Privacy Policy
v1.0 · Effective 14 May 2026
In short
- Botely is the controller of personal data you share with us. We process the minimum needed to run the Service and to comply with our legal obligations.
- We never sell your data. We do not perform individual profiling of subscribers – signals are broadcast identically across each tier.
- Sub-processors are listed below; international transfers (to Stripe USA) rely on EU Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework.
- You can access, correct, delete or export your data, and lodge a complaint with the Garante per la protezione dei dati personali in Italy.
1. Data controller
1.1. The data controller is Botely – Italian limited liability company to be incorporated prior to commercial launch. Until then, the service is operated in pre-launch by the founding team in their personal capacity.
1.2. Privacy contact: privacy@botely.trade. DPO contact: dpo@botely.trade. A formal DPO will be appointed at the latest by incorporation.
2. Categories of personal data we process
2.1. Account data – email address, name, hashed password, locale preference.
2.2. Identification data (KYC), collected at signup once Customer Due Diligence is active: government-issued ID document, date of birth, residential address, selfie (liveness check), processed by a specialised KYC provider (Sumsub or Onfido).
2.3. Subscription and billing data – plan, billing cycle, Stripe customer ID, invoice records, payment status. Card data is processed directly by Stripe and is not stored on our infrastructure.
2.4. Service usage – webhook destination URL(s), Telegram chat ID, email-delivery preferences, signal delivery logs, paper-portfolio simulation history.
2.5. Technical data – IP address, user agent, request timestamps, session identifiers, anti-bot tokens (Cloudflare Turnstile).
2.6. Correspondence – emails, support tickets, complaint records.
2.7. Trading-infrastructure data, processed only if you enable the Optional Autotrade Feature: your Hyperliquid main account address (a pseudonymous EVM identifier), the public address and metadata of the EIP-712 `approveAgent` action you sign from your own wallet, and – encrypted at rest using AES-256-GCM with a server-side master key – the private key of the Botely-controlled agent wallet that signs orders on the three whitelisted markets (ETH-USD, SOL-USD, BNB-USD) on your main Hyperliquid account. We do not receive, store or have any means to derive your wallet seed phrase, mnemonic or primary private key. We do not store information about your overall on-chain activity beyond what is strictly needed to operate the Bot (order history on the three whitelisted markets).
2.8. Subscriber sizing preferences – capital ceiling tier, per-strategy enable/disable toggles, sizing percentages – chosen by you in the dashboard. These preferences are configuration data, not profiling: signals themselves are identical across the tier.
3. Purposes and lawful bases of processing
3.1. Performance of the contract (Article 6(1)(b) GDPR): provisioning your account, delivering signals through the channels you choose, billing your subscription, paper-trading simulation, communications about the Service.
3.2. Compliance with legal obligations (Article 6(1)(c) GDPR): anti-money-laundering CDD, tax-record retention, retention of the investment recommendations register for at least five years pursuant to Article 20 of Regulation (EU) 596/2014 and Commission Delegated Regulation (EU) 2016/958.
3.3. Legitimate interest (Article 6(1)(f) GDPR): fraud and abuse prevention, security monitoring, audit logging, defence of legal claims. The relevant legitimate interests have been balanced against your fundamental rights; you may object to processing on this basis (see section 8).
3.4. Consent (Article 6(1)(a) GDPR): optional marketing communications and any future analytics or marketing cookies (none are active at the Effective Date). Consent can be withdrawn at any time.
4. No individual profiling
4.1. Botely does not profile individual subscribers. Signals are generated by algorithms that analyse market data only; they are broadcast identically to all subscribers of a given tier, without regard to any subscriber's circumstances.
4.2. No automated decision-making within the meaning of Article 22 GDPR produces legal effects on you. Signing up for a subscription, suspending an account for abuse and similar operational decisions are made by humans (or are non-evaluative).
5. Recipients and sub-processors
5.1. We share personal data only with sub-processors that act on our documented instructions under a Data Processing Agreement compliant with Article 28 GDPR.
5.2. Current sub-processor list:
Stripe Payments Europe, Ltd. / Stripe, Inc. (Ireland / USA) – billing and payment processing.
Hetzner Online GmbH (Germany) – hosting and infrastructure for the application server and database.
Resend, Inc. (USA) – transactional email delivery.
Cloudflare, Inc. (USA) – Turnstile anti-bot, edge proxy, DNS.
Upstash, Inc. (USA / EU regional) – Redis cache and message queue used to deliver signals and runtime state.
Altervista S.r.l. (Italy) – external watchdog endpoint that receives a periodic HMAC-signed liveness ping from our infrastructure (no subscriber data is transmitted; only a heartbeat token).
Sumsub or Onfido (KYC provider, to be activated prior to commercial launch).
Sentry, Inc. / Axiom Cloud, Inc. (error and log monitoring, optional, only if activated).
5.3. The current list is also reproduced in our Cookies Policy and is kept up to date; we will notify subscribers of material changes.
6. International transfers
6.1. Some sub-processors are established outside the European Economic Area (mainly in the United States: Stripe, Resend, Cloudflare). Transfers rely on:
(a) EU Standard Contractual Clauses adopted by the European Commission under Article 46(2)(c) GDPR; and/or
(b) the EU-US Data Privacy Framework under the adequacy decision adopted by the Commission on 10 July 2023, where the sub-processor is self-certified.
6.2. A Transfer Impact Assessment is available on request.
7. Retention
7.1. Account data: for the duration of the contract and 5 years thereafter (limitation periods).
7.2. KYC data: 5 years from the end of the relationship (Italian Legislative Decree 231/2007, Article 31).
7.3. Investment recommendations register: at least 5 years from the date of generation (MAR record-keeping).
7.4. Billing records: 10 years (Italian tax law).
7.5. Server logs and security audit logs: 12 months.
7.6. Database backups: 90 days.
7.7. Botely agent-wallet private key (encrypted at rest): for the duration of the Optional Autotrade Feature opt-in. The key is wiped from our active datastores upon (a) you disabling autotrade from your dashboard, (b) you revoking the agent wallet from your Hyperliquid account, or (c) account closure. Database backups containing earlier encrypted copies follow the 90-day retention in 7.6.
7.8. After the applicable retention period, personal data are deleted or irreversibly anonymised.
8. Your rights
8.1. You have the right to: access (Article 15 GDPR), rectify (Article 16), erase (Article 17), restrict processing (Article 18), data portability (Article 20), object to processing based on legitimate interest (Article 21), withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
8.2. To exercise any of these rights, write to privacy@botely.trade. We will respond within 30 days; this period may be extended by a further two months for complex requests, in which case we will inform you within the first month.
8.3. You have the right to lodge a complaint with the Garante per la protezione dei dati personali, the Italian data-protection authority – garanteprivacy.it – or with the supervisory authority of your habitual residence.
9. Cookies and similar technologies
9.1. Botely uses strictly-necessary cookies and similar technologies to keep you signed in, persist your locale preference, and protect against bots. These are permitted without consent under Article 5(3) of Directive 2002/58/EC (ePrivacy) and Article 122 of the Italian Codice Privacy.
9.2. Optional analytics and marketing cookies are not used at the Effective Date. If we introduce them in future, we will request consent through the cookie banner.
9.3. Full details are in the Cookies Policy.
10. Security
10.1. We apply technical and organisational measures appropriate to the risk: AES-256-GCM encryption of sensitive data at rest (including, where applicable, the Botely authenticator private key described in section 2.7), TLS for data in transit, industry-standard password hashing, short-lived session tokens, multi-factor authentication for administrative access, principle-of-least-privilege access controls, off-site backups, vulnerability management.
10.2. The protocol-level scope of the Botely agent wallet on Hyperliquid (trading-only authority: no withdrawals, no balance transfers, no non-trading actions) is a control enforced by Hyperliquid itself: even in a worst-case scenario where the encrypted agent key were compromised, the attacker would not be able to withdraw funds, transfer balances or perform any non-trading action. Botely's server-side execution code additionally restricts the agent to placing/cancelling orders on ETH-USD, SOL-USD and BNB-USD. Loss of the master encryption key would render existing ciphertexts inert; new agent wallets would be re-approved by users from their own wallets.
10.3. We will notify you and the competent supervisory authority of any personal-data breach within the timeframes required by Articles 33 and 34 GDPR.
11. Children
11.1. The Service is not directed to, and may not be used by, persons under 18. We do not knowingly collect personal data from minors. If we become aware that we have collected such data, we will delete it without undue delay.
12. Changes to this Privacy Policy
12.1. We may update this Privacy Policy from time to time. Material changes will be notified by email and by an in-product banner at least 30 days before they take effect. Non-material changes (clarifications, formatting) take effect on publication.
Contact
- Botely – Italian limited liability company to be incorporated prior to commercial launch. Until then, the service is operated in pre-launch by the founding team in their personal capacity, contactable at the addresses below.
- privacy@botely.trade
- compliance@botely.trade (compliance / MAR)
- dpo@botely.trade (DPO)
- Address (post-incorporation): To be confirmed at incorporation.
These documents are published in English (canonical) and Italian. In case of conflict between the two versions, the English version prevails for interpretation.
Changelog
- v1.0 – 2026-05-14 – Initial publication.