Privacy Policy

A short, honest description of what data we collect, what we do with it, who else sees it, and how to delete it. We don't sell data, we don't run ad networks, and we don't track you across the web.

1. What we collect

Account information

Email address, password hash (never the plaintext password), and creation date. If you subscribe, we collect billing details via Stripe — we never see your full card number, only the last 4 digits and a Stripe customer reference.

Bot data

Your bot source code, bot names, log output (when cloud logging is enabled), and per-bot metadata (when last run, last error, etc.). This data is encrypted in transit and at rest in our Supabase database.

API credentials

Encrypted exchange API keys you add through Settings → API Connections. Keys are encrypted at rest. They're delivered to your local bots via the wd.connection() SDK — never logged, never sent to third parties.

Usage telemetry

Basic anonymized application telemetry (which features you used, version, OS) is collected to help us prioritize features and reproduce bugs. We do not use third-party analytics SDKs (no Mixpanel, Amplitude, Segment, etc.). Telemetry is opt-out in Settings.

Support correspondence

If you email us, we keep that email thread for support history. It's stored in our regular email system (Google Workspace), not exposed to any third party beyond Google's standard processing.

2. What we explicitly do NOT collect

• Plaintext passwords — only Argon2id hashes
• Cross-site tracking — no third-party cookies, no Google Analytics, no Facebook Pixel, no advertising IDs
• Your trade history — your bot executes trades through your API keys on exchanges; those records belong to the exchange and to you
• Your funds — we don't take custody, don't route orders through us, never hold a dollar
• Browsing history — what you do on other websites is none of our business
• Biometric or device fingerprinting — we identify your account by your login, not by your machine

3. How we use it

• Account info — authenticating your logins, sending billing receipts, sending operational alerts (e.g., "trial expires in 3 days")
• Bot data — running your bots, showing your logs in the dashboard, audit history for AI Fix calls
• API credentials — passing through to wd.connection() at runtime; never used for anything else
• Telemetry — bug triage, feature prioritization, debugging reports
• Support correspondence — answering your messages

4. Who we share it with

We share specific subsets of data with these third parties only to operate the service:

• Supabase — our database provider. Stores account, bot, and log data encrypted at rest.
• Stripe — payment processing. They handle card details under PCI compliance; we never see the full number.
• Anthropic (Claude API) — when you click "Fix with AI", your bot's code + the error traceback + recent logs are sent to Anthropic for that single call. Anthropic does not retain or train on API inputs under their standard terms. Never includes your API keys.
• Railway — hosts our website backend at watchdogbot.cloud. Processes only HTTP requests; doesn't store user data.
• Google Workspace — email infrastructure for support correspondence.

We do not sell, rent, or trade your data to anyone — full stop. We don't have data partnerships, affiliate programs, or anything that would create incentive to share your information.

5. Data retention & deletion

Active accounts: Your data is retained as long as your account exists.

Canceled subscriptions: Data is retained for 90 days after subscription cancellation so you can resume without re-uploading. After 90 days, bots stop running and we permanently delete bot logs, code, and connection settings. Account email and billing history are retained for 7 years for tax and accounting requirements.

On-demand deletion: Email privacy@watchdogbot.cloud at any time to delete your account immediately. We confirm completion within 7 business days. Some data may persist in encrypted backups for up to 30 days after deletion, then is purged.

6. Your rights (GDPR / CCPA)

You have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Delete your data (subject to legal retention requirements)
• Receive your data in a portable format (JSON export available on request)
• Object to processing or restrict it
• Lodge a complaint with your local data protection authority

To exercise any of these rights, email privacy@watchdogbot.cloud. We respond within 30 days, usually faster.

7. Security

• Encryption in transit: TLS 1.3 for all connections
• Encryption at rest: AES-256 for sensitive fields (API keys, password hashes) in Supabase
• Authentication: email + password with Argon2id hashing; optional Whop license verification
• Per-bot UUID secrets for authenticated API callbacks; sessions never leave the local machine

If you believe you've discovered a security vulnerability, email security@watchdogbot.cloud. Responsible disclosure is appreciated; we credit reporters in our changelog with their permission.

8. Children

WatchDog Bot is not directed at and does not knowingly collect data from children under 16. Most exchanges we integrate with also require KYC verification that excludes minors. If you believe a minor has created an account, email us and we'll delete it.

9. International transfers

Our infrastructure runs in US data centers (Supabase: US East; Railway: US West). If you access the service from outside the US, your data is transferred to and processed in the US. We rely on Standard Contractual Clauses for EU/UK users where required.

10. Changes to this policy

Material changes are emailed to active subscribers at least 14 days before they take effect. Non-material changes (typos, clarifications) are reflected here with an updated "Last updated" date at the top.