Privacy Policy
The Forge Ltd (Smeltor) · Cayman Islands
This Privacy Policy explains how The Forge Ltd (a company in the process of incorporation in the Cayman Islands), which operates the Smeltor platform ("Company", "we", "us", "our"), collects, uses, discloses, and protects information in connection with the Smeltor API, developer documentation, and website (collectively, the "Platform"). It should be read together with our Terms of Use, into which it is incorporated by reference.
1. Who We Are and Our Role
The Company operates a non-custodial DeFi routing API under the Smeltor brand. We never hold funds, never control wallets, and never take custody of Digital Assets or private keys. For the limited personal data we process (described below), the Company acts as the data controller. Where Third-Party Services process data on our behalf, they act as our processors under their own terms. Contact: legal@smeltor.com.
2. Information We Collect
2.1 API Usage Data
When you call the API, we collect: your IP address (for rate limiting, security, and geoblocking); request parameters such as action type, chain, token symbols, and amount ranges; the response data generated; and request timestamps. We do not collect or have access to wallet private keys, seed phrases, or signing credentials at any point.
2.2 Wallet Addresses
Public wallet addresses provided in API requests are processed solely to compute Routes and generate Calldata. Wallet addresses and on-chain transaction hashes are public blockchain data. We do not link a wallet address to your real-world identity unless you voluntarily provide that link (for example, by contacting support).
2.3 Technical and Log Data
We collect standard server log data including user agent, referrer, request headers, approximate location derived from IP, and diagnostic information, for security monitoring, abuse prevention, and debugging.
2.4 Communications
If you contact us (for example, at legal@smeltor.com), we collect the information you provide in that communication, including your email address and the content of your message.
2.5 What We Do Not Collect
We do not collect or store: private keys, seed phrases, wallet credentials, biometric data, payment card data, government identifiers, or any data that would allow us to access or control your Digital Assets.
3. How We Use Information
- To compute Routes and generate API responses;
- To enforce rate limits and prevent abuse;
- To apply geoblocking and comply with jurisdiction restrictions;
- To monitor for security threats, fraud, and illicit activity;
- To debug, maintain, and improve the Platform;
- To respond to your communications and support requests; and
- To comply with Applicable Laws and lawful requests from Governmental Authorities.
4. Lawful Bases for Processing
Where data protection laws such as the EU/UK General Data Protection Regulation apply to our processing, we rely on the following lawful bases: (a) our legitimate interests in operating, securing, and improving the Platform and preventing abuse and fraud, balanced against your rights; (b) compliance with a legal obligation, including AML/CFT and sanctions screening; and (c) where required, your consent, which you may withdraw at any time. Note that the Platform is not directed to or available in the European Union or United Kingdom; these bases are stated for completeness in the event your data is nonetheless processed.
5. How We Share Information
We do not sell personal data. We share information only as follows:
- Service providers and processors: infrastructure, hosting, analytics, and security providers acting on our behalf under contractual confidentiality obligations.
- Legal and regulatory: where required by Applicable Laws, court order, or a lawful request from a Governmental Authority, or to protect the rights, safety, or property of the Company, Users, or others.
- Corporate transactions: in connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality.
6. Third-Party Services
The Platform integrates with Third-Party Services that operate under their own privacy policies, which we do not control:
- Wallet Infrastructure Providers — third-party providers of wallet connectivity and embedded wallet infrastructure, including but not limited to WalletConnect and Privy; each provider's own privacy policy governs. These providers are designed so that only the wallet owner can access their keys (for example, embedded wallet providers use secure hardware trusted execution environments). The specific providers integrated with the Platform may change from time to time.
- Protocols — the third-party DeFi protocols, smart contracts, and trading venues to which the API routes (such as swap aggregators, lending protocols, bridges, and trading venues), which may change from time to time; each Protocol's own policy governs interactions with its contracts.
- RPC and node providers — Alchemy, Infura, and similar; used to query Blockchain Networks.
When you connect a Wallet or execute a transaction, you also interact directly with these Third-Party Services and Blockchain Networks. We encourage you to review their privacy practices.
7. Cookies and Analytics
The website may use strictly necessary cookies and similar technologies for core functionality and security, and limited analytics to understand aggregate usage. We do not use cookies to build advertising profiles. Where required by Applicable Laws, we will request consent for non-essential cookies. You can control cookies through your browser settings; disabling some cookies may affect functionality.
8. International Data Transfers
The Company is based in the Cayman Islands, and our service providers may process data in other jurisdictions. Where personal data is transferred across borders and data protection laws require it, we rely on appropriate safeguards such as standard contractual clauses or equivalent mechanisms. By using the Platform, you understand that your information may be processed outside your country of residence.
9. Data Retention
We retain API request logs and technical data for up to ninety (90) days for security, abuse prevention, and debugging, after which they are deleted or anonymised, except where a longer period is required by Applicable Laws or to resolve disputes. Aggregated, anonymised data that does not identify you may be retained indefinitely. Public blockchain data is immutable and cannot be deleted by us.
10. Your Rights
Depending on your jurisdiction, you may have rights to access, correct, delete, restrict, or object to the processing of your personal data, and to data portability. To exercise these rights, contact legal@smeltor.com. We will respond within thirty (30) days, subject to verification of your request and any exemptions under Applicable Laws. Note that public blockchain data (wallet addresses, transaction hashes) is immutable and outside our control, and cannot be erased.
11. Children's Data
The Platform is not directed to, and may not be used by, anyone under eighteen (18) years of age. We do not knowingly collect personal data from children. If we become aware that we have collected such data, we will delete it. If you believe a child has provided us data, contact legal@smeltor.com.
12. Data Security
We implement reasonable, industry-standard technical and organisational measures to protect information against unauthorised access, alteration, disclosure, and destruction. However, no system is perfectly secure. Because the Platform is non-custodial, a security breach affecting our systems cannot result in loss of your Digital Assets — the maximum exposure is to plan-generation and log data, not custody.
13. Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights, we will notify affected Users and any relevant Governmental Authority where and to the extent required by Applicable Laws, without undue delay.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be indicated by the version and date above and announced through the Platform. Your continued use after an update constitutes acceptance of the revised policy.
15. Contact
For any question, request, or complaint regarding this Privacy Policy or your data, contact legal@smeltor.com. You may also have the right to lodge a complaint with a data protection authority in your jurisdiction.