Privacy Policy
Last updated: March 2, 2026
1. Introduction and Scope
PolyFire ("PolyFire," "we," "us," or "our") operates a Telegram-based automated trading bot and accompanying website that enables users to trade prediction market contracts on Polymarket. This Privacy Policy describes what personal information we collect, how we use and protect it, with whom we share it, and what rights you have over your data.
This policy applies to all users of the PolyFire Telegram bot, the PolyFire website at polyfire.co, and any associated API services or agent integrations. By using PolyFire, you acknowledge that you have read and understood this Privacy Policy. If you disagree with any part of it, you should discontinue use of the service.
Because PolyFire operates at the intersection of Telegram messaging, blockchain networks, and prediction market trading, your data flows through several distinct systems. We've written this policy to be specific about each of those flows rather than hiding behind vague language. What you see here reflects an actual audit of our codebase and database schema — not boilerplate copied from a template.
2. Definitions
The following terms are used throughout this policy and have specific meanings in this context:
- Personal Data — any information that identifies or can reasonably be used to identify a natural person, including Telegram user IDs, wallet addresses, and IP addresses.
- Telegram User ID — the numeric identifier assigned to your account by Telegram. This is our primary key for all user records. It is not the same as your username.
- Polygon Wallet — the Polygon-network Ethereum-compatible wallet address generated for you at signup and used to execute trades on Polymarket.
- Encrypted Private Key — the cryptographic private key for your Polygon wallet, stored in our database encrypted with AES-256-GCM. We cannot read it without your cooperation.
- On-chain Data — any transaction, balance, or interaction recorded on the Polygon blockchain. This data is public, permanent, and outside our ability to modify or delete.
- CLOB — Central Limit Order Book. Polymarket's order matching system, which your trades are submitted to via signed cryptographic transactions.
- Processing — any operation performed on personal data, including collection, storage, use, transmission, or deletion.
3. Information We Collect — Account Information
When you start the PolyFire Telegram bot and complete onboarding, we collect a small set of account-identifying data from Telegram and generate additional data on your behalf. From Telegram, we receive and store your Telegram user ID (a numeric BIGINT that serves as your permanent account identifier), your Telegram username or first name as a fallback display label, and whether you accepted our Terms of Service and the timestamp of that acceptance.
Your first name, last name, and profile photo are fetched from Telegram during website login for display purposes only. These are stored exclusively in your browser's localStorage under the key pf_user and are never transmitted to or stored on our servers. If you clear your browser storage, this display data disappears. Whether you have Telegram Premium (is_premium) is available from Telegram's data but we do not store or use it.
On account creation, we generate a Polygon wallet address and an associated encrypted private key for you, a unique referral code, and (if applicable) record the Telegram ID of the person who referred you. Your Polymarket API credentials (API key, secret, and passphrase) are encrypted and stored so the bot can submit trades on your behalf without requiring you to re-authenticate on each trade. We also store your user preference settings: copy trading toggle, arena daily spend limit, referral notification mode, and whether to hide tiny open positions.
4. Information We Collect — Trading and Financial Data
Every trade executed through PolyFire — whether triggered by a Telegram command, copy trading, Signal Arena, or an MCP agent — is logged in our trades table. Each record includes: the market ID and condition ID on Polymarket, the outcome you traded (YES or NO), the number of shares, the price, the USDC amount, the fee charged, whether the trade succeeded or failed, any error message if it failed, the execution timestamp, the on-chain transaction hash, realized profit and loss where calculable, and the trade source (telegram, arena, manual, signal, or agent).
Open and resolved positions are tracked separately in our user_positions table, which records the market title, token identifiers, your average cost basis, current share count, resolution status, and any payout received. Copy trading relationships are stored in copy_wallets, recording which external wallet address you're copying, your allocation settings, and aggregate trade counts and volume.
Financial lifecycle events are recorded across several tables: deposits (token, amount, from address, transaction hash, block number), withdrawals (token, amount, fee, destination address, transaction hash, status), and swaps (token pair, amounts, transaction hash, status). Our fee revenue is tracked in a revenue table that records action type, total fee, platform share, and any referral commission split. We also periodically snapshot your wallet balances (USDC, USDC.e, POL, and total portfolio value) to support portfolio history and P&L tracking.
5. Information We Collect — Referral Program Data
PolyFire operates a multi-level referral program. When you refer another user, a record is created in our referrals table linking your Telegram user ID to theirs, along with the referral level (1, 2, or 3) and the fee share earned. Every commission event that flows from a referred user's trades is logged in referral_commission_log, which records referrer and referee IDs, the commission level, the commission amount, the status (pending or paid), and the associated transaction hash when paid on-chain. Payout events are recorded in referral_payouts with the payout amount, transaction hash, and status.
Referral data is retained indefinitely because it underlies financial relationships and commission calculations. If you refer someone, a record of that relationship exists in our database for the life of the program. If you were referred by someone, their Telegram user ID is stored in your account record as referred_by. Referral relationships cannot be altered after the fact.
6. Information We Collect — Activity and Usage Data
We maintain a user_activity table that logs interactions with the bot and service. Activity types include command executions (e.g., /trade, /portfolio, /copy), button clicks in Telegram inline keyboards, trades, deposits, swaps, and similar actions. Each record includes an activity type, a JSONB payload with context-specific details, and a timestamp.
The user_activity table has columns for IP address and user agent, but these are sparsely populated — the current codebase does not actively collect them in most flows. Where they do appear, they come from direct API requests (not Telegram bot commands, which do not expose IP addresses). IP addresses in this table are not used for profiling, behavioral tracking, or advertising.
We do not use any third-party analytics platforms. There is no Google Analytics, Mixpanel, Amplitude, Segment, Heap, or equivalent service on our website or bot. Usage data stays in our own database and is used solely for debugging, service improvement, and fraud detection.
7. Information We Collect — Support Data
When you submit a support ticket via the /support command or through an MCP agent, we store the ticket category, status, source (telegram or mcp), and subject in our support_tickets table. Individual messages within a support thread are stored in support_ticket_messages, including any text content and Telegram photo file IDs if you attach images to your support request.
Support records are linked to your Telegram user ID. They are retained indefinitely for audit, dispute resolution, and service quality purposes. Photo file IDs stored in support tickets reference files hosted on Telegram's own servers — we store the reference identifier, not the actual image bytes.
8. Information We Collect — Technical and Device Data
IP addresses are processed in two contexts. First, our API endpoints apply an in-memory rate limiter that maps IP addresses (extracted from the x-forwarded-for header or the raw request IP) to request counts. This data lives in a server-side memory Map and is purged every five minutes. It is never written to disk or database. Second, Redis stores IP-based keys for rate limiting agent API registrations (5 per hour per IP) and for auth failure lockout (20 failed authentication attempts per hour per IP triggers a temporary block). These Redis keys expire automatically after one hour.
We do not collect device fingerprints, browser characteristics, screen resolution, installed fonts, or any other device-identifying signals beyond what is described in this policy. We do not sell or share IP address data with advertising platforms.
9. Information We Collect — Cookies and Local Storage
The PolyFire website sets one cookie: pf_session_token. This is an HttpOnly cookie, meaning JavaScript running in your browser cannot read it. It is HMAC-signed with a server-side secret and contains only your numeric Telegram user ID — no name, no email, no profile data. It expires after 7 days. This cookie is strictly necessary for maintaining your authenticated session on the website and cannot be opted out of while using the authenticated portions of the service.
Your browser's localStorage stores a pf_user object containing your Telegram user ID, username, first name, last name, auth timestamp, and a Base64-encoded profile photo URL. This data never leaves your device — it is used only for rendering your name and avatar in the website UI. Clearing your browser storage removes it completely. We do not set any tracking cookies, advertising cookies, or analytics cookies.
10. How We Use Your Information
The primary use of your data is straightforward: making the service work. Specifically, we use your information to:
- Authenticate you and maintain your session across bot interactions and website visits
- Generate and manage your Polygon wallet and Polymarket API credentials
- Execute trades, swaps, and withdrawals on your behalf when you request them
- Track your open positions, realized P&L, and portfolio history
- Monitor copy-trading relationships and replicate trades from wallets you choose to follow
- Calculate and distribute referral commissions accurately
- Detect and respond to deposits to your wallet address via Alchemy webhooks
- Respond to support requests and resolve disputes
- Apply rate limiting to prevent abuse and protect system stability
- Debug failures, trace errors, and improve the service
- Comply with applicable legal obligations
We do not use your data for advertising, profiling, behavioral targeting, or sale to third parties. We do not build interest profiles. We do not share data with data brokers. We do not use your trading activity to trade against you.
11. Legal Basis for Processing
Where applicable law requires a legal basis for processing personal data (including the EU General Data Protection Regulation), we rely on the following:
- Contract performance — Processing your Telegram user ID, wallet address, trade data, and financial records is necessary to perform the trading services you've contracted for. Without this processing, the service cannot function.
- Legitimate interests — IP-based rate limiting, abuse prevention, auth failure tracking, fraud detection, and service debugging serve our legitimate interest in maintaining a secure and functional platform. These interests are not overridden by your fundamental rights given the minimal intrusiveness of the processing.
- Legal obligation — We may retain financial records (deposits, withdrawals, fees, trade history) to the extent required by applicable financial regulations, tax law, or legal process.
- Consent — Where we rely on consent (such as your acceptance of Terms of Service at onboarding), you may withdraw consent at any time, though this may result in termination of your ability to use the service.
12. Data Sharing with Third Parties — Overview
PolyFire shares user data with a small number of third parties, each of which is necessary for core service operations. We do not share data with advertising networks, analytics companies, data brokers, or any party whose purpose is commercial exploitation of your personal information. Every third-party data flow described below is a direct operational necessity, not a business arrangement where your data is the product.
The third parties who receive any user data in connection with your use of PolyFire are: Telegram (messaging infrastructure and authentication), Polymarket (the trading venue), Polygon RPC providers including Alchemy (blockchain transaction submission), Alchemy (webhook-based deposit detection), Decodo (a residential proxy service used for trade submission), and Railway (our cloud infrastructure host). Each is described in the sections below.
13. Data Sharing — Telegram
PolyFire is a Telegram bot. Every interaction you have with the bot transits through Telegram's infrastructure. When you send commands, Telegram delivers them to our servers via webhook. When we respond, Telegram delivers the response back to you. This is fundamental to how Telegram bots work and cannot be avoided.
Telegram receives your Telegram user ID from the PolyFire website for the purpose of fetching your profile photo during website authentication. Telegram's own privacy policy governs how Telegram handles data that flows through its platform. PolyFire is not responsible for Telegram's data practices. We recommend reviewing telegram.org/privacy for details on what Telegram retains from bot interactions.
14. Data Sharing — Polymarket and Blockchain Networks
When you execute a trade, PolyFire submits a signed order to Polymarket's Central Limit Order Book (CLOB) API. This submission includes your Polygon wallet address, the market and outcome you're trading, share quantity, price, and a cryptographic signature generated from your private key. Polymarket does not receive your Telegram user ID, username, first name, or any other personal identifier — only your wallet address and trade parameters.
Confirmed trades are broadcast to the Polygon blockchain. Once on-chain, transaction data (wallet address, trade amounts, contract interactions) is permanently public and accessible to anyone who queries the blockchain. This is the nature of public blockchain infrastructure. We cannot retract, obscure, or delete on-chain data on your behalf. See Section 18 for more on blockchain data.
Blockchain transactions are processed via Polygon RPC nodes including Alchemy. These providers receive your wallet address and signed transaction data as part of standard transaction broadcast. They do not receive your Telegram identity.
15. Data Sharing — Infrastructure Providers
Our database, bot server, and API are hosted on Railway (railway.app) in the Amsterdam, Netherlands region (europe-west4). All data stored in our PostgreSQL database resides on Railway's managed infrastructure. Railway's servers have access to encrypted database contents as part of hosting the service. Database connections are encrypted in transit. Railway is subject to its own privacy policy and terms of service.
Alchemy (alchemy.com) is configured as a webhook provider to detect incoming deposits to your wallet address. When a deposit transaction appears on-chain, Alchemy sends a webhook notification to our server. To configure these webhooks, Alchemy stores your wallet address. Alchemy does not receive your Telegram ID or any other personal identifiers beyond the wallet address.
16. Data Sharing — Proxy Services
Trade order submissions to Polymarket's CLOB API are routed through a residential proxy service operated by Decodo, with servers located in the Netherlands. This routing is used exclusively for POST /order requests to Polymarket. The Decodo proxy sees the request payload, which includes your wallet address and trade parameters, but does not receive your Telegram identity or any explicitly personal information beyond what is included in the trade submission itself.
We use this proxy for operational reliability purposes. Decodo is a commercial proxy provider subject to its own privacy and data handling policies. We do not use Decodo for any purpose other than trade order routing.
17. Data We Do NOT Share
To be explicit about what does not leave our control:
- Your Telegram user ID, username, or any Telegram identity is never shared with Polymarket, Alchemy, Decodo, or any third party other than Telegram itself.
- Your encrypted private key is never transmitted to any third party. It leaves our database only as decrypted data within our own server memory during trade execution, and is never logged.
- Your Polymarket API credentials (encrypted at rest) are never shared with any third party.
- TradeSphere, which provides alpha market data and smart wallet signals to PolyFire, is a one-way read relationship. No user data of any kind is ever sent to TradeSphere.
- We have no relationship with advertising networks, data brokers, marketing platforms, or analytics companies. None of your data goes to these categories of third parties.
- We do not sell your data.
18. Blockchain Data and Public Ledgers
Prediction market trades executed through PolyFire result in on-chain transactions on the Polygon blockchain. These transactions are permanently recorded on a public ledger that anyone in the world can query. Your Polygon wallet address and every transaction it has ever made — trades, deposits, withdrawals, swaps — are visible on public block explorers such as PolygonScan.
This is not a PolyFire policy choice; it is how public blockchains work. We have no ability to modify, hide, or delete on-chain data. If you export your private key via /exportkey and use your wallet independently of PolyFire, the on-chain history of that wallet remains unchanged regardless of whether you continue using our service. If you request account deletion, we will delete your data from our database, but blockchain transaction records are permanent.
Your Polygon wallet address, while technically pseudonymous, can potentially be linked to your identity by sophisticated chain analysis if you interact with exchanges or other services that collect identity information. PolyFire does not conduct or assist chain analysis, but we cannot guarantee the pseudonymity of on-chain activity.
19. Data Security — Encryption and Access Controls
Session tokens issued by the PolyFire website are HMAC-signed with a server-side secret before being set as HttpOnly cookies. HttpOnly means browser JavaScript cannot read the cookie, which prevents cross-site scripting attacks from stealing session tokens. Session cookies expire after 7 days.
All database connections use encrypted transport. The database itself is hosted on Railway's managed PostgreSQL service in the EU (Amsterdam). Agent API keys are stored only as SHA-256 hashes — the actual key is shown to the user once at creation and never stored in recoverable form. The first 16 characters of the key (the key_prefix) are stored for identification purposes only.
IP-based rate limiting provides defense against brute force attacks. Twenty authentication failures from a single IP address within one hour result in a temporary lockout. Agent API registration is limited to 5 new registrations per IP per hour. These controls are implemented in Redis with automatic TTL-based expiration.
20. Data Security — Private Key Protection
Your Polygon wallet private key is the most sensitive data in our system. It is encrypted using AES-256-GCM before being written to the database and is never stored in plaintext form anywhere in our infrastructure. It is never included in application logs, error messages, API responses, or support records.
Decryption of your private key occurs only in server memory, only at the moment a trade or transaction requires it, and the decrypted value is not held in memory beyond that operation. Similarly, your Polymarket API credentials (API key, secret, and passphrase) are encrypted at rest with the same mechanism and decrypted only at the moment of trade submission.
You can export your private key at any time using the /exportkey command. This gives you full, independent control over your wallet outside of PolyFire. We recommend storing your private key in a secure password manager if you choose to export it. If your private key is compromised, any funds in the associated wallet are at risk — this applies universally and is not specific to PolyFire.
21. Data Retention Periods
Different categories of data have different retention periods based on their purpose and legal requirements:
- Account data (user ID, wallet, settings, credentials) — retained while your account is active; deleted upon verified account deletion request.
- Trading history (trades, positions, P&L) — retained indefinitely. Required for accurate P&L reporting, tax record-keeping, and dispute resolution.
- Financial records (deposits, withdrawals, fees, revenue) — retained indefinitely. Financial records are kept for compliance, audit, and dispute resolution purposes.
- Referral data — retained indefinitely. Referral relationships underlie ongoing commission calculations.
- Balance snapshots — retained indefinitely for portfolio history.
- Support tickets — retained indefinitely for audit and service quality purposes.
- Session cookies — expire after 7 days. No action required on your part.
- Rate limit data (Redis) — automatically expires after 1 hour via Redis TTL. Not persisted to disk.
- BullMQ trade queue data (Redis) — ephemeral job queue data, not persisted beyond job execution.
- Database backups — full backups run every 6 hours. Backup files are retained until manually purged by our team. Data deleted from the live database may persist in backup snapshots for a period after deletion.
- Blockchain data — permanent and immutable. Cannot be deleted under any circumstances.
22. Your Rights and Choices
You have meaningful control over your PolyFire account and data. Within the service, you can:
- Enable or disable copy trading at any time via bot command
- Adjust your referral notification mode (per-trade, batched, daily, or silent)
- Set or change your Signal Arena daily spend limit
- Toggle the display of tiny open positions
- Export your private key at any time via /exportkey to take custody of your wallet independently
- Request account deletion via the /support command or by messaging @polyfireco on Telegram
Depending on your jurisdiction, you may have additional rights described in Sections 28 and 29. These include rights to access, correct, restrict processing of, or request deletion of your personal data.
23. Account Deletion
You may request deletion of your PolyFire account by messaging @polyfireco on Telegram or by submitting a support ticket via the /support command. We will process deletion requests within a reasonable timeframe, typically within 30 days.
Account deletion will remove: your account record (Telegram user ID, username, wallet address, encrypted credentials, settings), your copy wallet relationships, and your agent API keys. We will not retain data that serves no purpose beyond identifying you as a user.
Certain data cannot be deleted or may be retained after deletion: on-chain blockchain transactions are permanent and public; trading history and financial records may be retained to the extent required for tax compliance, dispute resolution, or legal obligations; data included in database backup snapshots created before your deletion request may persist in those snapshots; referral commission records may be retained to the extent they affect other users' pending payouts. We will inform you of any such limitations when processing your request.
Before requesting account deletion, we strongly recommend exporting your private key via /exportkey if you have any funds in your wallet. Once your account is deleted, we cannot recover your encrypted private key.
24. Data Portability
You can request a copy of your personal data held by PolyFire by contacting @polyfireco. We will provide a structured export of your account information, trade history, position history, deposit and withdrawal records, and referral data in a machine-readable format (JSON or CSV) within 30 days of a verified request.
Your private key can be exported at any time directly through the bot using /exportkey — you do not need to submit a data portability request for this. The /exportkey command is the intended mechanism for taking custody of your wallet and its funds independently of PolyFire.
25. International Data Transfers
Our primary database and server infrastructure is hosted in the EU (Amsterdam, Netherlands, Railway's europe-west4 region). If you access PolyFire from outside the EU, your data travels internationally to reach our servers. If you are located in the EU, your data remains within the EU on our database servers.
Telegram's infrastructure is globally distributed. Messages sent to the PolyFire Telegram bot may transit through Telegram's servers in multiple jurisdictions as part of Telegram's normal operation. We do not control Telegram's routing.
Blockchain data is globally replicated by the nature of the Polygon network. Every full node worldwide that syncs the Polygon blockchain stores a copy of your transaction history. This is an inherent property of public blockchain infrastructure.
We do not currently have formal data processing agreements (DPAs) in place with all infrastructure providers or formal Standard Contractual Clauses (SCCs) for all international transfers. We are disclosing this limitation transparently. If you are an EU resident with concerns about international data transfers, you may contact us at @polyfireco.
26. Children's Privacy
PolyFire is not directed at children under the age of 18 and is not intended for use by minors. Prediction market trading involves financial risk and requires legal capacity to enter into contracts. We do not knowingly collect personal data from anyone under 18 years of age.
If we become aware that we have inadvertently collected personal data from a person under 18, we will take steps to delete that data as promptly as possible. If you are a parent or guardian and believe your child has created a PolyFire account, please contact us at @polyfireco and we will investigate and act accordingly.
27. Do Not Track Signals
Some browsers send a "Do Not Track" (DNT) signal to websites. PolyFire does not alter its data collection practices based on DNT signals because we do not engage in cross-site tracking, behavioral advertising, or the categories of tracking that DNT signals are designed to address. We collect only what is described in this policy for the purposes described in this policy — nothing more — regardless of whether DNT is enabled in your browser.
28. California Privacy Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) gives you specific rights regarding your personal information.
Right to Know: You have the right to know what personal information we collect, the purposes for which we use it, and whether we sell or disclose it to third parties. This Privacy Policy is our disclosure. We do not sell personal information and do not share it with third parties for cross-context behavioral advertising.
Right to Delete: You have the right to request deletion of personal information we hold about you, subject to certain exceptions (e.g., data necessary to complete a transaction, comply with a legal obligation, or prevent fraud). See Section 23 for how to submit a deletion request.
Right to Correct: You have the right to request correction of inaccurate personal information. Contact us via @polyfireco to submit a correction request.
Right to Opt Out of Sale/Sharing: We do not sell personal information and do not share it for cross-context behavioral advertising. There is nothing to opt out of in this regard.
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights. Exercising these rights will not result in denial of service, different pricing, or different service quality.
To exercise any of these rights, contact us at @polyfireco. We will respond to verifiable requests within 45 days, with a possible 45-day extension if needed.
29. European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) or equivalent legislation gives you the following rights with respect to your personal data:
- Right of Access (Article 15) — You may request a copy of the personal data we hold about you and information about how we process it.
- Right to Rectification (Article 16) — You may request correction of inaccurate personal data.
- Right to Erasure (Article 17) — You may request deletion of your personal data where processing is no longer necessary, you withdraw consent, or processing was unlawful. This right is subject to the limitations described in Section 23.
- Right to Restriction of Processing (Article 18) — You may request that we restrict processing of your data in certain circumstances, such as while you contest its accuracy.
- Right to Data Portability (Article 20) — You may request your personal data in a structured, machine-readable format. See Section 24.
- Right to Object (Article 21) — You may object to processing based on legitimate interests. We will cease such processing unless we demonstrate compelling legitimate grounds.
Our database infrastructure is hosted in the EU (Amsterdam, Netherlands), which means your primary data at rest is within the EU. As noted in Section 25, we do not currently have formal Standard Contractual Clauses in place for all international data flows (e.g., Telegram's global routing, Alchemy webhooks). We are being transparent about this limitation.
To exercise any GDPR rights, contact us at @polyfireco. We will respond within 30 days. If you believe we have violated your GDPR rights, you have the right to lodge a complaint with your local supervisory authority. In the Netherlands, this is the Autoriteit Persoonsgegevens (AP) at autoriteitpersoonsgegevens.nl.
30. Changes to This Privacy Policy
We will update this Privacy Policy when our data practices change materially. The "Last updated" date at the top of this page reflects when the policy was last revised. Changes become effective upon posting.
For significant changes that affect how we use personal data — new third-party sharing, new categories of data collection, or material changes to retention — we will notify active users via the Telegram bot with sufficient notice before the changes take effect. Continued use of PolyFire after such notice constitutes acceptance of the revised policy.
31. Contact Information
All privacy-related requests, questions, and concerns should be directed to us on Telegram at @polyfireco. This includes requests to access, correct, or delete your data; concerns about how we handle your information; and any CCPA or GDPR rights requests.
We are a small team and Telegram is the fastest way to reach us. We take privacy requests seriously and commit to responding within 30 days. For account-related requests, we will need to verify your identity by confirming control of the Telegram account associated with the request before taking action on sensitive data.