AutoQube — Privacy Policy
This Privacy Policy explains what personal data AutoQube ("we", "us") collects when you use the AutoQube app and related services (the "Service"), why we collect it, and the rights you have over it.
1. Data We Collect
| Data | Purpose | Notes |
|---|---|---|
| Email address | Account creation, sign-in (one-time codes), essential service emails | The only identity data required to register |
| Display name (optional) | Personalization | You may leave it empty |
| Device and push token | Delivering notifications you enable (template events, execution updates for your own account) | Platform (iOS/Android), app version, push token |
| IP address and derived country | Compliance only: enforcing geographic restrictions (including Türkiye and U.S. persons), security, and abuse prevention | Country code is logged with compliance-relevant actions |
| Eligibility and acceptance records | Legal compliance: your country declaration, risk-disclosure acceptance, terms acceptance, and each template activation (template, capital allocation, leverage cap, timestamp, document version) | Retained as evidence of consent |
| Subscription status | Determining plan access and limits | Payment card data is never collected by us (see Section 3) |
| Exchange API keys | Executing automation templates on your own exchange account | See Section 2 — special handling |
| Support messages | Responding to your requests | |
| Technical logs | Security, debugging, service operation | Kept short-term |
We do not collect government IDs, payment card numbers, precise location, or advertising identifiers, and we do not sell personal data or use it for advertising.
2. Exchange API Keys — Special Handling
- API keys are transmitted over TLS and are stored only in our execution engine, encrypted at rest (Fernet symmetric encryption). They are not stored and not logged in our API layer or analytics.
- Keys must be trade-only; keys with withdrawal permission are rejected and not retained.
- Deletion: your API keys are deleted from our systems when you disconnect your exchange, when your subscription ends and automation is deactivated, or when you delete your account — whichever comes first. You can additionally revoke the key at your exchange at any time, which immediately disables all access.
3. Third Parties (Processors)
We share data only with processors needed to run the Service:
| Provider | Role | Data involved |
|---|---|---|
| Heroku (Salesforce) | Cloud hosting of our API and execution engine (data at rest and in transit) | All service data listed above |
| Stripe (planned, at paid launch) | Card payments and billing | Email, subscription status; card data goes directly to Stripe and never touches our servers |
| RevenueCat (planned, at paid launch) | App Store / Google Play subscription management | App user ID, subscription status |
| Postmark (planned) | Transactional email delivery (sign-in codes) | Email address |
| Exchange(s) you connect (e.g. Binance, Bybit) | Order execution on your account | API calls made with your key; governed by the exchange's own privacy policy |
| Apple / Google push services (via FCM) | Push notification delivery | Push token, notification content |
We do not use third-party advertising or cross-site tracking SDKs.
4. Legal Bases
Where GDPR or similar laws apply, we process data on the bases of: contract performance (providing the Service), legal obligation / legitimate interest (geo-compliance, security, record-keeping of acceptances), and consent (push notifications, which you can withdraw in system settings).
5. Retention
- Account data: for the life of the account.
- Acceptance/compliance records (risk disclosure, terms, template activations): retained after account closure for as long as required to evidence compliance (target: 7 years), then deleted.
- Exchange API keys: deleted as described in Section 2 — not retained after disconnection or account deletion.
- Technical logs: short-term rotation.
6. Your Rights
Depending on your jurisdiction, you may have the right to access, correct, export, or delete your personal data, restrict or object to processing, and withdraw consent. In-app tools: data export (Profile → Export) and account deletion (Profile → Delete account). For anything else, contact us (Section 9). We respond within the timeframe required by applicable law.
7. Security
TLS for all transport; encryption at rest for exchange API keys; hashed sign-in codes and session tokens; HMAC-signed internal service communication; access limited to what operation of the Service requires. No method of storage or transmission is 100% secure; we cannot guarantee absolute security.
8. Children
The Service is not directed to persons under 18, and we do not knowingly collect data from them.
9. Contact
Data controller: AutoQube — [legal entity name and address to be inserted upon incorporation]
Email: privacy@autoqube.app
10. Changes
We will notify you of material changes in the app or by email. The version identifier at the top of this document changes with each revision; certain changes may require renewed acceptance in the app.