Privacy Policy - DRAFT

1. Data We Collect

• Account data: Your email address and a bcrypt hash of your password. We never store your plaintext password.
• Binance API keys: Stored encrypted at rest using AES-256. Your keys are only decrypted in-memory at the moment they are needed to sign a request to the Binance API.
• Trading history and state: Orders placed, fills received, positions, PnL, budget allocations, bot configurations, and similar data required to operate the Service.
• Technical logs: Request logs, error logs, and diagnostic information necessary to operate and secure the Service.

2. How We Use It

We use the data collected solely to:

• Provide, maintain, and improve the Service.
• Authenticate your account and enforce access control.
• Execute trades, manage positions, and track performance on your behalf.
• Detect and prevent fraud, abuse, and security incidents.
• Comply with applicable legal obligations.

We do NOT use your data for targeted advertising, profiling for third parties, or resale.

3. Data Storage

Data is stored in a PostgreSQL database and on encrypted volumes hosted with DigitalOcean in data centers located in the United States. Backup copies may be held briefly in the same region for disaster recovery.

4. Data Retention

Trading history is retained indefinitely while your account is active, so that historical performance and accounting data remains available to you. You may at any time request deletion of your account and associated personal data by contacting support. Some data may be retained for a limited time after deletion where required for legitimate operational, security, accounting, or legal purposes.

5. User Rights (including GDPR)

If applicable privacy law grants you the following rights, we will honor them upon verified request:

• Right of access / export: Obtain a copy of the personal data we hold about you.
• Right of rectification: Have inaccurate data corrected.
• Right of erasure ("right to be forgotten"): Request deletion of your personal data.
• Right to restrict or object to processing.
• Right to data portability in a machine-readable format.
• Right to lodge a complaint with your local supervisory authority.

6. Cookies

The Service uses strictly-necessary session cookies for authentication and CSRF protection only. We do not use third-party advertising cookies, analytics cookies that identify individuals, or cross-site tracking technologies.

7. Third Parties

The Service interacts with the Binance API on your behalf using the API keys you provide. No personal data is sold, rented, or shared with third parties for marketing purposes. Infrastructure providers (e.g., DigitalOcean) act as data processors on our behalf under their own security commitments. Where legally compelled, we may disclose data to comply with a valid legal order.

8. Security Measures

• API keys encrypted at rest with AES-256.
• Passwords stored as bcrypt hashes.
• All traffic served over HTTPS (TLS) with a valid certificate.
• Role-based access control and per-user isolation of state, keys, and trading data.
• CSRF protection, security headers, and input sanitization on the web layer.
• Regular patching of dependencies and infrastructure.

No system can be guaranteed 100% secure. You must also do your part (strong unique password, Binance API keys with trading-only permissions, account hygiene).

9. Data Breach Process

In the event that we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will notify affected users and, where required, the competent supervisory authority without undue delay and in any event within 72 hours of becoming aware of the breach, in line with GDPR Article 33/34 timelines.

10. Contact

Privacy requests and questions may be sent to: [PRIVACY CONTACT EMAIL TO BE ADDED]