When you create an account, we collect your email address and authentication credentials (managed by Supabase Auth). When you connect an exchange, we store your encrypted API keys. We do not store passwords — authentication is handled by our identity provider.
Exchange API keys are encrypted using AES-256-GCM with per-user authenticated additional data before storage. Keys are decrypted only in server memory during trade execution and are never sent to the browser or logged. We require trade-only permissions with withdrawals disabled.
We do not sell your personal data. We share data only with:
Account data is retained while your account is active. You may request deletion of your account and associated data by contacting support. Trade history and execution logs are retained for audit and compliance purposes.
We use session cookies for authentication (sb_token, sb_refresh). We do not use tracking or advertising cookies.
You may access, update, or delete your personal data at any time. You may revoke exchange API keys from your Settings page. Contact us at support@bosstrade.app for data requests.
We may update this policy from time to time. Material changes will be communicated via the dashboard or email.