Last updated: 24 June 2026
1.1. This Privacy Policy explains how Ledger Syndicate S.A., a sociedad anónima organised under the laws of the Republic of Panama, which operates the "Agra" platform ("Agra", "we", "us", "our"), processes personal data in connection with the website-hosted user interface at app.agra.gg and related services (the "Interface" and the "Services", as defined in our Terms and Conditions).
1.2. Agra is the data controller for the processing described in this Policy. For the purposes of Panama's Law 81 of 26 March 2019 on the Protection of Personal Data and its Executive Decree 285 of 2021 ("Law 81"), Agra is the responsable del tratamiento.
1.3. Contact. For any privacy matter, or to exercise your rights, contact us by email at privacy@agra.gg. A dedicated privacy email satisfies the "contact details" requirement under Law 81 and the GDPR; a postal address is available on request.
2.1. The Services are non-custodial and, by default, do not require you to create an account or to provide your name, email, date of birth, government identification, or other identity documents. We do not perform routine KYC on ordinary users.
2.2. Blockchain data is public and permanent. When you transact through the Protocol, your wallet address and transaction details are recorded on a public blockchain that we do not own or control. We cannot alter, delete, or erase data once it is recorded on a blockchain. Any information you make public on a blockchain is outside our control.
We process the following categories of personal data:
3.1. Blockchain and wallet data. Your public wallet address and associated on-chain activity (transactions, deposits, withdrawals, balances, and interactions with the Protocol) when you connect a Wallet to, or transact through, the Interface. We use this primarily in aggregate to understand and improve the Services, and to screen for prohibited or illicit activity; we do not use it to build profiles of identified individuals beyond what is described in this Policy.
3.2. Technical and device data. IP address, approximate location derived from it, device and browser type, operating system, language, referring/exit pages, timestamps, and similar log data. We use IP-derived location to enforce the access restrictions in our Terms (for example, blocking Restricted Territories).
3.3. Usage data. Pages and features viewed, interactions, session information, and preferences, including data stored locally on your device (see Section 9, Cookies).
3.4. Communications data. Information you provide when you contact us for support or otherwise, including the contents of your messages and any feedback or survey responses.
3.5. Compliance data (situational only). Where we exercise our reserved right to conduct enhanced screening or KYC under our Terms (for example, due to risk flags, transaction patterns, or legal requirements), we may collect identity and source-of-funds information and the results of Sanctions and illicit-activity screening. We collect this only where necessary and treat it as confidential. Some such information may constitute sensitive data and is processed only on a lawful basis and with heightened protection.
We do not knowingly collect special categories of data or biometric data in the ordinary operation of the Services.
We process personal data for the following purposes, relying on the legal bases indicated (Law 81, Art. 6 and Decree 285, Art. 17; and, where applicable, GDPR Art. 6):
| Purpose | Legal basis |
|---|---|
| Providing, operating and maintaining the Interface and Services | Performance of a contract (our Terms with you); our legitimate interests in operating the Services |
| Enforcing access restrictions, screening for Sanctions and illicit activity, fraud and security | Compliance with legal obligations (incl. AML/CFT under Panama Law 23 of 2015); legitimate interests in security and legal compliance |
| Analytics and improving the Services | Your consent (where required for cookies/trackers); legitimate interests |
| Responding to your communications and support requests | Performance of a contract; legitimate interests |
| Conducting KYC / enhanced due diligence where triggered | Compliance with legal obligations; your consent where applicable |
| Complying with legal, regulatory and law-enforcement requests | Compliance with legal obligations |
Where we rely on consent, you may withdraw it at any time (Section 7); withdrawal does not affect processing carried out before withdrawal.
We do not sell your personal data. We may share it with:
5.1. Service providers / processors acting on our instructions, including our software development and technical service providers, hosting and infrastructure providers, RPC/node providers, and analytics providers (Google Analytics and PostHog);
5.2. Compliance providers, including our blockchain analytics and Sanctions/illicit-activity screening provider, Chainalysis;
5.3. Professional advisers (legal, accounting, audit);
5.4. Authorities and third parties where we believe in good faith it is necessary to comply with Applicable Law, a legal or regulatory request, or to protect our rights, users, or the public, or to prevent harm or illegal activity; and
5.5. Successors in connection with a merger, acquisition, reorganisation, or sale of assets, subject to this Policy.
We are based in Panama and may transfer personal data to service providers and recipients located in other countries, which may have data-protection laws different from yours. Where we transfer personal data internationally, we do so on a lawful basis permitted by Law 81 (Art. 33; Decree 285, Arts. 51–53) and, for transfers subject to GDPR, under an appropriate safeguard such as the European Commission's Standard Contractual Clauses, adequacy, or your consent. You may request information about the safeguards we use using the contact details in Section 1.
7.1. Panama (Law 81 — "ARCO" rights and portability). Subject to Law 81, you have the rights of Access, Rectification, Cancellation (deletion), Opposition, and Portability in respect of your personal data. We provide these free of charge and will respond to access requests within ten (10) business days, and to rectification requests within five (5) business days, as provided by Law 81. If you are not satisfied, you may lodge a complaint with the Autoridad Nacional de Transparencia y Acceso a la Información (ANTAI), Panama's supervisory authority.
7.2. EEA/UK (GDPR), where applicable. You have the rights of access, rectification, erasure, restriction, objection, portability, withdrawal of consent, and to lodge a complaint with your local data-protection authority. Where decisions are made solely by automated means with legal or similarly significant effect, you have rights under Article 22 GDPR.
7.3. California (CCPA/CPRA), where applicable. If you are a California resident and the CCPA applies, you have the rights to know, access, delete, correct, and to opt out of the "sale" or "sharing" of personal information, and to limit use of sensitive personal information, free from discrimination. We honour Global Privacy Control (GPC) signals as opt-out requests. We do not sell your personal information for money.
7.4. Limits. Some rights are subject to exceptions, including where we must retain data to comply with a legal obligation (such as AML/CFT record-keeping) or where data resides immutably on a public blockchain and cannot technically be altered or erased (in which case we will, where feasible, delete or de-link associated off-chain data).
7.5. How to exercise. Use the contact details in Section 1. We may need to verify your request, which for blockchain-related data may involve demonstrating control of the relevant wallet address.
We retain personal data only for as long as necessary for the purposes described in this Policy or as required by Applicable Law, after which we delete or anonymise it. Where the law specifies a period — for example, AML/CFT records retained for the minimum period required under Panama Law 23 of 2015 (five (5) years) — we retain data accordingly. Data recorded on a public blockchain is permanent and outside our control. Specific or criteria-based retention periods are available on request.
We and our providers use cookies, local storage, and similar technologies to operate the Interface, remember your preferences, and analyse usage. Where required by law, we obtain your consent for non-essential cookies and trackers. You can manage your preferences at any time through our cookie-consent controls and your browser settings.
We implement technical and organisational measures designed to protect personal data, consistent with Decree 285, Art. 36. No method of transmission or storage is completely secure, and you are responsible for securing your own Wallet, private keys, and devices.
Where required by Law 81 (Decree 285, Arts. 37–38) or other Applicable Law, we will notify ANTAI and affected individuals of a qualifying personal-data breach within seventy-two (72) hours of becoming aware of it, in clear language and with the prescribed information.
The Services are not directed to, and may not be used by, anyone under 18 years of age (or the age of majority in their jurisdiction). We do not knowingly process the personal data of children.
We may update this Policy from time to time. We will post the updated version through the Interface and revise the "Last updated" date. Material changes will be notified as required by Applicable Law. We review and update this Policy at least once every twelve (12) months.
For any question or to exercise your rights, contact us at privacy@agra.gg or at the postal address in Section 1.