Legal

Privacy Policy

Last updated: 25 April 2026

This Privacy Policy explains what personal data Arbor collects, how we use and protect it, and the choices you have. We aim for minimum collection: we don’t want data we don’t need.

1. Data we collect

1.1 Account data

  • Email address, display name, and a hashed password (we never see your plaintext password).
  • If you sign in with Google: your Google-verified email and profile name.
  • Account timestamps and login activity (for security audits).

1.2 Binance API keys

Your Binance API key and secret are encrypted at rest using authenticated encryption (AES-GCM) with a key stored outside our database. They are decrypted only briefly inside your own isolated trading container at runtime. We require only Spot Trading and Read permissions — withdrawal permissions are strongly discouraged and never required.

1.3 Trading data

  • Trades your bot executes (symbol, quantity, price, timestamp, realised P&L).
  • Current open positions.
  • Daily statistics, cooldowns, engine performance metrics.

This data lives in a per-user SQLite database inside your trading container and in our main Postgres database. It is used to show you your own dashboard, calculate performance, and improve the service.

1.4 Payment data

Subscription billing is handled by Stripe. We never see or store your full card number. Stripe stores a customer ID that we associate with your account to enable subscription management (upgrade, downgrade, cancel, portal access).

1.5 Technical & operational data

  • Standard web-server logs (IP address, user agent, request path, response code) kept for a limited window for security and debugging.
  • Error reports via Sentry (if enabled) — stack traces and request metadata, scrubbed of request bodies and headers that could contain secrets.
  • Aggregate, anonymous usage metrics.

2. Data we do NOT collect

  • We don’t take custody of your crypto. Your funds live in your Binance account at all times.
  • We don’t collect biometric, health, or government-ID data.
  • We don’t sell, rent, or monetise your personal data in any way.
  • We don’t run third-party advertising or analytics trackers on the dashboard.

3. How we use data

  • Provide the service: run your trading bot, display your dashboard, handle billing.
  • Operate safely: rate-limit abuse, detect fraud, recover from incidents, comply with law.
  • Communicate with you: password resets, security alerts, subscription and service emails.
  • Improve reliability: aggregate error reporting, performance tuning, capacity planning.

4. Third parties

We rely on a small number of service providers that process data on our behalf:

  • Binance — executes your trades. We send signed API requests with your keys; Binance’s privacy practices apply to your exchange account.
  • Stripe — payment processing and subscription management.
  • AWS / EC2 — hosting and data storage in the European region.
  • Anthropic (Claude API) — used by the shared signal service to classify news headlines and tweets. We do not send personal data — only public market data and public tweets.
  • Sendgrid/SMTP provider — delivery of transactional emails (password reset, receipts).
  • Sentry (optional) — error tracking when enabled.

We do not transfer personal data outside the EU/EEA except as required to provide these services (for example, Stripe and Anthropic may process data in the US under Standard Contractual Clauses).

5. Security

  • API keys encrypted at rest; only decrypted inside your isolated container.
  • Passwords hashed with bcrypt — never stored or logged in plaintext.
  • All traffic over TLS (HTTPS).
  • Per-user containers with CPU/memory limits, separate data volumes, no cross-access.
  • Daily encrypted database backups with 7-day retention.
  • Regular dependency updates and security reviews.

No system is 100% secure. If you believe your account has been compromised, email us immediately and rotate your Binance API keys.

6. Data retention

  • Account and trading data: kept while your account is active, and for up to 12 months after cancellation for tax/compliance purposes.
  • Server logs: rolled off after 30 days.
  • Backups: 7-day rolling window.
  • You may request deletion at any time (see “Your rights” below).

7. Your rights (GDPR)

If you are in the EU/EEA/UK, you have the right to:

  • Access a copy of the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your data (subject to legal retention obligations).
  • Export your data in a portable format.
  • Object to or restrict processing.
  • Lodge a complaint with your local data-protection authority.

To exercise any of these rights, email hello@arrbor.com. We’ll respond within 30 days.

8. Cookies

We use strictly-necessary cookies for authentication (session tokens) and security (CSRF protection). No advertising or cross-site tracking cookies.

9. Children

Arbor is not intended for users under 18. We do not knowingly collect data from minors. If we learn that we have, we will delete it.

10. Changes to this policy

We may update this policy from time to time. Material changes will be announced by email and on the platform.

11. Contact

Privacy questions? hello@arrbor.com