
# LEGAL TODO

Tracking legal elements/pages that need to be added, updated, or completed.
Items marked **⚠ COUNSEL** require a legal/business decision before publishing.
Items checked `[x]` were applied to `terms-of-use.mdx` (v0.7) / `privacy-policy.mdx` (v0.8); latest pass 2026-05-22.
Analytics: PostHog replaced with self-hosted, open-source Matomo (in-house); Google Analytics and Sentry retained.

## Affiliate / Exchange Disclosure

* [x] **Affiliate Disclosure page** — `legal/affiliate-disclosure.mdx` finalized (May 22, 2026): removed the draft TODO, discloses commission + geo-gating in FTC-clear wording, cross-links to ToS/PP, contact set to info@. Per owner request the page is kept generic — it does NOT name the exchanges or state live scope; those specifics live in ToS §5.3. Counsel sign-off still recommended.
* [x] **Exchange naming** — handled in ToS §5.3 and PP §6 (affiliate page intentionally defers to them).
* [ ] **Affiliate page per-exchange policy links** — optionally add direct links to each exchange's terms/privacy/AML on the affiliate page (currently cross-linked via ToS §3.5 / PP §6).
* [x] **Name all six exchanges** — Binance, OKX, Bybit, KuCoin, Indodax, Tokocrypto disclosed individually in ToS §3 and PP §6 (each a separate legal entity / independent data controller).
* [ ] **Affiliate links live only for Bybit & KuCoin** — business/counsel to confirm scope before launch (no longer stated on the affiliate page). Binance/OKX/Indodax/Tokocrypto links currently disabled.
* [ ] **⚠ COUNSEL — placeholder benefit figures** — do NOT publish placeholder promo figures (e.g. "-20% fees", "$10,000 rewards"); replace with contractually accurate terms or risk advertising-law exposure.
* [x] **Update Terms of Use affiliate section** — ToS §5.3 (formerly §4.3) updated: names the six exchanges, discloses commission, adds geo-gating; uses "affiliate" terminology throughout.

## Exchange Legal-Document Links

* [x] **Embed exchange legal links** — referenced in ToS §3.5 (exchange Terms) and PP §6 (exchange Privacy Policies). Links verified working on 2026-05-19; re-check before publishing. Note: only Terms (ToS) and Privacy (PP) are embedded; AML/compliance links are not embedded in the user-facing docs (most exchanges have no standalone AML URL — see notes below).

| Exchange   | Document                           | URL                                                                                                                                                                                        |
| ---------- | ---------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Binance    | Terms of Use                       | [https://www.binance.com/en/terms](https://www.binance.com/en/terms)                                                                                                                       |
| Binance    | Privacy Portal                     | [https://www.binance.com/en/about-legal/privacy-portal](https://www.binance.com/en/about-legal/privacy-portal)                                                                             |
| Binance    | Compliance / AML (Binance.US)      | [https://www.binance.us/compliance](https://www.binance.us/compliance)                                                                                                                     |
| OKX        | Terms of Service                   | [https://www.okx.com/help/terms-of-service](https://www.okx.com/help/terms-of-service)                                                                                                     |
| OKX        | Privacy Notice                     | [https://www.okx.com/help/privacy-policy-statement](https://www.okx.com/help/privacy-policy-statement)                                                                                     |
| OKX        | Risk & Compliance Disclosure (AML) | [https://www.okx.com/help/risk-compliance-disclosure](https://www.okx.com/help/risk-compliance-disclosure)                                                                                 |
| Bybit      | Terms of Service                   | [https://www.bybit.com/en/legal/terms-of-service](https://www.bybit.com/en/legal/terms-of-service)                                                                                         |
| Bybit      | Privacy Policy                     | [https://www.bybit.com/en/legal/policies-and-rules/privacy-policy](https://www.bybit.com/en/legal/policies-and-rules/privacy-policy)                                                       |
| Bybit      | User Protection & Compliance (AML) | [https://www.bybit.com/en/promo/global/user-protection](https://www.bybit.com/en/promo/global/user-protection)                                                                             |
| KuCoin     | Terms of Use                       | [https://www.kucoin.com/legal/terms-of-use](https://www.kucoin.com/legal/terms-of-use)                                                                                                     |
| KuCoin     | Privacy Policy                     | [https://www.kucoin.com/legal/privacy-policy](https://www.kucoin.com/legal/privacy-policy)                                                                                                 |
| Indodax    | Terms and Conditions               | [https://help.indodax.com/hc/en-us/articles/4416650994585-Terms-and-Conditions](https://help.indodax.com/hc/en-us/articles/4416650994585-Terms-and-Conditions)                             |
| Indodax    | Privacy Notice                     | [https://help.indodax.com/hc/en-us/articles/19751527469721-Privacy-Notice](https://help.indodax.com/hc/en-us/articles/19751527469721-Privacy-Notice)                                       |
| Tokocrypto | User Agreement (Terms of Service)  | [https://support.tokocrypto.com/hc/en-us/articles/360004044971-Tokocrypto-User-Agreement](https://support.tokocrypto.com/hc/en-us/articles/360004044971-Tokocrypto-User-Agreement)         |
| Tokocrypto | Privacy Policy                     | [https://support.tokocrypto.com/hc/en-us/articles/21694168727565-Privacy-Policy](https://support.tokocrypto.com/hc/en-us/articles/21694168727565-Privacy-Policy)                           |
| Tokocrypto | AML/CFT Policy                     | [https://support.tokocrypto.com/hc/en-us/articles/4812240530317-AML-CFT-Policy-in-Tokocrypto](https://support.tokocrypto.com/hc/en-us/articles/4812240530317-AML-CFT-Policy-in-Tokocrypto) |

Notes on gaps (no standalone, verifiable AML-policy URL exists):

* **Binance** — no global standalone AML page; AML is inside the Terms. The dedicated compliance page exists only on the US entity. The global Privacy Notice is jurisdiction-specific, so the Privacy Portal is the canonical entry point.
* **Bybit** — no standalone canonical AML document; the User Protection & Compliance page is the closest official page. AML obligations are also embedded in the Terms.
* **KuCoin** — no standalone public AML/CTF URL; AML/CTF content is incorporated into the Terms of Use and Privacy Policy.
* **Indodax** — no standalone AML page; AML/CFT is covered within the Terms and Privacy Notice. Help-center pages are bot-protected (HTTP 403 to automated browsers) but confirmed published.
* **Tokocrypto** — all three documents (incl. a dedicated AML/CFT policy) confirmed via the help-center API.

## Privacy Policy updates

* [x] **Disclose exchange/portfolio financial data collected** — PP §2 now covers credentials, balances/holdings, full trade/order/transfer/ledger history, open positions & PnL, net-worth history, public wallet addresses and on-chain transaction IDs, with a sensitivity warning.
* [x] **Sub-processor list** — PP §6 "Third Parties and Sub-Processors" lists the 6 exchanges, AWS, Alchemy, CoinGecko, the LLM providers, and the existing analytics/payment processors.
* [x] **AI provider transparency** — PP §7 names the LLM providers (OpenAI, Anthropic, Google, Groq, xAI, DeepSeek), discloses that portfolio data is sent as context, and notes routing varies by tier/backend.
* [ ] **⚠ COUNSEL — DeepSeek routing** — decided (disclosed in PP §7) & applied; counsel still to confirm acceptability of China-based routing of financial data for EU/UK users.
* [ ] **⚠ COUNSEL — full-history ingestion** — lawful basis stated as Contract in PP §2 & applied; counsel to confirm (GDPR Art. 6).
* [ ] **⚠ COUNSEL — retention period** — event-based retention adopted & applied in PP §4 (retained until disconnect/account deletion); counsel to confirm against GDPR Art. 5(1)(e) storage limitation.
* [x] **Document deletion mechanics** — PP §5 "Erase" extended: disconnect hard-deletes that exchange's data; account deletion cascades to all portfolio data. Cross-references `legal/account-deletion.mdx`.
* [x] **Net-worth snapshot retention** — disclosed in PP §2 and §4 (retained for the life of the account, deleted on account deletion).
* [x] **International data transfer disclosure** — PP §8 "Third-Party Processing" updated for the new sub-processors and the EU/US/Singapore/China jurisdictions.
* [x] **Per-exchange data-coverage differences** — noted in PP §2 (some connected exchanges provide spot-only data).

## Terms of Service / Terms of Use updates

* [x] **Read-only API key / non-custodial disclaimer** — ToS §3 "Read-Only Exchange Connections" added: read-only keys only, no order-execution/trading/withdrawal capability.
* [x] **No financial advice for AI portfolio commentary** — ToS §4.4 added covering AI-generated commentary on the user's connected portfolio.
* [x] **NFA / DYOR disclaimer** — extended in ToS §4 (informational only, not advice, DYOR, consult professionals).
* [x] **Jurisdiction / eligibility clause** — ToS §5.3 documents affiliate-link geo-gating (sanctions: Iran/North Korea/Cuba/Syria; UK FCA regime; per-exchange blocks) and clarifies it affects affiliate-link display only.

## Critical review findings (2026-05-22) — counsel / engineering required

From the four-agent legal review of PR #77. These are NOT pure wording fixes — each needs a legal or engineering decision before launch.

* [ ] **⚠ COUNSEL — EU & UK Art. 27 representatives (MISSING)** — a US-only controller serving/monitoring EU/UK users must appoint, and disclose, both an EU and a UK representative. Neither is named. Standalone GDPR breach.
* [ ] **⚠ COUNSEL — DeepSeek/China transfer mechanism** — bare "SCCs where applicable" is likely indefensible for China (no adequacy; Schrems II TIA; live DPA bans on DeepSeek in Italy/Germany). Exclude DeepSeek for EU/UK users or hold a documented TIA. (Strengthens the existing DeepSeek item.)
* [ ] **⚠ COUNSEL — UK FCA core-service exposure** — ToS §5.3 states geo-gating does not restrict the core Services, but promoting $BRO + AI Alpha to UK consumers may itself be a regulated financial promotion (criminal exposure) regardless of affiliate links. Decide: geo-block core promotional/AI Alpha/token surface for the UK, or obtain a lawful route. ToS currently understates this.
* [ ] **⚠ COUNSEL — consumer arbitration clause** — ToS §13 mandatory Delaware arbitration is likely unenforceable against EU/UK consumers (UCTD/Brussels Ia) and omits a US class-action waiver. Add a class-action waiver + EU/UK/Canada consumer carve-out.
* [ ] **⚠ COUNSEL — CCPA/CPRA California section** — add notice-at-collection, California consumer rights, and the SPI right-to-limit (exchange API credentials = Sensitive Personal Information under CPRA). Currently only one line.
* [ ] **⚠ COUNSEL — Art. 22 profiling/ADM disclosure** — disclose the existence, logic, and significance of AI profiling of user portfolios (AI Alpha, portfolio commentary).
* [ ] **⚠ COUNSEL — lawful-basis reconciliation** — ToS §9.2 grants a "perpetual license … for training" while PP §7 says LLM data is used "solely to generate the response you requested." Reconcile, and give training/improvement its own basis (consent or LI + balancing test).
* [ ] **⚠ COUNSEL — ePrivacy cookie/analytics consent** — GA/Matomo/Sentry client SDKs require prior opt-in consent in EU/UK; PP labels analytics "legitimate interest" in places. Confirm the cookie banner is prior, granular, opt-in and align the stated basis.
* [ ] **⚠ COUNSEL — MSB/custody framing** — ToS §2 states "not a money-services business / not a custodian" as fact. Soften to a position and obtain a FinCEN + state-MTL + $BRO buy-back-mechanic memo.
* [ ] **⚠ COUNSEL — AML/sanctions reconciliation** — ToS §1.2 and §5.3 carry two different sanctions lists; reference the live OFAC program rather than enumerating, and align the "we screen users" claim with the identity data actually collected (social/email login + read-only key, no KYC).
* [ ] **⚠ COUNSEL — Indonesia PDP Law cross-border transfer** — transfers of Indonesian users' financial data to the US/China need a PDP-compliant mechanism (in addition to the PSE/ITSK reviews below).
* [ ] **⚠ COUNSEL — DPIA** — perform and document a Data Protection Impact Assessment (large-scale sensitive financial data + portfolio monitoring + China transfer trigger Art. 35).
* [ ] **In-product affiliate disclosure (FTC)** — FTC 16 CFR Part 255 requires a clear-and-conspicuous disclosure adjacent to each affiliate link in-product, not only on the policy page.
* [ ] **Per-exchange data-coverage table** — current disclosure is a light inline note; consider a per-exchange breakdown of what data each exchange exposes.

## Data Security Statement (new document — not yet started)

* [ ] **Create a Data Security Statement** — new legal page describing the security model.
* [ ] **Encryption model** — exchange credentials protected with AWS KMS envelope encryption (AES-256-GCM), a unique per-record data-encryption key, encrypted blob stored as binary in PostgreSQL; production-isolated CMK (`alias/neurobro-exchange-credentials-prod`); supports in-place credential rotation with key-version audit trail.
* [ ] **Read-only access model** — no execution capability (`supports_execute = False` hardcoded; sandbox/paper-trading disabled).
* [ ] **Transport & scoping** — HTTPS/TLS in transit; all data user-scoped; cascading deletion.
* [ ] **Describe memory handling honestly** — credentials held in memory only for the duration of a single connect/sync operation; do not overstate (Python cannot guarantee explicit memory zeroization).
* [ ] **Self-hosted observability** — note that the memory sync service uses no third-party error-tracking SDK; observability there is self-hosted (Loki). (Product analytics is also self-hosted via Matomo.)

## Regulatory / jurisdiction reviews

* [ ] **Indonesia PSE / foreign ESO registration** — review whether registration as a foreign Electronic System Operator (PSE) is required.
* [ ] **OJK ITSK framework** — review applicability of the OJK ITSK framework (covers technology innovation affecting products, activities, services, or business models in the digital financial ecosystem).
* [ ] **⚠ COUNSEL — confirm country blocklists** — code blocklists are "starter data from 2026-05-18 legal research" and must be counsel-confirmed before launch; specifically flagged: Indonesia, the UK FCA regime, and Bybit-in-Malaysia.
* [ ] **⚠ COUNSEL — core-service jurisdiction restriction** — decide whether the core portfolio/exchange-connect service (not just affiliate links) needs country-based access control.

## Product documentation

* [ ] **API key creation guidelines** — add per-exchange API key creation guidelines, broken down by supported region, covering required permissions (read-only) and regional availability.

## Engineering prerequisites (block accurate legal copy)

* [ ] **Scrub Sentry SQL parameters** — SQLAlchemy integration may capture SQL query parameters (user IDs, financial values) despite `send_default_pii=False`; add explicit scrubbing before claiming no financial data leaves systems for monitoring.
* [ ] **Sanitize exchange error logs** — raw exchange error messages (`str(exc)`) can contain balance amounts or masked API-key fragments; sanitize before launch.
* [ ] **Enforce `REDIS_PASSWORD` in production** — the sync queue is unauthenticated if unset.
* [ ] **Decide on a retention-purge job** — confirm/decide whether old trade/order/ledger/transfer history is purged on a schedule.
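The two scrubbing items above (Sentry SQL parameters and raw exchange error text) can share one redaction layer. The following is an added illustration, not the project's code: a sanitizer for `str(exc)`-style exchange messages plus a recursive event scrubber in the shape of a `sentry_sdk` `before_send` hook. The regexes, the redaction markers and the `params` key name are assumptions to be tuned against the real exchange error formats and the breadcrumb structure the SQLAlchemy integration actually emits.

```python
import re
from typing import Any

# Constructed patterns (assumption: adjust to the exchanges' real error formats).
# Masked key fragments such as "AbCd1234****" and long opaque tokens (24+ alphanumerics).
_KEY_FRAGMENT = re.compile(r"\b[A-Za-z0-9]{6,}\*{2,}[A-Za-z0-9]*|\b[A-Za-z0-9]{24,}\b")
# Balance-style amounts with a currency suffix, e.g. "12345.67 USDT" or "0.0031 BTC".
_AMOUNT = re.compile(
    r"\b\d+(?:[.,]\d+)?\s?(?:USDT|USDC|USD|BTC|ETH|IDR|EUR)\b", re.IGNORECASE
)


def sanitize_exchange_error(message: str) -> str:
    """Redact balances and key fragments from an exchange error message.

    Keeps the surrounding text so on-call can still triage the failure class.
    """
    message = _KEY_FRAGMENT.sub("[REDACTED_KEY]", message)
    return _AMOUNT.sub("[REDACTED_AMOUNT]", message)


def scrub_event(obj: Any) -> Any:
    """Recursively sanitize every string in an event dict.

    Any dict key containing "param" (assumed name for captured SQL parameters)
    is dropped wholesale: numeric user IDs and financial values are not
    recoverable by pattern matching, so the safe default is to remove them.
    """
    if isinstance(obj, str):
        return sanitize_exchange_error(obj)
    if isinstance(obj, dict):
        return {
            k: "[REDACTED]" if "param" in str(k).lower() else scrub_event(v)
            for k, v in obj.items()
        }
    if isinstance(obj, (list, tuple)):
        return type(obj)(scrub_event(v) for v in obj)
    return obj  # ints, floats, None, bools pass through unchanged


def before_send(event: dict, hint: dict) -> dict:
    """Hook matching the sentry_sdk.init(before_send=...) signature."""
    return scrub_event(event)


# Constructed sample event in a Sentry-like breadcrumb layout (not a real capture).
SAMPLE_EVENT = {
    "message": "Insufficient balance: 12345.67 USDT available for key AbCd1234****",
    "breadcrumbs": {"values": [{"category": "query",
                                "message": "SELECT * FROM ledger WHERE user_id = %s",
                                "data": {"params": [42, 1234.5]}}]},
}
```

Wire the hook in with `sentry_sdk.init(..., before_send=before_send)`; the message scrubber can also wrap `str(exc)` at the logging call site.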
