1. What we collect
Email, encrypted Bitfinex API credentials, payment method (via our payment processor). Operational metadata: login times, session IP for fraud detection (30 days retention), feature usage (aggregated, opt-in). For Google Ads conversion measurement we record ad-click/conversion signals such as conversion value, currency, and transaction id. We do not collect: contacts, browsing history, precise location, device fingerprints.
2. How we use it
Service delivery: authenticate you, execute your strategies, send you statements and alerts. Security: detect anomalous logins, comply with abuse reports. Improvement: aggregate usage metrics to inform roadmap (opt-in). Advertising measurement: attribute paid subscriptions back to Stratum ads so we can understand acquisition cost. We never sell personal data or use Bitfinex/API-key data for advertising.
3. Your rights
Under GDPR Article 15-22 and CCPA, you may request a full data export (JSON + CSV), correct inaccurate records, delete your account and all associated data, restrict processing, port to another service, and object to processing. Reach us at [email protected] — we respond within 30 days, usually within 72 hours.
4. Security & subprocessors
Data is encrypted in transit (TLS) and API key secrets are encrypted at rest with AES-256-GCM, never logged in plaintext. We run on cloud infrastructure in the EU with encrypted backups. We use a small number of subprocessors — a payment processor and a transactional email provider — and keep the current list available on request at [email protected].
5. Retention & deletion
Active accounts: indefinite while in use. Deleting your account deactivates access immediately — we cancel your open offers, disconnect your API keys, and revoke your sessions. We retain the records we need for accounting and security unless you request erasure; erasure requests are handled within the legal response window, except records we are required to keep. Billing/tax records: 7 years (legal requirement). Logs: 30-90 days depending on category. Some regulatory categories (KYC of the payment provider) cannot be deleted before their retention period ends.