Privacy Policy
Last updated: July 2026
This policy explains what personal data BTCMatic (operated by SMARTCHIP Ltd, the data controller) processes, why, and what rights you have. We collect the minimum the service needs — there are no ads, no tracking pixels, and we never sell data.
1. What we store
| Data | Purpose | Legal basis |
|---|---|---|
| Email address | Account identity, magic-link sign-in, service notifications | Contract |
| Your rules, watched addresses, fire/order history and evaluation traces | Providing the automation service; showing you why rules did or did not fire | Contract |
| Exchange API keys (trade-only) | Placing orders on your exchange account. Stored with per-account envelope encryption (AES-256-GCM, keys wrapped by a hardware KMS); decrypted only in the isolated order executor, never logged | Contract |
| Notification channels (Telegram chat id, email, webhook URLs and signing secrets) | Delivering the notifications you configure; webhook secrets encrypted at rest | Contract |
| Subscription and payment status | Billing. Card details go directly to Stripe — we never see or store them | Contract |
| Audit log (fires, orders, key validations, account actions) and server logs | Security, abuse prevention, support and dispute resolution | Legitimate interest |
Bitcoin addresses you watch are public blockchain data; we treat your association with them as personal data and protect it accordingly.
2. Processors and recipients
We share data only with the processors needed to run the service:
| Processor | Role | Location |
|---|---|---|
| Hetzner Online GmbH | Hosting (all application data) | Germany (EU) |
| Cloudflare, Inc. | DNS, TLS proxy, DDoS protection (traffic metadata) | EU/US (SCCs) |
| Stripe, Inc. | Payment processing (email, payment details) | EU/US (SCCs) |
| Telegram | Message delivery, only if you connect a Telegram channel | Per Telegram's policy |
| Transactional email (SMTP) provider | Magic-link and notification email delivery | EU region selected |
Amazon Web Services provides the key-management service (KMS) that wraps our encryption keys; your raw exchange keys are never sent to AWS. We disclose data to authorities only when legally required.
3. Retention
- Account data: for the life of the account, deleted or anonymised within 30 days of closure.
- Exchange API keys: deleted immediately when you remove them or close the account.
- Audit log: up to 24 months (security and dispute resolution).
- Backups: encrypted, rotated out within 30 days.
- Invoicing records: as long as tax law requires.
4. Your rights (GDPR)
You can request access, rectification, erasure, restriction, portability, and object to legitimate-interest processing, by emailing privacy@btcmatic.com. We respond within 30 days. You may also lodge a complaint with your local supervisory authority. Sign-in uses magic links — we store no passwords. Cookies: a session token only, strictly necessary, no third-party or advertising cookies.
5. Security
Security posture is summarised on the Security page: non-custodial design, trade-only keys with exchange-side IP allow-listing, envelope encryption at rest, isolated order execution, and immutable audit trails. If a breach affecting your data occurs, we will notify you and the supervisory authority as GDPR requires.
6. Changes and contact
We will announce material changes to this policy by email or in-app before they take effect. Controller: SMARTCHIP Ltd. Contact: privacy@btcmatic.com.