Privacy Policy
This Privacy Policy describes how Kolmen Strategies (“we,” “us,” or “our”) handles information in connection with your use of The GAO — Gemini Agentic Observer (the “App”) and the website at thegao.app (the “Site”).
[BRACKETS] throughout this document must be replaced with verified, attorney-approved values before publication. This template was drafted to meet or exceed the published Privacy Policy requirements of Apple App Store Review Guidelines §5.1 and Google Play’s User Data and Data Safety policies, but neither template language nor any AI-generated text substitutes for review by qualified counsel familiar with your jurisdiction, product scope, and applicable financial-services regulations. Remove this notice before going live.
Contents
- At-a-glance summary
- Scope of this Policy
- Data we collect
- How data is stored
- How we use data
- Sharing & disclosure
- Third-party services
- Future account features
- Subscriptions & payments
- Security
- Data retention
- Your rights & choices
- California privacy rights
- Other US state rights
- International users (GDPR / UK)
- Children’s privacy
- Cookies on the Site
- App store privacy labels
- Changes to this Policy
- Contact us
01 At-a-glance summary
We have designed The GAO around a minimum-data principle. The most important things to know:
- Your Gemini Exchange API key and secret are stored only on your device, inside the operating system’s secure credential store (Android Keystore on Google Play; the iOS Keychain on Apple devices). They are never transmitted to or stored by us.
- The App communicates directly with Gemini Exchange’s servers using your credentials. We do not act as an intermediary, custodian, or financial institution.
- We do not currently maintain user accounts or a backend service that holds personal information about you.
- Subscriptions, when offered through the app stores, are managed by Apple or Google. We do not see, store, or process your payment-card information.
- In the future we plan to introduce optional account features using Sign in with Google or Sign in with Apple. When that happens, this Policy will be updated and you will be notified before any new data collection begins.
The rest of this Policy explains the same points in more detail and addresses your rights under applicable law.
02 Scope of this Policy
This Privacy Policy applies to:
- The GAO mobile application distributed through the Google Play Store and the Apple App Store (the “App”);
- The marketing website published at thegao.app and any successor URL (the “Site”); and
- Email or other written correspondence you send to us at the addresses listed in section 20.
This Policy does not apply to any third-party service you choose to use through the App, including without limitation Gemini Exchange, Apple, Google, or any future single sign-on provider. Each of those parties has its own privacy policy, and we strongly encourage you to read them.
03 Data we collect
3.1 Information you provide directly to the App
The App requires you to provide:
- A Gemini Exchange API key and API secret, which you generate yourself in your Gemini account.
These credentials are stored on your device (see section 4) and used only to make authenticated requests to Gemini Exchange’s public API on your behalf. They are never transmitted to Kolmen Strategies and never stored on any server we operate.
3.2 Information automatically collected by the App
The current version of the App does not automatically collect, transmit, or store on our servers:
- Personal identifiers (name, email address, phone number);
- Device identifiers (advertising IDs, IMEI, MAC address);
- Precise or coarse location;
- Photos, contacts, calendars, or files;
- Health, fitness, or biometric information;
- Browsing or search history;
- Audio, microphone, or camera input;
- Crash logs containing personal information.
The App does request the following permissions for app functionality only, and does not transmit the underlying data to us:
- Internet — required to communicate with Gemini Exchange.
- Notifications — to alert you when an order is placed or filled or when an agent rule triggers.
- Foreground service / background execution — to keep the agent polling reliably while the app is running, including when the screen is off (Android only).
- Wake lock — to prevent the device from suspending the polling loop during an active agent session (Android only).
3.3 Information collected on the Site
The Site is a static marketing page. It does not currently use behavioral analytics, advertising trackers, fingerprinting, or third-party cookies. Standard server access logs may briefly retain IP addresses and request timestamps for fraud, security, and operational diagnostics; see section 11 for retention.
04 How data is stored
4.1 On-device secure storage
Your Gemini API credentials are stored exclusively on your device, inside the secure credential store provided by your operating system:
- Android (Google Play installs): the Android Keystore system, which uses hardware-backed encryption on supported devices and is protected by the device’s screen-lock credential.
- iOS (Apple App Store installs, when available): the iOS Keychain, encrypted with class-A protection and bound to the device passcode.
We rely on the platform-provided cryptographic protections in both ecosystems. Where the App uses additional encryption at the application layer (AES-256), the encryption key is generated on-device and is itself stored in the platform secure store.
4.2 Local agent rules and logs
Agent rules you create (Stop Loss, Take Profit, Sell the Rally, Buy the Dip), the local agent log, and any cached price or order data are stored in the App’s private application sandbox on your device. This data is not transmitted to us.
4.3 No server-side database
We currently do not operate a backend database that stores user-identifying information about you. No data described in section 3.1 or 4.2 leaves your device through our infrastructure.
05 How we use data
Because we do not currently collect personal information about you on our servers, we do not use such information for any purpose. To the extent any data is processed locally on your device by the App, it is used solely to:
- Authenticate your requests to Gemini Exchange;
- Display your account balances, holdings, orders, and trade history fetched from Gemini Exchange;
- Evaluate and execute the agent rules you have created;
- Deliver in-app and operating-system notifications you have enabled;
- Maintain a local agent log so you can audit triggered rules.
If we collect data in the future (see section 8), we will update this Policy and disclose specific purposes before that collection begins.
06 Sharing & disclosure
We do not sell, rent, or trade personal information. We do not disclose personal information to third parties for their own marketing or behavioral-advertising purposes.
To the extent any data is shared with third parties, that sharing is initiated by the App on your behalf and limited to:
- Gemini Trust Company, LLC (Gemini Exchange): The App makes authenticated REST API and WebSocket calls to Gemini using credentials you supply. Data flows directly between your device and Gemini.
- Apple Inc. and Google LLC: When you install or update the App through the App Store or Google Play, the platform operator may collect data per its own privacy policy.
- Lawful disclosures: If we are legally compelled by valid subpoena, court order, or comparable legal process to produce information in our possession, we will do so in compliance with applicable law and, where lawful, will notify you. Because we do not store user-identifying information centrally today, the practical scope of such disclosures is limited to records of correspondence you have sent to us.
07 Third-party services
7.1 Gemini Exchange
Gemini Trust Company, LLC operates Gemini Exchange. The App is an independent third-party tool and is not affiliated with, endorsed by, or operated by Gemini. Your account, your assets, your trade execution, and your custody relationship are governed entirely by Gemini’s own user agreement and privacy notice. See Gemini’s Privacy Policy.
7.2 Apple and Google platforms
The App is distributed through the Apple App Store and the Google Play Store. Use of those platforms is governed by their respective privacy policies:
08 Future account features
We plan to introduce optional account functionality that uses Sign in with Google or Sign in with Apple. These features are not yet enabled in the current version of the App.
When and if account features are released, the following will apply:
- Sign-in is opt-in. The App will continue to be usable without an account in the on-device, key-only mode described in this Policy.
- If you choose to sign in, the third-party identity provider (Apple or Google) will return a limited identifier and, where applicable, your name and email. We will collect only what is necessary to operate the account feature.
- Apple’s “Hide My Email” feature will be honored in full.
- Account-related data we collect will be stored in a hosted database operated by us or a vetted infrastructure provider. We will update this Privacy Policy and the in-App disclosures, and we will provide notice in-app, before that data collection begins.
- You will retain the rights described in sections 12–15 with respect to any account information.
09 Subscriptions & payments
If you purchase a paid plan (Monthly, Annual, Lifetime, or Enterprise) through the App or our Site, payment processing is handled by the third-party platform native to the venue of purchase:
- Apple App Store: Apple handles billing through your Apple ID. Apple’s privacy practices apply to the transaction.
- Google Play Store: Google handles billing through Google Play Billing. Google’s privacy practices apply to the transaction.
- Web (if offered): [PAYMENT PROCESSOR — e.g., Stripe] handles billing. Their privacy policy applies to the transaction.
We receive only the minimum information necessary to verify your purchase and entitlement (for example, an anonymized purchase token or transaction identifier). We do not see, receive, or store your full payment-card number, CVV, or bank-account details.
To manage, cancel, or request a refund for a subscription, please use the subscription-management tools native to your purchase venue:
- Apple: Settings → [your name] → Subscriptions, or via the App Store app.
- Google Play: Play Store app → Account → Payments & subscriptions.
10 Security
We implement administrative, technical, and physical safeguards designed to protect the information processed by the App. Specifically:
- Encryption at rest: API credentials are stored only inside the platform secure credential store (Android Keystore or iOS Keychain), with hardware-backed encryption where the device supports it, and protected by the device’s screen-lock credential.
- Encryption in transit: All communication between the App and Gemini Exchange uses TLS 1.2 or higher with certificate validation.
- Application-layer encryption: Where additional AES-256 encryption is applied within the App, the keys are generated on-device and stored in the platform secure store.
- No long-lived server-side credential storage: Because we do not operate a backend that stores your API credentials, there is no central credential store on our infrastructure to be breached.
- Permission minimization: The App requests only the operating-system permissions necessary for stated functionality.
No method of electronic storage or transmission is perfectly secure, and we cannot guarantee absolute security. The most important security actions you can take are to keep your device passcode strong, install operating-system security updates promptly, and revoke your Gemini API key on Gemini’s website if your device is lost or compromised.
11 Data retention
Because most data described in this Policy is stored locally on your device, the retention period is determined by you: data is retained until you delete the App, sign out, manually clear it, or factory-reset the device. Reinstalling the App does not, by itself, restore prior data.
For the limited categories of data we may handle directly:
- Site server logs: retained for up to 30 days for security and operational diagnostics, then deleted or anonymized.
- Email correspondence with us: retained for up to 24 months from the date of last contact, after which we will delete or anonymize unless we are required to retain it for legal, tax, or compliance purposes.
- Subscription receipts and entitlement records: retained as required by applicable financial-recordkeeping and tax law (typically up to 7 years).
12 Your rights & choices
Subject to applicable law, you may have the following rights with respect to information about you that we hold:
- Access: request a copy of personal information we hold about you.
- Correction: request that we correct inaccurate information.
- Deletion: request that we delete personal information.
- Portability: request a copy of your information in a structured, machine-readable format.
- Objection or restriction: object to, or request restriction of, certain processing.
- Withdraw consent: where processing is based on consent, withdraw it at any time.
- Lodge a complaint: file a complaint with your local data-protection authority.
To exercise any of these rights, contact us using the details in section 20. We will respond within the timeframe required by applicable law and may need to verify your identity before fulfilling the request.
Because we do not currently maintain user accounts or a centralized database of personal information, the practical scope of access, correction, and portability requests is limited. To delete on-device data, uninstall the App or use the in-App “Disconnect” / “Sign Out” control.
13 California privacy rights
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA/CPRA”), provides additional rights, including:
- The right to know what categories of personal information we have collected, the sources, the business purpose, and the categories of third parties to whom it has been disclosed.
- The right to delete personal information we have collected.
- The right to correct inaccurate personal information.
- The right to opt out of the “sale” or “sharing” of personal information for cross-context behavioral advertising. We do not sell or share personal information for behavioral advertising and have no plans to do so.
- The right to limit the use and disclosure of sensitive personal information beyond what is necessary to provide the App.
- The right to non-discrimination for exercising any of the above rights.
To exercise these rights, contact us as described in section 20. You may designate an authorized agent to make a request on your behalf, subject to identity verification.
14 Other US state privacy rights
Residents of certain other US states, including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, and others, may have analogous rights under state privacy laws. Where such rights apply, you may contact us as described in section 20 to exercise them. We will respond consistent with each state’s requirements.
15 International users (GDPR & UK GDPR)
If you are accessing the App from the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (“GDPR”), the United Kingdom General Data Protection Regulation (“UK GDPR”), and the Swiss Federal Act on Data Protection may apply to limited processing we perform.
15.1 Legal bases for processing
Where we process personal data, we rely on one or more of the following legal bases:
- Contract (Art. 6(1)(b) GDPR): processing necessary to provide the App you have requested.
- Legitimate interests (Art. 6(1)(f) GDPR): ensuring the security and reliability of the App and protecting against fraud or abuse.
- Legal obligation (Art. 6(1)(c) GDPR): complying with applicable law, including financial recordkeeping and tax obligations.
- Consent (Art. 6(1)(a) GDPR): for any processing for which we explicitly request your consent.
15.2 International data transfers
Kolmen Strategies operates in the United States. To the extent we collect personal data from individuals located in the EEA, UK, or Switzerland in the future, we will rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, or another mechanism authorized under applicable law.
15.3 Your rights
In addition to the rights listed in section 12, you have the right to lodge a complaint with the supervisory authority in your country of residence, place of work, or place of the alleged infringement.
16 Children’s privacy
The App is not directed to children under the age of 18. Cryptocurrency trading is an adult activity, and access to a Gemini Exchange account requires that the holder be at least 18 years old (and 21 in some jurisdictions).
We do not knowingly collect personal information from children under 13 (or, where applicable, the equivalent minimum age set by local law, including 16 in some EU member states). If we learn that we have inadvertently collected personal information from a child under the applicable age, we will delete it promptly. Parents or guardians who believe a child has provided us with personal information may contact us at the address in section 20.
17 Cookies on the Site
The Site does not currently set behavioral, advertising, or third-party tracking cookies. The Site may use only strictly necessary first-party storage to remember user-interface preferences (such as a theme toggle) where such functionality exists. If we add analytics or advertising cookies in the future, we will update this Policy and provide an in-Site consent control where required by law.
18 App store privacy labels
To assist you in comparing this Policy against the App’s app-store privacy disclosures, the table below summarizes the data categories. The on-device storage of API credentials is handled exclusively by the platform secure credential store and is not considered “data linked to you” or “data collected” by the App developer for app-store-disclosure purposes, because it is not transmitted off-device.
18.1 Apple — App Privacy summary
| Category | Collected | Linked to you | Used for tracking |
|---|---|---|---|
| Contact info | No | N/A | No |
| Health & fitness | No | N/A | No |
| Financial info | No (held on-device) | N/A | No |
| Location | No | N/A | No |
| Sensitive info | No | N/A | No |
| Contacts | No | N/A | No |
| User content | No | N/A | No |
| Browsing & search history | No | N/A | No |
| Identifiers | No | N/A | No |
| Purchases | Anonymous receipt only | No | No |
| Usage data | No | N/A | No |
| Diagnostics | No | N/A | No |
18.2 Google Play — Data Safety summary
| Question | Answer |
|---|---|
| Does this app collect or share user data? | No data is collected by the developer. Anonymous purchase receipts are processed by Google Play Billing. |
| Is data encrypted in transit? | Yes — TLS 1.2+. |
| Can users request data deletion? | Yes — uninstalling the App or using the in-App Sign Out / Disconnect control deletes locally stored data. Contact us for any other requests. |
| Does the app follow Google Play’s Families Policy? | The App is rated for adult audiences (18+) and is not directed to children. |
19 Changes to this Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the “Effective Date” and “Last Updated” values at the top of this page;
- Post a notice on the Site;
- Where required by law or where the change materially expands collection, use, or sharing of your personal information, provide a more prominent in-App notice and, where required, request your consent.
Your continued use of the App or Site after the effective date of an updated Policy constitutes your acceptance of the updates, except where applicable law requires affirmative consent.
20 Contact us
For privacy questions, requests under section 12, or any other concerns about this Policy, contact:
Kolmen Strategies
Privacy Officer
Email: privacy@kolmenstrategies.com
Postal: [STREET ADDRESS], [CITY], [STATE] [ZIP], United States
Entity: [ENTITY TYPE — e.g., a Delaware limited liability company]
For EEA, UK, or Swiss residents who would prefer to contact a designated representative under Article 27 GDPR or comparable law, please email the address above and we will provide current designated-representative information if applicable.