Privacy Policy
Last updated: March 2026
1. Introduction
Polytrade ("we", "our", "us") is a software tool for automated prediction market trading on Polymarket. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our platform.
Polytrade is a non-custodial service. We never have access to your private keys, and your funds remain under your control at all times. This policy applies to all users of the Polytrade web dashboard, API, and associated services.
By using Polytrade, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this policy, please do not use our service.
2. Information We Collect
2.1 Account Data
- Email address — required for account creation, notifications, and account recovery.
- Username — required for identification within the platform.
- Wallet address — optional; provided by you if you choose to connect a wallet for trading.
2.2 Authentication Data
- Password — stored only as a bcrypt hash. Your plain-text password is never stored or logged.
- JWT session tokens — used to maintain authenticated sessions. Tokens are short-lived and can be revoked.
- API keys — stored only as SHA-256 hashes. The original key value is shown once at creation and never stored in plain text.
2.3 Trading Data
- Trade history (orders placed, filled, cancelled)
- Open and closed positions
- Strategy configurations and parameters
- Profit and loss (P&L) reports and performance metrics
2.4 Usage Data
- API request logs (endpoint, method, response status)
- Login timestamps and session activity
- IP addresses — used exclusively for security purposes (rate limiting, brute force protection)
2.5 Payment Data
- USDC transaction hashes on the Polygon network
- Payment amounts and subscription history
- Note: Blockchain transactions are public by nature. Transaction details are visible to anyone on the Polygon network.
2.6 What We Do NOT Collect
- Private keys or wallet seed phrases — never transmitted to or stored on our servers
- Wallet balances or holdings beyond what is publicly visible on-chain
- Personal financial information (bank accounts, credit cards, government IDs)
- Biometric data
- Location data (beyond IP-based country detection for security)
3. How We Use Your Information
- Provide and maintain the service — execute trading strategies, display your portfolio, and deliver the core software functionality.
- Process subscription payments — verify USDC payments on the Polygon blockchain and manage your subscription status.
- Send important notifications — account security alerts, billing reminders, subscription status changes, and service announcements.
- Monitor system health and security — rate limiting, brute force protection, anomaly detection, and abuse prevention.
- Improve the software — aggregate, anonymized usage patterns help us identify bugs, improve performance, and prioritize features.
- Comply with legal obligations — respond to lawful requests from authorities and maintain records as required by applicable law.
We do not use your data for advertising, profiling, or selling to third parties.
4. Data Storage and Security
4.1 Server Location
All data is stored on servers located in the European Union (Hetzner Cloud, Germany). Our infrastructure is subject to EU data protection regulations, including the General Data Protection Regulation (GDPR).
4.2 Encryption
- In transit — all connections are encrypted using TLS (HTTPS). Unencrypted HTTP connections are automatically redirected.
- At rest — sensitive data fields are encrypted using Fernet symmetric encryption before storage.
4.3 Database Security
- PostgreSQL database with encrypted, integrity-verified backups (AES encryption, SHA-256 checksums).
- Database access is restricted to the application layer only; no direct external access is permitted.
4.4 Access Controls
- Role-based access controls limit which administrators can access user data.
- Administrative actions are audit-logged.
- Containers run in read-only mode with minimal privileges.
4.5 Credential Storage
- Passwords — bcrypt hashed with per-user salts. Plain-text passwords are never stored, logged, or transmitted after initial hashing.
- API keys — SHA-256 hashed. Only the hash is stored; the original key cannot be recovered.
5. Third-Party Services
We use the following third-party services in the operation of Polytrade. Each service receives only the minimum data necessary for its function.
| Service | Purpose | Data Shared |
|---|---|---|
| Sentry (sentry.io) | Error tracking and performance monitoring | Error messages, request metadata, stack traces. No personal data is intentionally sent. See Sentry's Privacy Policy. |
| Anthropic Claude (anthropic.com) | AI model provider for market analysis (invoked via the local Claude CLI) | Market analysis prompts only. No personal user data is included in prompts. See Anthropic's Privacy Policy. |
| SMTP Provider | Transactional email delivery | Recipient email address and email content (account notifications, security alerts, billing reminders). |
| Polygon Network | Blockchain network for payments | Payment transactions are recorded on a public, immutable blockchain. Transaction details (wallet addresses, amounts, timestamps) are permanently visible. |
| Polymarket | Prediction market platform | Trading activity executed through the platform is visible on-chain. Polymarket may collect additional data per their own privacy policy. |
We do not use any third-party advertising, analytics, or tracking services. Internal metrics are collected server-side using Prometheus and are never shared externally.
Telegram is used solely for internal administrative alerts and does not process any user data.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data (email, username, wallet address) | Retained while your account is active, plus 30 days after a deletion request to allow for account recovery. |
| Trading data (history, positions, strategies) | Retained while your account is active. Deleted upon account deletion (subject to the 30-day grace period). |
| Security logs (IP addresses, login attempts) | 90 days, then automatically purged. |
| Payment records (transaction hashes, amounts) | 7 years, as required for tax and legal compliance. |
| Database backups | 30-day rolling retention. Older backups are securely destroyed. |
7. Your Rights
Under the General Data Protection Regulation (GDPR) and similar data protection laws, you have the following rights regarding your personal data:
- Right to access — request a copy of the personal data we hold about you.
- Right to rectification — request correction of inaccurate or incomplete personal data.
- Right to erasure ("right to be forgotten") — request deletion of your account and associated personal data.
- Right to data portability — request an export of your data (trade history, strategy configurations, account settings) in a machine-readable format.
- Right to restrict processing — request that we limit how we use your data in certain circumstances.
- Right to object — object to the processing of your personal data for specific purposes.
- Right to withdraw consent — withdraw your consent at any time where processing is based on consent.
How to exercise your rights:
- Email us at support@polytrade.io with your request.
- Use the account deletion feature in your dashboard settings.
- Use the data export feature in your dashboard to download your trading data.
We will respond to all data rights requests within 30 days. If we need additional time, we will notify you of the extension and the reasons for the delay.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
8. Cookies and Tracking
- Session cookies — used solely for authentication and maintaining your logged-in session. These are essential cookies required for the service to function.
- CSRF tokens — used to protect against cross-site request forgery attacks. These are security cookies.
We do not use:
- Third-party tracking cookies
- Advertising or remarketing cookies
- Analytics cookies (we use server-side Prometheus metrics only, which do not track individual users)
- Social media cookies or widgets
Because we only use strictly necessary cookies, no cookie consent banner is required under GDPR. You can configure your browser to reject cookies, but this will prevent you from using the authenticated portions of the service.
9. Children's Privacy
Polytrade is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a user under 18, we will take steps to delete that data promptly. If you believe a minor has provided us with personal data, please contact us at support@polytrade.io.
10. International Data Transfers
All data is stored and processed on servers located in the European Union (Germany). If you access Polytrade from outside the EU, your data will be transferred to our EU-based servers. By using the service, you consent to this transfer.
We do not transfer your personal data to countries outside the EU/EEA unless required by a third-party service listed in Section 5, in which case appropriate safeguards (such as Standard Contractual Clauses) are in place.
11. Blockchain Data Disclaimer
Polytrade interacts with the Polygon blockchain for payment processing and with Polymarket for trade execution. It is important to understand the following:
- Blockchain transactions are public and permanent. Once a transaction is recorded on-chain, it cannot be modified, hidden, or deleted by anyone, including us.
- Your wallet address and transaction history on the Polygon network are publicly visible to anyone.
- Exercising your right to erasure (Section 7) applies only to data stored on our servers. We cannot delete or alter any data recorded on a blockchain.
- If you wish to maintain privacy for your on-chain activity, consider using a dedicated wallet address that is not linked to your real-world identity.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
- For material changes (changes that affect your rights or how your data is processed), we will notify you by email at least 14 days before the changes take effect.
- For minor changes (clarifications, formatting, or typographical corrections), we will update the "Last updated" date at the top of this page.
- Your continued use of Polytrade after changes take effect constitutes acceptance of the updated policy.
13. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases:
- Performance of a contract (Article 6(1)(b) GDPR) — processing necessary to provide the Polytrade service you have subscribed to, including account management, trade execution, and payment processing.
- Legitimate interests (Article 6(1)(f) GDPR) — processing necessary for security (rate limiting, brute force protection, fraud prevention), system monitoring, and service improvement, where these interests are not overridden by your rights.
- Legal obligation (Article 6(1)(c) GDPR) — processing necessary to comply with tax, financial, or other legal requirements (e.g., payment record retention).
- Consent (Article 6(1)(a) GDPR) — where applicable, such as for optional marketing communications. You may withdraw consent at any time.
14. Contact
For any questions, concerns, or requests related to this Privacy Policy or your personal data, please contact us:
- Email: support@polytrade.io
- Data Protection inquiries: support@polytrade.io (subject line: "Data Protection Request")