Privacy Policy

SignalBot, Inc. ("we," "us," "our") operates SignalBot (the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use and store it, and what rights you have regarding your data.

We are committed to transparency and to protecting your privacy in compliance with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), and other applicable privacy laws.

By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

Account data. When you register, we collect:

• Email address (required for login, notifications, and billing).
• Display name (optional, used in the dashboard).
• Password hash (bcrypt — your raw password is never stored).
• Account creation timestamp, last login, and activity metadata.

Exchange credentials. To execute trades on your behalf, we collect:

• Exchange API keys and secrets (Binance, Bybit, KuCoin). These are encrypted at rest using AES-256 before being stored and are never logged in plain text.
• Exchange labels and connection configuration (e.g., testnet mode, which assets to trade).
• Live balance snapshots fetched from your exchange — cached briefly (30 seconds) to reduce API calls and deleted automatically after the session.

Trade and signal data. As part of the core service:

• All trade events — entry, take-profit hits, stop-loss moves, and close prices.
• Realised and unrealised PnL, fees, and position size per trade.
• Raw signal messages received from groups you subscribe to.
• Parse results, confidence scores, and parser metadata per signal.
• Pending order queue entries and expiry events.

Risk profile and settings. Your configured risk rules (max risk %, TP split, trailing stop settings, confidence thresholds, pending-order TTL) are stored to power the execution engine.

Usage and log data. We automatically collect:

• IP address, user agent, and browser type when you log in or access the dashboard.
• Request logs (API endpoints accessed, timestamps, HTTP status codes).
• Error logs containing stack traces and metadata (no personal data is included where avoidable).
• Daily usage counters (trades placed, signals received) for plan-limit enforcement.

Device tokens. If you opt in to push notifications, we store your device FCM token via Firebase Cloud Messaging.

Billing data. Payment information (card numbers, billing address) is handled entirely by Paddle and is never stored on our servers. We receive only billing status metadata (subscription tier, renewal date, invoice IDs).

We use the data we collect strictly to:

• Create and manage your account and authenticate your sessions.
• Execute trade orders on connected exchanges according to your rules.
• Parse and validate incoming signals from your subscribed groups.
• Calculate analytics, performance reports, and daily summaries.
• Send transactional notifications (trade executed, TP hit, SL moved, daily summary).
• Enforce subscription plan limits (groups, exchanges, daily trades).
• Detect fraud, abuse, and security incidents.
• Comply with legal obligations and resolve disputes.
• Improve the Service through aggregate, anonymised analytics.

We do not sell your personal data to third parties. We do not use your exchange credentials or trade data for purposes other than providing the Service to you.

Databases. Your data is stored in a PostgreSQL database hosted on infrastructure that we control. Database access is restricted by network-level firewall rules and requires private key authentication.

Encryption at rest. Exchange API keys and secrets are encrypted with AES-256-CBC before being written to the database. The encryption key is stored separately from the data and is rotated periodically.

Encryption in transit. All communication between your browser and our servers uses TLS 1.2+. Communication with exchange APIs uses their official HTTPS endpoints.

Cache layer. Redis is used to cache short-lived data such as live exchange balances (30-second TTL), session tokens, and rate-limit counters. Redis data is not persisted to disk for sensitive values.

Access controls. Access to production systems is restricted to authorised personnel. We follow the principle of least-privilege. We do not give third-party vendors direct access to your personal data or API credentials.

We share limited data with third-party providers solely to operate the Service. Each provider is bound by data processing agreements consistent with GDPR requirements.

Paddle (payments). Processes all subscription payments, issues invoices, and handles tax compliance. Receives your email and billing address. Paddle is a Merchant of Record — they are responsible for payment data security. See Paddle Privacy Policy.

Exchange APIs (Binance, Bybit, KuCoin). We transmit trade instructions to these exchanges on your behalf. By providing API keys, you also agree to each exchange's own terms of service and privacy policy.

Anthropic Claude (AI parsing). Raw signal text messages may be sent to Anthropic's Claude API to assist with signal parsing when our regex parser falls back to AI. Messages do not include your personal details (name, email, API keys). Anthropic does not train on API requests by default — see Anthropic Privacy Policy.

Firebase Cloud Messaging (push notifications). If you opt in to push notifications, your device token is registered with Google Firebase. We only store the token; Google processes the notification delivery. See Firebase Privacy.

Resend (transactional email). Sends password-reset, verification, and notification emails. Receives your email address and the content of the email being sent. See Resend Privacy Policy.

SignalBot uses a minimal set of browser storage technologies:

• localStorage — stores your JWT access and refresh tokens client-side to maintain your authenticated session. These are not accessible to third-party scripts.
• Session cookies — used to maintain state for the Paddle checkout overlay. These are first-party cookies set by Paddle's JavaScript SDK.
• Analytics — we do not currently use any third-party analytics scripts (e.g., Google Analytics). All usage metrics are computed from server-side logs.

We do not use tracking pixels, cross-site trackers, or advertising cookies. You can clear your localStorage at any time by logging out or using your browser's developer tools.

If you are located in the European Economic Area, United Kingdom, or California, you have specific rights regarding your personal data:

• Right to access. Request a copy of the personal data we hold about you.
• Right to rectification. Ask us to correct inaccurate or incomplete data.
• Right to erasure ("right to be forgotten"). Request deletion of your personal data, subject to our legal retention obligations.
• Right to restriction. Ask us to stop processing your data while a dispute is resolved.
• Right to data portability. Receive your data in a machine-readable format (JSON or CSV) to transfer to another service.
• Right to object. Object to processing based on legitimate interests, including direct marketing.
• Right to withdraw consent. Where processing is based on consent (e.g., push notifications), you may withdraw consent at any time.
• Right to lodge a complaint. You may file a complaint with your local supervisory authority (e.g., ICO in the UK, your EU member state's DPA).

To exercise any of these rights, contact us at privacy@signalbot.io. We will respond within 30 days. We may request identity verification before processing your request.

CCPA (California). California residents may additionally request disclosure of third parties with whom we shared data in the past 12 months and opt out of any sale. We do not sell personal data, so no opt-out is required.

We retain data for as long as necessary to provide the Service and comply with legal obligations:

• Account data — retained for the lifetime of your account, plus up to 90 days after deletion to allow for account recovery and dispute resolution.
• Trade history and signals — retained indefinitely while your account is active (you need this data for tax and performance analysis). Deleted within 90 days of account closure unless you request earlier deletion.
• Exchange API keys — deleted immediately upon your request, upon connection deletion, or within 90 days of account closure.
• Server logs — retained for 30 days for security monitoring, then automatically purged.
• Billing records — retained for 7 years as required by accounting and tax law. Paddle retains payment data per their own retention policy.

SignalBot, Inc. is incorporated in the United States. If you access the Service from outside the US, your data may be transferred to and processed in the United States or other countries where our infrastructure providers operate.

For transfers from the EEA or UK to the United States, we rely on Standard Contractual Clauses (SCCs) with our sub-processors to ensure an adequate level of data protection.

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a user under 18 has created an account, we will promptly delete the account and associated data. If you believe a child has provided us with data, please contact us at privacy@signalbot.io.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Service. We will notify you of material changes by email and by updating the "Last updated" date at the top of this page.

Your continued use of the Service after a policy update constitutes your acceptance of the revised policy. If the changes are material and you disagree, you may delete your account before the revised policy takes effect.

For privacy enquiries, GDPR requests, or data-related concerns, please contact our privacy team:

For general support enquiries, visit our help centre or email support@signalbot.io. We respond to all enquiries within 5 business days.