PRIVACY POLICY

Last Updated: November 3, 2025

TunaLabs LLC • Semi Auto Trade Bot

Table of Contents

1. Introduction 2. Information We Collect 3. How We Use Your Information 4. How We Share Information 5. Data Security 6. Your Privacy Rights 7. Cookies and Tracking 8. Data Retention 9. International Data Transfers 10. Children's Privacy 11. Changes to This Policy 12. Contact Us

1. Introduction

Welcome to Semi Auto Trade Bot, operated by TunaLabs LLC ("we," "us," or "our"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our automated trading bot subscription service.

By accessing or using Semi Auto Trade Bot, you agree to the terms of this Privacy Policy. If you do not agree with our policies and practices, please do not use our service.

Key Points:

  • We collect only necessary information to provide our trading bot services
  • Your payment information is securely processed by Stripe
  • Your trading API keys are encrypted with industry-standard AES-256 encryption
  • You have full control over your data and can request deletion at any time

2. Information We Collect

We collect several types of information to provide and improve our service to you.

2.1 Account Information

When you register for an account, we collect:

Data Type Purpose Storage Method
Email Address Account identification, communication, login Encrypted database (PostgreSQL)
Password Account security and authentication Hashed with bcrypt (never stored as plain text)
Account Status Subscription management Database (pending, completed, verified)
Session Data Maintain logged-in state JWT tokens (2-hour expiry)

2.2 Financial Information

For subscription billing, we collect:

  • Payment Information: Processed and stored securely by Stripe (our payment processor). We do not store your credit card details on our servers.
  • Stripe Customer ID: Used to link your account with Stripe
  • Subscription Information: Plan type (monthly/yearly), subscription status, renewal dates
  • Transaction History: Payment amounts, dates, invoice IDs, payment status for record-keeping

2.3 Trading API Credentials

To enable automated trading, you provide:

  • Binance API Keys: Encrypted with AES-256-CBC before storage
  • Binance API Secrets: Encrypted with AES-256-CBC before storage
  • Telegram Username: For trading notifications and bot communication (optional)

Security Note:

Your Binance API credentials are stored using military-grade AES-256-CBC encryption with unique encryption keys. We never have access to your plain-text API secrets.

2.4 Cookies and Local Storage

We use the following cookies and browser storage:

Name Type Purpose Expiration
access_token HTTP-only Cookie JWT authentication token 2 hours
userEmail Cookie Store user email for convenience 2 hours
isLoggedIn localStorage Track login state Until manually cleared
user localStorage Store user email locally Until manually cleared
pendingUserEmail localStorage Temporary storage during registration Until payment completion

2.5 Communication Data

We collect data related to our communications with you:

  • Email Verification Codes: 6-digit codes (10-minute expiry)
  • Password Reset Tokens: Secure tokens (1-hour expiry)
  • Email Correspondence: Payment confirmations, subscription reminders, account notifications

3. How We Use Your Information

We use the collected information for the following purposes:

3.1 Service Provision

  • Create and manage your user account
  • Authenticate and authorize access to our services
  • Execute automated trading operations on your behalf
  • Provide trading notifications via Telegram
  • Maintain session security and prevent unauthorized access

3.2 Payment Processing

  • Process subscription payments and renewals
  • Handle refunds and plan changes
  • Send payment confirmations and receipts
  • Manage subscription billing cycles
  • Maintain transaction records for accounting and legal compliance

3.3 Communication

  • Send email verification codes and password reset links
  • Provide subscription reminders before expiration
  • Notify you of payment issues or failed transactions
  • Send welcome emails and subscription updates
  • Respond to your inquiries and support requests

3.4 Security and Fraud Prevention

  • Monitor for suspicious activity and unauthorized access
  • Implement rate limiting (20 requests per minute per IP)
  • Enforce session expiry and automatic re-verification
  • Protect against fraudulent transactions
  • Comply with legal obligations and prevent illegal activities

3.5 Service Improvement

  • Analyze usage patterns to improve functionality
  • Identify and fix technical issues
  • Develop new features based on user needs
  • Optimize system performance and reliability

Legal Basis for Processing (GDPR):

  • Contractual Necessity: Processing is necessary to provide our services under our Terms of Service
  • Consent: You provide explicit consent when creating an account and using our services
  • Legitimate Interests: Fraud prevention, security, and service improvement
  • Legal Compliance: Meeting financial reporting and tax obligations

4. How We Share Information

We do not sell, rent, or trade your personal information. We only share your data with trusted third-party service providers necessary to operate our service.

4.1 Third-Party Service Providers

Stripe (Payment Processing)

  • Purpose: Subscription billing, payment processing, and refunds
  • Data Shared: Email address, customer ID, payment information
  • Privacy Policy: https://stripe.com/privacy
  • Compliance: PCI DSS Level 1 certified

SendGrid (Email Delivery)

  • Purpose: Transactional email delivery (verification, receipts, notifications)
  • Data Shared: Email addresses and email content
  • Privacy Policy: https://www.twilio.com/legal/privacy
  • Compliance: GDPR and SOC 2 compliant

Binance (Trading Platform)

  • Purpose: Execute trading operations via API
  • Data Shared: Your encrypted API keys (you control permissions)
  • Privacy Policy: https://www.binance.com/en/privacy
  • Note: You maintain full control over API permissions

4.2 Legal Requirements

We may disclose your information if required by law or in response to:

  • Court orders, subpoenas, or other legal processes
  • Government or regulatory requests
  • Requests to protect our rights, property, or safety
  • Investigations of fraud, security breaches, or illegal activities
  • Compliance with tax and financial reporting obligations

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email before any such transfer and provide options for account deletion if desired.

5. Data Security

We implement industry-standard security measures to protect your personal information from unauthorized access, disclosure, alteration, or destruction.

5.1 Encryption and Hashing

Data Type Protection Method Standard
Passwords bcrypt hashing with salt 10 salt rounds
Binance API Keys AES-256-CBC encryption 256-bit encryption key
Session Tokens JWT with signature HS256 algorithm
Database Connections TLS/SSL encryption TLS 1.2+
Cookies HTTP-only, Secure, SameSite Production: Secure flag enabled

5.2 Access Controls

  • Rate Limiting: 20 requests per minute per IP address to prevent abuse
  • Session Management: Automatic expiry after 2 hours of inactivity
  • Forced Re-verification: Expired sessions require email verification
  • Password Requirements: Minimum security standards enforced
  • Two-Factor Authentication: Email-based verification codes

5.3 Infrastructure Security

  • Database: PostgreSQL with encrypted connections and shadow databases
  • Job Queue: Redis with secure configuration
  • API Endpoints: HTTPS/TLS encryption for all communications
  • CORS Protection: Restricted to authorized domains only
  • Regular Backups: Automated database backups for disaster recovery

5.4 Security Monitoring

  • Continuous monitoring for suspicious activity
  • Automated detection of failed login attempts
  • Regular security audits and vulnerability assessments
  • Logging of authentication and authorization events

Important Security Notice:

While we implement robust security measures, no system is 100% secure. You are responsible for maintaining the confidentiality of your account credentials. Never share your password or API keys with anyone. Contact us immediately at tuna@semiautotradebot.app if you suspect unauthorized access.

6. Your Privacy Rights

Under various privacy laws including GDPR (for EU residents) and other applicable regulations, you have the following rights regarding your personal data:

Right to Access

Request a copy of all personal data we hold about you, including account information, transaction history, and stored preferences.

Right to Deletion

Request deletion of your account and associated data. We will delete your information within 30 days, subject to legal retention requirements.

Right to Rectification

Update or correct inaccurate personal information through your profile settings or by contacting us.

Right to Data Portability

Export your transaction history and account data in a machine-readable format (CSV/JSON).

Right to Object

Object to certain processing of your data, such as marketing communications or automated decision-making.

Right to Withdraw Consent

Cancel your subscription and withdraw consent for data processing at any time through the Stripe customer portal.

How to Exercise Your Rights

To exercise any of these rights, please contact us at:

  • Email: tuna@semiautotradebot.app
  • Subject Line: "Privacy Rights Request - [Your Name]"
  • Include: Your registered email address and specific request details

We will respond to your request within 30 days. For security purposes, we may need to verify your identity before processing certain requests.

Account Deletion Process

To delete your account:

  1. Cancel your subscription through the Stripe customer portal
  2. Email us at tuna@semiautotradebot.app requesting account deletion
  3. We will confirm deletion within 30 days and remove:
    • Your account credentials
    • Encrypted API keys
    • Personal preferences and settings
    • Session data and cookies
  4. Transaction records may be retained for legal/accounting compliance (typically 7 years)

7. Cookies and Tracking Technologies

We use cookies and similar technologies to provide and improve our service. This section explains what cookies we use and how you can control them.

7.1 Essential Cookies

These cookies are necessary for the website to function and cannot be disabled:

Cookie Name Purpose Duration Type
access_token Authentication and session management 2 hours HTTP-only, Secure
userEmail Store user email for convenience 2 hours Standard cookie

7.2 Local Storage

We use browser localStorage to store non-sensitive data:

  • isLoggedIn: Boolean flag to track authentication state
  • user: User email for quick access
  • pendingUserEmail: Temporary storage during registration process

7.3 Third-Party Cookies

Our service integrates with third-party services that may set their own cookies:

  • Stripe: Payment processing and fraud prevention
  • Flowbite: UI component library (no tracking)

7.4 Analytics and Tracking

We currently do not use analytics or tracking cookies (e.g., Google Analytics). If this changes in the future, we will update this policy and provide opt-out options.

7.5 Managing Cookies

You can control cookies through your browser settings:

  • Delete Cookies: Clear existing cookies from your browser
  • Block Cookies: Configure your browser to reject cookies
  • Note: Blocking essential cookies will prevent you from using our service

Browser-specific instructions: www.allaboutcookies.org

8. Data Retention

We retain your personal information for as long as necessary to provide our services and comply with legal obligations.

8.1 Retention Periods

Data Type Retention Period Reason
Active Account Data While subscription is active Service provision
Inactive/Cancelled Accounts Until deletion requested Allow account reactivation
Pending Users (Unpaid) Retained until account deletion requested Allow payment completion at any time
Transaction Records 7 years Tax and legal compliance
Verification Codes 10 minutes Security and expiry
Password Reset Tokens 1 hour Security and expiry
Session Data 2 hours Session timeout
Email Logs 90 days Delivery verification

8.2 Automatic Data Deletion

Our system automatically removes certain data:

  • Expired Sessions: Session tokens expire and are cleared after 2 hours
  • Temporary Codes: Verification and reset codes expire automatically
  • Failed Logins: Rate-limiting records reset after 1 minute

8.3 Legal Retention

Some data must be retained to comply with legal obligations:

  • Financial Records: Transaction history retained for 7 years per IRS requirements
  • Fraud Prevention: Records of fraudulent activity retained indefinitely
  • Legal Disputes: Relevant data retained until disputes are resolved

Data Deletion Request:

When you request account deletion, we will delete all personal data except where retention is legally required. Transaction records will be anonymized by removing personally identifiable information while preserving financial records for compliance.

9. International Data Transfers

TunaLabs LLC operates from Wyoming, United States. We serve users globally, including in the European Union, Turkey, and other international locations.

9.1 Data Location

  • Primary Servers: United States
  • Database: PostgreSQL hosted in secure US data centers
  • Backup Systems: Geographically distributed for redundancy

9.2 Cross-Border Transfers

When you use our service from outside the United States, your data may be transferred to and processed in the US. We ensure adequate protection through:

  • Encryption: All data is encrypted in transit and at rest
  • Access Controls: Strict authentication and authorization measures
  • Contractual Safeguards: Data processing agreements with third-party providers
  • GDPR Compliance: We honor GDPR rights for EU users regardless of data location

9.3 Third-Party International Transfers

Our third-party service providers may also transfer data internationally:

  • Stripe: Complies with GDPR and uses Standard Contractual Clauses (SCCs)
  • SendGrid: Operates globally with GDPR-compliant data centers
  • Binance: Your API keys connect to Binance's global infrastructure

9.4 EU User Rights

For users in the European Economic Area (EEA), UK, and Switzerland:

  • You have all rights outlined in Section 6 (Your Privacy Rights)
  • We process your data based on consent, contractual necessity, and legitimate interests
  • You may lodge complaints with your local data protection authority
  • We use appropriate safeguards for international data transfers

10. Children's Privacy

Our service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children.

10.1 Age Restriction

  • You must be at least 18 years old to use Semi Auto Trade Bot
  • Cryptocurrency trading requires legal adult status in most jurisdictions
  • Payment processing through Stripe requires users to be 18+

10.2 Parental Notice

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at tuna@semiautotradebot.app. We will delete such information within 30 days of verification.

10.3 COPPA Compliance

We comply with the Children's Online Privacy Protection Act (COPPA) and do not knowingly collect information from children under 13. Our Terms of Service explicitly prohibit use by minors.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features.

11.1 Notification of Changes

When we make changes, we will:

  • Update the "Last Updated" date at the top of this policy
  • Send email notification to registered users for material changes
  • Display a prominent notice on our website
  • Require re-acceptance for significant changes affecting your rights

11.2 Your Acceptance

By continuing to use our service after changes are posted, you accept the updated Privacy Policy. If you do not agree with the changes, you may:

  • Cancel your subscription through the Stripe customer portal
  • Request account deletion
  • Stop using our service

11.3 Version History

We maintain a record of privacy policy versions. Previous versions are available upon request by emailing tuna@semiautotradebot.app.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

TunaLabs LLC

Mailing Address:

30 N Gould St Ste N
Sheridan, WY 82801
United States

Response Time

We aim to respond to all privacy-related inquiries within:

  • General Inquiries: 2-3 business days
  • Data Access Requests: 30 days (as required by GDPR)
  • Deletion Requests: 30 days with confirmation
  • Security Concerns: 24 hours for urgent matters

Regulatory Authorities

If you are located in the European Economic Area and have concerns about our data practices, you have the right to lodge a complaint with your local data protection authority.

Effective Date

This Privacy Policy is effective as of November 3, 2025 and applies to all users of Semi Auto Trade Bot services.

Governing Law

This Privacy Policy is governed by the laws of the State of Wyoming, United States, without regard to its conflict of law provisions. Any disputes arising from this policy shall be resolved in the courts of Wyoming.

For users in the European Union: This does not affect your rights under GDPR or your ability to lodge complaints with local data protection authorities.