Privacy Policy

1. Information We Collect

We collect only the data needed to operate the service:

• Account credentials — username and password hash (we never store plaintext passwords).
• Telegram chat ID (only if you choose to link Telegram for notifications) and the Telegram username you used at link time.
• Exchange API keys and secrets you provide. These are encrypted at rest with AES-256 and used only to place trades on your behalf. Withdrawal scope is never required.
• Trading data generated while using the service: orders, fills, position state, profit/loss, and configured strategy parameters.
• Standard technical logs (IP address, browser user agent, timestamps) used for security monitoring and debugging.

2. How We Use Information

• To operate the arbitrage service — connect to exchanges via your API keys, execute hedged trades, and report PnL to you.
• To compute and charge our server subscription and performance fees per our Terms.
• To answer your support requests when you contact us.
• To detect and prevent abuse, fraud, and security incidents.

3. How We Share Information

We do not sell, rent, or share your personal data with third parties for marketing. Operationally we share: (a) your encrypted API key usage with the exchanges you choose to connect — required to place trades; (b) hosting and infrastructure data with our cloud provider (AWS, Singapore region); (c) limited account data with payment processors when you pay invoices. We do not share data with advertisers or analytics brokers.

4. Security

• API keys and secrets are encrypted at rest using AES-256.
• All traffic to arbitron.app is served over HTTPS with HSTS enforced for one year.
• Servers are hosted on AWS in the ap-southeast-1 (Singapore) region with private VPC routing for all internal traffic.
• API keys provided by users must NOT have withdrawal permission. We technically cannot move funds out of your exchange accounts.

5. Cookies and Local Storage

We use a session cookie to keep you logged in, a culture cookie to remember your language choice, and an anti-forgery cookie for form-submission protection. We use browser local storage to remember UI preferences such as theme (light/dark). On our public pages we use privacy-friendly, anonymous, cookieless product analytics (PostHog, hosted in the EU) to understand traffic: it records anonymous page views and approximate location and device derived from your IP, stores no identifier on your device, never collects personal data, never identifies you, is not used for advertising, and does not track you across other sites. Analytics never runs once you are signed in.

6. Your Rights

• Right to access — request a copy of the personal data we hold about you.
• Right to deletion — request that we delete your account and associated personal data.
• Right to portability — export your trading history in a machine-readable format.
• Right to correction — update inaccurate personal data.

To exercise any of these rights, email support@arbitron.app. We respond within 30 days.

7. Data Retention

We keep your account data while your account is active. After account deletion, personal data is removed within 30 days. Aggregated trading metrics may be retained longer for service improvement. Encrypted API keys are deleted immediately when you remove them from your profile or close your account.

8. Children

Arbitron is intended for users aged 18 and over. We do not knowingly collect personal data from minors. If you believe a minor has provided us with data, please contact us and we will delete it.

9. Changes to This Policy

We may update this policy as the service evolves. Material changes will be announced in-app and to linked Telegram accounts at least 14 days before they take effect. The effective date at the top of this page reflects the latest revision.

10. Contact

Questions or requests about this policy can be sent to support@arbitron.app. The data controller is Arbitron, a UAE-registered entity.