Privacy Policy
Last updated: March 15, 2025
Your privacy is paramount. This policy explains how BalancerTrade LLC collects, processes, and protects your personal information when you use our DeFi portfolio management platform at balancertrade.com.
1. Data Controller & Contact
BalancerTrade LLC (registered address: 350 Fifth Avenue, Suite 3300, New York, NY 10118, United States) is the data controller responsible for your personal data under applicable privacy laws, including the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) where applicable.
For privacy-related inquiries, you may contact our Data Protection Officer at:
- Email: [email protected]
- Post: BalancerTrade LLC, Attn: Privacy Office, 350 Fifth Avenue, Suite 3300, New York, NY 10118
- Phone: +1 212 826 7392 (Monday–Friday, 9 AM – 6 PM EST)
2. Information We Collect
We collect information you provide directly, as well as data generated automatically through your use of our platform and services.
2.1 Information You Provide
- Account Information: When you register, we collect your name, email address, phone number, and wallet address (if applicable).
- Verification Data: For identity verification (KYC), we may collect government-issued ID, date of birth, and proof of address, as required by applicable anti-money laundering regulations.
- Communications: Records of correspondence when you contact our support team, including chat logs and email history.
- Transaction Data: Details of your portfolio allocations, liquidity pool interactions, and smart contract transactions on the Balancer protocol.
2.2 Information Collected Automatically
- Device & Usage Data: IP address, browser type, operating system, referring URLs, pages visited, and time spent on our platform.
- Cookies & Similar Technologies: We use essential, analytics, and functional cookies. See our Cookie Policy for detailed information.
- Blockchain Data: Public blockchain addresses and transaction hashes that you interact with through our interface. This data is publicly available on the blockchain.
3. Purpose & Legal Basis for Processing
We process your personal data for the following purposes, relying on the legal bases indicated:
- Service Delivery: To provide, maintain, and improve our DeFi portfolio management services (performance of contract).
- Compliance: To comply with legal obligations, including anti-money laundering (AML), counter-terrorism financing (CTF), and sanctions screening (legal obligation).
- Security: To detect, prevent, and investigate fraudulent or unauthorized activity (legitimate interest).
- Communication: To respond to your inquiries, send service updates, and provide customer support (legitimate interest or consent).
- Marketing: With your consent, we may send you newsletters and promotional materials about our services. You may opt out at any time.
- Analytics: To analyze usage patterns and improve platform performance and user experience (legitimate interest).
4. Data Sharing & Third Parties
We do not sell your personal data. We may share your information with the following categories of third parties, only as necessary for the purposes described in this policy:
- Service Providers: Cloud infrastructure (AWS, Google Cloud), analytics providers (Google Analytics, Amplitude), email delivery services (SendGrid), and identity verification vendors (Jumio, Onfido).
- Blockchain Networks: When you execute transactions through our platform, your wallet address and transaction data are recorded on public blockchains (e.g., Ethereum, Arbitrum, Polygon). This data is immutable and publicly visible.
- Regulatory Authorities: We may disclose your information to comply with applicable laws, court orders, or regulatory requests from agencies such as the SEC, FinCEN, or state financial regulators.
- Professional Advisors: Legal counsel, auditors, and insurance providers who are bound by confidentiality agreements.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity, subject to this policy.
All third-party service providers are contractually obligated to process your data only on our instructions and to implement appropriate security measures. We conduct due diligence to ensure compliance with applicable privacy laws.
5. International Data Transfers
As a global platform serving users in the United States and internationally, your personal data may be transferred to and processed in countries outside your country of residence, including the United States. When we transfer data from the European Economic Area (EEA), Switzerland, or the United Kingdom, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- Data Privacy Framework certification (EU-US DPF, Swiss-US DPF, and UK Extension where applicable);
- Adequacy decisions from the European Commission for certain jurisdictions.
We ensure that all recipients of your data provide an equivalent level of protection as required by applicable law. By using our services, you acknowledge that your data may be processed in the United States and other jurisdictions where our service providers operate.
6. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law. Specific retention periods include:
- Account Data: Retained for the duration of your account's active status plus 5 years after closure for regulatory compliance (AML/CTF recordkeeping).
- Transaction Data: Retained for 7 years to comply with tax and financial reporting obligations under US federal law.
- Verification Documents: Retained for 5 years after account closure or rejection, as required by anti-money laundering regulations.
- Communications & Support Tickets: Retained for 3 years from the date of last interaction.
- Analytics Data: Aggregated, anonymized data may be retained indefinitely for statistical purposes; personally identifiable analytics data is retained for 26 months.
When retention periods expire, your data is securely deleted or anonymized so that it can no longer be associated with you. Blockchain transaction data, once written to a public ledger, cannot be deleted—however, we do not control the blockchain itself.
7. Your Rights & Choices
Depending on your jurisdiction, you may have the following rights regarding your personal data. We will respond to all legitimate requests within the timeframes required by law (typically 30 days, extendable by 60 days for complex requests).
7.1 For All Users
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your data, subject to legal retention obligations (e.g., AML records).
- Objection: Object to processing based on legitimate interests, including direct marketing.
- Restriction: Request restriction of processing in certain circumstances (e.g., while a dispute is being resolved).
- Portability: Receive your data in a structured, machine-readable format (e.g., JSON) and have it transmitted to another controller where technically feasible.
7.2 For California Residents (CCPA)
If you are a California resident, you have the additional right to:
- Know: Request details about the categories and specific pieces of personal data we have collected, used, disclosed, or sold about you.
- Opt-Out: Opt out of the sale or sharing of your personal data (we do not sell data, but you may opt out of targeted advertising via our Cookie Policy).
- Non-Discrimination: Exercise your rights without receiving discriminatory treatment in pricing or services.
7.3 For EEA/UK Users (GDPR)
In addition to the rights above, you may:
- Lodge a Complaint: File a complaint with your local data protection supervisory authority (e.g., the ICO in the UK or the relevant authority in your EU member state).
- Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
To exercise any of these rights, please submit a request to [email protected] or use our Contact page. We may need to verify your identity before processing your request. You may also designate an authorized agent to make a request on your behalf.
8. Security Measures
We implement industry-standard technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. Our security framework aligns with ISO 27001 and NIST cybersecurity standards.
8.1 Technical Safeguards
- Encryption: All data transmitted between your browser and our servers is encrypted using TLS 1.3. Data at rest is encrypted using AES-256.
- Access Controls: Strict role-based access controls (RBAC) and multi-factor authentication (MFA) are enforced for all internal systems containing personal data.
- Monitoring: 24/7 automated monitoring for suspicious activity, intrusion detection, and anomaly detection using machine learning models.
- Penetration Testing: Independent third-party security audits and penetration tests are conducted quarterly, with results reviewed by our security team.
- Smart Contract Audits: All deployed smart contracts are audited by recognized firms (e.g., Trail of Bits, ConsenSys Diligence) before public release.
8.2 Organizational Safeguards
- Employee Training: Mandatory annual privacy and security training for all employees handling personal data.
- Data Minimization: We collect only the data necessary for specified purposes and regularly review our data inventory to eliminate unnecessary data.
- Incident Response: A documented incident response plan that includes notification to affected users and regulators within 72 hours of a confirmed breach, as required by applicable law.
- Vendor Due Diligence: All third-party service providers undergo security assessments and must maintain equivalent security standards.
Despite these measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we continuously update our practices to address emerging threats. In the event of a data breach that affects your rights and freedoms, we will notify you and the relevant supervisory authority without undue delay.
9. Cookies & Tracking Technologies
Our platform uses cookies and similar tracking technologies to enhance your experience, analyze usage, and deliver relevant content. For a comprehensive description of the cookies we use, their purposes, and how to manage your preferences, please refer to our dedicated Cookie Policy.
In summary, we use the following categories of cookies:
- Essential Cookies: Required for the platform to function (e.g., session management, authentication). These cannot be disabled.
- Analytics Cookies: Help us understand how users interact with our platform (e.g., Google Analytics, Amplitude). You may opt out via our cookie consent banner.
- Functional Cookies: Remember your preferences (e.g., language selection, wallet connection preferences).
- Marketing Cookies: Used to deliver relevant advertisements and measure campaign effectiveness. These are only set with your explicit consent.
You can manage cookie preferences at any time by clicking the "Cookie Settings" link in the footer or adjusting your browser settings. Disabling certain cookies may affect platform functionality.
10. Children's Privacy
Our services are not directed to individuals under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal data from minors. If we become aware that a minor has provided us with personal data without verifiable parental consent, we will take steps to delete that information promptly.
If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at [email protected] so we can investigate and take appropriate action.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. Material changes will be communicated through one or more of the following methods:
- Posting the updated policy on this page with a revised "Last updated" date.
- Sending an email notification to the address associated with your account (if applicable).
- Displaying a prominent notice on our platform or via a banner.
We encourage you to review this policy periodically. Your continued use of our services after the effective date of any changes constitutes your acceptance of the updated policy. If you do not agree with the changes, you may close your account and cease using our services.
12. Governing Law & Disputes
This Privacy Policy is governed by and construed in accordance with the laws of the State of New York, United States, without regard to its conflict of law provisions. Any disputes arising out of or related to this policy shall be resolved through binding arbitration in New York County, New York, in accordance with the rules of the American Arbitration Association.
If you have any concerns about our handling of your personal data that cannot be resolved through our internal process, you may contact the relevant data protection authority in your jurisdiction. For users in the European Union, you may lodge a complaint with your local Data Protection Authority. For California residents, you may contact the California Privacy Protection Agency (CPPA).
13. California Privacy Rights (CCPA)
This section applies exclusively to residents of California, USA, as required by the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). We provide this information to help California residents understand their privacy rights and how we handle their personal information.
13.1 Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information from California residents:
- Identifiers: Name, email address, phone number, postal address, IP address, wallet address, government-issued ID numbers (for KYC).
- Financial Information: Bank account information (for fiat on/off ramps), transaction history, portfolio balances, and DeFi protocol interactions.
- Commercial Information: Records of products or services purchased, obtained, or considered, including subscription history and support tickets.
- Internet/Electronic Activity: Browsing history, search history, and interaction data on our platform and related communications.
- Geolocation Data: Approximate location derived from IP address (city/state level).
- Inferences: Profiles drawn from the above to understand preferences, risk tolerance, and service suitability.
We do not collect sensitive personal information (e.g., precise geolocation, biometric data, or health information) for the purpose of inferring characteristics about California consumers.
13.2 Business/Commercial Purpose for Collection
We collect each category of personal information for the following business or commercial purposes:
- Providing and maintaining our DeFi portfolio management platform (all categories).
- Verifying identity and complying with AML/KYC regulatory obligations (identifiers, financial information, government ID).
- Processing transactions and executing smart contract interactions (financial information, wallet addresses).
- Improving platform functionality and user experience (internet/electronic activity, inferences).
- Security and fraud prevention (identifiers, internet/electronic activity, geolocation).
- Customer support and communication (identifiers, commercial information).
13.3 Sources of Personal Information
We collect personal information from the following sources:
- Directly from you: When you register, complete KYC, submit support tickets, or communicate with us.
- Automatically: Through cookies, analytics tools, and server logs when you interact with our platform.
- Third parties: Identity verification providers (Jumio, Onfido), blockchain data providers (Etherscan API), and analytics services (Google Analytics, Amplitude).
13.4 Disclosure of Personal Information
In the preceding 12 months, we have disclosed the following categories of personal information for a business purpose:
- Identifiers: To identity verification vendors, cloud infrastructure providers, and email delivery services.
- Financial Information: To blockchain networks (publicly visible), payment processors, and regulatory authorities as required.
- Internet/Electronic Activity: To analytics providers (Google Analytics, Amplitude) for platform optimization.
- Commercial Information: To customer relationship management (CRM) platforms and support ticketing systems.
We do not sell personal information as defined by the CCPA. We do not share personal information for cross-context behavioral advertising without your explicit consent, which you may withdraw at any time through our cookie preferences.
13.5 Your CCPA Rights
California residents have the following rights under the CCPA/CPRA:
- Right to Know: You may request, up to twice in a 12-month period, that we disclose the categories and specific pieces of personal information we have collected, used, disclosed, or sold about you.
- Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions (e.g., compliance with legal obligations, security, fraud prevention).
- Right to Correct: You may request correction of inaccurate personal information we maintain about you.
- Right to Opt-Out: You have the right to opt out of the sale or sharing of your personal information. We do not sell data, but you may opt out of targeted advertising via our cookie consent tool.
- Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes other than those authorized by the CCPA (e.g., service delivery, security).
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights, including by denying services, charging different prices, or providing a different level of service.
13.6 How to Exercise Your CCPA Rights
To exercise your rights under the CCPA, you may submit a verifiable consumer request by:
- Emailing [email protected] with the subject line "CCPA Request"
- Calling +1 212 826 7392 and asking to speak with our Privacy Officer
- Completing our online privacy request form at /contact
We will verify your identity by matching the information you provide (e.g., name, email address, account details) with the information we have on file. If we cannot verify your identity, we may ask for additional information. You may designate an authorized agent to make a request on your behalf by providing written authorization signed by you and verifying your identity directly with us. We will respond to verified requests within 45 days (extendable by an additional 45 days with notice).
14. Nevada Privacy Rights
If you are a resident of Nevada, USA, you have the right to opt out of the sale of your personal information under Nevada Revised Statutes Chapter 603A. We do not sell personal information as defined by Nevada law. However, if you wish to submit a request regarding the sale of your data, please contact us at [email protected] with the subject line "Nevada Opt-Out Request." We will respond within 60 days as required by law.
15. Virginia, Colorado, Connecticut & Utah Privacy Rights
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA) have additional privacy rights effective as of their respective enforcement dates. These rights include:
- Confirmation of Processing: The right to confirm whether we process your personal data.
- Access & Portability: The right to access and obtain a copy of your personal data in a portable format.
- Correction: The right to correct inaccuracies in your personal data.
- Deletion: The right to delete personal data provided by or obtained about you.
- Opt-Out: The right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
- Appeal: The right to appeal a refusal to take action on a request. If your appeal is denied, you may contact the relevant state attorney general.
To exercise these rights, please use the contact methods listed in Section 13.6 above. We will respond within 45 days (extendable by 45 additional days with notice). For Virginia residents specifically, we will respond within 45 days and may extend once by 45 days if reasonably necessary.
16. European Economic Area & UK Users
This section applies if you are located in the European Economic Area (EEA), Switzerland, or the United Kingdom. BalancerTrade LLC is the data controller for your personal data. Where GDPR or UK GDPR applies, we rely on the following legal bases for processing:
- Performance of a Contract: Processing necessary to provide our DeFi portfolio management services (Article 6(1)(b) GDPR).
- Legal Obligation: Processing necessary to comply with AML/CTF and other regulatory requirements (Article 6(1)(c) GDPR).
- Legitimate Interests: Processing for security, fraud prevention, analytics, and direct marketing (Article 6(1)(f) GDPR). Our legitimate interest assessment is available upon request.
- Consent: Processing for non-essential cookies and marketing communications (Article 6(1)(a) GDPR). You may withdraw consent at any time.
16.1 Your GDPR Rights
In addition to the rights described in Section 7, EEA and UK users have the right to:
- Lodge a Complaint: File a complaint with your local supervisory authority. For EEA residents, this is the data protection authority in your country of residence. For UK residents, this is the Information Commissioner's Office (ICO).
- Data Portability: Receive your data in a structured, commonly used, and machine-readable format and transmit it to another controller where technically feasible.
- Object to Automated Decision-Making: Object to decisions based solely on automated processing, including profiling, that produce legal effects concerning you. We do not currently engage in such automated decision-making.
16.2 International Transfers
As described in Section 5, we transfer personal data from the EEA/UK to the United States and other countries. We rely on Standard Contractual Clauses (SCCs) as approved by the European Commission and the UK International Data Transfer Agreement (IDTA) for UK transfers. We also participate in the EU-US Data Privacy Framework (DPF) and the Swiss-US DPF where applicable. You may request a copy of the relevant transfer safeguards by contacting [email protected].
17. Data Protection Officer
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and ensuring compliance with applicable privacy laws. Our DPO is reachable at:
- Email: [email protected]
- Post: BalancerTrade LLC, Attn: DPO, 350 Fifth Avenue, Suite 3300, New York, NY 10118, USA
If you have any questions about this Privacy Policy, wish to exercise your rights, or have a complaint that you would like to escalate, please contact our DPO first. We will endeavor to resolve your concern within 30 days. If we cannot, we will inform you of the reason and the expected timeline for resolution.
18. Specific Provisions for New York Residents
As a company headquartered in New York, we comply with the New York SHIELD Act (Stop Hacks and Improve Electronic Data Security Act). Under this law, we maintain a comprehensive data security program that includes:
- Risk assessments and employee training on data security.
- Secure disposal of data when no longer needed.
- Incident response and breach notification procedures.
- Encryption of personal information where feasible.
New York residents have the right to be notified of a data breach affecting their personal information in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement. We will provide such notification in writing or electronically as required by New York General Business Law § 899-aa.
19. Data Breach Notification Procedures
Despite our comprehensive security measures, data breaches can occur. BalancerTrade has established a formal incident response plan to address any unauthorized access, disclosure, or loss of personal data. Our breach notification process is designed to comply with all applicable state and federal laws, including the New York SHIELD Act, California Civil Code § 1798.82, and the GDPR/UK GDPR breach notification requirements.
19.1 Incident Detection & Assessment
Our security operations center (SOC) monitors systems 24/7 for potential security incidents. When a suspected breach is detected, our incident response team is immediately activated. The team assesses the scope, severity, and nature of the breach, including which categories of personal data are affected and the number of impacted individuals. This assessment is completed within 24 hours of detection.
19.2 Containment & Remediation
Upon confirmation of a breach, we take immediate steps to contain the incident and prevent further unauthorized access. This may include isolating affected systems, revoking compromised credentials, patching vulnerabilities, and engaging external forensic investigators. We work to restore the integrity and security of our systems as quickly as possible.
19.3 Notification Timeline
- US State Laws: We will notify affected residents of states with breach notification laws (including New York, California, Texas, and others) without unreasonable delay and within the specific timeframes required by each state (typically 30–60 days from confirmation).
- GDPR/UK GDPR: We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach that poses a risk to the rights and freedoms of natural persons. Affected data subjects will be notified without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
- Other Jurisdictions: We will comply with all applicable local laws regarding breach notification, including those in Canada, Australia, Singapore, and other regions where we have users.
19.4 Content of Notification
Our breach notifications will include, to the extent possible:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned.
- The name and contact details of our Data Protection Officer or other point of contact for further information.
- A description of the likely consequences of the breach.
- A description of the measures we have taken or propose to take to address the breach, including measures to mitigate its potential adverse effects.
- Recommendations for affected individuals to protect themselves (e.g., changing passwords, monitoring accounts, placing fraud alerts).
19.5 Cooperation with Authorities
We fully cooperate with law enforcement and regulatory authorities during breach investigations. We maintain logs and records of all incidents for a minimum of 5 years, including the steps taken to investigate, contain, and remediate each incident. Our incident response plan is reviewed and updated at least annually, or after any significant breach, to incorporate lessons learned.
20. Third-Party Services & Links
Our platform may contain links to third-party websites, services, or applications, including blockchain explorers (e.g., Etherscan), DeFi protocols (e.g., Balancer, Uniswap), and social media platforms (e.g., Twitter, Discord, Telegram). This Privacy Policy applies solely to information collected by BalancerTrade. We are not responsible for the privacy practices of third parties, and we encourage you to review their privacy policies before providing any personal data.
When you interact with smart contracts or decentralized applications (dApps) through our interface, your transactions are processed on public blockchain networks. These networks are not controlled by us, and any data you submit to them (including wallet addresses and transaction amounts) is publicly visible and immutable. We cannot control how other parties may use this on-chain data. You should exercise caution and understand the public nature of blockchain transactions before engaging.
We also integrate with third-party service providers for identity verification, analytics, and customer support. These providers are contractually bound to process your data only in accordance with our instructions and to implement appropriate security measures. However, we recommend reviewing their privacy policies for complete transparency. A list of our current key service providers and links to their privacy policies is available upon request via [email protected].
21. Your Choices & Account Management
We believe in giving you control over your data. Here are the choices you have regarding your personal information on our platform:
21.1 Account Settings
You can review and update your account information at any time by logging into your account dashboard. You may update your name, email address, phone number, and communication preferences. For security reasons, changes to certain information (e.g., wallet address, KYC documents) may require additional verification.
21.2 Marketing Communications
You may opt out of receiving promotional emails from us at any time by clicking the "unsubscribe" link in any marketing email or by updating your communication preferences in your account settings. Please note that even if you opt out of marketing communications, we may still send you service-related messages (e.g., transaction confirmations, security alerts, policy updates).
21.3 Cookie Preferences
You can manage your cookie preferences at any time by clicking the "Cookie Settings" link in the footer of our website. You may also adjust your browser settings to block or delete cookies. However, disabling essential cookies may affect the functionality of our platform.
21.4 Account Deletion
You may request deletion of your account and associated personal data by contacting our support team at [email protected] or using the account deletion option in your dashboard. Upon receiving a verified deletion request, we will delete your personal data within 30 days, subject to legal retention obligations (e.g., AML records must be retained for 5 years after account closure). Blockchain transaction data cannot be deleted as it is recorded on public ledgers.
21.5 Data Portability
You may request a copy of your personal data in a structured, commonly used, and machine-readable format (e.g., JSON, CSV). We will provide this data within 30 days of a verified request, free of charge. For additional copies, we may charge a reasonable fee based on administrative costs.
22. Automated Decision-Making & Profiling
BalancerTrade does not engage in automated decision-making that produces legal effects concerning you or similarly significantly affects you, as defined under GDPR Article 22 and similar laws. However, we do use automated systems for the following purposes, which may involve profiling:
- Risk Assessment: We use automated algorithms to assess transaction risk and detect potentially fraudulent or suspicious activity. This may involve analyzing your transaction patterns, device fingerprint, and geolocation data. If a transaction is flagged as high-risk, it may be temporarily blocked pending manual review by our compliance team.
- KYC/AML Screening: When you complete identity verification, automated systems screen your information against sanctions lists, politically exposed persons (PEP) databases, and adverse media. If a match is found, your verification may be paused for manual review by a compliance officer.
- Personalization: We use analytics to understand your preferences and behavior on our platform, which helps us recommend relevant services, content, and features. This profiling does not produce legal effects and you may opt out of personalization by adjusting your cookie preferences.
If you believe an automated decision has been made that unfairly affects you, you have the right to request human intervention, express your point of view, and contest the decision. Please contact [email protected] with details of your concern, and we will review the decision manually within 14 business days.
23. Data Retention Schedule (Detailed)
This section provides a detailed schedule of our data retention practices, organized by data category. Retention periods are determined based on legal requirements, operational needs, and the purpose for which the data was collected.
23.1 Account & Profile Data
- Active Accounts: Retained for the duration of account activity plus 5 years after account closure.
- Inactive Accounts: Accounts with no activity for 3 years are flagged as inactive. We will attempt to contact you before deletion. If no response is received within 90 days, the account and associated data are deleted, subject to legal holds.
23.2 KYC & Identity Documents
- Approved Verifications: Retained for 5 years after account closure or the end of the business relationship.
- Rejected Verifications: Retained for 5 years from the date of rejection for AML compliance purposes.
- Pending Verifications: Retained for 2 years from the date of submission if verification is never completed.
23.3 Transaction Data
- Platform Transactions: Retained for 7 years to comply with tax and financial reporting obligations (IRS, FinCEN).
- Blockchain Transactions: Immutable and publicly available on the blockchain. We cannot delete on-chain data, but we will disassociate it from your account upon request where technically feasible.
23.4 Communication Records
- Support Tickets & Chat Logs: Retained for 3 years from the date of last interaction.
- Email Correspondence: Retained for 3 years from the date of the last email in the thread.
- Marketing Communications Preferences: Retained indefinitely (or until you opt out) to honor your preferences.
23.5 Analytics & Usage Data
- Personally Identifiable Analytics: Retained for 26 months from collection.
- Aggregated/Anonymized Analytics: Retained indefinitely for statistical purposes. Anonymization is irreversible, and anonymized data cannot be linked back to you.
23.6 Security Logs
- Access Logs: Retained for 12 months.
- Security Incident Logs: Retained for 5 years from the date of incident closure.
When retention periods expire, data is securely deleted using industry-standard data destruction methods (e.g., cryptographic erasure, secure overwriting, physical destruction of storage media). We maintain a data retention policy that is reviewed annually by our Data Protection Officer and legal team.
24. Complaints & Dispute Resolution
We are committed to resolving any concerns you may have about our handling of your personal data. Our complaint process is designed to be accessible, transparent, and efficient. Here is how to raise a concern and what you can expect:
24.1 Internal Complaint Process
Step 1: Contact our Privacy Team directly at [email protected] or via our Contact page. Please provide a detailed description of your concern, including any relevant account information and the specific issue you are experiencing. We will acknowledge receipt within 3 business days.
Step 2: Our Privacy Team will investigate your complaint, which may involve consulting with our legal, security, and compliance teams. We will provide a substantive response within 30 days of receipt. If we need additional time due to the complexity of the issue, we will notify you and provide an expected resolution date (not to exceed 60 days total).
Step 3: If you are unsatisfied with our response, you may escalate your complaint to our Data Protection Officer (DPO) at [email protected]. The DPO will review the case independently and provide a final determination within 15 business days.
24.2 External Recourse
If your complaint is not resolved to your satisfaction through our internal process, you have the right to lodge a complaint with the relevant supervisory authority:
- United States (Federal): Federal Trade Commission (FTC) — reportfraud.ftc.gov
- California: California Privacy Protection Agency (CPPA) — cppa.ca.gov
- New York: New York Attorney General — ag.ny.gov
- European Economic Area: Your local Data Protection Authority (list available at edpb.europa.eu)
- United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
We will not retaliate against you for filing a complaint with a regulatory authority. We encourage you to contact us first so we can address your concerns directly and efficiently.
25. Supplementary Information for Specific Jurisdictions
In addition to the rights and protections described elsewhere in this Privacy Policy, the following provisions apply to residents of specific jurisdictions where we operate or have users.
25.1 Canada (PIPEDA)
For users in Canada, your personal information is collected, used, and disclosed in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws. You have the right to access and correct your personal information held by us. We will obtain your consent before collecting or using your information for any new purpose not previously disclosed. Our Privacy Officer can be reached at [email protected]. If you have an unresolved privacy concern, you may file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.
25.2 Australia (Privacy Act 1988)
For users in Australia, we comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). You have the right to access and correct your personal information, and to make a complaint if you believe your privacy has been breached. We will respond to your complaint within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. Please note that our services are provided from the United States, and your data may be transferred and processed there.
25.3 Brazil (LGPD)
For users in Brazil, we process your personal data in accordance with the Lei Geral de Proteção de Dados Pessoais (LGPD). We have appointed a representative in Brazil for LGPD compliance purposes. You have rights under the LGPD, including confirmation of processing, access, correction, anonymization, blocking, deletion, portability, and revocation of consent. To exercise these rights, contact [email protected]. You may also lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.
25.4 South Korea (PIPA)
For users in South Korea, we comply with the Personal Information Protection Act (PIPA). We have a domestic representative in South Korea to handle privacy inquiries and data subject requests. You have the right to access, correct, delete, and request suspension of processing of your personal information. We will respond to your request within 10 days. If you are unsatisfied, you may contact the Personal Information Protection Commission (PIPC) at pipc.go.kr.
25.5 Japan (APPI)
For users in Japan, we handle your personal information in accordance with the Act on the Protection of Personal Information (APPI). You have the right to request disclosure, correction, addition, deletion, or suspension of use of your retained personal data. We will respond to your request without undue delay. For inquiries, contact [email protected]. You may also contact the Personal Information Protection Commission (PPC) at ppc.go.jp.
25.6 Singapore (PDPA)
For users in Singapore, we comply with the Personal Data Protection Act (PDPA). You have the right to access and correct your personal data, and to withdraw consent for the collection, use, or disclosure of your data, subject to legal or contractual restrictions. We will respond to your request within 30 days. You may contact our Data Protection Officer at [email protected]. If you have an unresolved complaint, you may contact the Personal Data Protection Commission (PDPC) at pdpc.gov.sg.
26. Data Security Incident Response Plan Summary
Our comprehensive incident response plan is designed to quickly detect, contain, and remediate any security incidents involving personal data. The plan is aligned with the NIST Cybersecurity Framework and ISO 27001 standards. Key components include:
- Preparation: Regular training, tabletop exercises, and updated playbooks for common incident types (ransomware, data exfiltration, insider threats, DDoS).
- Detection & Analysis: Automated monitoring tools (SIEM, EDR, NDR) that generate alerts for anomalous activity. Our SOC operates 24/7/365.
- Containment, Eradication & Recovery: Immediate isolation of affected systems, forensic analysis, removal of threats, and restoration from secure backups.
- Post-Incident Activity: Root cause analysis, lessons learned documentation, and implementation of corrective measures to prevent recurrence.
- Communication: Internal escalation to management and legal counsel, and external notification to affected individuals and regulators as required by law.
We test our incident response plan at least twice annually through simulated breach exercises. Our security team maintains relationships with external incident response firms, cyber insurance providers, and law enforcement agencies to ensure rapid support when needed.
27. Vendor Due Diligence & Data Processing Agreements
All third-party service providers who process personal data on our behalf undergo a rigorous vendor due diligence process before engagement. This process includes:
- Security Assessment: Review of the vendor's security certifications (e.g., SOC 2, ISO 27001, PCI DSS), penetration testing reports, and security policies.
- Data Processing Agreement (DPA): A legally binding contract that specifies the scope, purpose, and duration of data processing, as well as the vendor's obligations regarding data security, confidentiality, breach notification, and sub-processing.
- Privacy Compliance: Verification that the vendor complies with applicable privacy laws (GDPR, CCPA, etc.) and maintains appropriate data protection measures.
- Ongoing Monitoring: Annual reviews of vendor security posture, including reassessment of certifications and review of any security incidents reported by the vendor.
We maintain a register of all vendors who process personal data on our behalf, which is reviewed quarterly by our Data Protection Officer. Current key vendors include: Amazon Web Services (cloud infrastructure), Google Cloud (analytics), SendGrid (email delivery), Jumio (identity verification), and Amplitude (product analytics). A complete list of sub-processors is available upon request via [email protected].
28. Contact Information & Data Protection Officer
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please do not hesitate to contact us. We are committed to responding promptly and transparently.
28.1 Primary Contact
- Email: [email protected]
- Phone: +1 212 826 7392
- Postal Address: BalancerTrade LLC, Attn: Privacy Office, 350 Fifth Avenue, Suite 3300, New York, NY 10118, United States
28.2 Data Protection Officer (DPO)
- Email: [email protected]
- Postal Address: BalancerTrade LLC, Attn: DPO, 350 Fifth Avenue, Suite 3300, New York, NY 10118, United States
28.3 EU/UK Representative
For users in the European Union and the United Kingdom, we have appointed a representative for data protection matters as required by Article 27 of the GDPR and Article 27 of the UK GDPR. Our EU representative is BalancerTrade Europe Ltd, registered in Ireland. For UK-specific matters, our UK representative is BalancerTrade UK Ltd. Both representatives can be contacted at [email protected] or via post at the address provided upon request.
29. Definitions
For the purposes of this Privacy Policy, the following terms have the meanings set forth below:
- Personal Data / Personal Information: Any information relating to an identified or identifiable natural person, including name, email address, IP address, wallet address, and other identifiers.
- Processing: Any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
- Data Controller: The entity that determines the purposes and means of processing personal data. For this platform, BalancerTrade LLC is the data controller.
- Data Processor: A third party that processes personal data on behalf of the data controller, such as cloud infrastructure providers or analytics services.
- Data Subject: The individual to whom the personal data relates (i.e., you).
- Supervisory Authority: An independent public authority responsible for monitoring the application of data protection laws (e.g., ICO, CNIL, DPA, CPPA).
- DeFi: Decentralized Finance — blockchain-based financial services that operate without traditional intermediaries.
- KYC/AML: Know Your Customer / Anti-Money Laundering — regulatory compliance procedures used to verify the identity of clients and prevent financial crime.
30. Accessibility of This Policy
We are committed to ensuring that this Privacy Policy is accessible to all users. If you require this policy in an alternative format (e.g., large print, audio, or translated into another language), please contact us at [email protected] and we will provide a suitable version within 14 days. We support the Web Content Accessibility Guidelines (WCAG) 2.1 AA standards across our platform, including this policy page.
31. Effective Date & Version History
This Privacy Policy is effective as of March 15, 2025. It supersedes all previous versions. We maintain a version history of material changes for transparency:
- Version 2.4 (March 15, 2025): Updated CCPA/CPRA disclosures, added Section 25 for supplementary jurisdiction-specific provisions, revised data retention schedule, and updated contact information.
- Version 2.3 (October 1, 2024): Added sections on automated decision-making (Section 22) and vendor due diligence (Section 27). Updated cookie categories and consent mechanisms.
- Version 2.2 (June 15, 2024): Enhanced breach notification procedures (Section 19) and added detailed data retention schedule (Section 23).
- Version 2.1 (March 1, 2024): Added Virginia, Colorado, Connecticut, and Utah privacy rights (Section 15). Updated international transfer mechanisms (Section 5).
- Version 2.0 (January 1, 2024): Comprehensive rewrite to align with evolving regulatory requirements, including expanded CCPA/CPRA compliance, GDPR Article 27 representative appointment, and enhanced security disclosures.
We encourage you to review the current version each time you use our platform. If we make material changes that affect your rights or our use of your data, we will notify you as described in Section 11. Your continued use of our services after the effective date of any changes constitutes your acceptance of the updated policy.
32. Acknowledgment
By using BalancerTrade's platform and services, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your personal data as described herein. If you do not agree with any part of this policy, please discontinue use of our platform and contact us to close your account.
Thank you for trusting BalancerTrade with your personal information. We are committed to protecting your privacy and providing you with a secure, transparent, and innovative DeFi portfolio management experience.