Last reviewed: May 20, 2026
Privacy policy
How CryptoCompanion collects, uses, protects, exports, and deletes product data.
/* REPLACE BEFORE LAUNCH: Replace with a jurisdiction-aware Privacy Policy from Termly, TermsFeed, or iubenda and update subprocessors, retention periods, and company contact details. */
Use a template generator before launch:
- Termly Privacy Policy Generator
- TermsFeed Privacy Policy Generator
- iubenda Privacy and Cookie Policy Generator
Data we collect
CryptoCompanion collects account information such as email address, authentication state, plan status, affiliate attribution, and support-contact details. When users connect an exchange, CryptoCompanion stores read-only exchange credentials in encrypted form and imports portfolio holdings, trades, balances, and related metadata needed to power product features.
The product may also process alerts, watchlists, journal notes, AI conversation context, tax-report settings, notification preferences, consent choices, device metadata, IP address, user agent, and operational logs.
How we use data
Data is used to authenticate users, operate dashboards, sync read-only exchange data, calculate portfolio and tax summaries, send alerts, maintain security, enforce plan limits, support account export or deletion, improve product reliability, and respond to support requests.
CryptoCompanion does not sell personal data. Optional analytics and marketing cookies are disabled until a user grants consent.
Data sharing and processors
CryptoCompanion may use infrastructure, database, cache, email, payment, monitoring, AI, and analytics providers to operate the service. Before production launch, this section must list each processor, its purpose, and a link to its data-processing terms.
Payment information will be handled by the selected payment provider. CryptoCompanion should not store raw card numbers.
Retention, export, and deletion
Users can request account export and deletion from the product. Some audit records, including consent history and security logs, may be retained when required for legal, fraud-prevention, security, or compliance reasons, but direct personal identifiers should be minimized where possible.
Deletion timing, backup retention, and jurisdiction-specific privacy rights must be finalized before public launch.
Security
Exchange API secrets are encrypted before storage and decrypted only inside the sync worker. Access to user data should be role-limited, audited where appropriate, and protected by TLS in production.