HomeLog In

Security & Compliance

Last updated: July 4, 2026

This page explains in plain language how AutoTrader protects your data and where we stand on compliance. It is informational and does not create warranties or modify our Terms of Service or Privacy Policy, which are the binding documents.

Non-Custodial by Design

AutoTrader never holds your money or cryptoassets. Your funds stay in your own exchange account (Binance, MEXC, or Coinbase) at all times. Bots trade through API keys or OAuth authorization that you create, you control, and you can revoke at any moment — directly on your exchange, independently of us.

  • We instruct you to create API keys with trading permission only — withdrawals disabled. Even in a worst-case compromise, such a key cannot move funds off your exchange account.
  • Disconnecting an exchange in the app deletes the stored credentials; deleting the key on your exchange revokes our access instantly.
Encryption & Key Handling
  • Exchange API keys, per-bot webhook tokens, and two-factor secrets are encrypted at rest with AES-256.
  • All traffic between your browser, our servers, and the exchanges is encrypted in transit (TLS/HTTPS).
  • Secrets stay server-side: API responses never include decrypted keys, 2FA secrets, or backup codes.
  • Encryption keys and webhook secrets are generated uniquely per environment and are never reused across systems.
Account Protection
  • Authentication is handled by Google Firebase Authentication — we never see or store your password.
  • Two-factor authentication (TOTP) is required — and enforced on the server, not just in the interface — before you can connect an exchange or create a bot.
  • Backup codes are stored only as hashes and can be regenerated at any time.
Signal & Trade Integrity
  • Incoming webhooks are authenticated with secret tokens compared in constant time (timing-safe), and are rate-limited by IP and per bot.
  • Per-bot webhook tokens can be rotated by you at any time; rotation immediately invalidates the old token.
  • Duplicate protection at two levels: signals are de-duplicated on arrival, and every order carries a unique trade ID that exchanges reject if replayed — so a retry or crash cannot double-spend.
  • Every signal, order, and fill is logged and visible to you in your trade history.
Data Protection & Your Rights

We collect only the data the Service needs to run, we do not use advertising trackers, and we never sell personal data. Where the EU/UK GDPR applies, you can access, correct, export, or delete your data and object to processing by emailing contact@YOUR-DOMAIN.com. Full details — what we store, why, for how long, and who we share it with — are in the Privacy Policy.

Regulatory Status

AutoTrader is a software automation tool, not a financial institution. We are not a broker, exchange, custodian, or investment adviser, and we are not registered with or licensed by any financial regulator. Trades are executed by your own exchange under your own exchange agreement and its regulatory framework.

  • Our Terms of Service prohibit using the platform for money laundering, sanctions evasion, or market manipulation, and we may suspend accounts involved in such activity.
  • You are responsible for ensuring that automated crypto trading is lawful in your jurisdiction and for reporting and paying your own taxes.
  • We do not currently hold third-party certifications such as SOC 2 or ISO 27001 and do not claim to.
Reporting a Vulnerability

If you believe you have found a security vulnerability in AutoTrader, please email contact@YOUR-DOMAIN.com with the details before disclosing it publicly. We will acknowledge your report, investigate promptly, and keep you informed. Please do not access other users' data or disrupt the Service while researching. A machine-readable contact is published at /.well-known/security.txt.

Questions

Security or compliance questions: contact@YOUR-DOMAIN.com

AutoTrader
Terms of ServicePrivacy PolicySecurity & Compliance© 2026 AutoTrader