Privacy Policy
How YorN collects, uses, and protects your information when you use our AI-powered prediction market trading platform.
Sylum ("Company," "we," "us," or "our") operates the YorN platform, a no-code AI agent builder for prediction market trading. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, mobile application, and related services (collectively, the "Service"). This policy applies to all users globally and includes provisions specific to residents of the European Economic Area (GDPR) and California (CCPA/CPRA).
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Full name and email address
- Password (stored as a salted, bcrypt-hashed value — we never store plaintext passwords)
- Profile preferences and notification settings
- Subscription tier and billing information
- Phone number (if provided for SMS alerts)
1.2 Trading and Financial Data
To enable AI agent trading on prediction markets, we collect and process:
- API keys for connected exchanges (Kalshi, Polymarket), encrypted at rest in the platform credential vault
- Trade history, open positions, order fills, and portfolio performance data received from exchanges
- Agent configurations, strategy code, parameters, and performance metrics
- Paper trading and live trading activity logs, including timestamps and amounts
- Self-learning mutation history, including proposed and applied strategy changes
- Agent playbook lessons, evolution memory, approval events, evidence summaries, and decision rationale that explain learned agent behavior
- Crowd simulation configurations and results
- Backtest results, Monte Carlo simulations, and walk-forward analysis outputs
1.3 AI Interaction Data
When you use AI-powered features (Strategy Lab, Trade Builder, agent chat), we collect:
- Your natural language prompts and messages sent to AI systems
- AI-generated responses, strategy code, and analysis outputs
- Tool call logs (which AI tools were invoked and their results)
- Conversation history for session continuity
This data is used to provide the Service and is not used to train third-party AI models. When your prompts are sent to third-party LLM providers (Anthropic, OpenAI), they are processed according to those providers' enterprise API data policies, which typically do not use API inputs for model training.
1.4 LLM Provider Credentials
If you choose to provide your own LLM API keys (OpenAI, Anthropic, etc.), these keys are:
- Encrypted at rest in the platform credential vault
- Used solely to make API calls on your behalf
- Permanently deleted when you remove them from your account
- Never shared with other users or third parties
1.5 Usage Data
We automatically collect certain information when you access the Service:
- Device type, browser version, and operating system
- IP address and approximate geolocation (city-level, not precise)
- Pages visited, features used, and session duration
- Referral source and navigation patterns
- WebSocket connection status and terminal activity timestamps
1.6 Biometric Data
The YorN mobile application may use device biometric authentication (Face ID, fingerprint) as an optional security feature. Biometric data is processed entirely on your device by the operating system and is never transmitted to or stored on our servers.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the YorN platform
- Execute trades on your behalf through AI agents you configure
- Display performance analytics and portfolio dashboards
- Process subscription payments and manage your account
- Send transactional notifications (trade confirmations, alerts, security notices)
- Analyze usage patterns to improve the product experience
- Detect and prevent fraud, abuse, or unauthorized access
- Comply with legal obligations and regulatory requirements
3. Data Security
We take the security of your data seriously, especially given the financial nature of our platform. Our security measures include:
- Fernet-backed encryption for stored API keys and exchange credentials
- A secure credential vault isolated from the main application database
- TLS 1.3 encryption for all data in transit
- Regular security audits and penetration testing
- Role-based access controls and principle of least privilege for internal systems
- Automated monitoring for suspicious activity and unauthorized access attempts
While we implement industry-standard protections, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of your data.
4. Third-Party Services
YorN integrates with and may share data with the following third-party services:
- Kalshi — Regulated prediction market exchange where your agents execute trades. Subject to Kalshi's own privacy policy and terms.
- Polymarket — Decentralized prediction market platform. Trades executed here are subject to Polymarket's policies.
- Stripe — Payment processing for subscriptions. We do not store your full credit card number; Stripe handles this per PCI-DSS standards.
- Analytics providers — We use privacy-respecting analytics to understand platform usage. Data is aggregated and not sold to advertisers.
We encourage you to review the privacy policies of any third-party service you connect to through YorN.
5. Data Retention
We retain your data for as long as your account is active or as needed to provide services. Specifically:
- Account data is retained until you request deletion
- Trade history and performance data is retained for the lifetime of your account, and for up to 12 months after account closure for regulatory compliance
- API keys are permanently deleted upon disconnection of an exchange or account closure
- Agent playbook and evolution memory are included in account export. On account erasure, future prompt influence is removed, prompt-bearing lessons are soft-deleted, lesson/prompt/code/analysis text is scrubbed, and only minimal audit hashes, states, ids, timestamps, and erased markers may remain where needed for governance integrity.
- Usage logs are retained for up to 90 days for security and debugging purposes
- Billing records are retained as required by applicable tax and financial regulations
6. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access — Request a copy of the personal data we hold about you
- Correction — Request correction of inaccurate or incomplete data
- Deletion — Request deletion of your personal data, subject to legal retention requirements
- Portability — Request your data in a structured, machine-readable format (JSON or CSV)
- Evolution export — Account export includes agent playbook lessons, learning episodes, mutations, evidence summaries, approvals, and decision rationale for your agents
- Restriction — Request that we limit processing of your data under certain circumstances
- Objection — Object to processing of your data for specific purposes
To exercise any of these rights, contact us at privacy@yorn.ai. We will respond to verified requests within 30 days.
7. Cookies and Tracking
YorN uses cookies and similar technologies for the following purposes:
- Essential cookies — Required for authentication, session management, and security. These cannot be disabled.
- Functional cookies — Remember your preferences, dashboard layout, and notification settings.
- Analytics cookies — Help us understand how the platform is used so we can improve the experience. These are anonymized.
We do not use advertising cookies or sell data to third-party advertisers. You can manage cookie preferences through your browser settings.
8. Legal Basis for Processing (EEA/UK Users)
If you are located in the European Economic Area or United Kingdom, our legal basis for processing your personal data depends on the type of data and context:
- Contract Performance — Processing necessary to provide the Service you requested (account management, trade execution, agent deployment)
- Legitimate Interest — Processing for platform security, fraud prevention, product improvement, and analytics (where your interests do not override ours)
- Consent — Processing based on your explicit consent (marketing communications, optional analytics cookies)
- Legal Obligation — Processing required by applicable law (financial record keeping, tax reporting, regulatory compliance)
9. Automated Decision-Making
YorN's AI agents make automated trading decisions based on market data, your configured strategy parameters, and machine learning models. These automated decisions can result in financial transactions with real monetary consequences. You acknowledge that:
- AI agents execute trades autonomously based on your configurations — this constitutes automated decision-making under GDPR Article 22
- You can disable automated trading at any time by pausing or stopping your agents
- You can switch to paper trading mode to prevent real financial consequences
- You may request human review of any automated action by contacting us
Self-learning agents additionally make automated decisions about strategy modifications. You control whether these modifications are applied automatically (auto-mode) or require your manual approval. Learned behavior is not guaranteed, can be wrong, remains user-controlled, and is not financial advice.
10. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States. When we transfer data internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA/UK
- Data processing agreements with all sub-processors that include equivalent protections
- Encryption of data in transit and at rest
11. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know — You may request disclosure of the categories and specific pieces of personal information we have collected about you
- Right to Delete — You may request deletion of your personal information, subject to certain exceptions
- Right to Opt-Out of Sale — We do not sell your personal information to third parties. We do not share your data for cross-context behavioral advertising.
- Right to Non-Discrimination — We will not discriminate against you for exercising your CCPA rights
- Right to Correct — You may request correction of inaccurate personal information
To exercise your CCPA rights, contact us at privacy@yorn.ai or use the data export feature in your account settings. We will verify your identity before processing requests.
Categories of personal information collected: Identifiers (name, email, IP); financial information (exchange API keys, trade history); internet activity (usage logs, browsing); professional information (strategy configurations); inferences (AI-generated analytics).
We do not sell personal information. We do not use or disclose sensitive personal information for purposes other than providing the Service.
12. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@yorn.ai.
13. Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals. Because there is no industry-standard interpretation of DNT signals, we do not currently alter our data collection practices in response to DNT signals. We do not track users across third-party websites for advertising purposes.
14. Data Breach Notification
In the event of a data breach that affects your personal information, we will:
- Notify affected users via email within 72 hours of becoming aware of the breach (as required by GDPR)
- Notify relevant supervisory authorities as required by applicable law
- Provide details on the nature of the breach, the data affected, and steps taken to mitigate the impact
- Offer guidance on steps you can take to protect yourself (e.g., rotating exchange API keys)
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify registered users via email for significant changes
- Display a prominent notice on the platform
- Where required by law, obtain your consent before applying material changes
Your continued use of YorN after any changes constitutes acceptance of the updated policy.
16. Contact Information
If you have questions about this Privacy Policy, wish to exercise your data rights, or have a complaint about our data practices, you can reach us at:
Sylum — Data Protection
Privacy: privacy@yorn.ai
Security incidents: security@yorn.ai
General: hello@yorn.ai
Website: yorn.ai
EEA/UK users also have the right to lodge a complaint with their local data protection supervisory authority.