Your privacy. Our obsession.

We hold two things that demand absolute protection: your personal identity and your exchange API keys. This document explains exactly what we collect, how we secure it, and what we will never do with it — in plain language and with full technical detail.

This Privacy Policy is published by FreedomBot.ai, operated by a registered company in India.

Last updated: 12 April 2026

1. What we collect and why

We collect only what is necessary to operate the platform. Nothing more.

Identity (via Google Sign-In)

· Email address — used to identify your account and send transactional notices
· Display name — shown in your dashboard
· Firebase UID — a unique, opaque identifier that links your account to your data

We never see your Google password. Authentication is handled entirely by Google Firebase Auth.

Exchange API credentials

· Your API key and API secret — encrypted immediately on receipt, never stored in plaintext (see Section 3)
· Last 4 characters of your API key — stored unencrypted solely for display purposes in your dashboard
· An HMAC-SHA256 fingerprint of your API key — used to detect duplicate registrations without exposing the key itself
· Exchange name and bot type — to route your bot to the correct trading system

Trade activity

· Trade records (symbol, direction, PnL, timestamps) — to display your dashboard and maintain on-chain records
· Bot deployment status — to know whether your bot is active or stopped

Waitlist entries (if applicable)

· Name, email, and optionally phone — encrypted using AES-256-GCM before storage, identical to how API keys are protected
· Country and asset type interest — stored unencrypted for aggregate analytics only (not personally identifiable)

Decrypted waitlist data is accessible only to verified FreedomBot admins via a token-protected API route. It is used solely to notify you when your requested bot goes live.

2. What we never collect

✕ Your exchange password or 2FA codes — we never ask for these
✕ Withdrawal permissions — our setup guides explicitly instruct you to leave withdrawal access disabled
✕ Your trading capital or funds — your money stays in your exchange account at all times
✕ Browsing history, device fingerprints, or advertising identifiers
✕ Any biometric or government-issued identity data

FreedomBot operates with read and trade permissions only. It is structurally impossible for our system to initiate withdrawals, transfers, or any movement of funds out of your exchange account.

3. How we encrypt your API keys

This is the most sensitive data we handle. We have designed the encryption pipeline so that a complete breach of our database would yield nothing usable.

Algorithm: AES-256-GCM

We use AES-256-GCM (Advanced Encryption Standard, 256-bit key, Galois/Counter Mode). GCM is an authenticated encryption mode — it simultaneously encrypts the data and produces a cryptographic authentication tag. This means any tampering with the stored ciphertext is detected and the decryption is rejected before any data is returned.

→Algorithm: AES-256-GCM

→Key size: 256 bits (32 bytes)

→IV size: 128 bits (16 bytes), randomly generated per encryption

→Auth tag: 128 bits (16 bytes), appended to ciphertext

→Storage format: base64(IV ‖ AuthTag ‖ Ciphertext)

Key derivation: scrypt

The encryption key is not used raw. It is derived using scrypt, a memory-hard key derivation function designed to make brute-force attacks computationally prohibitive even with specialised hardware. The master key is sourced from a server-side environment variable and is never present in source code or committed to version control.

→KDF: scrypt (Node.js crypto.scryptSync)

→Input: ENCRYPTION_KEY environment variable (≥ 32 chars)

→Salt: application-level fixed salt

→Output: 32-byte derived key used as AES-256 key

Per-encryption random IV

A new 16-byte random Initialization Vector (IV) is generated using a cryptographically secure random number generator (crypto.randomBytes) for every single encryption call. This means that even if two users have identical API keys, their stored ciphertext will be completely different. It also means that re-saving the same key produces a different ciphertext each time, preventing any pattern analysis on the stored data.

What is actually stored in our database

The Firestore document for your credentials contains:

→encryptedKey: base64(IV + AuthTag + AES-256-GCM(apiKey))

→encryptedSecret: base64(IV + AuthTag + AES-256-GCM(apiSecret))

→keyLastFour: last 4 characters of API key (plaintext, for UI display only)

→keyFingerprint: HMAC-SHA256(exchange + apiKey) — for duplicate detection only

→exchange: e.g. BYBIT (plaintext)

The plaintext API key and secret exist in memory only for the duration of the HTTP request — the time it takes to encrypt them. They are never logged, never written to disk, and never transmitted beyond the point of encryption.

Credential isolation

Credentials are stored in a user-scoped Firestore subcollection: users/{uid}/secrets/{exchangeDocId}. Firestore security rules ensure that no user can read or write another user's secrets. Server-side routes additionally re-verify the Firebase Auth ID token and scope all queries to the authenticated uid before any database read or write.

Key verification before storage

Before encrypting and storing your credentials, we make a live call to your exchange to verify that the keys are valid and have the correct permissions. If the exchange rejects the keys, they are discarded immediately — nothing is written to the database.

4. Where your data is stored

All user data is stored on Google Firebase / Firestore, hosted on Google Cloud infrastructure. Firebase provides encryption at rest and in transit by default for all stored documents.

· Authentication: Firebase Authentication (Google Cloud Identity Platform)
· User credentials and deployment records: Google Cloud Firestore
· Trade records and bot state: Google Cloud Firestore
· Waitlist entries: Google Cloud Firestore (PII fields encrypted before storage)

Your encrypted credentials never leave our Firestore database except to be decrypted in memory on our own server-side API routes at the moment they are needed to place a trade. They are never sent to a third-party service, cached in a CDN, or written to any log file.

5. On-chain trade records and public data

Every trade our own system closes is permanently written to the Solana blockchain. These are records of FreedomBot's aggregate trading activity — not individual user records. They are public, immutable, and verifiable by anyone at freedombot.ai/records.

On-chain records contain: trade direction (long/short), entry and exit prices, profit/loss, and timestamp. They are system-level records only — your personal identity, your exchange account, your API keys, your individual trade history, and any other personally identifiable information are never written to the blockchain. We deliberately designed it this way to give the public full visibility into our system's performance while maintaining complete privacy for every individual user.

6. Authentication and access control

Every API route that touches user data requires a valid Firebase ID token in the Authorization: Bearer header. This token is verified server-side using the Firebase Admin SDK before any database operation is performed. Tokens are short-lived (one hour) and automatically refreshed by the Firebase client SDK.

We use Google Sign-In exclusively. We do not implement or store passwords. Your authentication is delegated entirely to Google's identity infrastructure, which provides phishing-resistant login, brute-force protection, and optional 2FA through your Google account settings.

The master ENCRYPTION_KEY used to derive the AES-256 key is stored as a server-side environment variable (Vercel encrypted environment). It is never exposed to the client, never committed to source code, and is accessible only to authenticated server-side API processes.

7. Data sharing and third parties

We do not sell, rent, or share your personal data with any third party for marketing or advertising purposes. Ever.

The only third parties that interact with your data:

· Google Firebase — authentication, database, and application hosting infrastructure
· Your chosen exchange (e.g. Bybit) — receives trade orders signed with your API key; they hold your funds and execute trades

8. Your rights and controls

You have full control over your data:

·Revoke API access instantly — Delete the API key from your exchange dashboard. This immediately cuts off all trading access — no action needed on our side.
·Stop your bot — Use the Stop Bot button in your dashboard. This marks your deployment as inactive and the bot will place no further trades.
·Request data deletion — Email us at privacy@freedombot.ai and we will permanently delete your account, encrypted credentials, and all associated data within 30 days.
·Request a data export — You can request a copy of all personal data we hold about you by emailing privacy@freedombot.ai.

9. Cookies and tracking

We use a minimal session cookie set by Firebase Auth to persist your login state. This cookie contains no personal information — only an opaque session identifier.

We do not use advertising cookies, third-party tracking pixels, or analytics services that profile individual users. No data from your visit to FreedomBot.ai is sold to or shared with advertising networks.

10. Changes to this policy

If we make material changes to this Privacy Policy, we will update the "Last updated" date at the top of this page and, where appropriate, notify active users by email. Continued use of FreedomBot.ai after changes are posted constitutes acceptance of the updated policy.

11. Contact

For any privacy-related questions, data requests, or concerns, please use our contact form and mention your request in the message:

We aim to respond to all privacy enquiries within 5 business days.

FreedomBot.ai · Trading involves risk. Past performance does not guarantee future results.