Legal · Privacy Policy

Privacy Policy

Effective April 30, 2026

Last updated April 30, 2026

Version 1.0

This Privacy Policy explains what information MyZiggy collects, how we use it, and your rights. It applies to the MyZiggy mobile application, website, and associated services (the "Service"). Capitalised terms not defined here have the meaning given in the Terms of Service.

01Who we are#

The data controller is [Legal entity name], [registered address]. Contact: privacy@myziggy.ai. If you are in the EEA, UK, or another jurisdiction with a data-protection authority, you may also contact our Data Protection point of contact at dpo@myziggy.ai.

02Information we collect#

2.1 Information you provide

Account data: name, email, password (stored hashed), authentication method (email/password, Apple OAuth, Google OAuth).
Profile preferences: push-notification settings, quiet hours, timezone, language, advanced-alert opt-in.
Trading Capital amount: the user-declared dollar figure used to compute position sizes. This is not read from your Exchange wallet.
Execution Engine configuration: minimum Setup Score, active coins, max open positions, risk-per-trade, exchange selection.
Communications: support tickets, feedback, and any documents or screenshots you send us.
Identity / KYC documents (only if and when required for fraud, sanctions screening, or regulatory compliance — currently not collected for general account use).

2.2 Information generated by your use of the Service

Trade Plans and Trade Executions: for each manual trade or Execution Engine trade — pair, side, position size, entry price, invalid level, target levels, fill prices, exit reason, P&L, timestamps, and Exchange order IDs.
Audit log: every execution-side action you take recorded with user ID, action, payload metadata, IP address, user agent, and timestamp. Retained for 7 years for security and dispute purposes.
Engagement data: screens viewed, features used, alerts opened, in-app actions, session duration.
Crash and diagnostic data: stack traces, error codes, app version, device model, OS version.

2.3 Information collected from your devices and integrations

Device data: device identifiers, OS version, mobile carrier (where exposed), language, timezone, push-notification token (APNs/FCM).
Network data: IP address (for rate-limiting, security, and approximate geolocation to enforce restricted-region rules).
Exchange data: account state read via your API Key — open positions, recent fills, order status. We read only what is necessary to operate features you have enabled. We do not read withdrawal history because we do not request withdrawal scopes.
Cookies and similar technologies (web only): see Section 7.

2.4 Information from third parties

Stripe (payments): subscription status, billing cycle, payment method type (card brand, last 4 — full card data never reaches MyZiggy), country, tax. We do not receive your full card number.
OAuth providers (Apple, Google) when you sign in: name, email, OAuth user ID.

2.5 What we do not collect

We do not read or store your Exchange password.
We do not request or accept API Keys with withdrawal or transfer permissions; if you provide one, we reject it.
We do not read your Exchange wallet balance.
We do not collect financial-account information beyond what Stripe shares for billing.
We do not knowingly collect data from anyone under 18.

03How we use information#

Purpose	Legal basis (GDPR)
Provide the Service (auth, dashboards, Setups, execution, Execution Engines, alerts, billing)	Performance of contract
Operate Exchange connections and submit orders you authorise	Performance of contract
Compute aggregate System Performance metrics (across all users, anonymised)	Legitimate interest
Operate, evaluate, and improve the Setup-generation methodology and Execution Engines logic, in aggregate and de-identified form	Legitimate interest
Customer support and communications	Performance of contract / legitimate interest
Fraud prevention, security monitoring, abuse detection, and audit logging	Legitimate interest / legal obligation
Tax, accounting, sanctions screening, and AML	Legal obligation
Marketing emails about new features (you can unsubscribe)	Consent (where required) / legitimate interest
Comply with court orders and lawful requests	Legal obligation

3.1 Trading-analytics use — what this means in plain English

We use your trade history, fill data, and engagement events to evaluate and improve how the Service performs. We do this only in aggregate and de-identified form — meaning we strip identifiers and combine your data with other users' data before computing model statistics. The Service's underlying methodology is not personalised to any individual user; it is a fixed methodology evaluated against the population.

We do not sell or share your individual trade history with any third party for advertising or modelling purposes.

3.2 No automated decisions with legal effect

The Service makes automated decisions (Execution Engines order submission, position sizing, alert triggering). These decisions affect your trading outcomes only because you chose to enable them and configured the parameters. They do not produce legal or similarly significant effects on you within the meaning of Article 22 GDPR. You can pause, reconfigure, or stop the execution engine at any time.

04Exchange API Keys — how we handle them#

This section is critical to your trust in the Service.

Trade-only scopes only. When you connect an Exchange we run a programmatic test that attempts a withdrawal call. If the call succeeds, we reject the API Key and refuse to store it.
Encrypted at rest. API Key secrets are encrypted using a managed key-management service (KMS). Plaintext secrets never touch our database, our logs, or our backups.
Server-side use only. API Keys are decrypted in memory only on the request path that uses them. They are never sent back to your device after creation. The mobile app sees only the last 4 characters of the public key.
No third-party sharing. API Keys are never shared with any third party.
Access controls. Engineering access to KMS-encrypted material is limited to a small set of senior engineers and is logged.
IP allowlisting. We publish a list of MyZiggy egress IPs; we recommend you IP-restrict your Exchange API Key to those IPs.
Revocation. You can revoke a connection in the Service or by deleting the API Key at the Exchange. Either action stops MyZiggy from being able to act on your account, immediately.

05Sharing of information#

We share information only as follows:

Service providers acting on our instructions and bound by confidentiality and data-processing agreements:
- Stripe (payments)
- AWS / Google Cloud / similar (hosting, KMS)
- Datadog / Sentry / similar (logging, observability — without API key material)
- SendGrid / Postmark / similar (transactional email)
- APNs (Apple), FCM (Google) (push notifications — token only)
- Customer-support tooling (e.g., Zendesk / Intercom)
Exchanges: we transmit order instructions to the Exchange you have connected, on your behalf.
Authorities when legally required: subpoena, court order, lawful regulatory request, or to protect rights, safety, or property.
Acquirer in a merger, acquisition, or asset sale — subject to the new owner being bound by terms at least as protective as this Policy.

We do not sell personal information. We do not share personal information for cross-context behavioural advertising. We do not use your trade history for advertising.

06International data transfers#

We are based in [the United States]. Where we transfer personal data out of the EEA, UK, or another region with restrictions, we rely on appropriate safeguards including the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent. A copy of the relevant safeguards is available on request to privacy@myziggy.ai.

07Cookies and similar technologies (web only)#

The mobile app does not use third-party tracking cookies. The website uses (a) strictly-necessary cookies for authentication and security, (b) preference cookies for language/timezone, and (c) first-party analytics to measure aggregate site usage. We do not use cookies to build cross-site advertising profiles. Cookie banner controls are provided where required by law.

08Data retention#

Data	Retention
Account data	While account is active; deleted within 30 days of account deletion request, except as below
Trade Plans and Trade Executions	7 years (financial-records / tax / dispute reasons)
Audit log (security and execution-side actions)	7 years; anonymised after account deletion
API Key secrets	Until disconnected or rotated; then immediately deleted
Support tickets	3 years
Push tokens	Until invalidated by the OS or by logout
Backups	Up to 35 days, then overwritten
Aggregate / de-identified analytics	Indefinitely (no longer personal data)

09Your rights#

Depending on where you live, you may have rights to:

Access the personal data we hold about you;
Correct inaccurate data;
Delete your data ("right to be forgotten");
Port your data to another provider in machine-readable form;
Restrict or object to certain processing;
Withdraw consent where processing is based on consent;
Opt out of "sale" or "sharing" of personal information (we do not engage in either);
Lodge a complaint with a supervisory authority (EU/UK) or the appropriate authority in your jurisdiction.

To exercise these rights, email privacy@myziggy.ai. We will verify your identity (typically by confirming control of the account email) and respond within 30 days, or 45 days for complex requests, in line with GDPR / CCPA / India DPDP / equivalent. Some data — execution audit logs, fraud records, tax records — must be retained even after a deletion request, in which case we will explain the basis.

9.1 California (CCPA/CPRA)

We do not sell or share personal information as those terms are defined under California law. Categories collected, sources, purposes, and recipients are described above. California residents have the right to know, delete, correct, and limit the use of sensitive personal information; we do not collect "sensitive personal information" beyond what is necessary to operate the Service (e.g., account credentials).

9.2 EEA / UK

The legal bases for processing are listed in Section 3. You have the right to lodge a complaint with the data-protection authority in your country.

9.3 India (DPDP Act)

Where applicable, MyZiggy acts as a Data Fiduciary. You may exercise rights of access, correction, erasure, and grievance through the contact below. Our grievance officer is [Name], reachable at grievance@myziggy.ai.

10Security#

Measures we use include:

TLS 1.2+ for all data in transit
KMS-encrypted secrets at rest, with no plaintext logging
Strict scope enforcement on Exchange API Keys (withdrawal scopes rejected)
Two-factor authentication available, and required for high-impact actions
Session token rotation, short-lived access tokens
Rate-limiting on auth and execution endpoints
Production access limited to a small set of engineers, with audit logging
Periodic third-party security review (planned/ongoing)

No system is perfectly secure. If we become aware of a personal-data breach affecting you, we will notify you and the relevant authorities as required by law (in the EEA, within 72 hours of becoming aware where feasible).

11Children#

The Service is not intended for, and is not directed at, anyone under 18. We do not knowingly collect information from children. If you believe a child has provided us with information, contact privacy@myziggy.ai and we will delete it.

12Third-party links and services#

The Service links to and integrates with third parties (Exchanges, Stripe, Apple, Google). Their privacy practices are governed by their own policies. We are not responsible for them.

13Changes to this Policy#

We may update this Policy. For material changes we will give at least 14 days' notice by email or in-app banner. The "Last updated" date at the top reflects the most recent version. Prior versions are available on request.

14Contact#

Privacy: privacy@myziggy.ai
Data protection: dpo@myziggy.ai
Grievances (India): grievance@myziggy.ai
Security: security@myziggy.ai