Privacy Policy

RugSlayer ("we", "us", "our") operates rugslayer.com, the RugSlayer browser extension, the DrainBrain API, and the @RugSlayerScanBot Telegram bot. Our products provide AI-powered risk analytics for Solana tokens.

Contact: j@rugslayer.com

Account Data (when you sign up):

• Email address (via Supabase Auth — email or Google OAuth)
• Subscription tier and payment method
• Solana wallet address (if you connect one for USDC payments or swaps)

Scan Data:

• Token mint addresses you scan
• Risk scores, feature vectors, and AI verdicts generated from scans
• Scan timestamps and response times

Browser Extension Data:

• Your DrainBrain API key (stored locally in chrome.storage.sync)
• Token mint addresses extracted from DEX pages you visit
• Scan results cached locally (chrome.storage.local, 5-minute TTL)
• Auto-scan preference setting

The extension does NOT collect browsing history, personal data, keystrokes, or any information from non-DEX websites. It only activates on supported Solana DEX sites (Jupiter, Raydium, pump.fun, DexScreener, BullX, Photon, GMGN, Axiom, Birdeye).

Payment Data:

• Stripe processes card payments — we never see or store your card number
• USDC payments: transaction signature and wallet address (verified on-chain)

Notification Preferences (Pro+ users):

• Telegram chat ID, Discord webhook URL, SMS phone number
• These are encrypted at rest with AES-256-GCM

Usage Data:

• HMAC-hashed IP addresses (not stored in plaintext) for rate limiting
• API usage counts per key (DrainBrain API users)

• Private keys or seed phrases — never, under any circumstances
• Wallet balances or token holdings (unless you explicitly use Portfolio scanning)
• Browsing history outside of supported DEX sites
• Personal identity documents
• Credit card numbers (Stripe handles this)

• Generate risk scores and AI verdicts for requested token scans
• Improve our ML models (DrainBrain ensemble) using aggregated, anonymized scan data
• Enforce rate limits and prevent abuse
• Process subscription payments
• Send alerts via your configured notification channels
• Display published accuracy metrics (aggregated, no personal data)

The RugSlayer browser extension:

• Runs only on DEX sites — content scripts are injected only on the 11 supported Solana DEX domains listed in the manifest
• Extracts token mints from page URLs/DOM — only Solana token mint addresses (base58, 32-44 chars) are extracted and sent to our API
• Pre-swap safety check — intercepts wallet transaction signing to show a risk warning before you confirm. The extension never modifies, blocks, or redirects your transactions
• Local storage only — API key and cached scan results are stored in chrome.storage (local to your browser). We do not sync this data to our servers
• No tracking or analytics — the extension contains no analytics SDKs, tracking pixels, or telemetry

• Supabase — database and authentication (US East region)
• Stripe — payment processing (PCI DSS compliant)
• Upstash Redis — rate limiting (no personal data stored)
• Helius — Solana RPC and blockchain data
• xAI (Grok) — AI verdict generation (token data only, no personal data)
• Vercel — hosting and serverless functions
• Resend — email alert delivery
• Telnyx — SMS alerts (critical severity only)
• Jupiter — swap execution (when you use the Swap feature)

• Scan history: 90 days, then automatically deleted
• Read alerts: 90 days, then automatically deleted
• Accuracy logs: 1 year, then automatically deleted
• Token data: retained indefinitely for ML model improvement (no personal data)
• API usage logs: retained for billing and abuse prevention
• Extension local cache: 5-minute TTL, automatically cleared

• All API communication over HTTPS/TLS
• Notification preferences encrypted with AES-256-GCM at rest
• IP addresses HMAC-hashed (never stored in plaintext)
• Webhook secrets verified with timing-safe comparison
• Row-level security (RLS) on all Supabase tables
• API keys stored as SHA-256 hashes (plaintext never persisted)
• USDC payments verified on-chain with transaction signature replay prevention

You can:

• Delete your account — Settings page or DELETE /api/account/delete. This cascades: cancels Stripe subscription, deletes all database records, clears Redis cache, and removes your auth account
• Export your data — contact j@rugslayer.com for a data export
• Revoke API keys — via the DrainBrain dashboard or API
• Disconnect wallet — via Settings page
• Uninstall extension — right-click the extension icon and select "Remove from Chrome." All local data is deleted immediately

The website uses Supabase auth cookies for session management. No third-party tracking cookies are used. The browser extension uses chrome.storage.local and chrome.storage.sync (not cookies).

RugSlayer is not intended for users under 18. We do not knowingly collect data from minors.

We may update this policy as our products evolve. Material changes will be announced via the website. Continued use after changes constitutes acceptance.

Questions about this policy? Email j@rugslayer.com