Effective 2026-04-25
This Privacy Policy explains what information Malcontent Games LLC, doing business as PaladinFi ("PaladinFi", "we", "us"), collects when you use our websites, APIs, and MCP servers (collectively, the "Service"), how we use it, and your rights under U.S. law.
Service is U.S.-focused; not offered in EEA/UK. The Service is operated from the United States and is intended for users located outside the European Economic Area, the United Kingdom, and Switzerland. PaladinFi does not target users in those jurisdictions, has not appointed a representative under Article 27 of the EU/UK General Data Protection Regulation, and may decline service to users determined to be located there. If you nonetheless access the Service from those jurisdictions, you do so at your own initiative and at your own risk.
Plain-language summary: The Service is non-custodial — we do not see your wallet's private keys or sign transactions on your behalf. We collect minimal operational data (server logs and the parameters you send to our API), do not currently use tracking cookies or third-party analytics, do not sell personal information, and share only what is necessary with the infrastructure subprocessors and third-party aggregators we route through.
taker wallet address you submit, chain ID, and slippage settings. Wallet addresses are public on-chain identifiers and, in combination with other information, may constitute personal information under the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA).taker address to our quote endpoint, the address is screened against publicly available sanctions lists (including the OFAC Specially Designated Nationals (SDN) List). The screening result is recorded with the request log entry.For California residents, this section serves as the Notice at Collection required by Cal. Civ. Code § 1798.100(b). The categories below are described in Section 2 (Categories of Personal Information). Sources of personal information are: (a) directly from you (email, API parameters); (b) automatically from your interaction with the Service (server logs); and (c) from our payment processor (subscription identifiers, when applicable). We retain personal information only as long as necessary for the purposes described in Section 6. We do not sell or share personal information for cross-context behavioral advertising. You have the rights described in Section 8.
The following table maps the categories of personal information defined in Cal. Civ. Code § 1798.140(v) to what we collect, the sources, the business purposes, and the categories of recipients.
| Category | What we collect | Source | Business purpose | Recipients |
|---|---|---|---|---|
| Identifiers | IP address, taker wallet address, email (if provided) | You; automatic | Operate the Service; security; sanctions screening | Subprocessors (§ 4.2); aggregators (§ 4.1); law enforcement when legally required |
| Internet/network activity | Request URL, user-agent, response status, timestamps | Automatic | Security; capacity planning | Subprocessors (§ 4.2) |
| Commercial information | Subscription identifiers and payment-processor identifiers (no card or bank-account numbers) | You; payment processor | Billing; refund processing; legal compliance (tax/audit) | Stripe; tax/audit recipients when legally required |
| Geolocation (inferred from IP, non-precise) | Country/region inferred from IP for security and sanctions purposes only; we do not collect precise geolocation | Automatic | Security; sanctions compliance | Subprocessors (§ 4.2) |
We do not knowingly collect categories defined as "sensitive personal information" under CPRA § 1798.140(ae) (such as government IDs, biometric data, precise geolocation, racial/ethnic origin, or contents of communications other than support emails you initiate). We do not use any personal information for purposes other than those listed above without additional notice.
We use the information we collect to:
To return a swap quote, we forward your request parameters (token addresses, amounts, taker address, chain, slippage) to one or more upstream aggregators such as 0x. We act as an intermediary in this routing path: aggregators receive only the parameters needed to compute their route, and we do not control how they process or retain that data downstream. Aggregators are subject to their own privacy practices.
We use third-party infrastructure providers to operate the Service. As of the date of this policy, these include the providers listed below. We rely on each provider's published Data Processing Addendum (or equivalent contractual safeguards) accepted at signup, which require providers to process personal data only on our documented instructions and to apply reasonable security measures. We are working to maintain a current list of executed DPAs and intend to publish vendor-specific DPA references in a future revision of this Policy.
| Provider | Purpose | Categories shared |
|---|---|---|
| Amazon Web Services (EC2) | Backend hosting, compute | Identifiers (IP), Internet activity, request payloads |
| Hostinger | Static website hosting (apex and product landing pages) | Identifiers (IP), Internet activity (page requests) |
| Squarespace (DNS registrar) | Domain registration; DNS authoritative records | No end-user data; only domain configuration |
| Mailgun | Inbound email forwarding for support addresses | Email metadata and content forwarded by you |
| Stripe | Payment processing (when applicable) | Payment-processor identifiers, billing details |
| Let's Encrypt / ISRG | TLS certificate issuance | Domain names; no user-identifying data |
| Anthropic, OpenAI | AI model APIs used for internal operational text only | Internal logs, code, and documentation. We do not transmit user API request parameters, taker wallet addresses, support-email content, or other user-identifiable data to these providers without consent. |
The subprocessor list may change. We will update this Policy and the "Last updated" date when material changes occur.
We may disclose information if required by valid legal process, to protect the security of the Service, to investigate fraud or abuse, or to enforce our Terms. We will narrow disclosures to what is required and, where lawful and practicable, notify affected users.
If PaladinFi is involved in a merger, acquisition, sale of assets, financing, or similar corporate transaction, your information may be transferred as part of that transaction, subject to a successor's continued obligations under this Policy.
Blockchain networks are public and persistent. Wallet addresses, transactions, and on-chain calldata you submit to a blockchain are visible to anyone and cannot be deleted or modified by us or by anyone. The taker address you submit to our API is, by design, ultimately reflected in on-chain transactions you sign. You should treat any wallet address as a permanent public identifier.
Erasure-request scope. Upon a valid erasure or deletion request from a California resident under CCPA/CPRA, we will delete records of your taker address from our server logs (subject to the retention obligations in § 6 below). On-chain records and records held by third-party aggregators or blockchain networks are not within our control and cannot be erased by us.
Retention periods are determined based on the purposes for which the data was collected, applicable security and legal-compliance obligations, and operational necessity.
We use commercially reasonable technical and organizational measures to protect information we process, including TLS encryption in transit, restricted internal access, encrypted storage of sensitive credentials, and standard server hardening. No system is perfectly secure. You are responsible for the security of your wallet, devices, and any credentials you use to access the Service.
If you are a California resident, you have the right to (a) know the categories and specific pieces of personal information we have collected about you over the prior 12 months, including categories of sources and recipients; (b) request deletion of personal information; (c) correct inaccurate personal information; (d) opt out of any "sale" or "sharing" of personal information — we do not sell or share for cross-context behavioral advertising and therefore no opt-out is currently necessary, but if our practices change we will provide a "Do Not Sell or Share My Personal Information" link as required by Cal. Civ. Code § 1798.135; (e) limit use of sensitive personal information — we do not knowingly collect sensitive personal information as defined in § 1798.140(ae); and (f) not be discriminated against for exercising these rights.
How to exercise rights. Email dev@paladinfi.com with the subject "CCPA Request". For pseudonymous users, we may verify your identity by requesting a signed message from the wallet address associated with your request. We will respond within the timeframe required by applicable law. We may decline requests that are clearly unfounded, excessive, or that conflict with our legal obligations.
The Service is not directed to or offered to data subjects located in the European Economic Area, the United Kingdom, or Switzerland. PaladinFi does not engage in marketing, advertising, or other targeting activities directed at those jurisdictions, and has not appointed a representative under Article 27 of the EU GDPR or UK GDPR. We may decline to provide the Service to users determined to be located in those jurisdictions, and may employ technical controls to that effect. If you nonetheless access the Service from those jurisdictions, you do so at your own initiative; the Service is provided to you on the same basis as to U.S. users, and PaladinFi does not assume the role of a controller under the EU GDPR or UK GDPR by virtue of such access.
In the event of a security incident affecting your personal information, we will notify affected users and applicable regulators without undue delay where required by law (including — without limitation — under Cal. Civ. Code § 1798.82 and applicable U.S. state breach-notification statutes). Notice may be provided by email to the address you have provided, by posting on the Service, or by other means reasonably designed to reach affected users.
The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13 in violation of the U.S. Children's Online Privacy Protection Act (COPPA). Under CCPA/CPRA § 1798.120(c), we also do not knowingly sell or share personal information of consumers under 16. The Terms of Service additionally require all users to be at least 18 years of age. These three thresholds reflect different statutory regimes (COPPA at under 13, CCPA/CPRA at under 16, and the Service's contractual age requirement at 18+). If you believe we have collected information from a child in violation of these standards, contact us and we will delete it.
PaladinFi is based in the United States. Our infrastructure providers may operate in or replicate data to other jurisdictions. By using the Service, you understand that your information may be transferred to and processed in the United States or other countries where our subprocessors operate. The Service is not offered in the EEA, UK, or Switzerland (see § 9) and we therefore do not undertake EU/UK cross-border transfer mechanisms (such as Standard Contractual Clauses) for outbound transfers from those jurisdictions.
Because we do not currently engage in "sale" or "sharing" of personal information as defined under CPRA, there is no opt-out for Global Privacy Control signals to trigger at this time. We will treat any GPC signal as an opt-out request if and when our practices change such that opt-outs become applicable, consistent with Cal. Civ. Code § 1798.135(b) and CCPA Regulations § 7025.
We may update this Privacy Policy from time to time. Material changes will be communicated at least thirty (30) days before they take effect via the Service or, where we have your contact email, by email. Non-material changes (such as typographical corrections or clarifying edits) take effect upon posting, and the "Last updated" date at the top of this page reflects when this Policy was last revised. After the effective date of any material change, your sole remedy if you do not agree is to stop using the Service.
Questions or requests under this Privacy Policy:
Email: dev@paladinfi.com
Operator: Malcontent Games LLC, doing business as PaladinFi, an Ohio limited liability company.