Privacy Policy

1. Who we are

Skyptra ("we", "us") operates the website skyptra.com — a cryptocurrency arbitrage scanner, strategy backtest viewer, and (in beta) automated execution service. Questions about this policy: [email protected].

2. What we collect

• Account data — your email address and password (stored as a salted hash by our authentication provider, Supabase). If you sign in with Google, we receive your email and basic profile from Google instead.
• Signup context — at signup we capture your IP address and approximate location (city/region/country, via a one-time lookup). This appears in your confirmation email as a security signal and is stored with your account metadata.
• Pro configuration — if you join Pro: your strategy parameters and which exchanges you've connected.
• Exchange API keys — if you connect an exchange: the API key, secret, and (for OKX/Gate) passphrase you provide. These are encrypted at rest with a server-side key and used solely to operate the strategy you enabled. We instruct you to create keys without withdrawal permission.
• Technical logs — standard web-server logs (IP, user agent, request path) kept for security and debugging.
• Browser storage — we use localStorage/sessionStorage for your login session and UI preferences (e.g. dismissed banners). We do not use advertising or cross-site tracking cookies.

3. What we do NOT collect

• No payment data (Pro is free during beta; we have no billing processor).
• No exchange account balances or trade history beyond what's needed to place and manage the orders of the strategy you enabled.
• No third-party analytics or advertising trackers.

4. How we use your data

• To create and secure your account, and send you transactional emails (confirmation, password reset, execution notifications).
• To run the Pro strategy you configured against the exchanges you connected — this is the entire purpose of storing API keys.
• To debug, secure, and improve the service.

We do not sell or rent personal data to anyone.

5. Service providers

• Supabase — authentication and account storage.
• Resend — transactional email delivery (sent from skyptra.com).
• Amazon Web Services — application hosting (Singapore region, ap-southeast-1).
• Cloudflare — DNS and network security in front of the site.
• ipapi.co — the one-time IP/location lookup at signup.

6. Security

• All traffic is served over HTTPS.
• Exchange API secrets are encrypted at rest (Fernet/AES) with a key held only on the server; they are never sent back to the browser. The interface shows at most the last 4 characters of a key.
• Sessions are verified server-side on every Pro request; revoked sessions fail closed.
• We strongly recommend connecting IP-restricted, trade-only API keys. Skyptra never asks for withdrawal permissions.

7. Data retention & deletion

Account data is kept while your account is active. You can disconnect exchanges or disable execution at any time from the Pro page; you can revoke API keys at your exchange at any time, which immediately cuts our access. To delete your account and all associated data (including stored keys), email [email protected] from your account email — we complete deletion within 30 days.

8. Your rights

Depending on your jurisdiction you may have rights to access, correct, export, or delete your personal data, and to object to processing. Contact us and we'll honor these requests where the data isn't required to operate a service you've actively enabled.

9. Children

Skyptra is not directed at anyone under 18, and we do not knowingly collect data from minors.

10. Changes

We'll post any changes to this policy here and update the date above. Material changes affecting Pro users (e.g. how keys are stored) will also be announced by email.