Privacy Policy
Last updated: 2026-05-18
This Policy describes how CopyTrail collects, uses, and protects your data. We comply with GDPR, CCPA, and the Korean Personal Information Protection Act.
1. Data We Collect
- Required: email, password hash
- Payment: Stripe Customer ID (we never store card details — Stripe handles it directly)
- Trading ops: Polymarket username, wallet address, AES-256-GCM encrypted private key
- Automatically collected: IP, browser info, trade history (for service operation)
2. Purposes
- Running the copy-trading bot
- Processing payments and managing subscriptions
- Legal compliance (tax, dispute resolution)
- Security (anomaly detection)
3. Sub-processors
- Supabase (auth, DB) — US-hosted
- Stripe (payments) — US / Ireland
- Vercel (web hosting) — global edge
- Fly.io (bot hosting) — Tokyo region
- Alchemy/Quicknode (Polygon RPC)
- Telegram (operator alerts — optional)
4. Retention
- Account: signup until 30 days after cancellation (incl. backups)
- Trade history: 5 years (tax records)
- Encrypted private key: permanently deleted on member request
- Logs: 90 days (security, debugging)
5. Your Rights (GDPR / CCPA / K-PIPA)
- Right to access, rectify, or erase your data
- Right to withdraw consent
- Right to data portability (JSON export)
- Right to object to automated decision-making
Request via: privacy@copytrail.io
6. Security
- All traffic HTTPS / TLS 1.3
- Wallet private keys: AES-256-GCM (+ optional AWS KMS)
- Passwords: bcrypt hash (Supabase Auth)
- Admin access: IP whitelist + separate vault password + audit log
7. Cookies
Essential cookies (session, language) work without consent. Analytics cookies load only with your explicit opt-in via the consent banner.
8. Minors
We do not knowingly collect data from anyone under 18. Such accounts are terminated immediately.
Contact: privacy@copytrail.io