Privacy Policy
Last updated: March 2026
Plutarc (“we”, “us”, “our”) is committed to protecting your personal data. This Privacy Policy explains what data we collect, why we collect it, how we store and protect it, who we share it with, and what rights you have over it.
By using Plutarc at plutarc.cc, you agree to the practices described in this policy.
1. Who We Are
Plutarc is operated as an independent software product. For data protection enquiries, contact us at: support@plutarc.cc
2. What Data We Collect
2.1 Account Data
When you register, we collect:
- Email address
- Authentication credentials (managed by our third-party authentication provider, Clerk — Plutarc does not store passwords directly)
- Subscription plan and billing status
2.2 Configuration Data
To operate your bot, we store in Convex:
- Trading strategy templates and component parameters you configure
- Bot state and activation status
2.3 API Key Data
When you connect an exchange account, we store your API key and secret in Convex. These credentials are:
- Encrypted at rest using AES-256-GCM authenticated encryption with per-operation random nonces
- Decrypted only at runtime by your dedicated bot instance
- Never logged, exposed in plaintext, or accessible to Plutarc staff
2.4 Trade History
Your bot's execution records — including trade timestamps, asset pairs, order types, and outcomes — are stored in Convex for the lifetime of your account. This data is used to populate your dashboard and is never used for any other purpose.
2.5 Payment Data
Payments are processed by Stripe. We do not store your card number, CVV, or full payment details. We retain only what Stripe provides us: a subscription status, a billing interval, and an anonymised payment method summary (e.g. card type and last four digits).
2.6 Technical Data
We may collect standard technical data including IP address, browser type, and access timestamps for security and diagnostic purposes. This data is not used for tracking or advertising.
3. Why We Collect It (Lawful Basis)
| Data | Purpose | Lawful Basis |
|---|---|---|
| Account data | Account management, authentication | Contract performance |
| Configuration data | Bot operation | Contract performance |
| API key data | Exchange connectivity for bot operation | Contract performance |
| Trade history | Dashboard, user reference | Contract performance |
| Payment data | Billing and subscription management | Contract performance / Legal obligation |
| Technical data | Security, fraud prevention, diagnostics | Legitimate interests |
| Analytics data | Aggregate usage patterns, service improvement | Legitimate interests |
We do not process your data for marketing, profiling, or advertising purposes. We do not sell your data to any third party.
4. How We Store and Protect Your Data
4.1 Convex
Account data, configuration, API keys, and trade history are stored in Convex, a cloud database platform. Convex operates data centres in the European Union (Ireland) and applies industry-standard security controls.
4.2 Compute Infrastructure
Your dedicated bot instance runs on a compute instance hosted in the EU. Infrastructure providers are GDPR-compliant. Your bot instance does not persist data independently — all structured data is written to Convex.
4.3 Deployment Orchestration
Plutarc uses a self-hosted deployment orchestration system to provision and manage bot instances. This system processes deployment metadata only and does not have access to your account data, API keys, or trade history.
4.4 Stripe
Payment processing is handled by Stripe, Inc. Stripe is certified to PCI DSS Level 1. We share only what is necessary for billing — your email address and subscription details.
4.5 GitHub
Bot software is deployed from a private GitHub repository. GitHub does not have access to your account data, API keys, or configuration.
4.6 API Key Security
Your exchange API credentials are encrypted at rest using AES-256-GCM. They are decrypted only in-memory within the isolated runtime of your dedicated compute instance — never written to disk in plaintext, never logged, and inaccessible to Plutarc staff.
5. Data Retention
| Data | Retention Period |
|---|---|
| Account data | Retained while your account exists; deleted on account closure |
| Configuration data | Retained while your account exists; deleted on account closure |
| API key data | Retained while your account exists; deleted on account closure or on your request |
| Trade history | Retained while your account exists; deletable on request by contacting us |
| Payment data | Retained as required for legal and tax compliance (typically 7 years) |
| Technical / log data | Retained for up to 90 days for security purposes |
Cancellation of a subscription does not delete your account or its associated data. Account closure and data deletion are separate actions available via your account settings or by contacting us at support@plutarc.cc.
6. Your Rights
Under UK GDPR, you have the following rights over your personal data:
- Right of access — request a copy of the data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your data (subject to legal retention obligations)
- Right to portability — request your data in a structured, machine-readable format
- Right to restriction — request that we limit processing of your data in certain circumstances
- Right to object — object to processing based on legitimate interests
Self-serve options: You can export your trade history and account configuration directly from the Plutarc dashboard at any time without contacting us. To request deletion of your trade history, contact us at support@plutarc.cc.
For all other requests, contact us at support@plutarc.cc. We will respond within 30 days.
If you are unsatisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
7. International Users
Plutarc is operated from the United Kingdom and is available to users globally. By using Plutarc, you acknowledge that your data may be transferred to and processed in countries outside your own, including the European Union, where both Convex and compute infrastructure are hosted.
California Residents (CCPA)
Plutarc does not sell personal data. California residents may contact us at support@plutarc.cc to exercise any rights available to them under the California Consumer Privacy Act.
EU and EEA Residents
Your data is processed in accordance with the EU General Data Protection Regulation (GDPR). You have the same rights as UK users described in Section 6, and may lodge a complaint with your local supervisory authority.
8. Cookies and Analytics
Plutarc uses cookies necessary to maintain your authenticated session on the dashboard. We do not use advertising cookies or tracking cookies that follow you across other websites.
We use privacy-focused analytics tools (Rybbit and Vercel Analytics) to understand aggregate usage patterns such as page views and visit duration. These tools do not use cookies for cross-site tracking, do not collect personally identifiable information, and are not used for advertising or profiling.
9. Children
Plutarc does not knowingly collect data from individuals who do not meet the minimum age requirements of the exchanges they connect to. If you believe a minor has created an account, contact us at support@plutarc.cc and we will investigate and delete the account if confirmed.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or dashboard notice at least 14 days before they take effect.
11. Contact
For any data protection queries or to exercise your rights: support@plutarc.cc
For complaints: Information Commissioner's Office — ico.org.uk