Privacy Policy
1. Data Controller
The Data Controller of personal data collected via the Cikos platform is:
Cikos
Email: privacy@cikos.com
Note: the final version of this document will include full legal name, registered office, VAT number, and — if designated — the contact details of the DPO (Data Protection Officer).
2. Data We Collect
We collect the following categories of personal data:
Data provided directly by the user
- Account: email, password (bcrypt-hashed, never plaintext), optional name
- Authentication: TOTP secret for 2FA (encrypted), session tokens
- Trading configurations: risk preferences, watchlists, trading mode, exchange API keys (AES-256-GCM encrypted at rest)
- Anthropic BYO API key (optional, if using BYO mode): encrypted at rest, never logged in plaintext
- Notification preferences: Telegram chat ID, email preferences
Data collected automatically
- Technical: IP address, user-agent, request timestamps, error logs
- Usage: generated signals, executed orders, open/closed positions, P&L, AI tokens consumed
- Technical cookies: session, CSRF, locale preferences — see section 7
Data collected from third parties
- Exchanges (Binance, Bitget): balances, positions, orders — only with your explicit authorization via API key
- Anthropic (for AI analysis): market contexts sent to generate analysis; we never send directly identifiable PII
3. Purposes and Legal Bases
We process your data for the following purposes, with these legal bases (GDPR Art. 6):
- Contract performance (Art. 6.1.b): providing the service, executing orders, managing the account, billing
- Legal obligation (Art. 6.1.c): retaining accounting data, responding to authority requests
- Legitimate interest (Art. 6.1.f): platform security (anti-fraud, rate limiting, audit logs), service improvement via aggregated statistics
- Consent (Art. 6.1.a): non-technical cookies, marketing communications (if enabled), optional behavioral analytics
4. How We Share Data
We do not sell your personal data. We share it only with:
- Infrastructure providers: Heroku / AWS for hosting, Postmark for transactional email, Stripe for payments, Datadog/Papertrail for logging
- Exchanges: Binance, Bitget — limited to authorized operations
- AI providers: Anthropic (Claude API) for market analysis; we send trading contexts without direct PII
- Competent authorities: only as required by law
Some of these providers are located outside the EU (e.g., Anthropic, Heroku). In such cases we apply Standard Contractual Clauses (SCC) and additional technical and organizational measures as required by the CJEU "Schrems II" ruling.
5. Retention Periods
- Active account: for the duration of the contractual relationship
- After account deletion: personal data anonymized immediately; accounting data retained for 10 years per legal obligation (Italian Civil Code art. 2220)
- Technical logs: 90 days
- Audit logs (critical actions): 24 months
- Backups: 30-day rolling
The above retention periods are indicative and may vary based on technical requirements or specific legal obligations.
6. Your Rights (GDPR Art. 15-22)
As a data subject you have the following rights:
- Access (Art. 15): obtain confirmation of processing and a copy of the data
- Rectification (Art. 16): correct inaccurate or incomplete data
- Erasure (Art. 17, right to be forgotten): request removal
- Restriction (Art. 18): restrict processing in specific cases
- Portability (Art. 20): receive data in machine-readable format
- Objection (Art. 21): object to processing based on legitimate interest
- Consent withdrawal: withdraw previously given consent at any time
You can exercise access and erasure rights directly from the "Privacy" tab of the dashboard ("Download JSON export" and "Delete account" functions). For other rights or structured requests write to privacy@cikos.com. We will respond within 30 days.
If you believe the processing violates GDPR, you can file a complaint with your national Data Protection Authority, or with the Italian Garante per la protezione dei dati personali (garanteprivacy.it).
7. Cookies
We use cookies in the following categories:
- Strictly necessary: authentication session, CSRF token, language preference. No consent required.
- Analytics (explicit consent only): aggregated usage patterns to improve the product, never personally identifiable data.
You can manage your cookie preferences by clicking "Manage cookies" in the footer of each page, or via your browser settings.
8. Security
We apply appropriate technical and organizational measures:
- Passwords hashed and sensitive secrets encrypted (bcrypt for passwords, AES-256-GCM for API keys)
- TLS 1.2+ for all data transfers
- Principle of least privilege for internal access
- Immutable audit logging for critical actions
- Rate limiting and anomaly detection
- Encrypted backups, periodically tested
No system is 100% secure. In the event of a data breach, we will notify you within 72 hours as required by GDPR Art. 33.
9. Minors
The service is not intended for minors under 18. We do not knowingly collect minors' data. If we learn we have collected data from a minor, we will delete it immediately.
10. Changes to This Policy
We may update this Privacy Policy. Material changes will be notified by email and in-app. The "Last updated" date at the top reflects the most recent version. Continuing to use the service after a change constitutes acceptance of the new version.