Privacy Policy

1. Data We Collect

We collect the following information when you use AnalogTrader:

• Account information: Email address, full name, and authentication credentials.
• Exchange API credentials: Trade-only API keys, API secrets, and passphrases provided by you for trade execution. These are encrypted at rest using AES-256-GCM. We never request or store withdrawal-enabled API keys.
• Trading data: Order history, positions, and performance metrics generated through the platform.
• Technical data: IP address, browser type, and access logs for security and operational purposes.

2. How We Use Your Data

• To execute trading strategies on your connected exchange and broker accounts.
• To provide account management, analytics, and performance reporting.
• To send transactional notifications (trade alerts, account status, security events).
• To improve service reliability, security, and performance.

We do not sell, rent, or share your personal data with third parties for marketing purposes.

2.1 Legal Basis for Processing

• Contract performance: Account information and trading data are processed to provide the service you subscribed to.
• Explicit consent: Exchange API keys, secrets, and passphrases are processed solely on the basis of your explicit consent, obtained at the point of submission. You may withdraw this consent at any time by deleting your API credentials from the platform.
• Legitimate interest: Technical data (IP, logs) is processed for security, fraud prevention, and service reliability.

3. Data Storage and Security

• All data is stored on servers located in the European Union (Hetzner, Germany and Finland).
• Broker API keys and secrets are encrypted at rest using AES-256-GCM with per-user encryption keys.
• Passwords are hashed using bcrypt with a minimum cost factor of 12.
• All connections use TLS 1.3 encryption in transit.
• Access to production systems is restricted to authorized personnel via SSH key authentication.

4. Third-Party Services

We use the following third-party services to operate the platform:

• Brevo (Sendinblue): Transactional email delivery (verification, password reset, notifications).
• Exchange APIs: OKX, Binance, Bybit, and other exchanges as connected by the user. Credentials are transmitted directly to exchange servers.
• Google OAuth: Optional authentication provider. We receive only your email and name from Google.

5. Your Rights

Under GDPR and applicable data protection laws, you have the right to:

• Access: Request a copy of all personal data we hold about you.
• Rectification: Request correction of inaccurate personal data.
• Erasure: Request permanent deletion of your account and all associated data.
• Data portability: Request an export of your data in a machine-readable format.
• Withdraw consent: Withdraw consent for data processing at any time by deleting your account.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

6. Data Retention

Account data is retained for the duration of your active account. Upon account deletion, all personal data and stored credentials are permanently removed within 30 days. Anonymized trading metrics may be retained for service improvement purposes.

7. Cookies

We use essential cookies and local storage for authentication session management. We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

8. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority (KVKK Board / EU DPA) within 72 hours of becoming aware of the breach (GDPR Article 33)
• Notify affected users without undue delay when the breach is likely to result in a high risk to their rights (GDPR Article 34, KVKK Article 12)
• Document all breaches including their effects and remedial actions taken

Security contact: [email protected]

9. Contact

For privacy-related inquiries, contact us at [email protected].