Policy

Scope & definitions

What this applies to: This policy applies to fdv.lol and related subdomains/services we operate, including:

• fdv.lol (the web app and token/profile pages)
• These funnel pages (onboard + 1:1 coaching request)
• Cloudflare Workers we operate (e.g., metrics, ledger/leaderboard, RPC proxy)
• Project tooling that may be run locally (CLI/scripts in the repo)

What we are not: We are not an exchange, broker, investment adviser, or custodian. We do not provide KYC/AML services. You remain responsible for your own compliance and decisions.

Age: fdv.lol is intended for adults. Do not use it if you are under 18.

Important: Blockchains are public ledgers. When you use crypto, you may publish data permanently (wallet addresses, transactions, token mints). We do not control the blockchain.

Privacy policy (data practices)

Summary: fdv.lol is primarily a client-side web app. Most market/on-chain reads happen in your browser against third-party endpoints (RPC, aggregators, market data). We try to minimize what we store server-side, but some features require telemetry and abuse prevention.

1) Information you provide

1:1 coaching request: If you request coaching via the funnel, we collect your email address and the message you submit. We do not require your legal name.

Wallet addresses you enter: Some features accept Solana addresses/mints (public keys). If you type or paste these into the app, you are providing them to your own browser session; they may also be sent to third-party APIs you query (see “Third parties”).

2) Automatic information (site + service logs)

CDN/edge logs: Like most websites, requests may generate basic logs at the hosting/CDN layer (e.g., IP address, user agent, request path, referrer, timestamp). These are used for operational security, debugging, and abuse prevention.

Cloudflare Worker logs: Our Worker endpoints may record minimal diagnostic logs (for example, error traces). We avoid logging secrets by design.

3) Feature-specific telemetry (explicit)

Shill links / referral analytics (opt-in by URL parameter): Some token/profile pages support “ref”/slug-based analytics. When enabled, events sent to our metrics service can include:

• Token mint, slug, event name/value, timestamp
• Page path + URL (href), referrer, user agent
• Hashed identifiers: a SHA-256 hash of IP address and user agent (stored as hashes, not raw values)
• A per-client nonce to help deduplicate/spam-control events

Favorites: “Favorite” counters use hashed IP-based controls to reduce spam and enforce caps.

Leaderboard / ledger (opt-in): If you opt in to publishing bot/session metrics, you may submit:

• Your public wallet address (pubkey)
• A signed message proving control of that pubkey (signature + timestamp + nonce)
• Telemetry payloads you choose to send (e.g., session PnL fields, last tx signature, balances), which are sanitized server-side
• IP address may be used for rate limiting/abuse prevention

Important: This leaderboard telemetry is optional. If you don’t want to share it, do not enable/report it.

4) Local storage (your device)

localStorage/sessionStorage: fdv.lol uses browser storage for caching, preferences, and some workflow state. Examples include saved favorites, UI settings, shill link metadata, and RPC configuration.

High-risk local data: Some Auto Trader workflows allow you to import an “Auto Wallet” secret for local signing. If you do this, that secret may be stored in your browser’s localStorage (on your device). We do not receive your private key unless you deliberately send it somewhere else, but localStorage can be exfiltrated by malware, browser extensions, or someone with device access.

Recommendation: Use a burner wallet, keep balances small, and treat any browser-stored key material as hot-wallet risk. Consider using a dedicated browser profile and a clean machine.

5) Third parties we rely on

Depending on what you click/use, fdv.lol may interact with third-party services. These services have their own privacy policies and may collect IP, device info, cookies, and usage data.

• Solana RPC providers: Your RPC endpoint receives your JSON-RPC requests (which can include wallet addresses, signatures, and program calls).
• RPC proxy (optional): We operate an RPC proxy endpoint primarily to support CORS and abuse controls; it forwards JSON-RPC to an upstream provider.
• Jupiter: For quotes/routing and swap-related flows (API + site links).
• Market data: Services like DEXScreener (and similar) for token/market metadata.
• Embeds: YouTube (on the funnel), DEXTools if embedded/linked.
• Comments/discussion: Giscus (GitHub Discussions) if enabled on a page.
• Anti-bot: Cloudflare Turnstile for some gated endpoints.
• Social automation (backend ops): Optional Workers that post updates to X (Twitter) and/or Telegram channels.

Data retention & deletion

Email (coaching requests): We retain emails only as long as needed to handle the request and related operational follow-ups. If you want your email removed, request deletion via the project repo:

• github.com/builders-toronto/fdv.lol/issues

Telemetry (metrics/leaderboard): Retention depends on the feature. For example, leaderboard report records are stored with short TTLs (days) and shill analytics are stored for operational needs and abuse prevention. We do not sell user data.

Security

No system is perfectly secure. Do not send sensitive personal information through the funnel form. Do not paste seed phrases/private keys into any form or DMs.

Security & safety practices

We design for “no custody”: fdv.lol does not run a managed account. You sign transactions locally (in your wallet or via locally stored key material) and broadcast via RPC.

Key handling: The safest pattern is to avoid storing private keys in the browser at all. If you do use an Auto Wallet secret in-browser, treat it like a hot wallet.

• Use a burner Auto Wallet with small balances.
• Keep your main wallet separate (recipient / cold storage).
• Prefer reputable RPC providers and understand they can observe your traffic.
• Beware browser extensions, malware, clipboard hijackers, and fake domains.
• Verify addresses, mints, and links every time (especially on memecoins).

Abuse prevention: Some endpoints include rate limiting, nonce replay protection, and anti-bot challenges. This may involve processing IP addresses (or hashes) and request metadata to keep services usable.

Terms of use (plain language)

Open-source, “as-is”: fdv.lol and related tooling are provided on an “as-is” and “as-available” basis, without warranties of any kind. You are responsible for reviewing the code and understanding what you run.

No custody / no fiduciary relationship: Using fdv.lol does not create a managed account relationship. We do not take custody of your assets, and we do not act as your agent, broker, or adviser.

Third-party dependency: The app depends on third-party networks and APIs (Solana RPC, aggregators, market data). Outages, rate limits, incorrect data, MEV conditions, or upstream changes may break features or cause losses.

Fees: Some workflows may include platform fees (expressed in basis points) as part of on-chain routes. Fees, if any, are visible in the UI and on-chain transaction details. You control whether you execute the transaction.

Acceptable use: You agree not to use fdv.lol for unlawful activity, harassment, abuse of third-party services, or market manipulation (including wash trading, spoofing, or coordinated pump-and-dump activity).

Sanctions / restricted use: Do not use fdv.lol in any way that violates applicable sanctions, export controls, or local laws. If using crypto tooling is restricted where you live, you must not use this site.

Changes: We may update these terms as the project evolves. Material changes will be reflected on this page.

Crypto risk disclosures (read carefully)

Key risks (non-exhaustive)

• Smart contract risk: tokens and programs may be malicious, upgradeable, or exploitable (honeypots, taxes, transfer hooks, frozen accounts).
• Liquidity + slippage risk: low liquidity can cause extreme price impact; quotes can be stale; pools can be drained.
• MEV / sandwiching / priority fees: transactions can be observed and exploited; priority fee dynamics can change execution results.
• Oracle/market data risk: third-party APIs can be wrong, delayed, rate-limited, or manipulated.
• Network/RPC risk: RPC providers can censor, rate-limit, or degrade; outages can prevent exits; proxies can fail.
• Operational risk: wrong mint, wrong recipient, wrong decimals, wrong token program assumptions, or wrong wallet can cause irreversible loss.
• Phishing/social engineering: lookalike domains, fake support, and malicious “updates” are common. Verify the domain and repo every time.
• Regulatory/tax risk: crypto rules vary by jurisdiction and can change. You are responsible for compliance and tax reporting.

Client-side automation specifics

Signing & broadcasting: If you enable automated execution, your device signs transactions and broadcasts them to an RPC endpoint. Anyone who gains access to your signing keys can drain funds.

Two-wallet pattern: We recommend using a dedicated Auto Wallet (burner) and a separate main wallet for receiving/unwinding. This is not a guarantee of safety.

Verification gates: Safety gates can reduce preventable failures, but no filter can guarantee a token is safe or that a trade will succeed.

Contact & requests

Questions, security reports, or deletion requests: The primary support channel is the repository issue tracker.

• github.com/builders-toronto/fdv.lol/issues

Community: For updates and discussion, see Telegram: t.me/fdvlolgroup.