Privacy Policy
This Privacy Policy describes how exStrat collects, processes, stores, and protects personal data when users interact with the platform. exStrat acts solely as a technical SaaS provider and does not hold funds or crypto-assets on behalf of users.
1. Data Controller
The data controller of the personal data collected through the exStrat platform is:
exStrat
Société par actions simplifiée (SAS) with a share capital of €1,000
Registered office: 60 rue François 1er, 75008 Paris, France
SIREN / SIRET: 100 131 184 / 100 131 184 00010
RCS: R.C.S. Paris 100 131 184
Publication Director: Daan Reinartz, President
Contact: contact@exstrat.io
For any question regarding this Privacy Policy or your personal data, you may contact us at contact@exstrat.io.
2. Scope of this Privacy Policy
This Privacy Policy describes how exStrat collects, processes, stores, and protects personal data when users:
- Access or use the exStrat web application
- Create an account
- Connect exchange accounts via API
- Subscribe to a paid plan
- Contact support
- Subscribe to communications (if applicable)
exStrat acts solely as a technical SaaS provider and does not hold funds or crypto-assets on behalf of users.
3. Categories of Personal Data Collected
3.1 Account Information
- Email address
- Account credentials (hashed and secured)
- Subscription status
3.2 Technical Data
- IP address
- Browser type and version
- Device information
- Session identifiers
- Connection timestamps
3.3 Usage Data
- Actions performed within the application
- Strategy configurations
- Order transmission logs (technical metadata only)
- Status of API transmissions
3.4 API Connection Data
When connecting an exchange via API:
- Encrypted API credentials (never stored in plain text)
- Exchange account identifier (where applicable)
- Technical logs related to API communication
exStrat does not access or store private keys and does not have custody of funds.
3.5 Communication Data
- Emails sent to support
- Messages exchanged via contact forms or chat
4. Purposes of Data Processing
Personal data is processed for the following purposes:
- Account creation and management
- Provision of platform functionalities
- Portfolio tracking and data display
- Technical transmission of orders via API (upon explicit user validation)
- Subscription and billing management
- Platform security and fraud prevention
- Technical monitoring and troubleshooting
- Service improvement through anonymized statistics
- Compliance with legal obligations
exStrat does not use personal data to provide personalized investment advice or financial recommendations.
5. Legal Bases for Processing (GDPR)
Processing of personal data is based on:
- Performance of a contract (Article 6(1)(b) GDPR)
- Legitimate interest (Article 6(1)(f) GDPR)
- Legal obligation (Article 6(1)(c) GDPR)
- Consent (Article 6(1)(a) GDPR), where required
6. Data Retention Period
Personal data is retained only for as long as necessary for the purposes described above:
- Account data: for the duration of the account and up to five (5) years after deletion for legal compliance
- Technical logs: up to two (2) years for security and traceability purposes
- Billing data: retained according to applicable accounting and tax regulations
After the applicable retention period, data is securely deleted or anonymized.
7. Data Recipients
Personal data may be shared with:
- Hosting providers
- Technical service providers (cloud infrastructure, email services, monitoring tools)
- Payment processors
- Legal authorities where required by law
All processors act under contractual data processing agreements compliant with GDPR.
exStrat does not sell personal data.
8. International Data Transfers
Where personal data is transferred outside the European Union, appropriate safeguards are implemented, such as:
- European Commission adequacy decisions
- Standard Contractual Clauses (SCCs)
- Equivalent data protection guarantees
9. Data Security
exStrat implements appropriate technical and organizational measures to ensure the security of personal data, including:
- Encryption of sensitive data
- Secure storage of API credentials
- Access control mechanisms
- Monitoring and logging systems
- Secure hosting infrastructure
No system can guarantee absolute security.
10. User Rights (GDPR)
In accordance with the GDPR, users have the right to:
- Access their personal data
- Rectify inaccurate data
- Request erasure
- Restrict processing
- Object to processing
- Data portability
- Withdraw consent at any time (where applicable)
Users may exercise their rights by contacting contact@exstrat.io.
Users also have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés) or their local data protection authority.
11. Cookies and Tracking Technologies
exStrat may use cookies or similar technologies for:
- Session management
- Security purposes
- Performance monitoring
- User experience improvement
Where required by law, a cookie consent mechanism is implemented.
12. Third-Party Exchanges
When users connect their exchange accounts via API:
- Data exchange is governed both by this Privacy Policy and the exchange's own terms and privacy policy
- exStrat is not responsible for the data processing practices of third-party exchanges
13. No Automated Decision-Making
exStrat does not perform automated decision-making producing legal or similarly significant effects within the meaning of Article 22 GDPR.
No automated profiling for investment purposes is carried out.
14. Changes to this Privacy Policy
exStrat reserves the right to modify this Privacy Policy at any time.
Users will be informed of substantial changes through appropriate means.
15. Contact
For any questions related to this Privacy Policy or your personal data:
60 rue François 1er, 75008 Paris, France