Privacy Policy
1. Who we are
The Service “Avalant” is operated by [LEGAL ENTITY NAME], registered at [ADDRESS], [JURISDICTION]. We are the data controller for personal data we collect when you use the Service.
2. What data we collect
| Category | Examples | Source |
|---|---|---|
| Account | Username, email, hashed password, plan, registration date | You, at sign-up |
| 2FA | TOTP secret (encrypted), hashed recovery codes, last-used timestamp | You, when enabling 2FA |
| Telegram | TG user ID, chat ID, username (if linked) | Telegram, when you connect |
| Exchange API keys | API key, secret, passphrase, address (Fernet-encrypted at rest) | You, when adding a key |
| Portfolio data | Balance snapshots, addresses, transaction history | Fetched from exchanges/chains via your keys |
| Trading data | Orders placed via the Service, positions, P&L, fills | The Service, when you execute trades |
| Payments | Plan purchase records, promo codes used, referral commissions | CryptoCloud webhook + the Service |
| Operational | IP address, user-agent (server logs), audit-log of admin actions | Server-side |
We do not collect: your private keys, seed phrases, withdrawal permissions, or payment-card data.
3. How we use it
- To run the Service — fetch balances, run trades you initiated, surface analytics, send alerts;
- To operate your subscription (renewal reminders, plan changes);
- To prevent abuse (rate limiting, login throttling, honeypot probes);
- To comply with legal obligations and respond to enforcement requests;
- To improve the Service (aggregated, anonymized usage metrics).
4. Legal basis (GDPR)
If you are in the EU/EEA, we process your personal data under the following GDPR legal bases:
- Contract (Art. 6(1)(b)) — account, API keys, portfolio data, trades, payments. Necessary to provide the Service you signed up for.
- Legitimate interests (Art. 6(1)(f)) — operational logs, abuse prevention, fraud detection, basic anonymized analytics.
- Consent (Art. 6(1)(a)) — optional features you opt into (e.g. linking Telegram, marketing announcements).
- Legal obligation (Art. 6(1)(c)) — record-keeping where law requires.
5. Sharing with third parties
We do not sell your personal data. We share it only with the processors necessary to run the Service:
- Cryptocurrency exchanges & DEXs — your API keys talk directly to them; we don’t intermediate the credentials beyond storing them encrypted;
- Telegram (Telegram Messenger Inc.) — for bot login & alerts you opt into;
- CryptoCloud — for payment processing of subscription plans;
- Hosting / infrastructure — [HOSTING PROVIDER NAME] provides server hosting in [REGION];
- Law enforcement — when legally required by court order or subpoena.
6. Cookies & local storage
We use only essential cookies and localStorage:
sessioncookie (HttpOnly, Secure, 30 days) — your authenticated session;- localStorage keys for UI preferences (theme, screener filters, anonymous-preview timer, dismissed popups).
We do not use third-party tracking cookies, advertising pixels, or analytics scripts that profile individual users.
7. Retention
- Account data — retained while your account is active;
- Balance / trade history — kept for as long as you have the account, archived after account deletion for up to 30 days, then permanently deleted;
- Audit logs and operational logs — 90 days;
- Payment records — retained for the legally required period (typically 5–7 years for tax purposes);
- Backups — overwritten on a rolling schedule (no longer than 90 days).
8. Security
We implement industry-standard safeguards:
- Exchange credentials and TOTP secrets are encrypted at rest using
Fernet(AES-128-CBC + HMAC-SHA256) with a key derived fromENCRYPTION_KEYvia PBKDF2-SHA256 (260,000 iterations); - Passwords are hashed with
bcrypt(workfactor 12); - All traffic is TLS 1.2+ with HSTS;
- Per-account login lockout, rate limiting, optional 2FA with single-use recovery codes;
- Strict CSP, X-Frame-Options DENY, no third-party trackers.
No system is 100% secure. If you suspect unauthorized access to your account, change your password and contact us immediately.
9. Your rights (GDPR)
If you are in the EU/EEA, you have the right to:
- Access — get a copy of the personal data we hold. Download a machine-readable JSON archive from /profile → “Export my data”, or call
GET /api/auth/me/data-export; - Rectification — correct inaccurate data via /profile;
- Erasure (“right to be forgotten”) — delete your account from /profile → Danger Zone. We delete within 30 days, except for legally retained records;
- Restriction — temporarily restrict processing while you contest accuracy or object to processing;
- Portability — receive your data in a structured, commonly used, machine-readable format (JSON via the export endpoint);
- Object — to processing based on legitimate interests; we will assess your specific situation;
- Withdraw consent — for processing based on consent (e.g. disconnect Telegram via /profile);
- Complain — lodge a complaint with your local data-protection authority.
Logged-in users can download a full JSON archive of everything we hold on you. One click, one file.
Open profile10. International transfers
Our servers are located in [REGION]. If you access the Service from outside this region, your personal data is transferred to and processed there. Where transfers to a country without an adequacy decision occur, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.
11. Children
The Service is not intended for individuals under 18. We do not knowingly collect data from minors. If you believe a minor has registered, contact us and we will delete the account.
12. Changes
We may update this Policy. Material changes will be announced via email or in-app banner at least 14 days before they take effect.
13. Contact
Privacy questions / GDPR requests: privacy@avalant.xyz.