HomeLog In

Privacy Policy

Last updated: July 4, 2026

1. Introduction

This Privacy Policy explains what personal data AutoTrader ("we", "us") collects when you use our website and trading automation service (the "Service"), how we use and protect it, and the rights you have over it. The data controller is the operator of AutoTrader, reachable at contact@YOUR-DOMAIN.com. By using the Service you also agree to our Terms of Service.

2. Data We Collect

We collect only what the Service needs to function:

  • Account data — username and email address. Passwords are handled by Google Firebase Authentication; we never see or store your password. If you sign in with Google, we receive your name, email, and profile picture from Google.
  • Two-factor authentication data — your TOTP secret and hashed backup codes, stored encrypted and never sent to your browser.
  • Exchange credentials — the API keys you connect (Binance, MEXC) or OAuth tokens (Coinbase). These are encrypted at rest with AES-256 and are used exclusively to execute the trades your bots are configured for. We never ask for your exchange login password.
  • Trading data — your bot configurations, trade and order history, signals received, profit/loss statistics, and webhook activity logs.
  • Technical and security data — IP addresses (used for rate limiting and abuse prevention), timestamps, and server logs.
  • Push notification subscriptions — if you opt in to browser notifications, the push endpoint your browser provides.
  • Communications — any messages you send us for support.

We never hold your funds or cryptoassets, we cannot withdraw from your exchange account, we do not use advertising trackers, and we never sell your personal data.

3. How We Use Your Data
  • To provide the Service: authenticate you, relay trading signals to your exchange using your credentials, and show you your trade history and statistics.
  • To secure the Service: enforce two-factor authentication, rate-limit requests, detect abuse and unauthorized access, and de-duplicate webhook signals.
  • To notify you: trade execution and service notifications, in-app and (if you opt in) via push notifications.
  • To communicate with you about your account and important service or legal changes.
  • To comply with legal obligations and respond to lawful requests from authorities.

Where the EU/UK GDPR applies, our legal bases are: performance of our contract with you (providing the Service), our legitimate interests (security, abuse prevention, service improvement), your consent (push notifications), and compliance with legal obligations.

4. Who We Share Data With

We share data only where necessary to run the Service:

  • Your exchange (Binance, MEXC, or Coinbase) — order instructions produced by your bot configurations, sent under your authorization with your own credentials.
  • Infrastructure providers — Google Firebase (authentication), our database and hosting providers, and browser push services (operated by your browser vendor). They process data on our behalf under their own security and data-processing commitments.
  • Authorities — if required by law, court order, or to protect the rights, safety, or property of users or the Service.
  • Business transfer — if the Service is acquired or merged, your data may transfer to the successor, which must honor this policy.
5. How We Protect Your Data
  • Exchange API keys, webhook tokens, and 2FA secrets are encrypted at rest with AES-256.
  • All traffic is encrypted in transit with TLS/HTTPS.
  • Sensitive actions (connecting an exchange, creating a bot) require two-factor authentication, enforced server-side.
  • Secrets never leave the server: API responses exclude 2FA secrets, backup codes, and decrypted keys.
  • Webhooks are authenticated with secret tokens using timing-safe comparison and are rate-limited.

No system is perfectly secure. If we become aware of a breach affecting your personal data, we will notify you and the competent authorities as required by applicable law.

6. Data Retention

We keep your data while your account is active. If you delete your account or disconnect an exchange, the associated credentials are deleted. Trade history and security logs may be retained for a limited period after account closure where we have a legitimate interest (fraud and abuse prevention, dispute resolution) or a legal obligation to keep them, after which they are deleted or anonymized. Temporary records such as webhook de-duplication entries expire automatically.

7. Your Rights

Depending on where you live (including under the EU/UK GDPR), you have the right to access, correct, delete, or receive a copy of your personal data, to restrict or object to certain processing, and to withdraw consent at any time (for example, disabling push notifications). To exercise any right, email contact@YOUR-DOMAIN.com. We will respond within the timeframe required by law. You also have the right to lodge a complaint with your local data protection authority.

8. International Transfers

Our infrastructure providers may store or process data in countries other than your own. Where data is transferred out of the EU/UK, we rely on providers that offer appropriate safeguards, such as standard contractual clauses or an adequacy decision.

9. Cookies and Local Storage

We use only what is strictly necessary to operate the Service: authentication tokens (via Firebase), your session state, and service-worker caching so the app can work as an installable PWA. We do not use third-party advertising or analytics cookies.

10. Children

The Service is not directed to anyone under 18, and we do not knowingly collect data from minors. If you believe a minor has created an account, contact us and we will delete it.

11. Changes to This Policy

We may update this policy from time to time. We will post the updated version here with a new "Last updated" date and, for material changes, notify you in the app or by email.

12. Contact

Privacy questions or requests: contact@YOUR-DOMAIN.com

AutoTrader
Terms of ServicePrivacy PolicySecurity & Compliance© 2026 AutoTrader