Privacy Policy
(Effective 29 April 2025 – v1.0)
This Privacy Policy explains how Gainz LLC (“Gainz”, “we”, “us”, “our”) collects, uses, shares and protects personal information when you use dca.bot, our mobile apps, dashboards, APIs or any other service that links to this notice (collectively, the “Services”). Please read it together with our Terms of Service, which include a binding arbitration clause and class-action waiver governing privacy disputes.
1. Who we are
Region served | Data controller | Contact |
---|---|---|
All users worldwide (United States, EEA, UK and others) | Gainz LLC, 3 Germay Dr, Unit 4 #2478, Wilmington, DE 19804, USA | [email protected] |
(Gainz LLC may designate an Article 27 EU representative in the future; any change will appear here.)
2. Information we collect
Category | Examples | How collected |
---|---|---|
Identifiers | E-mail address, IP address, device ID, username | account forms; automatic logs |
Customer records | Billing name, country, card last 4 digits & expiry | payment processor |
Commercial data | Subscription tier, invoices, support history | generated during use |
Internet activity | Pages viewed, referral URL, cookie IDs | cookies, pixels, SDKs |
Approximate geolocation | City/region inferred from IP | automatic |
Trading metadata | Exchange account alias, order size, schedule, outcomes | via your encrypted API keys |
Marketing preferences | Newsletter opt-in, campaign tags | you provide |
We do not knowingly collect social-security numbers, driver-licence data, precise GPS coordinates, biometric data or children's data (see Section 11).
3. Why we use personal information and our legal bases
Purpose | Typical data used | Legal basis* |
---|---|---|
Create & secure your account; place/cancel orders | identifiers, trading metadata | Contract performance |
Process payments & keep accounts | billing data, transaction IDs | Contract; legal obligation |
Detect & prevent fraud or abuse | identifiers, logs, geolocation | Legitimate interests; legal obligation |
Improve and debug Services | aggregated analytics, crash logs | Legitimate interests |
Send product updates or marketing | identifiers, preferences | Consent (withdrawable) |
Comply with law, enforce Terms, defend claims | any relevant category | Legal obligation; legitimate interests |
* For users in the EEA/UK these correspond to GDPR Art. 6. Our legitimate interests include platform security, fraud prevention, product improvement, and protection of legal rights.
4. Cookies and similar technologies
We use:
- Essential cookies – session continuity, authentication, fraud prevention.
- Analytics cookies – privacy-respecting tools (e.g., Plausible, GA4 with IP-anonymisation).
- Marketing cookies/pixels – only if you opt in to them.
EEA/UK visitors see a consent banner that lets them accept or reject non-essential cookies.
5. How we share information
Gainz does not sell personal information and does not share it for cross-context behavioural advertising. We disclose data only to:
- Service providers – AWS (us-east-1, us-west-2, eu-central-1), e-mail/SMS vendors, analytics, payment processors (contract-bound).
- Exchanges – order instructions sent via your API keys; we never transmit your exchange password or secret key in plain text.
- Affiliates – internal business uses consistent with this Policy.
- Authorities – when required by law or to protect rights, property or safety.
- Business transfers – if we merge, sell or reorganise; subject to confidentiality.
- Aggregated/anonymised data – cannot reasonably identify you.
6. International transfers
We store data in the United States and Germany. When personal data from the EEA/UK moves to the US we rely on the Standard Contractual Clauses (2021) plus supplementary measures (TLS in transit, AES-256 at rest, strict access controls).
7. Security and breach response
- TLS 1.2+ encryption in transit.
- AES-256 encryption of secrets (API keys) at rest.
- Role-based staff access and audited logs.
- Annual penetration tests and continuous vulnerability scanning.
Breach notification. If a breach leads to unauthorised personal-data access we will investigate promptly and notify affected users and regulators in line with GDPR Arts 33-34 and applicable U.S. state breach laws.
8. Data retention
Data type | Retention |
---|---|
Account credentials | Life of account + 30 days |
Encrypted API keys | Deleted within 24 h of removal or account closure |
Trading metadata & invoices | 5 years (tax/AML) |
Server logs & analytics IDs | 12 months |
Marketing-consent logs | 3 years after last e-mail |
Support tickets | 3 years after closure |
We securely erase or anonymise data once no longer needed, unless law requires longer storage.
9. Your privacy rights
9.1 EEA & UK
Access, rectification, erasure, restriction/objection, portability, withdraw consent, complaint to a supervisory authority (e.g., your local DPA).
9.2 United States (CA, VA, CO, CT, UT)
Access, correction, deletion, opt-out of targeted ads / sale or sharing / certain profiling, and the right to appeal a denied request.
9.3 How to exercise
E-mail [email protected] or use the in-app privacy centre. We verify identity and respond within one month (30 days for US-state requests). Authorised agents may act with signed permission.
10. Notice at collection (California Civil Code § 1798.100)
CCPA category | Examples | Purpose | Retention |
---|---|---|---|
A – identifiers | e-mail, IP, device ID | account, security | life of account + 30 days |
B – customer records | billing name, card last 4 | payment | 7 years |
D – commercial info | subscription tier, invoices | accounting | 5 years |
F – internet activity | logs, cookie IDs | analytics, fraud | 12 months |
G – geolocation (approx.) | city/region | localisation, security | 30 days |
We do not intentionally collect CCPA categories C, E, H, I, J or K.
You can opt out of any future "sale or sharing" by clicking Do Not Sell or Share My Personal Information in the footer.
11. Children's privacy
The Services are not directed to children under 18. If we learn we have collected personal information from a child under 18, we delete it immediately.
12. Automated decision-making
Trades are executed automatically according to parameters you set. You can pause or change strategies at any time, so this processing does not produce legal or similarly significant effects within the meaning of GDPR Art. 22. You may request human review if you believe an automated action adversely affected you.
13. Changes to this Policy
We may update this Policy. Material changes will be announced by e-mail or in-app banner at least 30 days before taking effect.
Change log
- v1.0 (29 Apr 2025) – initial release
14. Contact us
- E-mail: [email protected]
- Mail: Gainz LLC, 3 Germay Dr, Unit 4 #2478, Wilmington, DE 19804, USA
Any dispute arising under this Privacy Policy is subject to the arbitration clause and class-action waiver in our Terms of Service.