Privacy Policy
Last updated: May 20, 2025
Summary: Strykr collects only what is necessary to run your trading bot. We do not sell your data. Your API keys are encrypted and used solely to execute trades on your behalf.
1. Who We Are
Strykr ("we", "us", "our") is an automated algorithmic trading software platform accessible at strykrbot.com. This Privacy Policy explains how we collect, use, store, and protect information about you when you use our service.
For privacy questions, contact us at [email protected].
2. Information We Collect
We collect the following categories of information:
- Account information: Email address and password (hashed) when you register.
- Exchange API keys: Read/trade API keys and secrets for Coinbase and Alpaca that you provide to connect your brokerage accounts. These are encrypted at rest and never stored in plaintext.
- Trade data: Records of orders placed on your behalf, including symbol, side, quantity, price, timestamp, and outcome. This data is stored to power your dashboard and trade history.
- Bot configuration: Settings you configure such as risk mode, daily loss limits, and watchlists.
- Billing information: Subscription status and billing history. Payment card details are processed and stored exclusively by Stripe — we never see or store your full card number.
- Usage data: Log data such as login timestamps, IP addresses, and API request metadata for security and debugging purposes.
3. How We Use Your Information
We use collected information to:
- Authenticate your account and maintain your session
- Connect to your exchange accounts and execute automated trades
- Display your trade history, P&L, and bot status in the dashboard
- Process subscription payments through Stripe
- Send transactional emails (trade alerts, trial reminders, billing notifications)
- Monitor platform health and diagnose software errors
- Enforce our Terms of Service and prevent prohibited conduct
We do not use your data for advertising, profiling, or any purpose unrelated to operating the Service.
4. Exchange API Keys
Your Coinbase and Alpaca API keys are the most sensitive data we hold. We handle them as follows:
- API keys are encrypted using industry-standard AES encryption before being written to our database.
- Keys are decrypted in memory only when needed to place a trade or check a position, then immediately discarded from application memory.
- Keys are never logged, never transmitted to third parties, and never used for any purpose other than trading on your behalf.
- We strongly recommend providing API keys with trade permissions only — never withdrawal permissions.
You can revoke our access at any time by deleting the API key from your exchange account settings. Upon deletion, Strykr can no longer place orders in your account.
5. Data Sharing and Third Parties
We do not sell, rent, or trade your personal information. We share data with third parties only as follows:
- Stripe: Payment processing. Stripe receives your email address and billing details to manage subscriptions. Stripe's privacy policy is available at stripe.com/privacy.
- Resend / SendGrid: Transactional email delivery (trade notifications, trial reminders, billing alerts). Your email address is passed to deliver messages only.
- Coinbase / Alpaca: Your API keys are used to communicate with these exchanges on your behalf. We pass only the information required to place, modify, or cancel orders.
- Infrastructure providers: Our servers are hosted on DigitalOcean. Data at rest is encrypted. DigitalOcean does not have access to your application data.
- Law enforcement: We may disclose information if required by applicable law, court order, or government request.
6. Data Retention
We retain your data for as long as your account is active or as needed to provide the service. Specifically:
- Account and configuration data: Retained until you delete your account.
- Trade history: Retained indefinitely to support your historical records. You may export your full trade history as a CSV at any time from the dashboard.
- API keys: Deleted immediately when you remove them from your account settings or delete your account.
- Log data: Retained for up to 90 days for security and debugging purposes, then purged.
- Billing records: Retained for 7 years as required for financial compliance.
7. Data Security
We take reasonable technical measures to protect your data:
- All data in transit is encrypted using TLS 1.2 or higher (HTTPS).
- API keys and passwords are encrypted or hashed at rest — plaintext values are never stored.
- Database access is restricted to the application server; no public database endpoint is exposed.
- We conduct periodic reviews of access controls and security configurations.
No system is 100% secure. In the event of a data breach affecting your account, we will notify you by email within 72 hours of discovery.
8. Your Rights and Choices
You have the following rights regarding your personal data:
- Access: You may request a copy of the personal data we hold about you.
- Correction: You may update your email address from account settings or by contacting us.
- Deletion: You may request deletion of your account and all associated data. API keys are deleted immediately; trade history is purged within 30 days. Billing records are retained as required by law.
- Export: You may download your full trade history in CSV format from the dashboard at any time.
- Opt-out of emails: You may unsubscribe from non-transactional emails via the unsubscribe link in any email. Note that transactional messages (trade alerts, billing receipts) cannot be disabled while your account is active.
To exercise any of these rights, email [email protected].
9. Cookies and Tracking
Strykr uses a minimal set of cookies:
- Authentication token: A session cookie storing your JWT login token, required for the application to function. This cookie is HttpOnly and Secure.
- Preference cookies: We may store lightweight preferences (e.g., selected bot, UI state) in browser localStorage.
We do not use advertising cookies, cross-site tracking, or analytics platforms such as Google Analytics. We do not use tracking pixels or fingerprinting.
10. Children's Privacy
Strykr is not intended for users under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has created an account, contact us at [email protected] and we will delete the account promptly.
11. International Users
Strykr is operated from the United States. If you access the Service from outside the US, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We apply the same privacy protections regardless of where you are located.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to your registered address. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after changes constitutes acceptance of the updated policy.
13. Contact
Privacy questions, data requests, or concerns? Email us at [email protected]. We aim to respond within 5 business days.