Privacy Policy

Last updated: 2026-05-02

Orca ("we", "us") operates a crypto trading automation platform. This policy explains what we collect, how we use it, and your rights.

1. Data we collect

Account: email, password (hashed with Argon2), full name, optional avatar URL.
Authentication: session tokens, IP address, last-login timestamp, optional 2FA secret.
Exchange API keys: Binance API key + secret, encrypted at rest with AES-256-GCM. We never request withdrawal permissions.
Trading data: orders, trades, bot state, P&L history, audit events. Stored to render your dashboard and compute reports.
Notification routing: Telegram chat ID, Discord webhook URL, push subscription endpoints — only what you provide.
Operational logs: error traces (Sentry), API call counters. Personal data is redacted (passwords, tokens, secrets).

2. How we use it

To execute the bots you create on the exchange of your choice.
To send you the notifications you opted into.
To bill subscriptions and process crypto payments via CoinPayments.
To prevent abuse, fraud, and to keep the service running (rate limits, kill switch).

3. What we do NOT do

We do not sell or rent your personal data.
We do not place trades using your funds without your explicit bot configuration.
We do not store your exchange API secret in plaintext, ever.
We do not share your trading history with other users (unless you publish a strategy on the marketplace).

4. Third-party processors

Binance — exchange execution.
CoinPayments — crypto subscription billing.
Resend — transactional email delivery.
Telegram, Discord, browser push services — notification delivery (only when you enable them).
Sentry — error tracking (PII redacted).

5. Retention

We keep your trading history while your account is active. Logs are kept for a maximum of 90 days. On account deletion, all personal data is purged within 30 days, except where law requires retention.

6. Your rights

You may request export or deletion of your data at any time — see GDPR. For questions, contact privacy@orca.local.