Privacy Policy

Effective: April 25, 2026

1. Who is the controller

BottomUP, Inc., a Delaware corporation (“BottomUP”), is the controller of personal data collected through bupcore.ai and the BottomUP mobile apps (together, the “Service”).

2. What we collect

  • Account data — email, phone number, name, avatar, provider ID (Google, Apple, phone), and anything you add to your profile.
  • Trading data — setups you clap or watchlist, trades executed through a connected exchange API, subscription and Credits activity. For connected OKX accounts we store the API key, secret, and passphrase encrypted at rest, plus your exchange UID.
  • Device & usage data — IP address, user agent, country/region (derived from IP), page views, feature interactions, approximate load times. Used for analytics and security.
  • Cookies & similar — essential cookies (session), preference cookies (theme, language), and analytics tags. See §7 below.
  • Communications — messages you post in community channels and support tickets.

We do not knowingly collect personal data from children under 16. If you believe a child has provided us data, contact [email protected].

3. Why we process it

  • To provide the Service you requested (contract).
  • To prevent fraud, sanctions breaches, and market manipulation (legitimate interests / legal obligation).
  • To show you relevant signals and creators (legitimate interests).
  • To bill subscriptions and Credits (contract).
  • To send transactional and (with consent) marketing email or push notifications.
  • To comply with tax, audit, and record-keeping obligations (legal obligation).

4. Who we share with

  • Infrastructure providers — Railway (hosting), Postgres/Redis on Railway, Firebase (auth, messaging, Firestore), Cloudflare (DNS/edge). Each is bound by a data processing agreement.
  • Analytics — Google Tag Manager / Google Analytics 4 for aggregated usage statistics. You can opt out with a GPC signal or cookie banner.
  • AI provider — Anthropic (Claude) processes anonymised setup metadata for Foxy AI verdicts. No personal identifiers are sent.
  • Third-party exchange — OKX. If you connect an OKX account, we send API requests on your behalf for reading balances and placing orders.
  • Law enforcement — when compelled by a valid legal process, limited to what is required.

We never sell personal data. We never share your OKX credentials with any third party, including AI providers.

5. Where we store data

Primary storage is in Railway’s Europe-West region; some Firebase data resides in the United States (europe-west1 and us-central1). By using the Service from outside these regions you consent to the transfer and processing of your data in those locations. Transfers from the EEA / UK rely on the European Commission’s Standard Contractual Clauses.

6. How long we keep it

  • Account data: until you delete your account, plus 30 days.
  • Trading & billing data: 7 years to meet tax and record-keeping requirements.
  • Community messages: until you delete them or close the account.
  • Security & fraud logs: up to 24 months.

7. Cookies & tracking

We use strictly necessary cookies for authentication and security; functional cookies for your preferences; and analytics cookies (via Google Tag Manager) to understand aggregate usage. You can disable non-essential cookies at any time using the cookie banner or your browser controls. We honour the Global Privacy Control (GPC) signal as a request to opt out of sale / sharing under the California Consumer Privacy Act (CCPA).

8. Your rights

Depending on where you live, you may have the right to:

  • access, correct, delete, or port your personal data;
  • object to or restrict certain processing;
  • withdraw consent at any time for consent-based processing;
  • (California residents) know what categories of data we collected, to whom we disclosed it, and to opt out of “sale” or “sharing” — we do not sell, and you can opt out of analytics-based sharing via the cookie banner or a GPC signal;
  • (EEA / UK) lodge a complaint with your local supervisory authority.

To exercise any right, email [email protected]. We respond within the deadlines required by GDPR (30 days) and CCPA (45 days).

9. Security

Access to production systems is restricted, logged, and secured with MFA. All traffic is TLS-encrypted. OKX credentials are stored encrypted at rest. No system is perfectly secure; if we learn of a breach affecting you, we will notify you without undue delay as required by law.

10. Changes

We may update this Policy. Material changes will be announced on the Service and by email. The effective date will be updated at the top of this page.

11. Contact

Privacy inquiries: [email protected].
Postal: BottomUP, Inc., Corporation Trust Center, 1209 Orange Street, Wilmington, Delaware 19801, USA.
