Privacy Policy

Our Privacy Commitment

At My Bitcoin DCA, privacy is not just a feature—it's the foundation of our architecture. We built our platform with a client-side security model where your sensitive data never touches our servers.

1. Information We Collect

1.1 Account Information

• Name
• Email address
• Password (hashed and salted with bcrypt)
• Account creation date
• Google account ID (if you sign in with Google)

1.2 Google OAuth Authentication

If you choose to sign in using Google, we receive the following information from Google:

• Your Google account email address
• Your name (as set in your Google profile)
• Your Google account ID (a unique identifier)

We do not receive or store your Google password. Google OAuth authentication is subject to Google's Privacy Policy.

1.3 DCA Settings

• Weekly DCA amount (EUR)
• Purchase schedule (day and hour preferences)
• Hardware wallet Bitcoin address (for withdrawals)

1.4 Transaction Data

• Purchase records (date, BTC amount, EUR cost, fees)
• Withdrawal transaction IDs and amounts
• Blockchain transaction hashes (public data)
• Transaction statuses and confirmations

1.5 Device Information

• Expo push notification tokens (for mobile notifications)
• IP addresses (for rate limiting and security)
• Browser type and version (analytics)

1.6 Payment Information

When you subscribe to our Service, payment is processed by Stripe. We store:

• Stripe customer ID (a reference to your Stripe account)
• Subscription ID and status (active, cancelled, etc.)
• Subscription period dates

2. What We NEVER Collect

• Exchange API Keys: Never transmitted to or stored on our servers
• Exchange API Secrets: Never leave your mobile device
• Private Keys: We never hold or have access to your Bitcoin private keys
• Withdrawal Permissions: We cannot execute withdrawals on your behalf
• Trading Permissions: We cannot execute trades on your behalf

Your API keys are stored exclusively in your mobile device's encrypted SecureStore (iOS Keychain or Android Keystore). All withdrawal and trading operations are executed directly from your device to your exchange. We only receive confirmation reports after you've completed these operations.

3. How We Use Your Information

3.1 Service Delivery

• Track your Bitcoin purchases and withdrawals
• Monitor blockchain confirmations for your transactions
• Calculate DCA statistics and analytics
• Send scheduled purchase and withdrawal notifications

3.2 Security

• Authenticate your account access
• Prevent unauthorized access and fraud
• Rate limiting to prevent abuse
• Monitor for suspicious activity

3.3 Communication

• Send push notifications for optimal withdrawal timing
• Notify you when it's time to execute DCA purchases
• Send transaction status updates
• Respond to support requests

4. Data Storage and Security

4.1 Encryption

• In Transit: All data transmitted over HTTPS/TLS 1.2+
• At Rest: Passwords hashed with bcrypt (10 rounds)
• API Keys: Stored in OS-level encrypted storage on your device

4.2 Database Security

• MongoDB with encryption at rest
• Redis for session management and caching
• Regular automated backups
• Access control and authentication

4.3 Access Control

• JWT-based authentication with short-lived tokens
• Rate limiting on all endpoints
• IP-based security monitoring
• Automated security scanning (Semgrep)

5. Data Sharing

We do not sell, trade, or rent your personal information to third parties.

5.1 Third-Party Services

We integrate with the following services:

• Stripe: Payment processing for subscriptions. Stripe collects and processes your payment card details. See Stripe's Privacy Policy.
• Google: Optional OAuth authentication. If you sign in with Google, your authentication is processed by Google. See Google's Privacy Policy.
• Binance/Kraken: You interact directly with your exchange's API (we don't see your credentials)
• Mempool.space: Public blockchain data for transaction monitoring
• Expo Push Notifications: To deliver notifications to your mobile device (uses Firebase Cloud Messaging)
• CoinGecko: For Bitcoin price data (fallback source)
• Google Analytics: Website usage analytics. See Google's Privacy Policy.

5.2 Legal Compliance

We may disclose information if required by law, court order, or government request. We will notify you of such requests unless prohibited by law.

6. Your Rights

You Have the Right To:

• Access: Request a copy of all data we hold about you
• Correction: Update incorrect or incomplete information
• Deletion: Request deletion of your account and associated data
• Export: Download your transaction history and settings
• Opt-Out: Disable push notifications at any time

To exercise these rights, contact us at support@mybitcoindca.com or use the settings page in your account.

7. Data Retention

• Active Accounts: Data retained while your account is active
• Inactive Accounts: Data retained for 12 months after last login
• Deleted Accounts: Data permanently deleted within 30 days
• Legal Requirements: Some data may be retained longer for compliance
• Blockchain Data: Transaction hashes are public and permanent on blockchain

8. Cookies and Tracking

Essential Cookies:

• Authentication: JWT refresh tokens (httpOnly, secure)
• Session Management: Redis-backed session storage

Analytics Cookies (Consent Required):

If you consent, we use Google Analytics to understand how users interact with our Service and to improve the user experience. Google Analytics collects:

• Pages visited and time spent on each page
• Device type, browser, and operating system
• Geographic location (country/city level)
• Referral source (how you found us)

Managing Your Cookie Preferences:

• Clear your browser's localStorage to reset your consent choice and see the banner again
• Install the Google Analytics Opt-out Browser Add-on
• Use your browser's cookie settings to block third-party cookies

See Google's Privacy Policy for more information on how Google handles data collected through Analytics.

9. Children's Privacy

Our service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a minor, please contact us immediately.

10. Data Breach Notification

We take data security seriously. In the unlikely event of a data breach that affects your personal information, we commit to the following:

10.1 What We Will Do

• Investigate and contain the breach as quickly as possible
• Assess the risk and determine what data may have been affected
• Notify affected users within 72 hours of becoming aware of a breach
• Report to relevant regulatory authorities as required by law
• Provide guidance on steps you can take to protect yourself

10.2 How We Will Notify You

• Email notification to your registered email address
• In-app notification when you next log in
• Public announcement on our website if the breach is widespread

10.3 Information We Will Provide

• Description of the nature of the breach
• Types of data that may have been affected
• Steps we are taking to address the breach
• Recommended actions you should take
• Contact information for questions or concerns

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

• Posting the new policy on this page
• Updating the "Last Updated" date
• Sending an email notification for material changes
• Requiring re-acceptance for substantial changes