Privacy Policy
VERSION 1.1 · LAST UPDATED: MARCH 12, 2026 · GDPR COMPLIANT (EU 2016/679)
Transparency commitment. This policy accurately describes what data we collect, why, how we protect it, and how you can exercise your rights. Your data is never sold. Your API keys are encrypted and technically cannot be used to withdraw funds.
This privacy policy describes how the apothem platform (hereinafter "we" or "apothem") collects, processes and protects your personal data, in compliance with the General Data Protection Regulation (GDPR – EU Regulation 2016/679) and applicable data protection legislation.
01. Data Controller
The data controller for your personal data is:
- Name: CREPIN
- Address: 76 Rue Masséna, 69006 Lyon, France
- Email: support@apothem.fr
- Status: Individual – operator of the apothem platform
For any questions regarding the protection of your data, you may contact us directly at the email address above with the subject line [GDPR]. We are committed to responding within a maximum of 30 calendar days.
02. Data Collected and Purposes
We collect only the data strictly necessary for the operation of the Service, in accordance with the data minimisation principle (Article 5(1)(c) of the GDPR):
| Data category | Data collected | Purpose | Legal basis | Retention period |
|---|---|---|---|---|
| Identity | Email address, username | Account creation and management, communication | Contract performance | Account duration + 3 years |
| Authentication | Hashed password (bcrypt), 2FA token | Securing access to the account | Contract performance | Account duration |
| API Keys | Public key + secret key (AES-256 encrypted) | Executing trading orders on the exchange | Contract performance | Until revocation or account closure |
| Trading | Trade history, positions, P&L | Dashboard, performance tracking | Contract performance | 3 years after account closure |
| Configuration | Risk parameters, position size | Customising bot behaviour | Contract performance | Account duration |
| Connection | IP address, connection timestamp, user-agent | Security, fraud detection, rate limiting | Legitimate interest (security) | 30 days |
| Session | Session token (secure cookie) | Maintaining the connection | Contract performance | 30 days or until logout |
03. API Key Processing
API keys are the most sensitive data you entrust to us. We give them special protection:
API key security: your API keys are encrypted in the database using the AES-256 algorithm via Fernet (authenticated symmetric encryption). They are never stored in plain text, never displayed in full in the interface, and never transmitted to third parties.
- Encryption at rest: stored exclusively in encrypted form (AES-256 Fernet) — unusable without the server's decryption key;
- Restricted permissions: apothem requires and recommends API keys with only "read" and "trading" permissions. Withdrawal permission is never required and should never be granted;
- No sharing: your API keys are never shared, resold or transmitted to third parties, including commercial partners;
- Single dedicated use: your API keys are used exclusively to submit trading orders on your exchange, in response to signals received from TradingView;
- Deletion on request: your API keys are deleted from our systems upon connection revocation or account closure.
04. Legal Basis for Processing
Each of our processing activities rests on a specific legal basis under Article 6 of the GDPR:
- Contract performance (Art. 6(1)(b)): processing of email, password, API keys, trading data, configuration settings — necessary for providing the Service;
- Legitimate interest (Art. 6(1)(f)): processing of IP addresses, connection logs and session data — to ensure platform security and prevent unauthorised access;
- Legal obligation (Art. 6(1)(c)): retention of certain data in response to a court order or legal obligation.
We do not carry out any processing based on consent for the essential features of the Service — you can therefore use apothem without your consent being required for indispensable processing. Non-essential cookies, if added in the future, would be subject to your prior consent.
05. Cookies and Trackers
The apothem platform uses only strictly necessary cookies for the operation of the Service, which do not require prior consent:
- session: secure session cookie (HttpOnly, Secure, SameSite=Lax) to maintain your connection — duration: 30 days;
- csrf_token: anti-CSRF (Cross-Site Request Forgery) security token injected into forms — duration: browser session.
We do not use any advertising cookies, profiling cookies, or third-party trackers for behavioural analysis or marketing targeting. No advertising network has access to your browsing data on apothem.
06. Data Recipients
Your personal data is processed exclusively by the following individuals and entities:
- The apothem Operator (CREPIN): access to data necessary for administering the Service;
- Hetzner Online GmbH: hosting provider for the servers on which your data is stored, located in the European Union (Nuremberg, Germany data centre) — Hetzner acts as a data processor under the GDPR;
- Your exchange: your API keys are used to submit orders on your exchange account on your behalf — the exchange is an independent third party, subject to its own terms of use;
- Competent authorities: in case of legal obligation, court order or official investigation.
Your personal data is never sold, rented or exchanged for commercial purposes.
07. Transfers Outside the European Union
Your data is hosted within the European Union, on Hetzner servers in Nuremberg (Germany). We ensure that your data remains within the European Economic Area as much as possible.
Transfers outside the EU may occur in the following cases:
- Connection to your exchange: depending on the exchange you use, API requests may transit to servers located outside the EU. These exchanges take place exclusively via encrypted connections (HTTPS/TLS) and are limited to the data necessary for executing orders;
- Authentication via Google OAuth (if enabled): subject to Google's privacy policy terms and their transfer mechanisms (EU–US adequacy decision, Standard Contractual Clauses).
Any transfer outside the EU takes place within the framework of appropriate safeguards in accordance with Articles 44 to 49 of the GDPR.
08. Security Measures
We implement technical and organisational security measures appropriate to the level of risk, in accordance with Article 32 of the GDPR:
- Encryption of sensitive data: API keys encrypted at rest (AES-256 Fernet), passwords hashed (bcrypt, high cost);
- Encryption of communications: HTTPS/TLS protocol on all client-server exchanges;
- CSRF protection: CSRF token on all sensitive requests to prevent cross-site attacks;
- Rate limiting: limiting login attempts to prevent brute-force attacks;
- Session management: secure session cookies (HttpOnly, Secure, SameSite), token rotation;
- Secure infrastructure: Hetzner servers in ISO 27001 certified data centre, located in the EU;
- Restricted access: access to data limited to authorised persons only, following the principle of least privilege.
09. Personal Data Breach
In the event of a personal data breach likely to result in a risk to your rights and freedoms, apothem is committed to:
- Notifying the competent supervisory authority within 72 hours of becoming aware of the incident, in accordance with Article 33 of the GDPR;
- Informing you personally by email as soon as possible if the breach is likely to result in a high risk to your rights and freedoms (Article 34 of the GDPR);
- Describing the nature of the breach, the data concerned, the likely consequences, and the measures taken to address it.
10. Your GDPR Rights
In accordance with the GDPR (Articles 15 to 22), you have the following rights over your personal data:
- Right of access (Art. 15): obtain a copy of all personal data we hold about you, as well as information about their processing;
- Right to rectification (Art. 16): correct inaccurate or incomplete data about you;
- Right to erasure / "right to be forgotten" (Art. 17): request the deletion of your personal data, subject to legal retention obligations;
- Right to restriction of processing (Art. 18): obtain the suspension of processing of your data in certain cases provided for by the GDPR;
- Right to data portability (Art. 20): receive your data in a structured, commonly used and machine-readable format (JSON or CSV);
- Right to object (Art. 21): object to the processing of your data based on our legitimate interest, for reasons relating to your particular situation;
- Right not to be subject to automated decision-making (Art. 22): not be subject to a decision based solely on automated processing that produces significant legal effects.
How to exercise your rights: send your request by email to support@apothem.fr with the subject line [GDPR - Access] or [GDPR - Deletion], attaching a form of identification if necessary to verify your identity. We will respond within a maximum of 30 days.
If you believe your rights are not being respected, you have the right to lodge a complaint with the competent supervisory authority:
- In France: CNIL (Commission Nationale de l'Informatique et des Libertés) — www.cnil.fr
- In any other EU country: the data protection authority of your country of residence
11. Protection of Minors
The apothem platform is strictly reserved for persons aged 18 years or older. We do not knowingly collect personal data from minors. If you find that a minor has created an account, please contact us immediately at support@apothem.fr so that we can delete the data and the account as soon as possible.
12. Data Not Collected
We expressly confirm that we do not collect the following data:
- Payment or banking data (no financial transactions pass through apothem);
- Browsing data for advertising or commercial profiling purposes;
- Precise location data (GPS);
- Biometric or health data;
- Data relating to political opinions, religious beliefs or ethnic origin;
- Content of your private communications.
13. Policy Changes
This privacy policy may be updated to reflect legal, regulatory or technical developments. In the event of a substantial change, we will inform you by email at the address associated with your account, at least 15 days before the changes take effect.
The date of the last update is always indicated at the top of this document. We encourage you to check this page regularly.
For any questions relating to the protection of your personal data:
Email: support@apothem.fr
Subject: [GDPR] Your request
We are committed to acknowledging receipt of your request within 48 hours and responding within a maximum of 30 days.