Formion AI

Privacy Policy

Effective: May 12, 2026

1. Data we collect

  • Account: email, password hash (bcrypt; we never see the plaintext), display name, locale, optional avatar.
  • Provider IDs: Google account UID (if you sign in with Google), Telegram user ID + username (if you link Telegram via @formiontradingbot).
  • Exchange API keys: stored encrypted at rest (AES-256-GCM); decrypted only in-memory during order placement.
  • Wallet private keys: only if you choose to import a custodial wallet; stored encrypted as above.
  • Trade history: orders you place via Formion, your strategy executions, P&L snapshots.
  • Telemetry: IP, user-agent, session timestamps. We do not use third-party analytics or ad pixels.

2. How we use it

  • Authenticate you and keep your sessions secure.
  • Fetch balances, positions, and history from exchanges you linked.
  • Run AI signals, strategy bots, and Telegram alerts you configured.
  • Detect abuse, fraud, and platform-wide anomalies (e.g. brute-force, mass-scraping).
  • Send service-related email (verification, password resets, security alerts). We do not send marketing email without explicit opt-in.

3. Who can see your data

Only you. Formion staff cannot read your encrypted exchange keys or wallet private keys (the master encryption key lives in a separate secrets vault used only by the bot/dashboard runtime). Telegram interactions are visible to the bot infrastructure but never shared externally.

4. Third parties we send data to

  • Exchanges & chains you connected — we send orders and read balances. Only with your explicit linking action.
  • Cloudflare — DDoS, WAF, Turnstile anti-bot. They see your IP and request metadata.
  • Email transport (SMTP provider) — receives your email address when we send verification or security notifications.
  • Google — only for OAuth login, never for analytics tracking.

We do not sell your data. Ever.

5. Cookies

We use a single first-party cookie (formion_session, HttpOnly, Secure, SameSite=Lax) to keep you logged in. No third-party tracking cookies are set by our app. You can clear this cookie via your browser; doing so logs you out.

6. Data retention

We retain account data while your account exists, plus 90 days after deletion for legal/audit reasons. Encrypted API keys are deleted immediately on account deletion. Trade logs older than 24 months may be archived to cold storage.

7. Your rights

Depending on your jurisdiction (GDPR, CCPA, etc.) you may have the right to access, export, correct, or delete your data, and to object to processing. Request these via [email protected] — we respond within 30 days.

8. Security

AES-256-GCM at rest for secrets, TLS for everything in transit, bcrypt for password hashes, DB-backed revocable sessions, mandatory 2FA on staff accounts. We disclose material breaches affecting your data within 72 hours of confirmation.

9. International transfers

Our infrastructure is in EU/EEA data centers. Exchange and chain APIs you connect may operate globally; data sent to them follows their privacy practices.

10. Children

Formion is not for users under 18. We delete any account we discover violates this requirement.

11. Changes

We'll announce material changes at least 14 days in advance via email and dashboard notice.

12. Contact

Privacy questions: [email protected]