Last updated: May 21, 2026 · Plain-English summary at the top, full legal text below.
We collect the following categories of data: account data (company name, admin email, password hash), employee data (names, emails, departments, onboard tokens you generate for them), credentials (exchange API keys + secrets, encrypted with AES-256-GCM before storage), wallet addresses (public on-chain identifiers you submit), derived data (balances, transactions, NFTs, DeFi positions we fetch on your behalf), audit data (logs of dashboard actions for compliance purposes), and technical data (IP addresses, request timestamps, user-agent strings).
We process this data to provide the compliance-monitoring service you contracted us for. The lawful basis is contract performance under GDPR Article 6(1)(b): we cannot deliver Vigatra without this data. For audit logging specifically, the basis is legitimate interest under Article 6(1)(f) for security and accountability.
Retention is configurable per customer firm and aligns with the financial-record retention requirements of your jurisdiction (e.g. SEC Rule 17a-4 mandates 6 years for broker-dealers in the US). When you cancel your subscription, we retain your data for 90 days for transition purposes, then delete it. Audit logs are retained for the full contract term.
We share data only with the sub-processors listed on our security page. We require contractual data-protection commitments from each of them. We do not share data with marketers, advertisers, social-media platforms, or law enforcement absent a valid legal demand.
If you are an employee being monitored, your rights flow through your employer (the Controller). Submit GDPR/CCPA/equivalent requests to your firm's compliance officer. If you are a Vigatra customer firm, you can export or delete data via the dashboard or by contacting [email protected].
Privacy questions: [email protected]. Security incidents: [email protected].