Privacy Policy
VERSION 1.1 · LAST UPDATED: MARCH 12, 2026 · GDPR COMPLIANT (EU 2016/679)
Commitment to transparency. This policy describes precisely what data we collect, why, how we protect it, and how you can exercise your rights. Your data is never sold. Your API keys are encrypted and technically do not allow any withdrawal of funds.
This privacy policy describes how the platform apothem (hereinafter “we” or “apothem”) collects, processes and protects your personal data, in accordance with the General Data Protection Regulation (GDPR – EU Regulation 2016/679) and the amended French Data Protection Act.
01. Data controller
The person responsible for processing your personal data is:
- Name : CREPIN
- Address : 76 Rue Massena, 69006 Lyon, France
- Email: support@apothem.fr
- Status : Individual – operator of the apothem platform
For any questions relating to the protection of your data, you can contact us directly at the email address above with the subject [GDPR]. We undertake to respond within a maximum period of 30 calendar days.
02. Data collected and purposes
We only collect data strictly necessary for the operation of the Service, in accordance with the principle of data minimization (article 5(1)(c) of the GDPR):
| Data category |
Data collected |
Purpose |
Legal basis |
Shelf life |
| Identify |
Email address, nickname |
Account creation and management, communication |
Execution of the contract |
Account duration + 3 years |
| Authentication |
Hashed password (bcrypt), 2FA token |
Securing account access |
Execution of the contract |
Account duration |
| API keys |
Public key + secret key (AES-256 encrypted) |
Execution of trading orders on the exchange |
Execution of the contract |
Until account is revoked or closed |
| Trading |
History of trades, positions, P&L |
Dashboard, performance monitoring |
Execution of the contract |
3 years after account closure |
| Configuration |
Risk parameters, position size |
Customizing bot behavior |
Execution of the contract |
Account duration |
| Connection |
IP address, connection timestamp, user-agent |
Security, fraud detection, rate limiting |
Legitimate interest (security) |
30 days |
| Session |
Session token (secure cookie) |
Staying connected |
Execution of the contract |
30 days or until disconnected |
03. Specific processing of API keys
API keys are the most sensitive data you entrust to us. We grant it special protection:
API key security: your API keys are encrypted in the database with the AES-256 algorithm via Fernet (authenticated symmetric encryption). They are never stored in plain text, never displayed in full in the interface, and never transmitted to third parties.
- Encryption at rest: storage exclusively in encrypted form (AES-256 Fernet) — unusable without the server's decryption key;
- Restricted permissions: apothem requires and recommends API keys with only “read” and “trading” permissions. Permission to opt out is never required and should never be granted;
- Lack of sharing: your API keys are never shared, resold or transmitted to third parties, including business partners;
- Single and dedicated use: your API keys are used exclusively to submit trading orders on your exchange, in response to signals received from TradingView;
- Deletion on request: your API keys are deleted from our systems upon log-in revocation or account closure.
04. Legal basis for processing
Each of our processing operations is based on a specific legal basis within the meaning of Article 6 of the GDPR:
- Performance of the contract (art. 6(1)(b)): processing of email, password, API keys, trading data, configuration parameters — necessary for the provision of the Service;
- Legitimate interest (art. 6(1)(f)): processing of IP addresses, connection logs and session data — to ensure the security of the platform and prevent unauthorized access;
- Legal obligation (art. 6(1)(c)): retention of certain data in response to a court order or legal obligation.
We do not carry out any processing based on consent for the essential functionalities of the Service — you can therefore use apothem without your consent being required for essential processing. Non-essential cookies, if they were to be added, would be subject to your prior consent.
05. Cookies and trackers
The apothem platform only uses cookies strictly necessary to the operation of the Service, which do not require prior consent:
- session : secure session cookie (HttpOnly, Secure, SameSite=Lax) allowing you to maintain your connection — duration: 30 days;
- csrf_token : anti-CSRF (Cross-Site Request Forgery) security token injected into forms — duration: browser session.
We do not use none advertising cookie, profiling cookie, or third-party tracker for behavioral analysis or marketing targeting purposes. No advertising agency has access to your browsing data on apothem.
06. Data recipients
Your personal data is processed exclusively by the following people and entities:
- The Apothem Operator (CREPIN): access to data necessary for the administration of the Service;
- Hetzner Online GmbH : host of the servers on which your data is stored, located in the European Union (Nuremberg datacenter, Germany) — Hetzner acts as a subcontractor within the meaning of the GDPR;
- Your exchange : your API keys are used to submit orders to your exchange account on your behalf — the exchange is an independent third party entity, subject to its own terms of use;
- Competent authorities : in the event of a legal obligation, judicial injunction or official investigation.
Your personal data is not never sold, rented or exchanged for commercial purposes.
07. Data transfers outside the European Union
Your data is hosted within the European Union, on Hetzner servers in Nuremberg (Germany). We ensure that your data remains within the European Economic Area as much as possible.
Transfers outside the EU may occur in the following cases:
- Connection to your exchange: depending on the exchange you use, API requests may pass through to servers located outside the EU. These exchanges take place exclusively via encrypted connections (HTTPS/TLS) and are limited to the data necessary for the execution of orders;
- Authentication via Google OAuth (if enabled): subject to the terms of Google's privacy policy and their transfer mechanisms (EU-US adequacy decision, Standard Contractual Clauses).
Any transfer outside the EU is carried out within the framework of appropriate guarantees in accordance with Articles 44 to 49 of the GDPR.
08. Security measures
We implement technical and organizational security measures adapted to the level of risk, in accordance with Article 32 of the GDPR:
- Encryption of sensitive data: encrypted API keys at rest (AES-256 Fernet), hashed passwords (bcrypt, high cost);
- Communications encryption: HTTPS/TLS protocol on all client-server exchanges;
- CSRF protection: CSRF token on all sensitive requests to prevent cross-site attacks;
- Rate limiting: limiting login attempts to prevent brute force attacks;
- Session management: secure session cookies (HttpOnly, Secure, SameSite), token rotation;
- Secure infrastructure: Hetzner servers in ISO 27001 certified data centers, located in the EU;
- Restricted access: access to data limited to authorized persons only, according to the principle of least privilege.
09. Personal data breach
In the event of a personal data breach likely to create a risk for your rights and freedoms, apothem undertakes to:
- Notify CNIL in the 72 hours following becoming aware of the incident, in accordance with article 33 of the GDPR;
- Inform you personally by email as soon as possible if the violation is likely to create a high risk for your rights and freedoms (article 34 of the GDPR);
- Describe the nature of the breach, the data affected, the likely consequences and the measures taken to remedy it.
10. Your rights (GDPR)
In accordance with the GDPR (articles 15 to 22), you have the following rights over your personal data:
- Right of access (art. 15): obtain a copy of all personal data we hold about you, as well as information about its processing;
- Right of rectification (art. 16): correct inaccurate or incomplete data about you;
- Right to erasure / “right to be forgotten” (art. 17): request the deletion of your personal data, subject to legal retention obligations;
- Right to restriction of processing (art. 18): obtain the suspension of the processing of your data in certain cases provided for by the GDPR;
- Right to portability (art. 20): receive your data in a structured, commonly used and machine-readable format (JSON or CSV);
- Right to object (art. 21): object to the processing of your data based on our legitimate interest, for reasons relating to your particular situation;
- Right not to be subject to an automated decision (art. 22): not be the subject of a decision based exclusively on automated processing producing significant legal effects.
How to exercise your rights: send your request by email to support@apothem.fr with the subject [GDPR - Right of access] or [GDPR - Deletion], attaching an identity document if necessary to verify your identity. We will respond within a maximum of 30 days.
If you believe that your rights are not respected, you have the right to lodge a complaint with the competent supervisory authority:
- In France : CNIL (National Commission for Information Technology and Liberties) — www.cnil.fr
- In any other EU country: the data protection authority of your country of residence
11. Protection of minors
The apothem platform is strictly reserved for people aged over 18 years or older. We do not knowingly collect personal data from minors. If you notice that a minor has created an account, we invite you to contact us immediately at support@apothem.fr so that we can delete the data and the account as soon as possible.
12. Data not collected
We expressly confirm that we do not collect not the following data:
- Payment or banking data (no financial transactions pass through apothem);
- Browsing data for advertising or commercial profiling purposes;
- Precise location data (GPS);
- Biometric or health data;
- Data relating to political opinions, religious beliefs or ethnic origin;
- Content of your private communications.
13. Privacy Policy Changes
This privacy policy may be updated to reflect legal, regulatory or technical developments. In the event of a substantial modification, we will notify you by email to the address associated with your account, at least 15 days before the changes come into effect.
The last update date is always indicated at the top of this document. We encourage you to consult this page regularly.
For any questions relating to the protection of your personal data:
Email: support@apothem.fr
Object : [GDPR] Your request
We undertake to acknowledge receipt of your request within 48 hours and respond to it within a maximum of 30 days.