Your funds, your keys, your decisions.
Botely is non-custodial by design. We never see, hold, or route your money. This page is the receipt for that promise.
Five hard rules.
Never custody
We never receive, hold, or route user funds. Signals are emitted; you execute (or don't) on your own account, with your own broker.
Never your private keys
No mnemonic, no seed phrase, no wallet upload. If automation is needed, the Pro tier delivers an HMAC-signed webhook to YOUR endpoint.
Never edit history
Closed trades, once published on /performance, are never edited or removed. If a number changes, you'll see a diff in the changelog.
Never anonymous strategies
Every signal is tied to a specific strategy version with a SHA-256 config hash. The hash is pinned per-signal; you can verify which exact ruleset produced what.
Never auto-execute without consent
Optional managed execution (Step 2 roadmap) requires explicit per-signal permissions and per-account caps. The default is signal-only.
Where things actually live.
Compute
Hetzner VPS · EU (Helsinki) · 2 vCPU / 4 GB
TLS
Let's Encrypt via Caddy · auto-renew
Auth
Better-Auth · scrypt password hashing · 30d session
Database
Postgres 16 (auth + waitlist) · Upstash Redis (signal state)
Webhook signing
HMAC SHA-256 · rotating secrets per subscriber
Trading venue
dYdX v4 perpetuals · permissionless settlement
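A receiver-side check for the HMAC SHA-256 webhook named under "Never your private keys" and "Webhook signing", added here as an example and not Botely's own code. It assumes the signature is the hex HMAC-SHA256 of the raw request body and that the receiver accepts both the current and the previous secret while a rotation is in progress; the secrets and payload fields are constructed.

```python
import hashlib
import hmac

# Assumption: signature = hex(HMAC-SHA256(secret, raw_body)). The page does not
# specify the wire format, so how the signature is transported is left to the caller.

def sign(secret: bytes, raw_body: bytes) -> str:
    """Sender side, used here only to build constructed test signatures."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def verify_webhook(raw_body: bytes, signature_hex: str, active_secrets: list[bytes]) -> bool:
    """True if the signature matches under any secret the receiver still accepts."""
    try:
        received = bytes.fromhex(signature_hex.strip())
    except ValueError:
        return False  # malformed signature: reject, never fall through
    if len(received) != hashlib.sha256().digest_size:
        return False
    ok = False
    for secret in active_secrets:
        # Verify over the raw bytes as received, not re-serialised JSON.
        expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
        # Constant-time compare, and no early exit across secrets.
        ok |= hmac.compare_digest(expected, received)
    return ok

# Constructed sample data (not real Botely secrets or payload fields).
OLD_SECRET = b"constructed-old-secret"
NEW_SECRET = b"constructed-new-secret"
BODY = b'{"signal_id":"example-1","side":"long"}'

def demo() -> dict:
    sig_new, sig_old = sign(NEW_SECRET, BODY), sign(OLD_SECRET, BODY)
    both = [NEW_SECRET, OLD_SECRET]
    return {
        "current": verify_webhook(BODY, sig_new, both),
        "during_rotation": verify_webhook(BODY, sig_old, both),
        "after_retirement": verify_webhook(BODY, sig_old, [NEW_SECRET]),
        "tampered": verify_webhook(BODY.replace(b"long", b"short"), sig_new, both),
        "malformed": verify_webhook(BODY, "not-hex", both),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {accepted}")
```

Dropping the old secret from the accepted list once rotation completes is what makes a leaked, retired secret useless for forging signals.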
Find a bug? Tell us.
If you spot a security issue — auth bypass, signal forgery, data leak, anything else — email us before posting publicly. We don't run a paid bounty yet but we credit reports and fix fast.
security@botely.trade