Privacy Policy

Last updated: 2026-05-24

1. Who we are (Data Controller)

The data controller is the operator of GRIDVULCAN, contact email privacy@gridvulcan.com. Full legal identification is available on the imprint page.

2. What data we process

  • Account data: email address, hashed password (stored by Supabase Auth).
  • API credentials: exchange API keys, encrypted at rest with AES-256-GCM. They are never displayed in cleartext after creation.
  • Operational data: bot configurations, orders, fills, equity curves.
  • Technical data: IP address (transient, used for rate limiting and security), browser language cookie (gv_lang).
  • Communications: messages you send via the contact form or support modal.

3. Legal basis (GDPR Art. 6)

  • Contract (Art. 6.1.b): account data and operational data are processed to provide the service you signed up for.
  • Legitimate interest (Art. 6.1.f): technical logs for security, abuse prevention, and rate limiting.
  • Consent (Art. 6.1.a): waitlist email is processed only after you submit it via the form.
  • Legal obligation (Art. 6.1.c): accounting records, where applicable, after billing is enabled.

4. Sub-processors

We use the following sub-processors. Each has its own privacy policy:

  • Supabase (authentication, database) — hosted in the EU.
  • Vercel (frontend hosting, Web Analytics — cookieless and IP-anonymised).
  • Render (backend hosting).
  • Resend (transactional email delivery: account verification, password reset, waitlist confirmation, contact replies).

We do not sell personal data, and we do not share it with third parties for advertising purposes.

5. Retention periods

  • Account data: while your account is active, plus 30 days after deletion.
  • API credentials: until you delete the credential or the account.
  • Fills and operational data: while the account is active. Aggregated anonymised metrics may be retained for service improvement.
  • Contact messages: 24 months from receipt.
  • Waitlist: until you ask to be removed or the waitlist is closed.

6. Your rights (GDPR)

You have the right to access, rectify, delete, restrict processing, port your data, and object to processing. To exercise any of these rights, write to privacy@gridvulcan.com. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority (in Spain: AEPD, www.aepd.es).

7. International transfers

When data is transferred outside the EEA (e.g. to a US sub-processor), the transfer is covered by Standard Contractual Clauses (SCC) or an adequacy decision of the European Commission.

8. Security

We encrypt API credentials at rest (AES-256-GCM with per-user additional authenticated data). Authentication uses Supabase JWT with short-lived tokens and JWKS rotation. Transport is HTTPS. Internal engine-to-backend traffic is gated by per-bot HMAC tokens.

9. Cookies

We only use strictly necessary cookies: an authentication session cookie (set by Supabase) and a language preference cookie (gv_lang). Analytics is provided by Vercel and is cookieless. See the Cookie Policy for details.

10. Changes to this policy

We may update this policy. Material changes will be communicated by email and through the dashboard at least 14 days before they take effect.