This Privacy Policy explains what personal data Automata AI, Inc. collects when you use the Tapioca platform, how it is used, who it is shared with, and what rights you have over your information.
Plain-language summary: Tapioca does not use cookies. We collect only what is necessary to operate the platform: your wallet address, authentication credentials, and on-chain activity. We do not sell your personal data. You have the right to access, correct, or delete the information we hold about you.
This Privacy Policy describes how Automata AI, Inc. (“Automata AI,” “we,” “us,” or “our”) collects, uses, discloses, and protects information about you when you access or use the Tapioca yield platform at tapioca.money and any associated interfaces (collectively, the “Services”). By using the Services, you acknowledge that you have read and understood this Privacy Policy.
Effective Date: April 20, 2026
Version: v1.0.1
1. Overview
1.1 No cookies
Tapioca does not use cookies. We do not set first-party or third-party cookies on your browser. We do not use tracking pixels, browser fingerprinting techniques, or any similar persistent client-side identifiers for advertising, analytics, or any other purpose.
Certain third-party services embedded in the platform (see Section 4) may have their own data-collection practices. Where a third party is involved, we link to their privacy policies so you can review them directly.
1.2 Scope
This Privacy Policy applies to personal data processed by Automata AI in connection with the Services. It does not apply to on-chain data — transactions recorded on the Base blockchain are public by nature and are outside our control.
We collect only the information necessary to operate the Services safely and effectively.
| Category | Examples | Purpose |
|---|---|---|
| Authentication credentials | Email address used to sign in via Privy | Account creation and identity verification |
| Communication data | Messages you send to our support address | Responding to support requests |

| Category | Examples | Purpose |
|---|---|---|
| Wallet and account data | Smart account address (ERC-4337), public key | Protocol interaction and account management |
| On-chain activity | Deposit amounts, withdrawal amounts, yield strategy selections, Session Key events | Displaying your portfolio, calculating yields, operating the protocol |
| Application logs | Server-side request logs (IP address, timestamp, request path, HTTP status) | Security monitoring, incident response, operational debugging |
We do not collect:
- Private keys or seed phrases (these are managed non-custodially by your authentication provider, Privy);
- Payment card numbers or bank account details;
- Government-issued identification documents;
- Precise geolocation data;
- Behavioural analytics or browsing history outside the Services.
We use the information we collect for the following purposes, in each case based on a legitimate legal basis:
| Purpose | Legal basis (GDPR) |
|---|---|
| Creating and managing your smart account | Performance of a contract (Art. 6(1)(b) GDPR) |
| Facilitating deposits, withdrawals, and yield strategies | Performance of a contract (Art. 6(1)(b) GDPR) |
| Managing Session Keys and delegated access | Performance of a contract (Art. 6(1)(b) GDPR) |
| Sending transactional communications (e.g., account confirmations, incident alerts) | Performance of a contract / Legitimate interests (Art. 6(1)(b), (f) GDPR) |
| Detecting and preventing fraud, abuse, or sanctions violations | Legal obligation / Legitimate interests (Art. 6(1)(c), (f) GDPR) |
| Security monitoring and incident response | Legitimate interests (Art. 6(1)(f) GDPR) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c) GDPR) |
| Improving the Services | Legitimate interests (Art. 6(1)(f) GDPR) |
We do not use your personal data for targeted advertising. We do not sell, rent, or trade your personal data to any third party for their own marketing purposes.
4. Data processors
To operate the Services, we engage third-party data processors. Each processor handles only the data necessary for its specific function and is bound by a data processing agreement requiring them to protect your data in accordance with applicable law.
4.1 Current processors
| Processor | Role | Privacy policy |
|---|---|---|
| Privy | Embedded wallet creation, email-based authentication, key management | privy.io/privacy |
| ZeroDev | ERC-4337 smart account infrastructure, Session Key management, transaction bundling | zerodev.app/privacy |
| Alchemy | RPC node access, transaction bundling, blockchain data indexing | alchemy.com/privacy-policy |
| Vercel | Frontend hosting, edge network delivery, server-side request logging | vercel.com/legal/privacy-policy |
| Neon | Serverless PostgreSQL database for off-chain application data | neon.tech/privacy |
| Resend | Transactional email delivery | resend.com/privacy |
| PagerDuty | Operational incident management and on-call alerting | pagerduty.com/privacy |
| Coinbase / Base | Layer 2 network infrastructure (Base is a public blockchain; on-chain data is public by nature) | coinbase.com/legal/privacy |
4.2 Planned processors
The following processors are not yet active but are expected to be integrated in future versions of the Services. This table will be updated when they go live:
| Processor | Planned role |
|---|---|
| Biconomy | Additional relayer and bundler infrastructure for gasless transactions |
| MoonPay | Fiat on-ramp and off-ramp services |
| Safe | Multi-signature smart account support |
5. Your rights
5.1 GDPR rights (EEA, UK, and Switzerland)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) or equivalent applicable law:
- Right of access: You may request a copy of the personal data we hold about you.
- Right to rectification: You may request correction of inaccurate or incomplete personal data.
- Right to erasure: You may request deletion of your personal data where we no longer have a legal basis to process it.
- Right to restriction: You may request that we restrict our processing of your personal data in certain circumstances.
- Right to data portability: You may request that we provide your personal data in a structured, machine-readable format for transfer to another controller.
- Right to object: You may object to processing based on our legitimate interests, including any profiling based on those interests.
- Right to withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing before the withdrawal.
- Right to lodge a complaint: You have the right to lodge a complaint with the supervisory authority in your country of residence.
5.2 CCPA and US state privacy rights
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the purposes for collection, and the categories of third parties to whom we have disclosed it.
- Right to delete: You may request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to correct: You may request correction of inaccurate personal information.
- Right to opt out of sale or sharing: We do not sell or share your personal information for cross-context behavioural advertising. There is nothing to opt out of, but you may contact us to confirm this.
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.
Residents of other US states with applicable privacy laws (including Colorado, Connecticut, Texas, and Virginia) may have similar rights under those laws. We will honour requests to the extent required by applicable law.
5.3 How to exercise your rights
To exercise any of the rights described above, please contact us at hello@beautomata.com with the subject line “Privacy Rights Request.” We will respond within the timeframe required by applicable law (generally 30 days for GDPR requests and 45 days for CCPA requests). We may ask you to verify your identity before processing your request.
6. Data retention
We retain personal data only for as long as necessary to fulfil the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
| Data category | Retention period |
|---|---|
| Account and authentication data | Duration of your account plus 3 years after account closure, or as required by applicable law |
| Transaction and on-chain activity records | 5 years after the relevant transaction, or as required by applicable law |
| Support correspondence | 3 years from the date of the communication |
| Application and security logs | 90 days, unless required longer for an ongoing investigation |
On-chain data (transactions recorded on Base) is permanently public and cannot be deleted. When you request erasure, we delete the associated off-chain records we control; we cannot remove data from the blockchain.
7. Security
We implement technical and organisational measures designed to protect your personal data against unauthorised access, disclosure, alteration, and destruction. These measures include:
- Encryption of data in transit using TLS;
- Encryption of sensitive data at rest;
- Access controls limiting data access to authorised personnel with a legitimate need;
- Operational monitoring and incident response procedures managed in part through PagerDuty;
- Regular review of security practices.
No method of transmission over the internet or electronic storage is completely secure. We cannot guarantee the absolute security of your data, and you provide it at your own risk.
8. Children’s privacy
The Services are not directed to individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at hello@beautomata.com and we will take steps to delete the information as soon as practicable.
9. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will revise the “Effective Date” at the top of this page and, where practicable, notify you by email or through an in-app notice. We encourage you to review this Privacy Policy periodically. Your continued use of the Services after the effective date of a revised Privacy Policy constitutes your acceptance of the changes.
If you have questions, concerns, or requests relating to this Privacy Policy or our data-handling practices, please contact us at:
Automata AI, Inc.
Email: hello@beautomata.com
Website: beautomata.com
For GDPR-related inquiries, you may also contact us using the subject line “Data Protection Inquiry.”