cookies, pixel trackers, browser fingerprinting, or any persistent cross-session tracking technology. The session token used to authenticate your session is stored in your device's secure credential storage and is not accessible to third parties.

12.2 The Website (galnt.com)

Our website uses minimal cookies necessary for its operation. We do not use advertising cookies, behavioral tracking cookies, or third-party analytics cookies that share data with advertising platforms. If we use any analytics on the website, it will be configured to anonymize IP addresses and to comply with applicable privacy law. We will update this section with specific cookie details if and when the website is launched.

If you prefer to block all cookies, you may configure your browser to do so. This will not affect your ability to use the Platform application.

13Children's Privacy

The Platform is not directed to, and is not intended for use by, any person under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that a child under 18 has provided us with personal information, we will delete it promptly. If you believe that a child under 18 has provided us with personal information, please contact us immediately at privacy@galnt.com.

14Third-Party Platforms and Services

The Platform integrates with and connects to a variety of third-party platforms. This Privacy Policy applies only to information processed by 77 Spark LLC. It does not apply to information processed by:

• Cryptocurrency exchanges and brokerages you connect to the Platform (Coinbase, OKX, Kraken, sFox, Crypto.com, Hyperliquid, or others).
• Prediction market platforms (Kalshi, Polymarket).
• Decentralized exchange protocols.
• AI model providers (Anthropic, OpenAI, Google).
• Payment processor (LemonSqueezy).
• Google (for OAuth authentication and, for Free Tier users, Gmail draft storage).
• Apple and Google (for push notification delivery).

Each of these services is an independent data controller with its own privacy policy. You should review the privacy policies of any third-party service you use in connection with the Platform. 77 Spark LLC is not responsible for the privacy practices of any third-party service.

When you provide your API credentials to connect an exchange account to the Platform, those credentials are stored locally on your device and are used by the Platform to communicate with that exchange on your behalf. Your use of that exchange is governed by your agreement with the exchange, not by this Privacy Policy.

15International Data Transfers

77 Spark LLC is based in the United States. Our license infrastructure is hosted on AWS, which operates data centers in the United States. If you are located outside the United States, your information (Gmail address and license data) will be transferred to and processed in the United States.

If you are located in the EEA, UK, or Switzerland, we implement appropriate safeguards for international transfers as required by the GDPR, including reliance on adequacy decisions, standard contractual clauses, or other lawful transfer mechanisms where applicable.

By using the Platform, you acknowledge that your information will be processed in the United States, where privacy laws may differ from those in your country.

16Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

• Update the "Effective Date" at the top of this Policy.
• Provide notice through an in-app notification within the Platform.
• For significant changes affecting rights under GDPR or CCPA, provide at least thirty (30) days' advance notice where practicable.

Your continued use of the Platform after the effective date of any revised Privacy Policy constitutes your acceptance of the revised Policy. If you do not agree to the revised Policy, you must discontinue use of the Platform and may request account deletion as described in Section 11.3.

We will not, without your explicit consent, change this Privacy Policy in a way that permits us to collect, use, or share your personal information in a materially different manner than described in the version of this Policy you agreed to.