Privacy Policy

Effective July 3, 2026

Deptle Ltd · Company No. 14327806 · [email protected]

The honest summary: we run your account, your devices, and a security log — and we designed the product so that your exchange keys, strategies, trades, and market activity never reach us at all. No analytics, no trackers, no selling data. The details, and your rights, follow.

Who we are and what this covers

In plain terms

Deptle Ltd (UK) is responsible for your data. This one policy covers the website, your account, and the desktop app.

This policy explains how Deptle Ltd (company number 14327806, registered office 128 City Road, London, United Kingdom, EC1V 2NX) handles personal data when you use deptle.com, your Deptle account, and the Deptle Terminal desktop application (together, the Service). Deptle Ltd is the data controller.

We are subject to the UK GDPR and, where we serve people in the European Union, the EU GDPR. Privacy questions and requests: [email protected].

EU representative: we will appoint a representative in the European Union under Article 27 EU GDPR before public launch; their name and contact details will be published here.

What we deliberately never collect

In plain terms

Your exchange keys, your strategies, your trades, and your market-data usage never reach us. There are no analytics or trackers anywhere.

Deptle Terminal is built so that the most sensitive things never leave your machine. We do not collect, receive, or store:

  • your exchange API keys — they are stored only in your operating system’s credential store and are never transmitted to us;
  • your strategies, code, and research — they stay on your device; the software does not upload them;
  • your orders, positions, or balances — orders are signed on your device and sent directly to the exchange, and we are not in that path;
  • your market-data usage — the application retrieves market data directly from the exchanges;
  • behavioral analytics of any kind — no analytics scripts, no advertising or tracking cookies, no session recording, on either the website or the application.

What we collect

In plain terms

An account (email, username), your registered devices, a security log with IP addresses, and whatever you write to support.

Account data. Email address, username, and a password (stored as a secure hash by our authentication provider), plus your membership tier and account status.

Device data. To enforce the three-device limit and protect accounts, each machine that runs the application registers a device identity: a cryptographic device key (public part), a derived device ID, a one-way hardware fingerprint hash, an optional label, and last-seen timestamps.

Security log. Security-relevant events — sign-ins, application launches, profile changes, device revocations, and suspected ban evasion — are recorded with the event type, result, device ID, IP address, and time. You can see your own recent activity in your dashboard.

Crash and error reports. If the website or application encounters an error, a technical report (application version, operating system, stack trace) is sent to our error service. These reports are configured not to include personal content, and session replay is disabled.

Support correspondence. If you write to us, we keep the correspondence for as long as needed to help you and to keep a record of the request.

The desktop application specifically

In plain terms

When the app starts, it authenticates you and your device with our servers. While it runs, everything trading-related stays between your machine and your exchange.

Starting Deptle Terminal involves our servers: the launcher authenticates your account, presents the device identity described above, checks your subscription, and downloads the signed application package. Each of these requests necessarily reveals your IP address and client version to us, and launch events appear in the security log.

Once running, the application’s trading functions — market data, order placement, account queries — communicate directly between your machine and your chosen exchanges using your locally-stored keys. Crash logs are written locally on your machine and, in release builds, sent to our error service as described above.

Why we process it (and the legal bases)

In plain terms

To run your account and the software (contract), to keep accounts and the product secure (legitimate interests), and to meet legal duties. Nothing is based on consent we'd need to nag you for.

  • Providing the Service — creating and operating your account, authenticating you, delivering and licensing the software, enforcing device limits, providing support. Legal basis: performance of our contract with you (Art. 6(1)(b)).
  • Security and anti-abuse — the security log, device fingerprinting, rate limiting, and ban-evasion detection that protect your account, other users, and the integrity of the software. Legal basis: our legitimate interests (Art. 6(1)(f)) in securing the Service; we have assessed that these measures do not override your rights, and you can object (section 9).
  • Diagnostics — crash and error reports used solely to find and fix defects. Legal basis: legitimate interests.
  • Legal compliance — retaining records where law requires (for example, billing records once paid subscriptions operate). Legal basis: legal obligation (Art. 6(1)(c)).

We send only transactional email (account confirmation, security notices, service messages). We do not send marketing email, so we do not process your data for marketing.

Where your data lives

In plain terms

Primary storage is in London. EU-to-UK transfers are covered by the EU's adequacy decision, and our error service is hosted in the EU.

Account, device, and security-log data are stored with our authentication and database provider, Supabase, hosted on AWS in the London region (eu-west-2), United Kingdom. For users in the EU/EEA, transfers to the UK are covered by the European Commission’s adequacy decision for the United Kingdom. Crash and error reports are processed by Sentry with EU (Germany) data ingestion.

Website and API traffic passes through Cloudflare’s global network for security and delivery. Where any provider processes limited data outside the UK/EEA, transfers rely on recognized safeguards (adequacy decisions, the EU–US Data Privacy Framework, or standard contractual clauses).

Who we share it with

In plain terms

Only the infrastructure providers that run the service — never sold, never given to advertisers.

We share personal data only with the processors that operate the Service on our behalf, under data-processing agreements:

  • Supabase — authentication and database (London, UK);
  • Sentry — crash and error reporting (EU ingest);
  • Cloudflare — network security, DNS, and content delivery;
  • Hetzner Online — server infrastructure hosting our application servers (Helsinki, Finland, EU);
  • a payment processor, once paid subscriptions launch — it will be named here before we take a single payment (we will never store your card details ourselves).

We do not sell personal data, and we do not share it with advertisers or data brokers. We may disclose data where the law compels us to, or as part of a corporate transaction under section 20 of the Terms of Service — in which case this policy continues to apply to it.

How long we keep it

In plain terms

Account data for as long as the account exists. Security logs for 12 months. Deleted account = deleted data.

  • Account and device data: for as long as your account exists. Devices you revoke remain listed (as revoked) while the account exists.
  • Security log: 12 months on a rolling basis.
  • Crash reports: retained by our error service for a limited operational period, then deleted.
  • Sign-in handshake records (desktop authorization codes): minutes — they expire and are removed almost immediately.
  • Support correspondence: as long as needed for the matter, then archived or deleted.

When you delete your account (section 9), the associated account, device, and security-log records are deleted immediately as part of the deletion.

Your rights — including instant deletion

In plain terms

You can see, fix, export, and delete your data. Deletion is self-serve in your dashboard and takes effect immediately.

Under the UK and EU GDPR you have the rights of access, rectification, erasure, restriction, portability, and objection (including to processing based on legitimate interests). Here is how to exercise them:

  • See your data: your dashboard shows your profile, devices, and recent security activity. For a complete copy (access/portability), email [email protected] from your account email — we respond within one month.
  • Fix your data: username, email, and password are self-serve in Settings.
  • Delete your account: self-serve in Settings → Delete account. It takes effect immediately and permanently removes your profile, registered devices, security log, and sign-in identity. Suspended accounts must request deletion via [email protected] instead — we may retain the minimum data needed to keep a ban effective, where the law permits.
  • Object or restrict: email [email protected]; note that some security processing (section 5) is necessary to offer the Service at all.

You also have the right to complain to a supervisory authority: the UK Information Commissioner’s Office (ico.org.uk) or, if you are in the EU, your national authority (for example, the CNIL in France).

How we protect it

In plain terms

Encryption in transit and at rest, hardware-backed credential storage on your machine, and server-side access controls — plus the best protection of all: not collecting things.

Data is encrypted in transit (TLS) and at rest with our providers. Sensitive tokens in our own systems are additionally encrypted at the application layer. On your machine, credentials live in the operating system’s native secure store. Server-side, row-level security restricts each account to its own records, requests are rate-limited, and sign-in flows are hardened against timing and replay attacks. Application packages are cryptographically signed.

No system is perfectly secure. If we ever suffer a breach affecting your personal data, we will notify the relevant authority and, where required, you — without undue delay.

Automated security enforcement

In plain terms

No profiling, no automated decisions about you as a person. Security systems can automatically block a device or account — a human reviews it if you object.

We do not use your data for profiling, and we make no automated decisions about you that produce legal or similarly significant effects. Our security systems do automatically enforce technical rules — device limits, rate limits, and ban-evasion checks can block a device or restrict an account without human involvement. If you believe an automated restriction is wrong, contact [email protected] and a human will review it.

Children

In plain terms

The service is 18+. We don't knowingly hold minors' data.

The Service is for adults (18+), as set out in the Terms of Service. We do not knowingly collect personal data from anyone under 18; if you believe we hold such data, contact [email protected] and we will delete it.

Cookies

In plain terms

One strictly-necessary sign-in cookie. That's the whole story.

The website sets a single strictly-necessary authentication cookie and nothing else — no analytics or tracking cookies of any kind. The full detail is in the Cookie Policy.

Changes to this policy

In plain terms

If we change what we collect or why, we'll update this page and tell you about material changes in advance.

We will update this policy when our practices change — for example, when subscriptions launch and a payment processor is added, or when our EU representative is appointed. Material changes will be announced by email or in the product before they take effect, and every version carries its effective date at the top. Questions: [email protected].

Questions about this document? Contact [email protected]. The plain-language summaries are provided for readability only; the full text of each section governs.