Scope & applicability
This policy applies to all users located in the European Union (EU) and European Economic Area (EEA) and governs how MagicTradeBot processes personal data in compliance with Regulation (EU) 2016/679 — the General Data Protection Regulation ("GDPR").
Because MagicTradeBot is a self-hosted binary, the personal data we control is limited to what is required to operate our website, manage accounts, and validate licenses. The division of data controller responsibilities is as follows:
| Data category | Controller | Description |
|---|---|---|
| Account & registration data | MagicTradeBot | Name, email address, password hash, account preferences |
| License & billing data | MagicTradeBot | Transaction references, license keys, purchase history |
| Technical & security logs | MagicTradeBot | IP addresses, login events, session data (retained 12 months) |
| Support communications | MagicTradeBot | Email threads, ticket content, submitted evidence |
| Trading data & bot configuration | You (the user) | API keys, trade history, strategy files — stored on your server |
| Exchange API credentials | You (the user) | We never receive or store your exchange API keys |
Lawful basis for processing
Under GDPR Article 6, all personal data processing must have a lawful basis. The following table sets out our processing activities and their corresponding legal grounds:
| Processing activity | Lawful basis | GDPR article |
|---|---|---|
| Account creation and authentication | Contract performance | Art. 6(1)(b) |
| License validation and activation | Contract performance | Art. 6(1)(b) |
| Payment processing via NowPayments | Contract performance | Art. 6(1)(b) |
| Security monitoring and fraud prevention | Legitimate interests | Art. 6(1)(f) |
| Sending service and security notices | Legitimate interests / contract | Art. 6(1)(b)(f) |
| Marketing and promotional emails | Consent (opt-in) | Art. 6(1)(a) |
| Retention of billing records | Legal obligation (tax regulation) | Art. 6(1)(c) |
| Anonymised analytics & improvement | Legitimate interests | Art. 6(1)(f) |
Your GDPR rights
As an EU/EEA data subject you have the following rights under GDPR. All requests are processed free of charge within 30 days of receipt of a complete request.
A. Right of access (Article 15)
You may request confirmation of whether we process your personal data and, if so, receive a copy of that data along with information about how it is processed.
GDPR Access Request — [your account email]. Include your account email and license key. We will respond within 30 days with a data export in JSON or CSV format.
B. Right to rectification (Article 16)
You have the right to correct inaccurate personal data or complete incomplete data we hold about you. For most account fields (name, email) this is available via self-service in your Account Dashboard. For other corrections, contact us directly.
C. Right to erasure — "Right to be forgotten" (Article 17)
You may request deletion of your personal data. We will fulfil erasure requests subject to the following:
| Data category | Erasure outcome |
|---|---|
| Account profile data (name, email, preferences) | Deleted within 30 days of request |
| License activation records | Deleted after legal retention period (7 years for billing records under financial regulations) |
| Security and IP logs | Deleted after 12-month retention period |
| Support ticket content | Deleted 2 years after ticket closure |
| Billing transaction records | Retained for 7 years as required by tax law — cannot be erased earlier |
D. Right to data portability (Article 20)
You may request a copy of your personal data in a structured, commonly used, machine-readable format (JSON or CSV) suitable for transfer to another service. Submit portability requests to sales@magictradebot.com with subject GDPR Portability Request.
E. Right to restrict processing (Article 18)
You may request that we temporarily halt processing of your personal data in the following circumstances:
- You contest the accuracy of data we hold — processing is paused during verification
- Processing is unlawful but you prefer restriction over deletion
- We no longer need the data but you require it for legal claims
- You have objected to processing under Article 21 — pending verification
F. Right to object (Article 21)
You have the right to object to processing based on legitimate interests or for direct marketing purposes:
- Marketing emails. Unsubscribe via the link in any marketing email, or email us with subject GDPR Marketing Opt-Out.
- Profiling or automated decision-making. Contact us to opt out of any automated processing that significantly affects you.
G. Right to withdraw consent (Article 7)
Where processing is based on your consent (e.g. marketing emails), you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal. Contact us or use the unsubscribe link in any marketing communication.
H. Right to lodge a complaint (Article 77)
If you believe we have processed your personal data unlawfully, you have the right to lodge a complaint with your national data protection authority. You may do this without first raising the matter with us, though we encourage you to contact us first so we can attempt to resolve the issue directly.
Data processing details
| Data type | Purpose | Lawful basis | Retention |
|---|---|---|---|
| Account data (name, email) | Authentication, support, licence management | Contract | Until deletion + 30 days |
| Billing records (TxHash, amount) | License activation, fraud prevention | Contract + legal obligation | 7 years |
| IP addresses & access logs | Security monitoring, abuse prevention | Legitimate interests | 12 months |
| Support communications | Issue resolution, quality improvement | Contract + legitimate interests | 2 years after closure |
| Marketing consent records | Proof of consent for marketing | Legal obligation | Until withdrawn + 3 years |
| Anonymised analytics | Platform improvement | Legitimate interests | Indefinite (not personal data) |
International data transfers
MagicTradeBot is operated from Pakistan. If you are located in the EU/EEA, your personal data is transferred to and processed in a country outside the EEA. We ensure appropriate safeguards are in place for such transfers:
- Standard Contractual Clauses (SCCs). Where we use EU-approved SCCs with processors outside the EEA, including any cloud infrastructure or analytics providers.
- Adequacy decisions. Where transfers are made to countries covered by a European Commission adequacy decision.
- Processor agreements. All third-party processors who handle EU personal data are bound by data processing agreements requiring GDPR-equivalent protections.
GDPR Transfer Enquiry.
Security measures
We implement technical and organisational measures appropriate to the risk of processing personal data, consistent with GDPR Article 32:
- Encryption in transit. TLS 1.3 for all data transmitted between your browser and our servers.
- Encryption at rest. AES-256 for all stored sensitive data.
- Access controls. Role-based access (RBAC) and two-factor authentication required for all staff with access to personal data.
- Pseudonymisation. Where possible, personal identifiers are replaced with licence keys or anonymised tokens in internal processing.
- Breach notification. In the event of a personal data breach we will notify the relevant supervisory authority within 72 hours of becoming aware, and notify affected individuals without undue delay where there is high risk to their rights and freedoms (Article 33/34).
Third-party processors
We use a limited number of third-party service providers who process personal data on our behalf. All are bound by data processing agreements (DPAs):
| Processor | Purpose | Data transferred |
|---|---|---|
| NowPayments | Crypto payment processing | Transaction reference only — no personal financial data |
| Resend | Transactional email delivery | Name, email address |
| Google Analytics | Anonymised website analytics | Anonymised usage data — IP anonymisation enabled |
| Cloud infrastructure provider | Hosting of website and license validation service | Account and license data (encrypted at rest) |
We do not sell or rent personal data to any third party. See our full Privacy Policy for complete details on data sharing.
Exercising your rights
To submit any GDPR data rights request, contact our privacy team:
Include with your request:
- Your account email address and license key
- The specific right you are exercising
- Proof of identity for sensitive requests (e.g. government-issued ID if requesting deletion of all data)
Policy updates
This GDPR Compliance Policy is reviewed annually and updated when changes to our processing activities, applicable law, or regulatory guidance require it. When material changes are made:
- The "Last Updated" date at the top of this page is updated
- Registered EU/EEA users are notified via email
- A notice is displayed on the platform dashboard for 30 days
Continued use of MagicTradeBot after changes are published constitutes acknowledgement of the updated policy.
Contact & supervisory authority
For all GDPR-related questions, data rights requests, or compliance enquiries:
If you are not satisfied with our response, you have the right to lodge a complaint with your national supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu.