Privacy Policy
Last updated: March 17, 2026
BlockbotX ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at https://blockbotx.com (the "Service").
1. Information We Collect
We collect information that you provide directly, as well as information collected automatically when you use the Service.
1.1 Information You Provide
- Account Information: Name, email address, and password when you register for an account.
- Exchange API Keys: Cryptocurrency exchange API keys that you provide to connect your exchange accounts. These are encrypted using AES-256-GCM before storage.
- Bot Configurations: Trading strategy settings, bot parameters, and preferences you configure within the platform.
- Support Communications: Messages and information you provide when contacting our support team.
1.2 Information Collected Automatically
- Technical Data: IP address, user agent, browser type and version, operating system, and device information.
- Login History: Timestamps, IP addresses, and user agents associated with account access.
- Trading Activity: Execution logs, order history, and performance metrics generated by your use of the Service.
1.3 Payment Information
Payment processing is handled by Stripe. We do not directly collect or store your credit card numbers, bank account details, or other financial payment information. Stripe's collection and use of your payment information is governed by their Privacy Policy.
2. How We Use Your Information
We use the information we collect to:
- Provide and maintain the Service: Execute trading strategies, manage bot operations, and deliver platform functionality.
- Process payments: Manage subscriptions, process billing, and handle payment-related communications via Stripe.
- Send notifications: Deliver service-related alerts, trading notifications, and account updates.
- Improve the platform: Analyze usage patterns to enhance features, fix bugs, and optimize performance.
- Security monitoring: Detect and prevent fraudulent activity, unauthorized access, and other security threats.
- Customer support: Respond to your inquiries, troubleshoot issues, and provide assistance.
- Legal compliance: Fulfill legal obligations and enforce our Terms of Service.
3. Data Storage & Security
We implement robust security measures to protect your data, including:
- API Key Encryption: All exchange API keys are encrypted using AES-256-GCM, an industry-standard authenticated encryption algorithm, before storage in our database.
- Password Hashing: Account passwords are hashed using bcrypt and are never stored in plain text.
- Transport Security: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS.
- Cookie Security: Authentication cookies are configured as HttpOnly and Secure, so that client-side scripts cannot read them (limiting session theft through cross-site scripting) and they are sent only over HTTPS.
- Content Security Policy: We enforce strict Content Security Policy (CSP) headers to mitigate injection attacks.
- Access Controls: Internal access to user data is restricted to authorized personnel on a need-to-know basis.
While we employ industry-standard security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data.
4. Data Sharing
We do not sell, rent, or trade your personal information to third parties. We may share your information only in the following circumstances:
- Stripe (Payment Processing): We share necessary billing information with Stripe to process subscription payments.
- Exchange APIs (Trading Execution): Your API keys are used to communicate with your connected cryptocurrency exchanges to execute trades. Only the minimum required data is transmitted.
- Sentry (Error Tracking): Anonymized error and performance data may be shared with Sentry for debugging and service improvement purposes. No personally identifiable information is intentionally included.
- Law Enforcement: We may disclose your information when required by law, court order, or governmental regulation, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
Where these third parties process personal data on our behalf, we have entered into Data Processing Agreements (DPAs) in accordance with GDPR Article 28 to ensure your data is handled with appropriate safeguards and contractual protections.
5. Cookies & Tracking
We use the following types of cookies and similar technologies:
- Authentication Cookies: Essential HttpOnly cookies used to maintain your login session and authenticate API requests. These are strictly necessary for the Service to function.
- Preference Cookies: Used to remember your theme selection and display preferences.
We do not use third-party advertising cookies or tracking pixels. We do not serve targeted advertisements or share browsing data with advertising networks.
6. Legal Basis for Processing
Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:
- Performance of Contract (Art. 6(1)(b)): Account registration, trading bot execution, exchange API connectivity, subscription management, and customer support. These are necessary to provide the Service you signed up for.
- Consent (Art. 6(1)(a)): Marketing communications, analytics cookies, non-essential tracking, and third-party data sharing. You can withdraw consent at any time through your Privacy Settings.
- Legitimate Interest (Art. 6(1)(f)): Security monitoring (login history, IP logging, device tracking), error tracking via Sentry, platform improvement analytics, and fraud prevention. We balance these interests against your rights and freedoms.
- Legal Obligation (Art. 6(1)(c)): Tax and financial record-keeping for subscription payments, responding to lawful data access requests, and complying with applicable Portuguese and EU regulations.
7. Your Rights (GDPR/CCPA)
Depending on your location, you may have the following rights regarding your personal data:
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete personal data.
- Right to Deletion: Request deletion of your personal data, subject to certain legal exceptions.
- Right to Data Portability: Request an export of your data in a structured, commonly used, machine-readable format.
- Right to Restrict Processing: Request that we limit the processing of your personal data under certain circumstances.
- Right to Object: Object to the processing of your personal data for direct marketing or other purposes.
- Right to Opt-Out of Marketing: Unsubscribe from marketing communications at any time by clicking the unsubscribe link in any email or by contacting us.
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days.
California Residents (CCPA): You have the right to know what personal information we collect about you, request its deletion, and opt out of any sale of personal information. We do not sell personal information.
8. Data Retention
We retain your data according to the following guidelines:
- Account Data: Retained for as long as your account remains active and for a reasonable period thereafter to fulfill legal obligations.
- Login History: Retained for 90 days for security monitoring purposes, then automatically purged.
- Trading Execution Logs: Retained for the duration of your account activity to provide performance analytics and historical reporting.
- Deleted Accounts: Upon account deletion, all personal data, API keys, and associated records are permanently purged within 30 days. Anonymized, aggregated data may be retained for analytics purposes.
9. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal data from a child under 18, we will take steps to promptly delete that information. If you believe a child under 18 has provided us with personal data, please contact us at [email protected].
10. International Data Transfers
BlockbotX is operated from Portugal (EU). Your data may be transferred to and processed in the following jurisdictions:
- European Union: Our primary database and application infrastructure are hosted within the EU.
- United States: Stripe (payment processing) and Sentry (error tracking) process certain data in the US under the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs).
- Variable (Exchange APIs): When you execute trades, data is transmitted to Binance or OKX servers in their respective operating jurisdictions. Only the minimum data required for trade execution is sent.
- Variable (Notification Services): If you enable Telegram or Discord notifications, message data is processed by those platforms under their respective privacy policies.
For all transfers outside the EU/EEA, we rely on EU-approved transfer mechanisms including Standard Contractual Clauses (SCCs), adequacy decisions, or the EU-US Data Privacy Framework as applicable. You may request a copy of the relevant safeguards by contacting us at [email protected].
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email at the address associated with your account and/or by posting a prominent notice on the Service prior to the changes taking effect.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data. The "Last updated" date at the top of this page indicates when the policy was most recently revised.
12. Contact
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us:
Data Protection Officer (DPO): For GDPR-related inquiries, you may reach our Data Protection Officer at [email protected] with the subject line "DPO Inquiry."
© 2026 BlockbotX. All rights reserved.