Privacy & Data Protection

Privacy Policy

Last updated: April 15, 2025 GDPR Compliant Registered in Finland, EU
We Don't Sell Your Data
Your information is never sold, traded, or shared with advertisers under any circumstances.
No Personal ID Required
No name, email, phone number, or government ID is required to use PolyCopyBot.
Wallet Address Only
Authentication is handled solely via your Web3 wallet signature — no passwords, no accounts.
GDPR Compliant
Fully compliant with EU GDPR. You have the right to access, correct, and erase your data at any time.
Section 1

Introduction & Data Controller

Welcome to PolyCopyBot. This Privacy Policy explains how PolyCopyBot ("we", "us", "our") collects, uses, and protects information relating to your use of our automated copy-trading platform for Polymarket, accessible at polycopybot.app.

The data controller responsible for your personal data under the General Data Protection Regulation (GDPR) is:

Company
PolyCopyBot
Registered Address
Olympiaranta 1, Helsinki 00140, Finland
Jurisdiction
Finland, European Union — GDPR applies
Data Protection Contact
[email protected]

By using PolyCopyBot, you acknowledge and agree to the practices described in this policy. If you do not agree, please discontinue use of the service.

Section 2

What Data We Collect

PolyCopyBot is designed with data minimisation as a core principle. We collect only what is strictly necessary to provide the service. No name, email address, phone number, government ID, or any traditional personally identifiable information is required.
Data Type Details Purpose
Wallet Address Your public Ethereum/Polygon wallet address (e.g. 0x…) Authentication & identity within the platform
Session Data Session tokens, timestamps, device type, browser info Security, fraud prevention, service continuity
Usage Analytics Pages visited, features used, click patterns (anonymised) Product improvement, performance monitoring
Bot Configuration Your chosen copy-trading parameters and preferences Executing your copy-trading instructions
Log Data Server logs including IP address, request times, error logs Security monitoring, debugging, compliance

We do not collect and never request the following:

  • Full legal name or personal identity information
  • Email address (unless you voluntarily contact support)
  • Phone number or SMS verification
  • Government-issued ID, passport, or KYC documentation
  • Private keys, seed phrases, or wallet credentials
  • Payment card or banking information
Section 3

How We Use Your Data

We use the minimal data we collect exclusively for the following purposes:

  • Service Provision: Authenticating your wallet, executing your copy-trading bot configurations, and displaying your trading dashboard.
  • Security & Fraud Prevention: Detecting unusual activity, preventing unauthorised access, and protecting the integrity of the platform.
  • Service Improvement: Understanding how features are used to improve product quality and prioritise development.
  • Technical Operations: Monitoring server performance, diagnosing errors, and maintaining uptime.
  • Legal Compliance: Fulfilling obligations under applicable law, including GDPR and Finnish data protection legislation.
  • Support Communications: Responding to queries you initiate via email or contact form.
We do not use your data for behavioural advertising, profiling, automated decision-making with significant legal effects, or any purpose not listed above.
Section 4

Legal Basis for Processing

Under GDPR Article 6, we rely on the following legal bases for processing your data:

GDPR Art. 6(1)(b)
Performance of a Contract
Processing your wallet address and bot configuration is necessary to deliver the copy-trading service you have requested.
GDPR Art. 6(1)(f)
Legitimate Interests
Processing log data and usage analytics to maintain platform security, prevent fraud, and improve service quality.
GDPR Art. 6(1)(c)
Legal Obligation
Retaining certain records to comply with Finnish law and applicable EU regulations where required.
GDPR Art. 6(1)(a)
Consent
Where we deploy optional analytics or non-essential cookies, we rely on your freely given, informed consent which you may withdraw at any time.

We regularly review our processing activities to ensure each activity has an appropriate legal basis.

Section 5

Data Storage & Security

We take the security of your data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, loss, or disclosure.

  • Encryption at rest: All stored data is encrypted using AES-256 encryption.
  • Encryption in transit: All data transmitted between your browser and our servers is secured via TLS 1.3.
  • EU-based servers: Data is stored exclusively on servers located within the European Union, ensuring GDPR territorial protections apply.
  • Access controls: Access to personal data is restricted to authorised personnel on a strict need-to-know basis.
  • Regular audits: We conduct periodic security assessments and vulnerability scanning of our infrastructure.
  • Log retention: Server logs containing IP addresses are retained for a maximum of 90 days, after which they are automatically purged.
In the event of a personal data breach that is likely to result in high risk to affected individuals, we will notify the relevant supervisory authority and affected users in accordance with GDPR Article 33 and 34 timelines (72-hour notification).
Section 6

Cookies & Tracking

PolyCopyBot uses a minimal cookie footprint. We do not use advertising trackers, third-party marketing pixels, or cross-site tracking technologies.

pp_session Essential Maintains your authenticated session after connecting your wallet. Expires on browser close or after 24 hours of inactivity.
pp_csrf Essential Cross-site request forgery protection token. Required for secure form submissions and API calls.
pp_prefs Essential Stores your UI preferences (theme, layout settings) locally. Contains no personal data.
pp_analytics Analytics Anonymised usage analytics for product improvement. Collected only with your consent. Contains no wallet address or identifying data.
Essential cookies are necessary for the service to function and cannot be disabled. The analytics cookie is optional and only set with your consent. You may clear all cookies through your browser settings at any time.
Section 7

Third-Party Services

To deliver our service, we integrate with the following third-party providers. We share only the minimum data necessary for each integration and have Data Processing Agreements (DPAs) in place where required by GDPR.

Polygon RPC
Blockchain Network
Facilitates on-chain transaction broadcasting to the Polygon network. Your wallet address and transaction data are shared as required by the blockchain protocol. On-chain data is inherently public.
WalletConnect
Wallet Authentication
Provides secure, open-source wallet connection infrastructure. WalletConnect acts as a relay only; no personal data beyond the connection session is stored by them. See walletconnect.com for their privacy policy.
Cloud Infrastructure
Hosting & CDN
Our application is hosted on EU-based servers. All hosting providers are bound by GDPR-compliant data processing agreements and Standard Contractual Clauses where applicable.
Analytics
Product Analytics (Optional)
We use privacy-respecting, cookieless analytics to understand platform usage. No data is shared with advertising networks. Analytics are only activated with your consent.

We do not sell, rent, or share your data with any third party for marketing, advertising, or commercial purposes. Any third-party access is strictly limited to what is necessary for the above integrations.

Section 8

Your GDPR Rights

Under the General Data Protection Regulation, you have the following rights regarding your personal data. To exercise any of these rights, contact us at [email protected]. We will respond within 30 days in accordance with GDPR Article 12.

Right of Access (Art. 15)
Request a copy of all personal data we hold about you, including the purposes for which it is processed and how long it is retained.
Right to Rectification (Art. 16)
Request correction of any inaccurate or incomplete personal data we hold about you.
Right to Erasure (Art. 17)
Request deletion of your personal data ("right to be forgotten") where we no longer have a lawful basis to retain it.
Right to Restriction (Art. 18)
Request that we restrict the processing of your data in certain circumstances, such as while a dispute over accuracy is resolved.
Right to Portability (Art. 20)
Receive your personal data in a structured, machine-readable format, and have it transferred to another controller where technically feasible.
Right to Object (Art. 21)
Object to processing based on legitimate interests, including profiling. We must stop unless we can demonstrate compelling legitimate grounds.
Right to Withdraw Consent (Art. 7)
Withdraw any consent you have given at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Right to Lodge a Complaint
Lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu) at tietosuoja.fi if you believe your rights have been violated.
To exercise your rights, email [email protected] with the subject line "GDPR Request". We may need to verify your identity (via wallet signature) before fulfilling your request.
Section 9

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods are as follows:

Active Account Data (wallet address, preferences) For the duration of your active use of the service.
Active period
Server & Access Logs (IP address, timestamps) Automatically purged after the retention window.
90 days
Session Tokens & CSRF Tokens Invalidated on logout or after inactivity timeout.
24 hours
Analytics Data Aggregated and anonymised; individual sessions deleted.
12 months
Support Correspondence (if email provided) Retained for support continuity and legal compliance.
3 years
Data after account deletion request Purged upon verified erasure request unless legally required.
30 days

On expiry of the relevant retention period, data is securely deleted or anonymised such that it can no longer be attributed to any individual.

Section 10

International Transfers

PolyCopyBot stores and processes data exclusively on servers located within the European Union. In the ordinary course of operations, we do not transfer personal data outside the EEA.

Blockchain interactions (e.g. Polygon network) result in transaction data being published to a public, decentralised ledger. This is an inherent property of public blockchains and is not considered a transfer under GDPR, as the data was intended to be public by design.

In the event that any third-party sub-processor is located outside the EEA, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46.

A list of our current data processing sub-processors and their locations is available on request by emailing [email protected].

Section 11

Children's Privacy

PolyCopyBot is a financial services platform intended exclusively for users who are 18 years of age or older. We do not knowingly collect or process personal data from individuals under 18.

By using PolyCopyBot, you represent and warrant that you are at least 18 years old. If we become aware that we have inadvertently collected information from a minor, we will take immediate steps to delete that data and terminate the associated account.

If you believe that a minor has provided us with personal information, please contact us immediately at [email protected] so we can take appropriate action.

Section 12

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Post a prominent notice on the PolyCopyBot dashboard for users who are logged in
  • Provide at least 14 days' notice before material changes take effect, where possible

Your continued use of PolyCopyBot after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. We encourage you to review this page periodically.

For significant changes that affect how we process your data in ways not covered by our current legal basis, we will seek fresh consent where required by GDPR.

Previous versions of this policy are available on request by contacting [email protected].

Section 13

Contact the Data Controller

For any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data, please reach out to us using the details below. We aim to respond to all privacy-related enquiries within 5 business days and will resolve all GDPR requests within the 30-day statutory window.

Data Controller
PolyCopyBot
Postal Address
Olympiaranta 1, Helsinki 00140, Finland
Email — Privacy & GDPR Requests
[email protected]
Phone
+35 8 586 001 570  Mon–Fri 09:00–18:00 EET
Supervisory Authority
Finnish Data Protection Ombudsman — tietosuoja.fi
When submitting a GDPR request, please use the subject line "GDPR Request — [Type]" (e.g. "GDPR Request — Erasure") and include your wallet address so we can identify your data. Identity verification via a signed message may be required.