cuff.fun

Privacy Policy

What we collect, why we collect it, who we share it with, and how to exercise your rights.

Last updated: 27 May 2026 · Version 2026-05-27

The short version. We collect the data we need to run the Service — your wallet address, your profile, the characters you create, the messages you send, and the voice clip you upload to clone. Voice and embedding data are sensitive; we treat them as such. We never sell your personal data. You have rights, and we honour them.

1. Who we are

The data controller is ATG Solutions (“cuff.fun”, “we”, “us”). You can reach our privacy team at privacy@cuff.fun.

If we are required to appoint a representative in the EU or UK under Article 27 of the GDPR, we will publish their name and address here and on our Contact page.

2. What we collect

Data you give us directly

  • Wallet address. The public Solana address you sign in with. Wallet addresses are considered personal data under the GDPR because they identify you, even though they look like random text.
  • Profile data. Optional username, bio, avatar image.
  • Authentication metadata. From our auth provider Privy: an email address if you log in by email, an OAuth identifier if you log in via Google or X, the type of wallet you use.
  • Character creator data. Names, tickers, descriptions, personality prompts, photos, and voice clips you upload when creating a character.
  • Voice clip. The audio sample you upload to clone a character's voice. This is biometric data under GDPR Article 9. We process it only with your explicit consent (the consent checkbox in the creator flow) and only for the purpose you provided it for: producing the cloned voice and saving the resulting Cartesia voice ID.
  • Chat content. The text of messages you send to a character, the model's replies, and any voice notes the model produces. Chats are persisted so the thread survives reload.
  • Memory embeddings. When you chat with a character, the model summarises durable facts about you into short third-person statements (“User's dog is named Rex”) and converts them to vector embeddings stored in our database. They're used to make future conversations feel continuous.
  • Activity. Follows, watchlists, comments, callouts, on-chain trade history that we mirror into our database.
  • Support correspondence. Anything you send us by email or contact form.

Data we collect automatically

  • Device and connection. IP address, browser type, operating system, referring page, timestamps. Used for security, abuse detection and rough geographic routing.
  • Session cookies. An HMAC-signed session cookie keeps you logged in. Other cookies remember your sidebar state, your board sort/view choice, and whether you've dismissed the testnet banner.
  • Analytics events. Pageviews and aggregate funnel events through Vercel Analytics, which is cookieless — it sets no cookies and stores no identifier on your device.

On-chain data

Anything you sign on-chain — trades, transfers, contract calls — is recorded on the Solana blockchain and is permanently public. We cannot edit, delete, or take it down. Our database mirrors a copy for performance; even if you ask us to delete the mirror, the on-chain record remains.

3. Why we use it, and our legal basis (GDPR)

  • Run the Service. We process your account, profile, characters, chats and trades to give you the product you signed up for. Legal basis: performance of a contract (GDPR Art 6(1)(b)).
  • Clone the voice. We process the voice clip you upload only to produce the cloned voice and persist the resulting voice ID. Legal basis: explicit consent for special-category data (GDPR Art 9(2)(a)), recorded at upload time via the consent checkbox.
  • Generate replies & memory. We send your message and recent context to large-language-model providers to generate replies. Durable facts are extracted and embedded to improve continuity. Legal basis: performance of a contract.
  • Moderate content. Our team manually reviews characters and uploaded content, and acts on user reports, to take down content that breaks the rules. Legal basis: legitimate interests (Art 6(1)(f)) — keeping the platform safe for users and meeting our legal obligations to remove illegal content.
  • Prevent fraud and abuse. IP and device data, rate-limit signals, and on-chain history are used to detect and stop fraud, sybil attacks, and other abuse. Legal basis: legitimate interests + legal obligation.
  • Comply with law. Where required, we respond to lawful requests from courts, regulators and law enforcement. Legal basis: legal obligation (Art 6(1)(c)).
  • Analytics. Aggregated, cookieless product-usage analytics (no device identifier). Legal basis: legitimate interests (Art 6(1)(f)) — understanding and improving the Service.

4. Who we share it with

We don't sell your personal data. We share it only with processors that help us run the Service, and only for the purposes listed above. Current sub-processors:

  • Vercel. Hosting, CDN, edge functions, cookieless analytics.
  • Supabase. Database, file storage, realtime channels, vector embeddings.
  • Privy. Authentication, embedded wallet provisioning.
  • Cartesia. Voice cloning and text-to-speech.
  • OpenRouter, xAI. LLM providers powering chat and content generation.
  • fal.ai. Image generation and processing.
  • Pinata / IPFS. Public token metadata pinning.
  • Upstash. Rate-limiting and ephemeral state (Redis).
  • Sentry. Error monitoring.
  • Helius. Solana RPC and webhook infrastructure.

We have data-processing agreements (DPAs) in place with each sub-processor where required by law. A current list is maintained on this page; if it changes materially we will update it.

We may also share data with professional advisors (lawyers, accountants, auditors), with a buyer in a corporate transaction (sale, merger, financing) under appropriate confidentiality, and with authorities in response to a valid legal request.

5. International data transfers

Several of our sub-processors are based in the United States or other countries outside the EEA / UK / Switzerland. When personal data of EEA, UK or Swiss residents leaves these regions, we rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, the EU-US Data Privacy Framework (where the importer is certified), and additional safeguards as required.

6. How long we keep it

  • Account data. For as long as your account exists, plus up to 12 months after deletion for legal, accounting and abuse-prevention reasons.
  • Voice clips. Original uploaded clips are deleted within 30 days of cloning; the cloned voice ID is retained for as long as the character exists, then deleted.
  • Chat history. Kept for as long as the character exists. You can request deletion of your own messages from any character thread.
  • Memory embeddings. Deleted when you delete your account or when you ask us to clear them.
  • On-chain data. Permanent and public on the Solana blockchain; we have no ability to delete it.
  • Server logs. Up to 90 days, then aggregated or deleted.
  • Support correspondence. Up to 36 months.

7. Your rights

Depending on where you live, you may have some or all of the following rights:

  • Access. Get a copy of the personal data we hold about you.
  • Rectification. Have inaccurate or incomplete data corrected.
  • Erasure. Ask us to delete personal data we no longer need. On-chain data cannot be deleted.
  • Restriction. Ask us to pause processing while a complaint is investigated.
  • Portability. Receive a structured, machine-readable copy of data you gave us.
  • Object. Object to processing based on legitimate interests, including for direct marketing.
  • Withdraw consent. Where processing is based on consent (e.g. voice biometrics), withdraw consent at any time. Withdrawal does not affect prior lawful processing.
  • Not be subject to automated decisions that produce legal or similarly significant effects. Decisions to remove content or limit an account are made by our team, not by an automated system; if you think we got it wrong, email us and a person will take another look.
  • Lodge a complaint with your local data-protection authority — in the EU, the supervisory authority where you live or work; in the UK, the ICO.

California, Colorado, Connecticut, Texas, Virginia and similar US state laws give you analogous rights (access, deletion, correction, opt-out of sale/share — we don't sell, but the right exists). To exercise any of these rights — including deleting your account, getting a copy of your data, or clearing your memory embeddings — email privacy@cuff.fun. We may need to verify your identity first, and we action verified requests within one month (30 days), the period the GDPR allows; if a request is complex we may extend that and will tell you. We do not sell your personal data; our analytics are cookieless and aggregate, and you can object to that processing at any time by emailing us.

8. Children

cuff.fun is for adults only. We do not knowingly collect data from anyone under 18. If you believe a child is using the Service, contact us at privacy@cuff.fun and we will investigate and delete promptly.

9. Security

We protect your data with encryption in transit (TLS) and at rest where supported by our processors, scoped service-role access, rate-limiting, and human review for content and high-risk operations. No system is impenetrable; we cannot guarantee absolute security. Report a vulnerability to security@cuff.fun.

10. Cookies

See our Cookie Policy for a full list of cookies we use, including what is strictly necessary and what is set only with your consent.

11. Changes to this policy

We will update this policy when our processing changes. The version and last-updated date at the top of the page reflect the current version. If a change is material we will give you a heads-up in the Service.

Draft notice. This policy is a working draft for review by counsel once cuff.fun's operating entity and jurisdiction are confirmed. The lead supervisory authority and any EU / UK representative are set at incorporation.