Legal

Privacy Policy

Last updated · May 13, 2026

This Privacy Policy describes how Dusk Labs, Inc. (“Dusk Labs,” “Engine,” “we,” “our,” or “us”) collects, uses, discloses, and protects personal information when you access or use the Engine website, the Engine application, the Engine strategy marketplace, and any related services (collectively, the “Services”). It applies in addition to our Terms of Service.

Plain summary. We collect the information we need to authenticate you, run your strategies on Hyperliquid, keep the Services secure, and improve them. We do not sell personal information and we do not share it for targeted advertising. Most trading activity is on a public blockchain, and we cannot delete what is on-chain.

1. Information We Collect

1.1 Information you provide

  • Account and identity. When you sign up through our authentication provider, we receive a wallet address and, if you choose to link them, an email address, phone number, or social-login identifier. We may collect a display name, avatar, and handle if you publish to the Marketplace.
  • Strategies and content. The text of any STRATEGY.md you author, fork, or subscribe to; comments, ratings, and other user-generated content; any feedback or support messages you send us.
  • Communications. Emails, chat messages, and support tickets you send to us, including their contents and attachments.
  • Payment information. If you pay for premium features or receive payouts as a Strategy author, our payment processor will receive the information needed to complete the transaction. We do not store full payment card numbers ourselves.
  • KYC and sanctions information where we are required to collect it, including jurisdiction of residence, government-issued identifiers, and screening results.

1.2 Information collected automatically

  • Device and technical data. IP address, approximate geographic location derived from IP, device identifiers, browser type, operating system, language, and crash logs.
  • Usage data. Pages visited, features used, buttons clicked, session duration, referrer, and the timing and result of agent actions.
  • Trading and on-chain activity associated with your wallet, including deposits to and withdrawals from your Vault, orders submitted by the Agent on your authority, fills, fees, P&L, and ledger entries. On-chain activity is public.
  • Cookies and similar technologies for authentication, preferences, security, and analytics. You can manage cookies through your browser; some cookies are required for the Services to function.

1.3 Information from third parties

  • Our authentication provider (Privy) shares with us the wallet address you sign in with and any optional identity proofs you connect.
  • Our infrastructure providers (including Google Cloud and Supabase) share operational logs, performance data, and security signals.
  • Hyperliquid and the public blockchain reveal trade activity tied to your wallet address.
  • Analytics providers (such as PostHog) share aggregated usage data and product telemetry.
  • Sanctions and fraud-prevention providers may share screening results.

2. How We Use Information

We use personal information for the following purposes:

  • Provide the Services. Authenticate you, run the Agent against your Strategy, render dashboards, route orders, and journal activity to the transparency terminal.
  • Operate the Marketplace. Publish your Strategy at your request, attribute it to your handle, and calculate any payouts.
  • Safety, security, and integrity. Detect, prevent, and respond to fraud, abuse, market manipulation, sanctions evasion, security incidents, and breaches of our Terms.
  • Compliance. Comply with applicable laws and regulations, including anti-money-laundering, sanctions screening, tax-information reporting, and responding to lawful requests from authorities.
  • Improve the Services. Understand how features are used, debug issues, improve the Agent and our models, and develop new features.
  • Communicate. Send transactional messages (security, billing, account notices), and, if you have opted in, product updates and marketing.
  • Research and aggregation. Aggregate or de-identify information for analytics, benchmarking, and research. Aggregated and de-identified data is not personal information.

2.1 AI training

We do not use the contents of your private Strategies, your account balances, or your support communications to train foundation models for third parties. We may use de-identified, aggregated, or operational data to improve our own Agent and routing logic. Strategies you publish to the public Marketplace, and any comments or ratings you post publicly, are public content and may be used to improve and rank Marketplace functionality.

3. How We Disclose Information

We disclose personal information only as described below. We do not sell it.

  • Service providers that process information on our behalf under contractual confidentiality and data-protection obligations, including our authentication, infrastructure, database, email, payments, analytics, and fraud-prevention providers.
  • Trading venue. The Venue (currently Hyperliquid) necessarily receives the order instructions the Agent submits on your authority, signed by your wallet. The Venue is independent of Engine and has its own privacy practices.
  • On-chain disclosure. Deposits, withdrawals, and certain trade activity are published to a public blockchain. This is inherent to the technology and is not reversible by us.
  • Strategy authors and subscribers. If you publish a Strategy, your handle and the Strategy contents are public to other users. If you subscribe to a third-party Strategy, the Strategy author may receive aggregate statistics about subscriber performance.
  • Business transfers. If we engage in a merger, acquisition, financing, or sale of assets, personal information may be transferred subject to the receiving party agreeing to honor commitments at least as protective as those in this Policy.
  • Legal and safety. To comply with law, court orders, or other valid legal process; to enforce our Terms; to protect the rights, property, or safety of Dusk Labs, our users, or others; and in connection with sanctions and fraud investigations.
  • With your direction. When you ask us to disclose information to a third party (for example, by connecting a wallet, exporting your data, or linking a social account).

4. Data Retention

We retain personal information for as long as we need it to provide the Services and for the additional periods required for our legitimate business needs, including:

  • financial-records and tax obligations (typically 7 years for transaction records);
  • sanctions-screening evidence and AML records (typically 5 years from the last interaction, or longer if required);
  • security logs and abuse-prevention records (typically 12–24 months);
  • backups, which are deleted on their normal rotation schedule.

After the retention period, we delete or de-identify the information. We cannot delete data that is recorded on a public blockchain.

5. Security

We use commercially reasonable technical, administrative, and organizational measures designed to protect personal information, including encryption in transit and at rest, least-privilege access, audit logging, and isolation of trading credentials. No system is 100% secure; we cannot guarantee that personal information will be protected against all unauthorized access. You are responsible for safeguarding your wallet, your private keys, and your authentication credentials.

6. Children

The Services are not directed to children under 18, and we do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, contact us at privacy@dusk.so and we will delete it.

7. International Transfers

Dusk Labs is based in the United States. By using the Services, you understand that your personal information will be transferred to and processed in the United States and in other countries where our service providers operate. We use appropriate safeguards for cross-border transfers from the EEA, the United Kingdom, and Switzerland, including the EU Standard Contractual Clauses and the UK addendum.

8. Your Rights and Choices

Depending on your jurisdiction, you may have some or all of the following rights with respect to the personal information we hold about you: access, correction, deletion, portability, restriction or objection to processing, withdrawal of consent (where we process on the basis of consent), and the right to complain to a supervisory authority.

To exercise a right, email privacy@dusk.so from the email associated with your account or include your wallet address so we can verify the request. We may decline a request that we cannot verify or that would conflict with a legal obligation (for example, a sanctions or tax-records retention requirement). We do not discriminate against users who exercise their rights.

8.1 European Economic Area, United Kingdom, and Switzerland

Where the EU or UK General Data Protection Regulation applies, the legal bases on which we rely include: performance of a contract with you (to provide the Services); legitimate interests (to secure, improve, and operate the Services in a privacy-respecting way, and for direct marketing where permitted); compliance with a legal obligation (sanctions, AML, tax); and consent (for certain cookies and marketing communications).

8.2 California

Under the California Consumer Privacy Act (CCPA/CPRA), California residents have the rights described above and the right to know what personal information we have collected, to delete it, to correct it, and to opt out of any “sale” or “sharing” of personal information for cross-context behavioral advertising. We do not sell personal information and we do not share it for cross-context behavioral advertising. We do not use sensitive personal information for any purpose requiring a right to limit. We do not have actual knowledge that we sell or share the personal information of consumers under sixteen years of age.

8.3 Nevada

Nevada residents may submit a request that we not sell their personal information by contacting privacy@dusk.so. We do not currently sell information as defined under Nevada law.

8.4 Other U.S. states

Residents of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, and similar states that grant consumer-privacy rights may exercise their access, deletion, correction, portability, opt-out, and appeal rights by emailing privacy@dusk.so.

9. Marketing Preferences

You can opt out of promotional emails using the unsubscribe link in any such email or by emailing privacy@dusk.so. We will still send you transactional messages (security, billing, and account notices) while you have an active account, as those are required to operate the Services.

10. Cookies and Tracking

We use a small number of cookies and similar technologies for authentication, security, preferences, and analytics. We do not use cookies for cross-context behavioral advertising. Most browsers let you control or block cookies; if you do, some features of the Services may not work.

11. Third-Party Links

The Services may contain links to third-party websites (including the Venue and your wallet provider). We are not responsible for those sites or their privacy practices. Read their policies before sharing information with them.

12. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will provide notice through the Services or by email at least seven (7) days before the changes take effect, unless the change is required by law or addresses an urgent security issue. The “Last updated” date at the top reflects the most recent version.

13. Contact

Dusk Labs, Inc. · Delaware, USA · privacy@dusk.so. For data-protection requests in the EU/UK, you may also contact our designated representative at the same address.