CavachFi Privacy Policy

Effective date: December 16, 2025 Last updated: December 16, 2025 Version: 1.0

1. Introduction

Welcome to CavachFi ("we," "us," "our," or "CavachFi"). This Privacy Policy explains how we collect, use, disclose, and protect information when you access or use our decentralized trading platform and loss coverage protocol (the "Platform" or "Services").

CavachFi is committed to protecting your privacy while providing a unified trading terminal with integrated loss coverage for perpetual futures trading. This policy applies to all users who interact with our Platform, whether through our web interface, APIs, or integrated services.

Operating entities

• Omis Labs UK Ltd : Protocol governance , asset management, Platform operations and development

By accessing or using CavachFi, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please discontinue use of our Services.

2. Information We Collect

2.1 Wallet and Blockchain Data

Wallet addresses

When you connect your cryptocurrency wallet (e.g., MetaMask, WalletConnect, Coinbase Wallet) to our Platform, we collect and process your public wallet address. This is necessary to:

• Enable trading and position management

• Process coverage activations and claims

• Manage your separate Coverage Wallet

• Calculate credit scores based on trading history

• Display your positions, balances, and transaction history

On-chain transaction data

We collect and analyze publicly available blockchain data associated with your wallet address, including:

• Trading positions (size, leverage, entry/exit prices, profit/loss)

• Liquidation events and history

• Coverage activations and premium payments

• Success tax payments from profitable trades

• Pool staking deposits and withdrawals

• Historical transaction patterns and frequencies

2.2 Trading Activity Data

We collect detailed information about your trading activity on the Platform, including:

• Positions: Pair selections, order types, leverage ratios, position sizes, entry/exit prices

• Coverage usage: Coverage toggle activations, coverage percentages, premiums paid, claims processed

• DEX interactions: Routing preferences across connected exchanges (Hyperliquid, Lighter, Avantis, Extended, Aster, Naomia)

• Bot operations: Automated strategy deployments, bot performance metrics, execution history

• Order history: All orders placed, filled, canceled, or rejected

• Funding rate data: Positions affected by funding rate payments

2.3 Account and Profile Information

Credit scoring data

We maintain a proprietary credit scoring system (0–100 scale) that evaluates:

• Total trading volume and account age

• Win/loss ratios and profitability patterns

• Liquidation frequency and loss severity

• Position management behavior (leverage usage, hold durations, stop-loss practices)

• Wallet balance stability and on-chain credit history

Optional KYC information (for institutional tiers)

If you voluntarily participate in our optional Know Your Customer (KYC) program, we may collect:

• Full legal name and date of birth

• Residential address and jurisdiction

• Government-issued identification documents

• Entity verification documents (for institutional accounts)

• Beneficial ownership information

• Source of funds documentation

2.4 Communications and Support Data

• Email communications: If you contact us at [email protected] or subscribe to updates

• Support tickets: Messages, attachments, and correspondence through our support system

• Community interactions: Public messages in Discord, Telegram, or other community channels (governed by those platforms' privacy policies)

• Feedback and surveys: Responses to user research, feature requests, or satisfaction surveys

2.5 Technical and Usage Data

Device and browser information

• IP addresses and general location data (country/region level)

• Device type, operating system, and browser type/version

• Screen resolution and device identifiers

• Referring websites and pages

Platform usage analytics

• Features accessed and interaction patterns

• Time spent on different sections

• Click paths and navigation flows

• Error messages and performance issues

• API usage patterns (for developers using our SDK)

Cookies and tracking technologies

We use cookies, local storage, and similar technologies to:

• Maintain your session and authentication state

• Remember your preferences and settings

• Analyze Platform performance and usage trends

• Prevent fraud and enhance security

3. How We Use Your Information

3.1 Core Platform Operations

We use collected information to:

• Execute trading functions: Process orders, manage positions, route to optimal DEXs, and calculate leverage and margin

• Provide loss coverage: Activate coverage on positions, calculate premiums based on credit scores, process liquidation claims automatically, and distribute success tax proceeds to the protection pool

• Manage coverage pools: Track staker deposits and withdrawals, calculate pool utilization and APY, and distribute yields to pool token holders

• Operate bot systems: Execute automated trading strategies, monitor bot performance, and process marketplace transactions

3.2 Credit Scoring and Risk Management

We analyze your trading history and on-chain behavior to:

• Calculate and update your credit score (0–100)

• Determine coverage percentages (70–90%) and premium rates

• Set position size limits and leverage restrictions

• Identify risk patterns and prevent system abuse

• Maintain the 30–35% maximum pool utilization policy

3.3 Platform Improvement and Development

We use aggregated and anonymized data to:

• Improve user interface and experience

• Develop new features and trading tools

• Optimize order routing and execution

• Enhance AI assistant responses and recommendations

• Test new strategies and risk models

3.4 Security and Fraud Prevention

We process information to:

• Detect and prevent unauthorized access

• Identify suspicious trading patterns or bot behavior

• Monitor for potential smart contract exploits

• Investigate security incidents

• Comply with our bug bounty program requirements

3.5 Communications

We may use your contact information to:

• Send transactional notifications (position updates, liquidations, claims processed)

• Provide customer support responses

• Share important Platform updates or security alerts

• Deliver educational content about features and best practices

• Announce new features, partnerships, or governance proposals (with your consent)

3.6 Legal and Regulatory Compliance

We may process data to:

• Comply with applicable laws and regulations

• Respond to legal requests (subpoenas, court orders)

• Enforce our Terms of Service

• Protect our rights and property

• Investigate violations or disputes

4. Information Sharing and Disclosure

4.1 Third-Party Service Providers

We share necessary information with trusted service providers who assist in Platform operations.

Trading infrastructure

• Orderly Network: Orderbook infrastructure, position data, margin calculations

• Arbitrum Network: Blockchain settlement and smart contract execution

Oracle services

• Chainlink: Primary price feeds for liquidation calculations

• Pyth Network: Secondary high-frequency price data

Security and monitoring

• Audit firms: Quantstamp, Trail of Bits, OpenZeppelin (for security reviews)

• Immunefi: Bug bounty program coordination

• Monitoring services: Infrastructure health and alerting systems

Analytics and performance

• Analytics providers: Anonymized usage data for product improvement

• Error tracking: Crash reports and debugging information

Communications

• Email services: Transactional and marketing email delivery

• Support platform: Customer service ticket management

All third-party providers are contractually obligated to protect your information and use it only for specified purposes.

4.2 Blockchain and Public Disclosure

On-chain transparency

Certain information is inherently public due to blockchain architecture:

• All transactions on Arbitrum are publicly visible and permanent

• Wallet addresses, position details, and trading activity can be viewed by anyone using blockchain explorers

• Smart contract interactions are transparent and auditable

We do not control this public blockchain data, but we may reference it in our analytics and documentation.

4.3 Aggregated and Anonymized Data

We may share aggregated, anonymized data that cannot identify individual users, including:

• Trading volume statistics and market trends

• Pool performance metrics and utilization rates

• Credit score distributions (without individual identification)

• Platform usage analytics

This data may be shared publicly, with research partners, or used in marketing materials.

4.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, user information may be transferred to the acquiring entity. We will notify users via email and/or a Platform notice before any such transfer, and the new entity will be required to honor this Privacy Policy.

4.5 Legal Requirements and Safety

We may disclose information when we believe, in good faith, that disclosure is necessary to:

• Comply with applicable laws, regulations, or legal processes

• Respond to lawful requests from government authorities

• Protect the rights, property, or safety of CavachFi, our users, or the public

• Detect, prevent, or address fraud, security, or technical issues

• Enforce our Terms of Service or other agreements

4.6 With Your Consent

We may share information for other purposes with your explicit consent or at your direction (e.g., when you authorize third-party integrations via our SDK).

5. Data Retention

5.1 Retention Periods

We retain different categories of information for varying periods.

Active account data

• Trading and position data: Retained while your account is active and for 7 years afterward (for regulatory and audit purposes)

• Credit score history: Retained indefinitely to maintain scoring accuracy and historical patterns

• On-chain data: Permanent (controlled by the blockchain, not by us)

Inactive accounts

• Accounts with no activity for 3 years may have non-essential data archived or deleted

• Essential audit trail information is retained for regulatory compliance (7+ years)

Support communications

• Retained for 5 years after ticket closure

Analytics data

• Anonymized usage data retained indefinitely for research and development

5.2 Deletion Requests

You may request deletion of certain personal information by contacting [email protected]. Please note:

• On-chain blockchain data cannot be deleted (it is permanent and public)

• We must retain some information for legal, regulatory, or security purposes

• Deletion may prevent you from using certain Platform features

• We will respond to deletion requests within 30 days

6. Data Security

6.1 Security Measures

We implement security practices designed to protect your information.

Technical safeguards

• End-to-end encryption for data transmission (TLS 1.3+)

• Encrypted storage for sensitive off-chain data

• Multi-signature requirements for administrative functions

• Hardware wallet storage for critical keys

• Regular security audits from top firms (Quantstamp, Trail of Bits)

Operational safeguards

• 24/7 security monitoring and incident response

• Access controls and role-based permissions

• Geographic distribution of key holders

• Regular security training for team members

• Bug bounty program through Immunefi (up to $500K rewards)

Smart contract security

• Comprehensive code audits before deployment

• Formal verification where feasible

• Upgradeable proxy patterns with timelocks

• Emergency pause mechanisms for critical issues

6.2 Your Responsibilities

We cannot:

• Recover lost or compromised private keys

• Reverse unauthorized transactions

• Protect against phishing attacks targeting your wallet

You are responsible for:

• Securing your wallet and private keys

• Using strong passwords and 2FA on your wallet provider

• Avoiding phishing sites and suspicious links

• Keeping your devices secure and malware-free

• Not sharing your wallet credentials with anyone

6.3 Breach Notification

In the unlikely event of a data breach affecting personal information, we will:

• Notify affected users via email within 72 hours of discovery

• Post a notice on our Platform

• Report to relevant authorities as required by law

• Provide information about the breach and recommended actions

7. International Data Transfers

7.1 Global Operations

CavachFi operates globally with infrastructure in multiple jurisdictions. Your information may be transferred to, stored, and processed in:

• Cayman Islands (CavachFi Foundation operations)

• United States (CavachFi Labs Inc. operations)

• Cloud infrastructure locations (where our servers and databases are hosted)

7.2 Cross-Border Protections

When transferring data internationally, we ensure protections through:

• Contractual safeguards (Standard Contractual Clauses where applicable)

• Encryption during transmission and storage

• Compliance with applicable data protection regulations

• Regular assessments of foreign jurisdiction data protection standards

7.3 Geographic Restrictions

At launch, CavachFi restricts access from certain jurisdictions due to regulatory considerations, including:

• United States: Initially restricted; may allow access after regulatory clarity or KYC implementation

• United Kingdom: Initially restricted pending FCA guidance

• Sanctioned countries: Access blocked in compliance with OFAC and international sanctions

We use IP-based geofencing to enforce these restrictions. Use of VPNs to bypass restrictions violates our Terms of Service.

8. Your Rights and Choices

8.1 Access and Portability

You have the right to:

• Access: Request copies of personal information we hold about you

• Portability: Receive your data in a structured, machine-readable format

• On-chain data: Access your transaction history directly through Arbitrum block explorers

To exercise these rights, contact [email protected] with your wallet address and request details.

8.2 Correction and Updates

You may:

• Update your email address or communication preferences in Platform settings

• Request corrections to inaccurate personal information

8.3 Deletion and Restriction

You may request:

• Deletion: Removal of certain personal information (subject to legal retention requirements)

• Restriction: Limitation of processing for specific purposes

Deletion requests will be honored to the extent legally permissible. However, we must retain some information for:

• Legal and regulatory compliance (7+ year retention for financial records)

• Ongoing security monitoring and fraud prevention

• Enforcement of Terms of Service

8.4 Opt-Out Rights

Marketing communications

• Unsubscribe from promotional emails via the link in each message or by contacting us

• You cannot opt out of transactional notifications essential to Platform functionality (liquidation alerts, claim processing confirmations, and security notices)

Analytics cookies

• Manage cookie preferences through your browser settings

• Disabling essential cookies may impair Platform functionality

Credit scoring

• You cannot opt out of credit scoring while using coverage features, as it is essential for risk-based pricing

• You may choose not to activate coverage on positions if you prefer not to be scored

8.5 Withdraw Consent

Where processing is based on consent, you may withdraw consent at any time by:

• Adjusting Platform settings

• Disconnecting your wallet

• Contacting [email protected]

Withdrawal does not affect the lawfulness of processing before withdrawal.

8.6 Complaint Rights

If you believe we have mishandled your personal information, you may:

1. Contact our privacy team at [email protected] to resolve the issue

2. File a complaint with the relevant data protection authority in your jurisdiction

For EU residents (once/if services expand to Europe), you may lodge a complaint with your local Data Protection Authority.

9. Children's Privacy

CavachFi is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we discover that we have inadvertently collected information from someone under 18, we will promptly delete such information.

If you believe we have collected information from a child under 18, please contact [email protected] immediately.

10. Third-Party Links and Integrations

10.1 External Websites

Our Platform may contain links to third-party websites, including:

• Connected DEX platforms (Hyperliquid, Lighter, etc.)

• Block explorers (Arbiscan, Etherscan)

• Educational resources and documentation

• Social media channels (X/Twitter, Discord, Telegram)

We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any information.

10.2 Wallet Providers

When you connect your wallet (MetaMask, WalletConnect, etc.), you are also subject to those providers' privacy policies. We do not control or access the contents of your wallet beyond the public address and transaction data you authorize.

10.3 SDK and API Users

Developers integrating CavachFi via our SDK or API are independent data controllers responsible for their own users' privacy. We provide documentation on privacy requirements, but integration partners must implement their own privacy policies and obtain necessary user consents.

11. Do Not Track Signals

Some browsers support “Do Not Track” (DNT) signals. Currently, there is no universal standard for responding to DNT signals. CavachFi does not respond to DNT signals at this time. We will update this policy if industry standards evolve.

12. California Privacy Rights (CCPA)

While CavachFi initially restricts U.S. access, if services expand to California residents, the following applies:

• Right to Know: You may request disclosure of personal information collected, used, or shared in the past 12 months.

• Right to Delete: You may request deletion of personal information, subject to certain exceptions.

• Right to Opt-Out: You may opt out of the “sale” of personal information. CavachFi does not sell personal information in the traditional sense, but sharing with service providers may qualify under CCPA’s broad definition.

• Right to Non-Discrimination: We will not discriminate against you for exercising CCPA rights.

To exercise these rights, California residents may contact [email protected] with the subject line "California Privacy Rights Request".

13. European Privacy Rights (GDPR)

If and when CavachFi expands services to the European Economic Area (EEA), UK, or Switzerland, the following applies.

Legal basis for processing

• Contractual necessity: To provide Platform services you have requested

• Legitimate interests: For security, fraud prevention, and Platform improvement

• Consent: Where you have explicitly agreed (marketing communications and optional features)

• Legal obligations: To comply with applicable laws

Data subject rights

You have the right to access, rectification, erasure, restriction, portability, and objection (as described in Section 8). You also have the right to lodge complaints with supervisory authorities and not to be subject to automated decision-making with significant effects.

Data Protection Officer

For GDPR-related inquiries: [email protected] (to be established upon EU expansion)

EU representative

To be appointed if/when services expand to EU residents.

14. Changes to This Privacy Policy

14.1 Updates and Notifications

We may update this Privacy Policy periodically to reflect:

• Changes in our practices or services

• Legal or regulatory requirements

• User feedback and best practices

• Technological developments

Notification methods

• Material changes: Notified via email (if provided) and a prominent Platform notice at least 30 days before the effective date

• Non-material changes: Updated "Last updated" date at the top of this policy

• Version control: Version numbers indicate significant revisions

14.2 Continued Use

Your continued use of CavachFi after Privacy Policy updates constitutes acceptance of the revised terms. If you disagree with changes, you may discontinue use and request data deletion (subject to legal retention requirements).

14.3 Version History

• Current version: 1.0 (December 16, 2025)

• Previous versions will be archived and available upon request.

15. Contact Information

15.1 Privacy Inquiries

For questions, concerns, or requests regarding this Privacy Policy or our data practices:

• Email: [email protected]

• Subject line: "Privacy Inquiry"

Postal address

Omis Labs UK Ltd 124 City Road, London, United Kingdom, EC1V 2NX

15.2 Response Timeframes

We aim to respond to privacy inquiries within:

• General questions: 5 business days

• Access requests: 30 days

• Deletion requests: 30 days

• Security incidents: 72 hours (as required by law)

15.3 Community Channels

For general (non-privacy-specific) inquiries:

• X (Twitter): @CavachFi

• Documentation: docs.cavachfi.com

• Website: cavachfi.com

16. Definitions

• Coverage: The loss protection mechanism that recovers 70–90% of liquidation losses for protected positions.

• Credit Score: A 0–100 numerical assessment of trader risk based on historical behavior, determining coverage terms and premiums.

• DEX: Decentralized exchange—platforms for cryptocurrency trading without central intermediaries (e.g., Hyperliquid, Avantis).

• Coverage Wallet: A separate wallet used exclusively for coverage premiums, success tax payments, and claim receipts.

• Liquidation: Forced closure of a leveraged position when collateral falls below maintenance margin requirements.

• Personal Information: Information that identifies, relates to, describes, or could reasonably be linked to an individual.

• Platform: The CavachFi trading terminal, smart contracts, APIs, and related services.

• Pool: The collective reserve of USDC funds that provides loss coverage, funded by stakers seeking yield.

• Success Tax: The 10% fee on profitable covered trades that flows to the protection pool.

• Staker: A user who deposits USDC into the protection pool to earn yield from coverage premiums and success taxes.

17. Disclaimer and Limitations

17.1 Non-Custodial Nature

CavachFi is a non-custodial protocol. We do not hold, control, or have access to your private keys or cryptocurrency assets. You maintain complete custody and responsibility for your wallet and funds.

17.2 Blockchain Immutability

Blockchain transactions are permanent and irreversible. Once data is recorded on Arbitrum or other blockchains, it cannot be deleted, modified, or hidden by CavachFi or anyone else.

17.3 No Absolute Security

Despite our security measures, no system is completely immune to attacks or breaches. Use CavachFi at your own risk, and never stake funds you cannot afford to lose.

17.4 Not Financial or Privacy Advice

This Privacy Policy describes our data practices but does not constitute legal, financial, or privacy advice. Consult qualified professionals for guidance specific to your situation.

18. Acknowledgment and Acceptance

By connecting your wallet, accessing the Platform, or using CavachFi services, you acknowledge that:

• You have read and understood this Privacy Policy

• You agree to the collection, use, and disclosure of information as described

• You understand the blockchain nature of transactions (public and permanent)

• You accept responsibility for securing your wallet and private keys

• You meet the age requirement (18+ years old)

• You are not accessing from a restricted jurisdiction

If you do not agree to these terms, you must immediately discontinue use of CavachFi.

© 2025 CavachFi Foundation & CavachFi Labs Inc. All rights reserved.

This Privacy Policy was created with the highest standards of transparency and user protection in mind. We are committed to evolving our practices to serve our community while building the future of protected decentralized trading.