Legal · GDPR / DSGVO
Privacy Policy
How we collect, use, and protect personal data on moonhydra.com and the @moonhydrabot Telegram trading bot. Written for GDPR (Regulation (EU) 2016/679) compliance, last updated 2026-05-27.
1. Data controller
The data controller per Art. 4 (7) GDPR is the natural-person operator of moonhydra.com and the @moonhydrabot Telegram trading bot. For privacy questions or data subject requests, message us on Telegram at @moonhydrabot and we will respond within the GDPR-mandated 30-day window.
2. Data we collect on moonhydra.com
Server-side hosting (Cloudflare Pages)
The marketing site is served by Cloudflare Pages. Cloudflare processes IP addresses, user-agent strings, and request metadata as a data processor to deliver the site and protect against abuse. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in a functioning website). See Cloudflare's privacy policy .
Google Analytics 4 (consent-gated)
We use Google Analytics 4 (property G-WF6WS2B5F8) with Google Consent Mode v2 set to default-deny. For EU/EEA traffic this means GA4 sends only anonymised, cookieless pings until you actively grant consent. We do not currently ship a cookie banner; analytics_storage, ad_storage and personalization_storage all remain denied for every visitor. Legal basis: Art. 6 (1) (f) GDPR for the anonymised aggregate metrics.
Error monitoring (Sentry)
Frontend errors may be reported to Sentry to keep the site reliable. Reports include URL, browser, and stack trace — they do not include form input or sensitive identifiers. Legal basis: Art. 6 (1) (f) GDPR (operating a stable service).
No cookies set without consent
The marketing site itself sets no marketing or tracking cookies. Only strictly necessary technical state (e.g. a cookie-banner dismissal flag if one ships) would be stored, under Art. 6 (1) (f) GDPR.
3. Data we collect in the @moonhydrabot Telegram bot
When you interact with the bot we process:
- Your Telegram user ID and username (to identify you to the bot).
- The chat messages and commands you send the bot.
- Trade settings, positions, limit orders, alerts and other configuration you create.
- The encrypted private keys of the burner wallets ("Hydra Heads") you generate or import — AES-256-GCM encrypted at rest with a master key held only in the operator's environment.
- Optionally: a withdrawal password (scrypt-hashed) and a TOTP secret if you enable 2FA.
Legal basis: Art. 6 (1) (b) GDPR (performance of the service you requested). We never sell, share, or commercialise this data.
4. Third parties the bot routes traffic through
- Telegram (Telegram FZ-LLC): chat transport. Required to use the bot.
- Helius: Solana RPC for reading on-chain state and broadcasting transactions.
- Jupiter Aggregator: route quotes and swap routing for every trade.
- Jito Block Engine: MEV-protected bundle submission (when enabled).
- Railway / managed Postgres + Redis: our hosting and storage layer.
- RugCheck (rugcheck.xyz): token-safety scoring (public data).
These vendors process traffic on our behalf as data processors or as public infrastructure. No personally identifying data is transmitted beyond what each protocol fundamentally requires (e.g. wallet addresses for on-chain calls, IP for HTTPS routing).
5. Storage duration
Bot account data is kept for as long as the account is active. You can request deletion at any time (see §7). Server logs containing IP addresses are rotated within 30 days.
6. International transfers
Some processors (Cloudflare, Google, Telegram) operate infrastructure outside the EU/EEA. They self-certify under valid transfer mechanisms (Standard Contractual Clauses and/or the EU-US Data Privacy Framework as applicable).
7. Your rights
Under GDPR you have the right to:
- Access the personal data we hold about you (Art. 15).
- Have inaccurate data corrected (Art. 16).
- Have your data deleted (Art. 17) — for the bot this means deleting your account, including the encrypted wallet records.
- Restrict or object to processing (Art. 18, 21).
- Receive your data in a portable format (Art. 20).
- Withdraw consent at any time without affecting prior lawful processing.
- Lodge a complaint with a supervisory authority (Art. 77).
To exercise any of these rights, message us on Telegram at @moonhydrabot from the Telegram account associated with your data so we can verify the request.
8. Security
Private keys for burner wallets are encrypted with AES-256-GCM before being written to the database; the master key is held only in the operator's environment. All requests use HTTPS / TLS. Logs are scrubbed of secrets before they leave the application.
9. Changes
We will revise this page when our data practices change. Material changes will be noted at the top of this page and, where appropriate, surfaced inside the bot.