AlgotunAlgotun

PRIVACY POLICY REGARDING THE PROCESSING OF PERSONAL DATA AND INFORMATION ABOUT USERS OF THE "ALGOTUN" SOFTWARE

Date of revision: "05" July 2026 · Version: 1.6

Place of publication: https://algotun.com/legal/privacy · Applicable jurisdiction: Russian Federation

Summary — 6 points that are important to understand

1. What we collect: the minimum necessary set — email (login), password hash, encrypted API keys, technical metadata (IP, browser, logs), anonymized visit statistics; upon voluntary linking — a Telegram identifier for notifications; when you contact support — the name you provide (optional), a contact for the reply (email or Telegram), and the text of your enquiry. We do not collect or process: full name, passport data, telephone, or bank card data.

2. Why: operation of the Platform, security, issuance of fiscal receipts, improvement of the service, responses to requests from state authorities.

3. Where we store it: on servers in Russia (Federal Law No. 152-FZ, part 5 of Article 18). There is no cross-border transfer.

4. To whom we transfer it: to the payment infrastructure operator — a payment aggregator or acquiring bank (for accepting payment, refunds, and the fiscal receipt), to the hosting provider (for hosting), to state authorities (as required by law). For marketing — to no one. We collect visit statistics with our own service on our own servers and do not transfer them to third parties.

5. Your rights: to request, clarify, delete, withdraw consent. Response time — up to 30 days.

6. Contact: info@algotun.com. Responsible person: Alexander Sergeevich Borodin.

1. GENERAL PROVISIONS

1.1. This Policy determines the procedure for the processing and protection of personal data and information about users of the "Algotun" software (hereinafter — the "Platform") that the individual Alexander Sergeevich Borodin, Taxpayer Identification Number (INN) 323401195508, applying the special tax regime "Tax on Professional Income" (hereinafter — the "Contractor"), receives in the process of granting the User the right to use the Platform. The Contractor processes the minimum necessary set of personal data. The following are not collected: the User's full name, passport data, telephone number, and bank card data.

1.2. Operator status and notification to Roskomnadzor. The Contractor is an operator of personal data within the meaning of Article 3 of Federal Law No. 152-FZ of 27 July 2006 "On Personal Data" (hereinafter — "Federal Law No. 152-FZ"). Before the commencement of the processing of personal data (or within the period established by law), the Contractor submits to the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) a notification of the processing of personal data in the manner established by Article 22 of Federal Law No. 152-FZ and Order of Roskomnadzor No. 274 of 28 October 2022.

1.3. Legal grounds for processing. The processing of personal data is carried out on the grounds provided for by:

clause 5 of part 1 of Article 6 of Federal Law No. 152-FZ — performance of an agreement to which the personal data subject is a party (the Public Offer);
clause 7 of part 1 of Article 6 of Federal Law No. 152-FZ — the legitimate interests of the Contractor (information security, fraud prevention, debugging of operability);
part 1 of Article 9 of Federal Law No. 152-FZ — the consent of the personal data subject, expressed upon acceptance of the Offer and the placing of the corresponding mark.

1.4. Principles of processing. The Contractor is guided by the principles of legality, fairness, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality (Article 5 of Federal Law No. 152-FZ).

2. LIST OF PROCESSED DATA

The Contractor collects data that is minimally necessary for the operation of the Platform and the performance of obligations to the User.

2.1. Account identifier:

Email address (Email) — a unique login, a channel for service notifications, access recovery;
Password hash (the password is not stored in plain text).

2.2. Technical access tokens (API integration):

The public and secret access keys to third-party exchanges ("API keys") provided by the User;
API keys are stored in encrypted form using the AES-256 algorithm; the encryption keys are stored separately from the encrypted data;
Manual access by the Contractor's employees to the decrypted keys is not provided for; decryption occurs only by a software module at the moment a trading command is executed;
The Contractor does not request or store private keys of cryptocurrency wallets, seed phrases, passwords for exchange accounts, or other data that provides direct access to the User's assets.

2.3. Technical metadata: IP address, device type, browser information (user-agent), request timestamps, logs of the execution of trading commands — for information security, debugging, and operability monitoring.

2.4. Data on trading settings and results: the parameters of trading strategies and combinations specified by the User, the results of forward tests (virtual trades), the history of trading operations — for the provision of the Platform's functionality.

2.5. Data for notifications (optional): upon the User's voluntary linking of Telegram to receive notifications, the Contractor stores the Telegram chat identifier and username. Linking is not mandatory and may be cancelled by the User at any time.

2.6. Anonymized visit statistics: viewed pages, referral source (referrer and UTM tags), country by IP address — for traffic analysis and improvement of the Website. Statistics are collected by the Contractor's own analytics service (see section 8), operate without cookies, and are not transferred to third parties.

2.7. Payment information: The Contractor does not process or store bank card data, passport data, or other payment information. Settlements are carried out through third-party payment services that comply with the PCI DSS standard. For accepting payment, processing refunds, and generating the fiscal receipt, the Contractor transfers to the payment infrastructure operator (a payment aggregator, an acquiring bank) the minimum necessary set of data: the User's email address (for sending the receipt), the name and cost of the service being paid for, and the order identifier. The Contractor receives from the aggregator anonymized transaction data (amount, date, status, order identifier) for accounting and the generation of a fiscal receipt through the "My Tax" (Moy Nalog) application in accordance with Federal Law No. 422-FZ of 27 November 2018 (hereinafter — "Federal Law No. 422-FZ").

2.8. Support enquiry data: when an enquiry is submitted via the feedback form on the Website or via the support Telegram bot, the Contractor processes the name provided by the sender (an optional field), a contact for the reply (an email address or a Telegram identifier and username), and the text of the enquiry. Consent to the processing of this data is expressed by placing a mark ("checkbox") in the form before sending; for enquiries via Telegram — by the fact of voluntarily sending a message to the support bot.

3. PURPOSES OF PROCESSING

The Contractor processes personal data solely for the following purposes:

identification of the User in the Platform system and the provision of access to the Personal Account;
technical support of the operation of the Platform's algorithms, including the transmission of trading commands via secure API channels to the User's exchange account;
information security, prevention of unauthorized access, detection and prevention of fraudulent actions;
service notifications (technical works, functionality updates, expiry of the subscription term, changes to terms);
improvement of the operation of the Website and the Platform on the basis of anonymized visit statistics;
consideration of enquiries received via the feedback form on the Website or the support Telegram bot, and sending replies to them;
fulfilment of the requirements of the legislation of the Russian Federation — the generation of tax-on-professional-income fiscal receipts, responding to requests from authorized bodies in cases established by law.

4. PROCEDURE AND CONDITIONS OF PROCESSING

4.1. Technical and organizational protective measures:

encryption of the communication channel (TLS 1.3) when transferring data between the User and the Platform;
symmetric AES-256 encryption for API keys; the encryption keys are stored separately from the data;
support for two-factor authentication (TOTP) to protect the account;
access to data on the principle of least privilege with mandatory authentication and logging (audit log) of critical actions;
regular backup with copies stored in the territory of the Russian Federation;
monitoring of information security events and response to incidents.

4.2. Data localization. The primary processing and storage of personal data that allows the identification of citizens of the Russian Federation are carried out on servers physically located in the territory of the Russian Federation, on the facilities of a Russian hosting provider (part 5 of Article 18 of Federal Law No. 152-FZ). Backup is carried out in compliance with the localization requirements.

4.3. Storage periods:

Account data (email, password hash) — the period of the subscription + 30 days after termination (basis: the agreement);
API keys (encrypted) — until disconnection by the User + 30 days (basis: the agreement);
Fiscal receipts and settlement data — 5 years from the date of generation of the receipt (basis: part 4 of Article 13 of Federal Law No. 422-FZ);
Security logs and trading logs — 12 months (basis: legitimate interests);
Subjects' requests and responses to them — until the expiry of the limitation periods for the corresponding right of claim (basis: observance of the subject's rights).

Upon expiry of the periods, the data is subject to irreversible deletion or anonymization (parts 4–7 of Article 21 of Federal Law No. 152-FZ).

4.4. Deletion upon the User's request. A deletion request is executed within 30 (thirty) calendar days from the moment of confirmation of the applicant's identity, less data that is mandatory to store by law (for example, tax-on-professional-income fiscal receipts — 5 years).

4.5. Notification of information security incidents. Upon establishing the fact of unlawful or accidental transfer (provision, distribution, access) of personal data that has resulted in a violation of the subjects' rights, the Contractor notifies Roskomnadzor:

of the fact of the incident — within 24 (twenty-four) hours from the moment of detection;
of the results of the internal investigation — within 72 (seventy-two) hours from the moment of detection.

Notification of the personal data subjects in respect of whom the incident occurred is carried out without undue delay if the incident is capable of entailing negative consequences for the rights and legitimate interests of the subjects (clause 3.1 of Article 21 of Federal Law No. 152-FZ).

4.6. Person responsible for organizing the processing of personal data. The person responsible for organizing the processing of personal data in accordance with clause 1 of part 1 of Article 18.1 of Federal Law No. 152-FZ is Alexander Sergeevich Borodin, contact email: info@algotun.com.

5. TRANSFER OF DATA TO THIRD PARTIES

5.1. The Contractor does not transfer personal data to third parties, except for:

payment infrastructure operators (payment aggregators, acquiring banks) — to the extent necessary for accepting payment, processing refunds, and generating the fiscal receipt: the email address, the name and cost of the service being paid for, and the order identifier;
the hosting provider — within the framework of the technical infrastructure, subject to contractual guarantees of compliance with Federal Law No. 152-FZ;
authorized state bodies (Roskomnadzor, the Federal Tax Service, law enforcement bodies) — in the cases and manner directly provided for by the legislation of the Russian Federation.

5.2. Cross-border transfer of personal data is not carried out.

5.3. The Contractor does not sell personal data to third parties, does not use it for marketing purposes, and does not exchange it with other market participants. Visit statistics are collected by the Contractor's own analytics service on the Contractor's servers and are not transferred to third-party analytics systems.

6. RIGHTS OF THE PERSONAL DATA SUBJECT

6.1. The User is entitled at any time to:

request confirmation of the fact of processing of their personal data, obtain information about the purposes, methods, and periods of processing;
demand the clarification, blocking, or deletion of their personal data if it is incomplete, outdated, inaccurate, or processed in violation of the law;
withdraw consent to the processing of personal data (if the processing is based on consent); the withdrawal of consent does not affect processing that is necessary for the performance of the agreement or directly provided for by law;
appeal against the actions or inaction of the Contractor to Roskomnadzor or to a court (Article 17 of Federal Law No. 152-FZ).

6.2. Procedure for exercising rights.

The request is sent in writing to the email info@algotun.com, indicating contact details and the essence of the demand.
The Contractor is entitled to request additional confirmation of the applicant's identity in order to prevent unauthorized requests.
The period for consideration of a request is no more than 30 (thirty) calendar days from the moment of its receipt. The response is sent by the same method by which the request was received, unless otherwise expressly indicated by the User.

7. AUTOMATED DATA PROCESSING

7.1. Data processing is carried out predominantly by automated means, without human involvement, using the Platform's software.

7.2. Decisions entailing legal consequences for the User or significantly affecting their rights and interests (disabling access, blocking an account) are not made solely on the basis of automated processing. Any restriction of access is subject to mandatory manual verification by the Contractor (part 4 of Article 16 of Federal Law No. 152-FZ).

8. USE OF COOKIES AND ANALYTICS

8.1. Cookies. The Website uses only strictly necessary (technical) cookies that ensure the operation of the Personal Account, authentication, and session preservation. Such cookies are required for the functioning of the Website and, in accordance with the law, do not require separate consent. Advertising and marketing cookies are not used by the Contractor. Cookies for tracking Users across third-party websites are not applied.

8.2. Visit analytics. For traffic analysis and improvement of the Website, the Contractor uses its own web analytics service (Umami), hosted on the Contractor's servers in the territory of the Russian Federation. The service operates without the use of cookies (cookieless), does not track Users across different websites, and collects only anonymized statistics (viewed pages, referral source, country by IP). Analytics data is not transferred to third parties.

8.3. Exceptions. On the pages for entering and managing exchange API keys, web analytics is not connected — these sections are excluded from statistical accounting for privacy purposes.

9. PROCESSING OF MINORS' DATA

The Platform is not intended for persons under 18 years of age. The Contractor does not knowingly collect the personal data of minors. If the Contractor becomes aware of the registration of a minor User, the account is blocked and the data is deleted.

10. FINAL PROVISIONS

10.1. Acceptance of the Policy. Consent to this Policy is expressed by the User by placing a separate mark ("checkbox") in the corresponding field during registration and upon acceptance of the Offer. Acceptance of the Policy is a mandatory condition for access to the Platform's functionality. The fact of acceptance is recorded by the Contractor (date, time, IP address, Policy version).

10.2. Amendments to the Policy. The Contractor is entitled to make amendments to this Policy. Of material amendments (expansion of the purposes of processing, new categories of data transferred to third parties, changes to storage periods), the User is notified by email no less than 7 (seven) calendar days before the date of entry into force. The current revision is always available at https://algotun.com/legal/privacy.

10.3. Contacts. On matters related to the processing of personal data and for the exercise of the subject's rights, the User contacts the Contractor at: info@algotun.com.

11. CONTRACTOR'S DETAILS

Full name: Alexander Sergeevich Borodin

Taxpayer Identification Number (INN): 323401195508

Tax status: Payer of the tax on professional income (self-employed), Federal Law No. 422-FZ

Email: info@algotun.com

Website: https://algotun.com

Gizlilik Politikası | Algotun