Privacy Policy

ReplayState (“we”, “us”) provides a Solana slot-fidelity replay and simulation platform. The Service deterministically re-executes historical Solana blocks against archival ground truth, then runs Monte Carlo shadow-runs that quantify inclusion probability, fee efficiency, and MEV exposure for user-supplied transactions.

The data controller for personal data processed through the Service is ReplayState. For privacy questions, contact legal@replaystate.com.

We collect only what we need to operate the Service:

• Account & access data. If you register for a pilot or production account, we store your work email, organization, role, hashed API key identifiers, and the IP ranges you allowlist.
• API request metadata. Timestamps, endpoint, HTTP status, request ID, rate-limit context, request size, and the API key prefix that initiated the request. We do not log full request bodies in production by default.
• Simulation inputs. Transaction signatures, slot numbers, scenario configuration, parameter values, and any uploaded fixtures you submit to the backtest, fee tracker, alerts, or API surfaces.
• Public blockchain data. We ingest Solana block, account, and transaction data from archival RPC endpoints, snapshot stores we operate, and our own validator telemetry. This data is already public.
• Operational logs. Structured JSON logs, distributed traces, and metrics required for reliability, debugging, abuse prevention, and incident response.
• Demo telemetry. The public demo UI records anonymous tab views and scenario selections so we can measure feature use. The demo does not require an account and does not collect names, emails, or wallet identities.

We do not collect biometric data, government identifiers, payment card data, or wallet private keys. We never request a private key, seed phrase, or signing material for any reason.

• To deliver simulation, fee analysis, alerting, evidence export, and API functionality you have explicitly requested.
• To enforce authentication, rate limits, and abuse controls on protected endpoints.
• To investigate incidents, debug failures, and meet our security obligations to other customers and to the broader network.
• To produce aggregated, non-identifying analytics that inform roadmap and capacity decisions.
• To comply with legal obligations, respond to lawful requests, and defend against claims.

We do not sell personal data. We do not use customer simulation inputs to train third-party machine-learning models.

For users in the European Economic Area or United Kingdom, we rely on the following legal bases under the GDPR and UK GDPR:

• Contract. Providing the Service you or your organization signed up for.
• Legitimate interests. Operating, securing, and improving the Service; preventing fraud and abuse; understanding aggregate use.
• Legal obligation. Tax, audit, anti-money-laundering, and lawful disclosure requirements.
• Consent. Optional cookies and opt-in product communications, where applicable.

Retention windows depend on the environment and data type. Defaults shown below apply unless your contract specifies stricter limits.

• Demo simulation inputs and results: up to 30 days, then purged.
• API request metadata and logs: 90 days, then aggregated or deleted.
• Pilot and production simulation artifacts: retained for the contract term, then deleted within 30 days of termination unless a longer period is required by law.
• Account records and billing data: retained as long as required to meet tax, audit, and contractual obligations.
• Public blockchain data and content-addressed snapshot blobs: kept indefinitely, since they are public, immutable, and shared across customers.

The Service runs in a single primary region on infrastructure we control, supplemented by a small set of vendors necessary for operation. Categories include:

• Cloud and bare-metal hosting providers.
• Archival Solana RPC and validator telemetry providers.
• Object storage providers for content-addressed snapshot and evidence storage.
• Email delivery and customer support tooling.
• Error monitoring and aggregated product analytics.

A current subprocessor list, including entity names and locations, is available to pilot and production customers under NDA. Material changes are notified to active customers at least thirty days in advance, except where a faster change is required for security.

Data may be processed in jurisdictions other than your own, including the United States. Where transfers from the EEA, UK, or Switzerland take place, we rely on Standard Contractual Clauses and equivalent safeguards, and apply technical controls including encryption in transit and at rest.

We operate the Service with controls appropriate to the sensitivity of the data we process:

• TLS 1.2+ for all client and inter-service connections.
• Authenticated API boundaries, rotating API keys, and per-tenant rate limits.
• Workers execute in sandboxed subprocesses (Linux namespaces, seccomp, cgroup v2) with read-only access to content-addressed storage.
• SHA-256 content addressing and signed manifests provide integrity verification for snapshot blobs and evidence artifacts.
• Role-based access to production systems, with separate credentials for each engineer and audit logging on privileged actions.
• Documented incident-response runbook with notification commitments defined in your contract.

No system is perfectly secure. We commit to disclosing material incidents that affect your data, in accordance with applicable law and your contract.

Depending on where you live, you may have the right to access, correct, export, restrict, object to, or delete personal data we hold about you, and to withdraw consent at any time. To exercise these rights, email legal@replaystate.com from the address associated with your account. We will respond within 30 days, or sooner if required by local law.

If you believe we have not handled your data appropriately, you may lodge a complaint with the data protection authority in your jurisdiction.

The Service is built for institutional and developer users. It is not directed to children under 16, and we do not knowingly collect personal data from children. If you believe we have, contact us and we will delete the data.

The public demo uses a small number of first-party cookies and local storage entries strictly required to remember your selected tab, scenario, and theme. The pilot and production consoles additionally use authentication cookies. We do not run third-party advertising trackers. Product analytics, where enabled, are anonymized and aggregated.

We will update this Policy when the Service or applicable law changes. The effective date at the top reflects the latest version. For material changes, we will notify active pilot and production customers through the channel agreed in their contract.

Privacy questions, deletion requests, and data-protection inquiries: legal@replaystate.com. Postal address available on request.