Privacy Policy

How we collect, use, and protect your information when you use Zignalbox.

Effective date: June 1, 2026

1. Who We Are

Zignalbox ("we", "our", "us") is an automated algorithmic trading signal service. We operate the platform available at app.zignalbox.com and zignalbox.com.

This Privacy Policy explains what personal data we collect, why we collect it, and how we protect it. By using Zignalbox, you agree to the practices described here.

2. Information We Collect

Account information — When you register, we collect your name, email address, and a hashed password. We never store your password in plain text.

Exchange credentials — If you connect a Binance account, we store your API key and API secret. See Section 4 for full details on how these are handled.

Notification settings — Your Telegram chat ID and WhatsApp phone number if you configure these channels.

Trade & signal data — Records of every trading signal received, every trade executed on your behalf, and performance metrics (entry, exit, P&L).

Subscription data — Your subscription tier (Starter / Pro / Elite), billing period, and promotional code if applicable.

Usage data — Server access logs (IP address, timestamp, HTTP method, response status). These are retained for security auditing and deleted after 90 days.

Multi-factor authentication — If you enable MFA, we store only the encrypted TOTP secret. We do not have access to your MFA codes.

3. How We Use Your Information

  • Trade execution — We use your exchange API credentials to place and manage orders on Binance on your behalf.
  • Notifications — We use your Telegram ID, WhatsApp number, or email to send trade alerts, signal confirmations, and account security notices.
  • Service operation — Account authentication, session management, subscription enforcement, and platform feature delivery.
  • Security — IP monitoring, brute-force protection, API key health checks, and intrusion detection.
  • Service improvement — Anonymized, aggregated performance metrics help us refine signal strategies. No individual trading data is used for this purpose without anonymization.

We do not sell your data. We do not use your trading data or account information for advertising.

4. Exchange API Keys

Your API keys are the most sensitive data we store. We treat them with the highest level of protection available.

  • API keys and secrets are encrypted at rest using AES-256-GCM with a key-encryption key (KEK) stored separately in environment variables — never in the database.
  • Keys are decrypted only in memory at the moment of use (trade execution or balance check) and immediately discarded.
  • We require that you create API keys with trade and read-only permissions only. Keys with withdrawal permissions are rejected at onboarding.
  • We actively monitor API key health every 24 hours and alert you if a key becomes invalid or your IP restriction drifts.
  • You can revoke and delete your API keys from Zignalbox at any time from the Exchange Settings page.

5. Data Sharing

We do not sell, rent, or share your personal data with third parties for marketing purposes. We may share data only in these limited circumstances:

  • Binance — Your API keys are sent to Binance's API servers solely to execute trades and retrieve balances on your behalf. We have no control over Binance's own privacy practices.
  • Notification providers — Your Telegram chat ID is sent to the Telegram Bot API. Your WhatsApp phone number is sent to Meta's Cloud API. Your email is sent to our transactional email provider (Resend). These are used only for trade alerts and account notices.
  • Infrastructure providers — Our hosting provider (Railway) and database provider (Supabase) process data on our behalf under data-processing agreements. They do not have independent access to your data for their own use.
  • Legal requirements — We may disclose information if required by law, court order, or to protect the rights and safety of Zignalbox and its users.

6. Data Retention

  • Active accounts — Account and trade data are retained for the life of your account plus 12 months after account closure.
  • API keys — Deleted from our database immediately when you disconnect your exchange account. Encrypted copies in backups are purged within 30 days.
  • Server logs — Access logs are retained for 90 days, then automatically deleted.
  • Notification records — In-app notifications are retained for 90 days.
  • Backup data — Database backups are retained for 30 days and then permanently deleted.

You may request deletion of your account and all associated data at any time by contacting us at hello@zignalbox.com. We will process deletion within 30 days.

7. Security

We implement industry-standard technical and organizational security measures:

  • All data in transit is encrypted using TLS 1.2+.
  • Exchange credentials are encrypted at rest with AES-256-GCM.
  • Authentication uses bcrypt-hashed passwords, JWT tokens with short expiry, and optional TOTP multi-factor authentication.
  • Binance API IPs are whitelisted and monitored for drift every 6 hours.
  • Rate limiting is applied on all public endpoints to prevent brute-force attacks.
  • Our pre-push CI/CD gate includes a security agent that audits every code change before deployment.

No system is 100% secure. If you discover a security vulnerability, please report it to hello@zignalbox.com and we will respond within 48 hours.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access — Request a copy of the personal data we hold about you.
  • Correction — Request that inaccurate data be corrected.
  • Deletion — Request that your data be deleted ("right to be forgotten").
  • Portability — Request your trade history and account data in a machine-readable format (JSON/CSV).
  • Objection — Object to processing of your personal data in certain circumstances.

To exercise any of these rights, contact us at hello@zignalbox.com. We will respond within 30 days. Identity verification may be required before we process your request.

9. Cookies & Tracking

Zignalbox uses a minimal set of browser storage technologies:

  • localStorage — JWT authentication tokens are stored in your browser's localStorage to maintain your session. These are not cookies and are not transmitted to third parties.
  • sessionStorage — Temporary UI state (e.g., pending onboarding steps) stored only for the duration of your browser session.
  • No advertising trackers — We do not load Facebook Pixel, Google Analytics, or any third-party advertising or behavioral tracking scripts on authenticated dashboard pages.
  • Cloudflare Turnstile — Our public-facing pages (registration, login, request access) use Cloudflare Turnstile for bot protection. This processes your IP address and browser signals to verify you are human. See Cloudflare's Privacy Policy for details.

10. Children's Privacy

Zignalbox is a financial services platform. You must be at least 18 years of age (or the age of legal majority in your jurisdiction) to use our service. We do not knowingly collect personal information from minors. If you believe a minor has registered, please contact us and we will delete the account immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the effective date at the top of this page.
  • Send a notification via your configured channel (Telegram, email, or in-app) at least 7 days before the change takes effect.

Your continued use of Zignalbox after the effective date constitutes acceptance of the updated policy. If you do not agree with the changes, you may close your account before the effective date.

12. Contact

For privacy-related questions, data requests, or security reports:

Email: hello@zignalbox.com

We aim to respond to all privacy inquiries within 5 business days.

Zignalbox operates under the laws of the Republic of Costa Rica. For EU/EEA residents: Zignalbox is not currently subject to GDPR as we do not have an establishment in the EU, but we voluntarily apply GDPR-equivalent data protection standards.
