Privacy Policy

1. Introduction

CryptoDashboardPlus ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our cryptocurrency portfolio tracking service.

This policy complies with applicable data protection laws, including the General Data Protection Regulation (GDPR) and other relevant privacy legislation.

2. Information We Collect

2.1 Information You Provide to Us

Account Information

• Email address: Used for account creation, authentication, and communication
• Password: Hashed using bcrypt (one-way hash, never stored in plain text)
• Profile information: Username, display name, avatar preferences
• Notification settings: Email, Telegram preferences for alerts

Portfolio Data (Stored in localStorage and Server)

• Transaction history: Buy/sell trades with dates, prices, quantities, fees
• Holdings: Cryptocurrency types, amounts, and cost basis
• Balance history: Historical portfolio valuations for performance tracking
• Goals and targets: Financial planning data (goal name, target amount, deadline)
• Price alerts: User-configured price alert conditions
• Notes and tags: Custom labels and annotations on transactions
• User preferences: Dashboard layout, theme (dark/light), currency display (USD/EUR/BTC)

API Keys and Credentials

• Exchange API keys: Read-only API keys from Binance, Coinbase, Pionex (encrypted with AES-256)
• API secrets: Encrypted at rest and in transit, never exposed in logs or responses
• Wallet addresses: Public blockchain addresses for tracking (Ethereum, BSC, Polygon, Arbitrum, Optimism, Avalanche)
• OAuth tokens: Google OAuth tokens if you choose to sign in with Google (stored securely, encrypted)

2.2 Information Collected Automatically

Usage Data

• Pages visited and features used
• Time spent on the platform
• Click patterns and navigation paths
• Feature engagement metrics

Device and Browser Information

• IP address (anonymized where possible)
• Browser type and version
• Operating system
• Device type (desktop, mobile, tablet)
• Screen resolution
• Language preferences

Cookies and Browser Storage

• Session cookie (express.sid): Express-session cookie for maintaining login state (24-hour expiry, httpOnly, secure in production)
• JWT token (authToken): Stored in localStorage for API authentication
• localStorage keys:
  • trades - Cached portfolio transaction history
  • portfolioHoldings - Current cryptocurrency holdings
  • balanceHistory - Historical balance snapshots
  • goals - Financial goals and targets
  • priceAlerts - Configured price alerts
  • settings - User preferences (theme, currency, notifications)
  • apiCache - Cached CoinGecko price data (1-hour expiry)
  • userProfile - User profile data and display preferences
• Preference cookies: Theme preference (dark/light mode), language, currency display

2.3 Information from Third-Party Sources

• Price data: From CoinGecko API (cryptocurrency prices, market cap, 24h volume)
• Exchange data: Portfolio and transaction data from Binance, Coinbase, Pionex APIs (read-only access)
• Blockchain data: Public transaction data from blockchain RPCs:
  • Ethereum (via Infura/Alchemy RPC)
  • Binance Smart Chain (BSC)
  • Polygon
  • Arbitrum
  • Optimism
  • Avalanche
• Payment data: From Stripe (payment processing, subscription status)
• Email delivery: Via Nodemailer for transactional emails

3. How We Use Your Information

We use your information for the following purposes:

3.1 Service Delivery

• Provide portfolio tracking and analytics
• Display real-time cryptocurrency prices
• Sync data from connected exchanges
• Generate reports and visualizations
• Send price alerts and notifications
• Calculate portfolio performance metrics

3.2 Account Management

• Create and maintain your account
• Authenticate your identity
• Manage subscriptions and billing
• Provide customer support
• Send account-related communications

3.3 Service Improvement

• Analyze usage patterns to improve features
• Debug and fix technical issues
• Develop new features and functionality
• Conduct A/B testing and experiments
• Optimize performance and user experience

3.4 Security and Fraud Prevention

• Detect and prevent unauthorized access
• Identify suspicious activity
• Protect against security threats
• Comply with legal obligations

3.5 Communications

• Send transactional emails (password resets, confirmations)
• Deliver price alerts and notifications (if enabled)
• Share service updates and new features
• Send marketing communications (with consent, opt-out available)

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process your data based on:

Processing Purpose	Legal Basis
Service delivery and account management	Contract performance
Security and fraud prevention	Legitimate interests
Legal compliance	Legal obligation
Marketing communications	Consent (opt-in)
Analytics and improvements	Legitimate interests

5. How We Share Your Information

5.1 We DO NOT Sell Your Data

We do not and will never sell, rent, or trade your personal information to third parties for their marketing purposes.

5.2 Service Providers

We share data with trusted third-party service providers who assist us in operating our service:

• Cloud hosting: For secure data storage and infrastructure
• Payment processors: For handling subscription payments (Stripe, PayPal)
• Email services: For transactional emails and notifications
• Analytics providers: For understanding usage patterns (with anonymization)

All service providers are contractually obligated to protect your data and use it only for specified purposes.

5.3 API and Data Providers

• CoinGecko API: Cryptocurrency price data, market cap, volume (no personal data shared, only coin IDs)
• Exchange APIs (read-only):
  • Binance API - Portfolio balances, trade history
  • Coinbase API - Account balances, transaction history
  • Pionex API - Trading bot performance, holdings
  Your API keys are encrypted and used only to fetch your portfolio data. We NEVER request withdrawal permissions.
• Blockchain RPC providers: Public wallet addresses queried on blockchain networks (Ethereum, BSC, Polygon, Arbitrum, Optimism, Avalanche)
• Stripe: Payment processing for premium subscriptions (they collect payment card data, not us)
• Google OAuth (optional): If you choose Google sign-in, we receive your email and profile name
• Telegram Bot API (optional): If you enable Telegram notifications, your Telegram chat ID is stored
• Nodemailer/Email service: For sending transactional emails (password resets, alerts, reports)

5.4 Legal Requirements

We may disclose your information if required to:

• Comply with legal obligations (court orders, subpoenas)
• Protect our rights and property
• Prevent fraud or illegal activity
• Protect the safety of users or the public

5.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. You will be notified of any such change.

6. Data Security

We implement robust security measures to protect your data:

6.1 Technical Safeguards

• Encryption in transit: All data transmission uses TLS 1.3/SSL encryption (HTTPS)
• Password security: Passwords are hashed using bcrypt (cost factor 10, salted, one-way hash)
• API key encryption: Exchange API keys and secrets encrypted at rest using AES-256
• JWT authentication: JWT tokens with secure signatures for API authentication (stored in localStorage)
• Session management: Express-session with secure, httpOnly cookies (24-hour maxAge, secure flag in production)
• OAuth security: Google OAuth 2.0 with state parameter for CSRF protection
• Rate limiting: API rate limits to prevent brute force attacks
• Input validation: Server-side validation to prevent injection attacks

6.2 Organizational Safeguards

• Limited employee access to personal data
• Regular security training
• Data access logging and monitoring
• Incident response procedures

6.3 Your Responsibilities

• Use strong, unique passwords
• Enable two-factor authentication (if available)
• Keep your login credentials confidential
• Use secure devices and networks
• Report suspicious activity immediately

7. Data Retention

We retain your data for as long as necessary to provide our services:

Data Type	Retention Period
Account information	Active account + 30 days after deletion
Portfolio data	Active account + 30 days after deletion
Transaction history	7 years (for tax compliance purposes)
Usage logs	90 days
Support tickets	3 years
Marketing data	Until consent is withdrawn

You can request deletion of your data at any time by contacting us. Some data may be retained for legal compliance purposes.

8. Your Privacy Rights

Depending on your location, you may have the following rights:

8.1 GDPR Rights (EU/EEA Users)

• Right to access: Request a copy of your personal data
• Right to rectification: Correct inaccurate or incomplete data
• Right to erasure: Request deletion of your data ("right to be forgotten")
• Right to restrict processing: Limit how we use your data
• Right to data portability: Receive your data in a structured, machine-readable format
• Right to object: Object to certain types of processing
• Right to withdraw consent: Withdraw consent at any time
• Right to lodge a complaint: File a complaint with a supervisory authority

8.2 How to Exercise Your Rights

To exercise any of these rights:

• Email us at: support@cryptodashboardplus.com
• Use the in-app data export feature (for portability)
• Delete your account from settings (for erasure)

We will respond to your request within 30 days.

8.3 California Privacy Rights (CCPA)

California residents have additional rights:

• Know what personal information is collected
• Know whether personal information is sold or disclosed
• Opt-out of the sale of personal information (we don't sell data)
• Access personal information
• Request deletion of personal information
• Non-discrimination for exercising privacy rights

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws.

When we transfer data internationally, we use appropriate safeguards such as:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions for certain countries
• Privacy Shield certification (where applicable)

10. Children's Privacy

CryptoDashboardPlus is not intended for users under 18 years of age. We do not knowingly collect personal information from children.

If you believe we have collected information from a child under 18, please contact us immediately and we will delete the information.

11. Cookies and Tracking Technologies

11.1 Types of Cookies We Use

Cookie Type	Purpose	Required
Essential/Session	Authentication, security, basic functionality	Yes
Preference	Remember your settings (theme, language)	No
Analytics	Understand usage patterns	No
Performance	Cache data, improve load times	No

11.2 Managing Cookies

You can control cookies through:

• Browser settings (most browsers allow you to block cookies)
• Our cookie consent banner (when implemented)
• Third-party opt-out tools

Note: Blocking essential cookies may prevent the service from functioning properly.

11.3 Local Storage

We use browser local storage to cache portfolio data for faster loading and offline access. This data is stored on your device and can be cleared through your browser settings.

12. Third-Party Links

Our service may contain links to third-party websites (e.g., exchanges, blockchain explorers). We are not responsible for the privacy practices of these sites. Please review their privacy policies.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be effective when posted, with the "Last Updated" date revised.

For material changes, we will:

• Notify you via email
• Display a prominent notice on the platform
• Require re-acceptance for significant changes

14. Data Protection Officer

For privacy-related inquiries or to exercise your rights, contact:

• Email: support@cryptodashboardplus.com
• Subject Line: "Privacy Inquiry - CryptoDashboardPlus"

15. Supervisory Authority

If you are located in the EU/EEA and have concerns about our data processing, you have the right to lodge a complaint with your local data protection authority.