Privacy Policy
1. Introduction & who we are
This Privacy Policy explains how the operator of the Dojiq service (“Dojiq,” “we,” “us”) processes personal data when you use the Software, website, and related services (the “Service”). It should be read together with the Terms of Service and EULA.
The data controller for the processing described here is deToon, Kerklaan 30, 9751 NN Haren, the Netherlands (Chamber of Commerce (KvK) no. 71447210; VAT no. NL002349019B52), contactable at info.dojiq@gmail.com.
2. Scope & roles
This policy covers personal data we process as a controller — that is, where we decide the purposes and means of processing (for example, your account and the operation of the Service). It does not cover the processing that your Brokers (such as Alpaca and Bitvavo), your payment card network, or other independent third parties carry out as their own controllers under their own privacy policies; you should review those separately. When the Service transmits your trading instructions to a Broker, the Broker processes the resulting data as an independent controller.
3. Personal data we collect
| Category | Examples |
|---|---|
| Account data | Username, display name, email address, a securely hashed password, account status, and preferences. |
| Access-request data | The email address and any note you submit to request an invitation, plus verification and password-reset tokens. |
| Connected-account credentials | The broker/exchange API keys and secrets you provide, stored encrypted at rest (see section 5), plus the exchange name, account label, and whether it is live or paper. |
| Trading & usage data | Your strategy selections and configuration, paper and live orders, positions, portfolio and balance snapshots, signals, and the actions you take in the Service. |
| Technical & log data | IP address, session identifiers, device/browser information, request logs, and diagnostic data used to operate and secure the Service. |
| Security & audit data | Login attempts and outcomes, control/flag changes, broker-connection events, and similar audit-log entries. |
| Billing data | If you subscribe, subscription status, plan, and processor identifiers. Payment card details are handled by our payment processor; we do not receive or store full card numbers. |
| Communications | Emails and support messages you exchange with us and related metadata. |
We do not intentionally collect special-category personal data, and you should not provide it. Most trading data is financial rather than sensitive, but you should treat your account as confidential.
4. How & why we use your data (and our legal bases)
Under the GDPR we must have a legal basis for each purpose. We rely on the following:
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Create and administer your account; provide the Service; run strategies and transmit the Orders you configure to your Brokers; show your dashboards. | Performance of a contract (Art. 6(1)(b)). |
| Secure the Service: authentication, brute-force and abuse protection, audit logging, fraud and incident prevention. | Legitimate interests (Art. 6(1)(f)) in operating a secure service; and, where applicable, legal obligation. |
| Manage invitations, verification, and password resets; communicate about your account and material changes. | Contract and legitimate interests. |
| Process subscriptions and payments. | Contract; legal obligation for tax/accounting records. |
| Improve, debug, and maintain the Service, and develop new features. | Legitimate interests, balanced against your rights (we use aggregated or minimised data where practical). |
| Comply with legal obligations and respond to lawful requests. | Legal obligation (Art. 6(1)(c)). |
| Any optional processing that requires it (e.g. non-essential communications). | Consent (Art. 6(1)(a)), which you may withdraw at any time. |
Where we rely on legitimate interests, you may object as described at section 11. We do not sell your personal data and we do not use it for third-party advertising.
5. How API keys & credentials are protected
Your broker and exchange API keys are among the most sensitive data you give us, so we treat them specially:
- they are encrypted at rest using strong, industry-standard authenticated encryption and are never stored in plain text;
- they are decrypted only transiently, in memory, at the moment they are needed to read data or to transmit an Order you have authorised;
- we strongly recommend that you issue trade-only keys with withdrawal and transfer permissions disabled, so that even in the unlikely event of exposure, funds cannot be moved off your account (Dojiq does not itself verify or enforce these Broker-side settings); and
- you can disconnect a Connected Account at any time, which removes its keys from active use.
Passwords are stored only as strong, salted, industry-standard one-way hashes and are never recoverable in plain text.
7. Sub-processors
We use the following categories of sub-processors, who process personal data on our behalf under contractual data-protection terms. Specific providers may change; we will keep this list current.
| Provider / category | Purpose | Region |
|---|---|---|
| Stripe (payments) | Subscription billing and payment processing | US / EU |
| Google (Gmail API) | Transactional email delivery | US / EU |
| Hosting / infrastructure | Application hosting and storage on our infrastructure | EU |
| Market-data & news sources | Prices, indicators, sentiment (generally non-personal) | Various |
Your Brokers (Alpaca, Bitvavo) are not our sub-processors; they are independent controllers with whom you have your own relationship.
8. International data transfers
Some recipients (for example, a U.S. broker such as Alpaca, or a payment or email provider) are located outside the European Economic Area. Where we transfer personal data internationally, we rely on an appropriate safeguard under the GDPR — such as an adequacy decision, the European Commission’s Standard Contractual Clauses, or another lawful transfer mechanism — and we take steps to ensure your data remains protected. Where you choose to connect a Broker located outside your region, the resulting transfer of your instructions and account data to that Broker is necessary to perform the contract you requested.
9. Data retention
We keep personal data only as long as necessary for the purposes described, then delete or anonymise it. In general: account and trading data are kept while your account is active and for a reasonable period afterwards to operate the Service, resolve disputes, and meet legal, tax, and accounting obligations; security and audit logs (such as login attempts) are kept for a limited period and then purged; and billing records are kept for the period required by law. You can request deletion as described below, subject to obligations that require us to retain certain records.
10. Security
We implement technical and organisational measures appropriate to the risk, including encryption of credentials at rest, one-way password hashing, signed session cookies, transport encryption, access controls, brute-force and account-targeting protections, and audit logging. No system is perfectly secure, and we cannot guarantee absolute security; you are responsible for keeping your own credentials confidential and for using trade-only API keys. If a personal-data breach occurs that is likely to result in a risk to your rights, we will notify the competent supervisory authority and, where required, affected users, in accordance with the GDPR.
11. Your rights
Subject to and in accordance with applicable law (including the GDPR), you have the right to:
- access the personal data we hold about you and obtain a copy;
- rectify inaccurate or incomplete data;
- erase your data (“right to be forgotten”) where the conditions are met;
- restrict or object to certain processing, including processing based on our legitimate interests;
- data portability — receive certain data in a structured, machine-readable format;
- withdraw consent at any time where processing is based on consent, without affecting prior processing; and
- lodge a complaint with a supervisory authority (section 16).
To exercise your rights, contact info.dojiq@gmail.com. We may need to verify your identity, and we will respond within the timeframes required by law. You can also disconnect any Connected Account at any time, which removes its stored keys from active use.
13. Automated processing & profiling
The Service executes automated trading according to the configuration you set; this automation operates on your own instructions and your own accounts and is not automated decision-making about you that produces legal or similarly significant effects on you within the meaning of GDPR Article 22. We do not use your personal data for automated profiling to make decisions about you. Signals and scores generated by the Service concern markets and instruments, not evaluations of your person.
14. Children
The Service is not directed to, and may not be used by, anyone under 18. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.
15. Changes to this policy
We may update this policy from time to time. We will change the version identifier and “last updated” date and, for material changes, notify you through the Service or by email. Continued use after a change takes effect constitutes acknowledgement of the updated policy, except where consent is required.
16. Contact & complaints
For any privacy question or to exercise your rights, contact our data-protection contact at info.dojiq@gmail.com, or by post at deToon, Kerklaan 30, 9751 NN Haren, the Netherlands. If you are in the EEA, you also have the right to lodge a complaint with your local data-protection supervisory authority; in the Netherlands this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl). We ask that you contact us first so we can try to resolve your concern.
info.dojiq@gmail.com is the only email address deToon operates in connection with Dojiq. Any message that purports to come from Dojiq or deToon but originates from any other address is not from us and is not authorised by us; we accept no responsibility or liability for it, and you should not rely or act on it.
Appendix A — Regulatory framework, compliance & sources
This appendix records the legal and regulatory frameworks that apply to the Dojiq service and to the regulated third parties through which your assets are custodied and your trades are executed, together with links to the authoritative public documentation. It forms part of, and is incorporated by reference into, each of Dojiq’s Terms of Service, End User License Agreement, and Privacy Policy. Where a linked third-party document conflicts with any summary here, the third party’s own current document governs your relationship with that third party. Outgoing links are provided for transparency; we are not responsible for the content of external sites.
A.1 — Dojiq’s regulatory position & compliance
Dojiq is a provider of trading-automation software. It does not itself carry out any regulated financial activity, does not take custody of client money or assets, and accordingly does not hold, and is not required to hold, a licence as a broker-dealer, investment firm, crypto-asset service provider, e-money or payment institution, or bank (see the division of responsibility at Terms §4 and EULA §3–4). The regulated services of custody, execution, and any advice are provided to you by the Brokers under their own authorisations (A.2). In operating the software service, Dojiq is designed to comply with the laws applicable to it as a Netherlands/EU-based online service provider, including in particular:
- the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the Dutch GDPR Implementation Act (Uitvoeringswet AVG), as detailed in our Privacy Policy;
- EU consumer-protection law, including the Consumer Rights Directive (2011/83/EU) and the Unfair Terms in Consumer Contracts Directive (93/13/EEC), as transposed into the Dutch Civil Code (Burgerlijk Wetboek);
- the EU e-Commerce Directive (2000/31/EC) and applicable information-society-service and electronic-contracting rules; and
- applicable anti-money-laundering, sanctions, and market-abuse laws to the extent they apply to our activities.
Nothing in this appendix is a representation that Dojiq holds any financial-services licence or provides any regulated service.
A.2 — The Brokers: regulated status & public registers
Your money, securities, and crypto-assets are held and your trades executed by the following regulated entities, each under its own agreement with you (A.5). You can verify each entity in the public registers linked below.
| Entity | Role | Regulator / registration | Verify |
|---|---|---|---|
| Alpaca Securities LLC | U.S. broker-dealer; carries & custodies your securities and cash; clears your trades | Registered with the U.S. SEC; member of FINRA; member of SIPC. CRD #288202, SEC #8-69928 | FINRA BrokerCheck |
| Alpaca Crypto LLC | Alpaca’s U.S. cryptocurrency entity (Dojiq routes crypto to Bitvavo, not Alpaca) | FinCEN-registered money services business, NMLS #2160858. Not FINRA/SIPC; crypto is not SIPC/FDIC protected | NMLS Consumer Access |
| Bitvavo B.V. | EU crypto-asset service provider: operates the trading venue, custody & administration, and transfer services | Authorised as a CASP under MiCA (Reg. (EU) 2023/1114) by the AFM; e-money-token activity supervised by DNB. KvK 68743424 | Bitvavo Imprint · DNB register |
| Stichting Bitvavo Payments | Bankruptcy-remote foundation that safeguards user funds (crypto & euro) on at least a 1:1 basis; you hold a direct claim on it | Dutch foundation, KvK 69228922 | Bitvavo User Agreement |
| Bitvavo Custody B.V. | Party for the Bitvavo lending service only | Dutch company, KvK 80118844 | Bitvavo User Agreement |
A.3 — Investor & asset-protection frameworks (and their limits)
- SIPC (U.S. securities). Protects the custody of securities and cash held at a member broker (up to US$500,000, including US$250,000 cash) if the broker fails. It does not protect against market losses or trading losses, and does not cover cryptocurrency. See Alpaca’s SIPC explainer.
- MiCA safeguarding (EU crypto). Under MiCA, Bitvavo segregates client assets via the bankruptcy-remote Stichting Bitvavo Payments, held at least 1:1, with you retaining a direct claim. This is asset segregation, not a state guarantee.
- No deposit guarantee for crypto. Crypto-assets and associated e-money balances are not bank deposits and are not covered by the Dutch deposit-guarantee scheme (depositogarantiestelsel) or any equivalent, and are not FDIC-insured.
- None of these protections apply to Dojiq, which holds no client money or assets. They attach to your account at the relevant Broker.
A.4 — Applicable legal & regulatory frameworks
| Framework | Relevance | Source |
|---|---|---|
| MiCA — Regulation (EU) 2023/1114 | Crypto-asset services (Bitvavo) | EUR-Lex |
| GDPR — Regulation (EU) 2016/679 | Personal-data processing (Dojiq) | EUR-Lex |
| U.S. securities regulation | Securities custody/execution (Alpaca Securities) | SEC · FINRA |
| Securities Investor Protection Act / SIPC | Broker-failure protection | SIPC |
| U.S. Bank Secrecy Act / MSB registration | Crypto money-services (Alpaca Crypto) | FinCEN |
| EU Consumer Rights & Unfair Terms Directives | Consumer protection (Dojiq) | 2011/83/EU · 93/13/EEC |
| EU e-Commerce Directive 2000/31/EC | Online-service obligations (Dojiq) | EUR-Lex |
| Dutch data-protection supervision | Privacy complaints & guidance | Autoriteit Persoonsgegevens · EDPB |
| EU Standard Contractual Clauses | Safeguard for international data transfers | European Commission |
| EU Online Dispute Resolution | Consumer dispute resolution | ODR platform |
A.5 — Source documents (authoritative third-party terms)
Your relationship with each Broker and service provider is governed by that party’s own documents. Review them; they control over any summary in Dojiq’s documents.
Alpaca (U.S. securities & crypto): Disclosures index · Customer Agreement · Terms & Conditions · Privacy Policy · Crypto Customer Agreement · Crypto Risk Disclosures · Form CRS.
Bitvavo (EU crypto-assets): Terms · User Agreement · Risk Disclosure · Privacy Statement · Cookie Statement · Imprint · Developer Agreement.
Other providers: Stripe Privacy Policy (payments) · Google Privacy Policy (transactional email).
A.6 — Dojiq’s own documents
These three documents together form the whole agreement between you and Dojiq and cross-reference one another:
- Terms of Service — the master service agreement.
- End User License Agreement — the software licence, custody division, risk disclosures, warranties, liability, and indemnity.
- Privacy Policy — how we process personal data under the GDPR.
The current version identifier and last-updated date appear at the top of each document. When we make material changes we update the version, and we notify you through the Service or by email as described in each document’s “changes” section.