Privacy Policy

Last updated: February 26, 2026

1. Introduction

This Privacy Policy explains how trading.bot (“Company,” “we,” “us,” or “our”) collects, uses, stores, and discloses your personal information when you use our platform and services (“Service”). We are committed to protecting your privacy and handling your data in accordance with applicable data protection laws, including the EU General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”).

By using the Service, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.

2. Data We Collect

We collect the following categories of personal data:

2.1 Account Information

  • Email address — Used for account creation, authentication, and communications.
  • Full name — Used for account identification and billing.
  • Password hash — Your password is salted and hashed using bcrypt. We never store your plaintext password.

2.2 Wallet and Key Data

  • Polymarket wallet address — Your public wallet address, used to monitor positions and execute trades. We consider wallet addresses to be personal data under GDPR as they can be linked to an identified individual.
  • Encrypted private key — If you enable live trading, your Polymarket private key is encrypted using AES-256-GCM before storage. See Section 6 for details.

2.3 Trading Activity

  • Paper trading history, positions, and performance metrics.
  • Live trading history, executed transactions, and outcomes.
  • Whale follow lists and copy-trading configuration settings.
  • AI analysis request history and generated insights.

2.4 Technical Data

  • IP address — Collected for security monitoring, fraud prevention, and sanctions compliance.
  • Session tokens — Used for authentication and maintaining your logged-in state.
  • Browser type, operating system, device information.
  • Timestamps of access, feature usage, and page views.

2.5 Payment Data

Payment card details are collected and processed exclusively by Stripe. We do not store, access, or process your credit or debit card numbers. We receive from Stripe only a payment confirmation, subscription status, and the last four digits of your card for display purposes.

3. How We Use Your Data

We process your personal data for the following purposes:

  1. Service delivery. Operating the platform, executing paper and live trades, and providing AI analysis.
  2. Account management. Authentication, authorization, and customer support.
  3. Billing. Processing subscription payments and managing your billing cycle.
  4. Security and compliance. Fraud prevention, sanctions screening, and abuse detection.
  5. Communication. Sending transactional emails (trade confirmations, billing receipts) and, with your consent, marketing communications.
  6. Product improvement. Aggregated and anonymized analytics to improve features and performance.

Our legal bases for processing under GDPR include: performance of a contract (Service delivery), legitimate interest (security, analytics), legal obligation (sanctions compliance), and consent (marketing communications).

4. Third-Party Data Processors

We share personal data with the following third-party processors, each bound by data processing agreements:

Stripe (Payments)

Stripe processes all payment transactions and stores payment method details. We share your email, name, and subscription details with Stripe for billing purposes.

Privacy policy: stripe.com/privacy

Anthropic (AI Analysis)

We use Anthropic’s AI models to provide market analysis and trading insights. Anonymized market data and aggregated trading signals are sent to Anthropic for analysis. We do not send your private key, wallet address, or personally identifiable information to Anthropic.

Privacy policy: anthropic.com/privacy

Polymarket (Trading)

When live trading is enabled, we interact with the Polymarket protocol to execute trades on your behalf. Your wallet address and transaction data are transmitted to the Polymarket protocol as required for trade execution. All on-chain transactions are publicly visible on the blockchain.

Privacy policy: polymarket.com/privacy

5. Cookies and Session Management

We use a minimal cookie policy. The Service uses a single session cookie to maintain your authenticated state. This cookie:

  • Is strictly necessary for the Service to function.
  • Contains an encrypted session token only.
  • Is set as HttpOnly and Secure (transmitted only over HTTPS).
  • Expires when you log out or after your session times out.

We do not use advertising cookies, third-party tracking cookies, or analytics cookies. We do not participate in cross-site tracking or behavioral advertising.

6. Private Key Handling

Your private key receives the highest level of protection in our system.

  • Encryption at rest. Your private key is encrypted using AES-256-GCM, an authenticated encryption standard, before it is stored in our database.
  • Decryption only during execution. Your private key is decrypted in an isolated memory context solely at the moment of trade execution. The decrypted key is never written to disk, logged, or persisted outside of the execution context.
  • Access controls. Encryption keys are stored separately from the encrypted data, with strict access controls and audit logging.
  • Deletion on request. You may remove your private key from our system at any time through your account settings. Removal disables live trading immediately.

7. Wallet Addresses as Personal Data

Under the GDPR, blockchain wallet addresses constitute personal data when they can be linked to an identified or identifiable natural person. Because we associate your Polymarket wallet address with your account, we treat your wallet address as personal data and apply the same protections and rights described in this policy.

Please note that blockchain transactions are publicly recorded. Once a transaction is executed on-chain, the transaction details (including wallet addresses and amounts) are permanently and publicly available on the blockchain, and we cannot delete or modify this on-chain data.

8. Your Rights Under GDPR

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights regarding your personal data:

  1. Right of access. You may request a copy of the personal data we hold about you.
  2. Right to rectification. You may request correction of inaccurate or incomplete personal data.
  3. Right to erasure. You may request deletion of your personal data, subject to legal retention obligations. Note that on-chain transaction data cannot be deleted from the blockchain.
  4. Right to restriction. You may request that we restrict processing of your personal data in certain circumstances.
  5. Right to data portability. You may request your personal data in a structured, commonly-used, machine-readable format (JSON or CSV).
  6. Right to object. You may object to processing based on legitimate interest. We will cease processing unless we can demonstrate compelling legitimate grounds.
  7. Right to withdraw consent. Where processing is based on consent (e.g., marketing communications), you may withdraw consent at any time.

To exercise any of these rights, contact us at privacy@trading.bot. We will respond within thirty (30) days.

9. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy:

Data Category | Retention Period
Account information | Duration of account + 30 days after deletion request
Trading history | Duration of account + 12 months for compliance
Encrypted private key | Until removed by user or account deletion
Payment records | 7 years (tax and legal compliance)
IP address logs | 90 days
Session tokens | Until logout or session expiration

10. Security Measures

We implement the following technical and organizational measures to protect your personal data:

  • AES-256-GCM encryption for private keys and other sensitive data at rest.
  • TLS 1.3 encryption for all data in transit.
  • Bcrypt password hashing with per-user salts.
  • Strict access controls with principle of least privilege for internal systems.
  • Regular security audits and vulnerability assessments.
  • Isolated execution environments for private key decryption.
  • Audit logging of all access to sensitive data.
  • Incident response procedures and breach notification within 72 hours as required by GDPR.

11. International Data Transfers

If you are located outside the United States, your personal data may be transferred to and processed in the United States. We use Standard Contractual Clauses approved by the European Commission to provide adequate safeguards for international transfers of personal data from the EEA, UK, or Switzerland.

12. Children’s Privacy

The Service is not intended for use by anyone under the age of eighteen (18). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a person under 18, we will take steps to delete that information promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-app notice at least fourteen (14) days before they take effect. The “Last updated” date at the top of this policy indicates the most recent revision.

14. Contact Information

For questions, concerns, or requests related to this Privacy Policy or your personal data, please contact us at:

Data Protection Inquiries

Email: privacy@trading.bot

For GDPR-specific requests, please include “GDPR Request” in the subject line.