Legal

Privacy Policy

This policy explains what personal data BTCMatic (operated by SMARTCHIP Ltd, the data controller) processes, why, and what rights you have. We collect the minimum the service needs — there are no ads, no tracking pixels, and we never sell data.

1. What we store

DataPurposeLegal basis
Email addressAccount identity, magic-link sign-in, service notificationsContract
Your rules, watched addresses, fire/order history and evaluation tracesProviding the automation service; showing you why rules did or did not fireContract
Exchange API keys (trade-only)Placing orders on your exchange account. Stored with per-account envelope encryption (AES-256-GCM, keys wrapped by a hardware KMS); decrypted only in the isolated order executor, never loggedContract
Notification channels (Telegram chat id, email, webhook URLs and signing secrets)Delivering the notifications you configure; webhook secrets encrypted at restContract
Subscription and payment statusBilling. Card details go directly to Stripe — we never see or store themContract
Audit log (fires, orders, key validations, account actions) and server logsSecurity, abuse prevention, support and dispute resolutionLegitimate interest

Bitcoin addresses you watch are public blockchain data; we treat your association with them as personal data and protect it accordingly.

2. Processors and recipients

We share data only with the processors needed to run the service:

ProcessorRoleLocation
Hetzner Online GmbHHosting (all application data)Germany (EU)
Cloudflare, Inc.DNS, TLS proxy, DDoS protection (traffic metadata)EU/US (SCCs)
Stripe, Inc.Payment processing (email, payment details)EU/US (SCCs)
TelegramMessage delivery, only if you connect a Telegram channelPer Telegram's policy
Transactional email (SMTP) providerMagic-link and notification email deliveryEU region selected

Amazon Web Services provides the key-management service (KMS) that wraps our encryption keys; your raw exchange keys are never sent to AWS. We disclose data to authorities only when legally required.

3. Retention

4. Your rights (GDPR)

You can request access, rectification, erasure, restriction, portability, and object to legitimate-interest processing, by emailing privacy@btcmatic.com. We respond within 30 days. You may also lodge a complaint with your local supervisory authority. Sign-in uses magic links — we store no passwords. Cookies: a session token only, strictly necessary, no third-party or advertising cookies.

5. Security

Security posture is summarised on the Security page: non-custodial design, trade-only keys with exchange-side IP allow-listing, envelope encryption at rest, isolated order execution, and immutable audit trails. If a breach affecting your data occurs, we will notify you and the supervisory authority as GDPR requires.

6. Changes and contact

We will announce material changes to this policy by email or in-app before they take effect. Controller: SMARTCHIP Ltd. Contact: privacy@btcmatic.com.