Privacy Policy
What we collect
- Account data: email, username, hashed authentication data (via AWS Cognito).
- Exchange API keys: stored encrypted (AES-256-GCM); decrypted only transiently in memory to execute the actions you configure. We never see or store keys in plaintext at rest.
- Usage & trading records: bots, trades, analyses, and quota counters needed to run the Service and show your history.
- Technical logs: IP address, user agent, and request metadata for security and debugging (retained ≤30 days in operational logs).
- Payments: handled by payment providers; we store subscription status and tier, not card or wallet credentials.
What we don't do
We do not sell personal data. We do not request exchange withdrawal permissions. We do not use your data to trade against you.
Where data lives
Amazon Web Services (us-east-1), with Cloudflare in front of web traffic. Payment data is processed by our payment providers under their policies.
Legal bases & rights
We process data to perform our contract with you, for legitimate security interests, and to comply with law. Depending on your jurisdiction (e.g. GDPR/UK GDPR), you may have rights to access, correct, export, or delete your data, and to object to processing. Contact support@guac.fi; deletion requests remove your account data and encrypted keys, subject to records we must keep by law.
Retention
Account and trading records are kept while your account is active and deleted upon verified account-deletion requests. Operational logs expire automatically (≤30 days). Daily portfolio snapshots expire after 2 years.
Changes & contact
Material changes will be announced in-product. Contact: support@guac.fi.