> For the complete documentation index, see [llms.txt](https://spread-hunter.gitbook.io/spread-hunter-docs/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://spread-hunter.gitbook.io/spread-hunter-docs/english/privacy.md). # Privacy Policy **Version:** 1 · **Effective from:** June 17, 2026 This Policy explains what personal data the **Spread Hunter** service (`spreadhunter.app`, hereinafter the "**Service**") collects, the Service being operated by **the Spread Hunter team — the owner(s) and project team** (hereinafter "**we**", the "**Operator**"; the data controller). For what purpose, on what basis, how long we retain it, and what rights you have. If you are in the EU/EEA, the **GDPR** applies to the processing; in Ukraine, the Law of Ukraine "On the Protection of Personal Data". *** ## 1. What data we collect **Account data:** email; password (only a cryptographic hash — we **cannot see** it); 2FA settings; password-reset/confirmation tokens (temporary). **Data for the Bot's operation:** the **API keys** of your exchange accounts — stored **encrypted** (at-rest), used solely for executing trades according to your settings; bot configuration, trade/cycle history, P\&L metrics. **Payment and referral data:** wallet addresses and transaction identifiers (txid) on the BNB Smart Chain network; referral relationships and accruals. **Technical data:** IP address, device/browser type, access and security-event logs; cookie files (section 7). **Integrations (optional):** Telegram ID/handle and the fact of membership in the community, and access/exclusion events — if you link your account to the Telegram community. > Blockchain transactions are public and immutable; linking a txid to your account creates a financial profile, which we protect as personal data. We deliberately do not collect special categories of data (Art. 9 GDPR) and do not require KYC, unless and until it becomes mandatory by law. ## 2. How we obtain data Directly from you (registration, settings, adding keys); automatically during use (logs, cookies); from the blockchain (confirmation of payments via public data); **and also from the user who referred you** (the fact of a referral relationship). ## 3. Purpose and legal bases of processing | Purpose | Basis (GDPR) | | ------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | | Provision of the Service, operation of the Bot, execution of trades | Performance of a contract (Art. 6(1)(b)) | | Processing of payments, subscriptions, and referral payouts | Performance of a contract | | Account security, prevention of fraud/abuse | Legitimate interest (Art. 6(1)(f)) — an interest in protecting the Service and users from fraud, unauthorized access, and abuse; you may object (section 8) | | Transactional/security notifications (email) | Performance of a contract | | Optional notifications on Telegram | Consent (may be withdrawn at any time) | | Compliance with legal requirements | Legal obligation (Art. 6(1)(c)) | **Consequences of not providing data:** without an email/password and API keys, the paid features and the Bot will not work. ## 4. Recipients of data We **do not sell** your personal data. Data may be processed by: * **Processors** (acting on our instructions, under a data-processing agreement): the hosting/VPS provider, the email-distribution service, and the documentation hosting service. * **Independent controllers / public systems** (under their own policies): crypto exchanges (when the Bot executes trades through your keys — orders are transmitted to them), public blockchain networks (payment transactions are public by nature), Telegram. * **Competent authorities** — if required by law. ## 5. Storage and retention periods | Category | Indicative period | | -------------------------------- | ---------------------------------------------- | | Account data (email, settings) | until account deletion + 30 days | | API keys (encrypted, trade-only) | until deleted by you or until account deletion | | Trade history / P\&L | 12 months after account closure | | Payment / blockchain records | 3 years (tax/accounting obligation) | | Security logs / IP | 90 days | | Tick/spread history | 30 days | | Community events (Telegram) | 90 days | | Referral cookies | 30 days | | Reset/2FA tokens | until used / TTL | After an account is deleted, we delete or anonymize the data, **except** for that which we are obliged to retain by law or which is needed to defend legal claims. ## 6. Security and breaches We apply technical and organizational measures: encryption of API keys (at-rest), hashing of passwords, access restrictions, logging of security events, off-site backups; we recommend trade-only keys without withdrawal rights (see the [Agreement](/spread-hunter-docs/english/terms.md) §5). Despite this, **no method is absolutely secure**. In the event of a breach that poses a risk to your rights, we will notify the supervisory authority and, where necessary, you — in accordance with Art. 33–34 GDPR. ## 7. Cookie files | Cookie | Purpose | Type | Basis | | ---------- | -------------------------------------------------------------------- | ---------- | ----------------------------- | | Session | Login/authentication | Necessary | Performance of a contract | | CSRF token | Protection against request forgery | Necessary | Legitimate interest | | Referral | Attribution of a referral (set only after following a referral link) | Functional | Consent / legitimate interest | Necessary cookies do not require consent. For non-technical (referral) cookies, where required (EU/ePrivacy), we obtain **consent via a cookie banner** before setting them. Without the necessary cookies, login and the paid features will not work. ## 8. Your rights Depending on your jurisdiction, you have the right to **access**, **rectification**, **erasure**, **restriction**, **objection** to processing (in particular on the basis of legitimate interest — Art. 21), **data portability**, and to **withdraw consent**. To exercise these, write to **** — we respond **free of charge within one month** (with a possible extension of a further two months for complex requests, of which we will inform you). **Right to lodge a complaint.** In Ukraine — with the Ukrainian Parliament Commissioner for Human Rights (ombudsman.gov.ua). In the EU/EEA — with the data protection authority of your place of residence, work, or the place of the alleged infringement. ## 9. Automated decision-making The Bot executes trades **solely according to your settings** and is not automated decision-making concerning you within the meaning of Art. 22 GDPR. Certain security/anti-fraud decisions (e.g. blocking an account, cancelling referral payouts) may be partly automated; you have the right to **human review** — write to . ## 10. International transfers Data may be processed on servers that may be located outside your country, and by the service providers engaged. For transfers outside the EEA we rely on the **Standard Contractual Clauses (SCC)** of the European Commission or, where applicable, on an adequacy decision. A copy of the relevant safeguards may be requested at . ## 11. EU representative and DPO No separate DPO has been **appointed** (there is no large-scale systematic monitoring under Art. 37 GDPR); for all data-protection matters — . If applicable under Art. 27 GDPR (systematic offering of services to subjects in the EU), we will appoint an EU representative and provide their contact details here. ## 12. Children The Service is intended **only for persons aged 18 and over**. We do not knowingly collect data of persons under 18; if we learn of such a case, we will delete it. If you believe a child has provided us with data, write to . ## 13. Changes to the Policy We may update this Policy. The current version is always available here, with the date and version number. We will notify you of **material changes** by email and/or within the Service **in advance** of their entry into force; if the consent basis changes, we will request new consent. ## 14. Contacts For privacy and data-protection matters: ****. Data controller: the Spread Hunter team. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://spread-hunter.gitbook.io/spread-hunter-docs/english/privacy.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.