Privacy Policy
Last updated: June 2026
This Privacy Policy explains what personal data CryptoCopilot collects, how it is used and how it is protected.
1. Data controller
CryptoCopilot is the data controller for personal data collected through the Platform at cryptocopilot.online.
2. Data we collect
- Registration data: username, email address and password (stored hashed with bcrypt).
- Bitget UID: your Bitget account identifier, required to verify Platform access.
- Bitget API keys: key, secret and passphrase, stored encrypted with AES-256-GCM. Used for read-only queries only.
- Session data: session identifier in a Secure, HttpOnly, SameSite cookie. Maximum duration 8 hours.
- Language preference: a lang cookie containing no personal data.
- Access logs: standard server logs (IP, timestamp, path). Retained for the minimum time required for security and diagnostics.
3. Purpose of processing
- Managing your account and authenticating your access.
- Verifying eligibility (Bitget referral).
- Fetching data from your Bitget account to display your portfolio analysis.
- Maintaining Platform security (detecting unauthorised access, blocking attacks).
4. Commercial relationship with Bitget — Affiliate disclosure
CryptoCopilot participates in Bitget's referral programme. This means we may receive a financial commission from Bitget when a user creates a Bitget account through our referral link. This commercial relationship is fully transparent and does not in any way affect the analyses, scores or information displayed by the Platform, which are calculated algorithmically and independently.
This disclosure is made in compliance with EU rules on unfair commercial practices (Directive 2005/29/EC), the UK CAP Code, and the US Federal Trade Commission (FTC) guidelines on endorsement and testimonial disclosures.
5. Legal basis
Processing is based on the performance of a contract (provision of the service) and on CryptoCopilot's legitimate interest in maintaining Platform security.
5. Data retention
We retain your data for as long as your account is active. You may request deletion of your account and all associated data at any time by contacting us (see section 9).
6. Data sharing
We do not sell or transfer your personal data to third parties. The only data transmitted externally are API queries to Bitget, which are protected by HTTPS and are necessary for the service to function.
7. Security
We apply appropriate technical and organisational measures: bcrypt-12 password hashing, AES-256-GCM encrypted API keys, HttpOnly/Secure/SameSite cookies, CSRF tokens, mandatory HTTPS, login rate limiting and HTTP security headers.
8. Your rights (GDPR / UK GDPR)
If you reside in the European Union or the United Kingdom, you have the following rights regarding your personal data:
- Access: know what data we hold about you.
- Rectification: correct inaccurate or incomplete data.
- Erasure ("right to be forgotten"): request deletion of your data.
- Restriction: ask us to suspend processing in certain circumstances.
- Portability: receive your data in a machine-readable format.
- Objection: object to processing based on legitimate interest.
To exercise any of these rights, email us at support@cryptocopilot.online. We will respond within 30 days. If you believe our processing of your data violates the GDPR, you have the right to lodge a complaint with your local supervisory authority (e.g. the ICO in the UK, or your national DPA in the EU).
9. Security breach notification (GDPR Art. 33–34)
In the event of a security breach affecting personal data, CryptoCopilot commits to:
- Notify the competent supervisory authority within 72 hours of becoming aware of the breach, where it is likely to result in a risk to the rights and freedoms of affected individuals.
- Notify affected users directly without undue delay where the breach is likely to result in a high risk to their rights, including the nature of the breach, the data involved and the measures taken.
- Maintain an internal record of all security breaches.
10. California residents — CCPA / CPRA rights
If you are a California resident, the California Consumer Privacy Act (CCPA) and the CPRA grant you the following additional rights:
- Right to know: what personal information we collect, use, disclose or sell.
- Right to delete: request deletion of your personal information.
- Right to non-discrimination for exercising your CCPA rights.
- "Do Not Sell or Share My Personal Information": CryptoCopilot does not sell or share personal data with third parties for commercial or advertising purposes. No opt-out process is needed because we do not engage in this practice.
To exercise your rights under CCPA, contact us at support@cryptocopilot.online.
11. Contact
For any privacy queries, to exercise your rights (access, rectification, erasure, portability) or to request deletion of your account and all associated data, email us at: support@cryptocopilot.online. We respond to all requests within 30 days.