Your data, plainly.

LucraX (operated by the LucraX team) provides hosted infrastructure for self-directed traders to backtest, paper-trade and deploy algorithmic trading strategies across third-party exchanges. We are the data controller for the personal data described below.

Privacy contact: privacy@lucrax.app

2.1 You give us directly

• Email address and password (hashed with bcrypt).
• Optional 2FA secret (encrypted at rest).
• Exchange API keys and secrets (encrypted at rest with AES-256-GCM, per-user-derived keys).
• Strategy configurations, risk settings and preferences.
• Optional Telegram chat ID and notification preferences.
• Anything you submit via the contact or waitlist forms.

2.2 Generated by your use

• Backtest results, simulated trades and performance metrics.
• Live trades placed via your connected exchange (entry, exit, P&L, fees).
• Audit logs of sensitive operations (login, key changes, account closure).
• Standard server logs (IP address, user-agent, request timing) retained for security and debugging.

2.3 We do not collect

• Your exchange account password.
• Your bank or card details (we don't process payments yet; when we do, billing data goes to the payment processor, not us).
• Behavioural advertising profiles or third-party analytics tracking pixels.

• Run the service. Authenticate you, route signals to the right exchange, render your dashboard.
• Send transactional notifications. Trade fills, exits, liquidations and circuit-breaker events to your account email or Telegram (only if you opt in).
• Answer support requests. Reply to messages you send via the contact form.
• Improve and secure the platform. Diagnose bugs, prevent abuse, monitor uptime.
• Legal and tax compliance. Where applicable.

We rely on a small number of vendors to operate the service. Each is bound by their own privacy and security obligations.

• Resend: transactional email delivery.
• Telegram: opt-in alert delivery (only if you enable it).
• Cloud hosting: application servers and database infrastructure.
• Connected exchanges: the venues you yourself authorize via API key (Binance, ByBit, BitMEX, Hyperliquid, LNMarkets, Interactive Brokers).

• Account, strategy, backtest and trade data is retained for as long as your account is open.
• If you close your account, sign-in is disabled immediately and active strategies are halted, but your data remains on file so you can re-open later by contacting support.
• You can request export or permanent deletion of your data at any time by emailing privacy@lucrax.app.
• Server logs are retained for up to 90 days unless required longer for security or legal reasons.

• Passwords hashed with bcrypt.
• Exchange API credentials encrypted with AES-256-GCM, using per-user-derived keys.
• Optional TOTP 2FA at login.
• Short-lived JWT access tokens (30 min) with rotating refresh tokens.
• HTTPS everywhere; CORS locked to our own origins.
• Audit log on sensitive operations.

No system is impenetrable. If you suspect unauthorized access or have a vulnerability to report, email security@lucrax.app and revoke our key from your exchange.

Depending on where you live, you have rights to access, correct, export, restrict or delete your personal data, and to object to certain processing. To exercise any of these, email us. We respond within 30 days.

LucraX is not intended for anyone under 18, and we do not knowingly collect data from children.

Our infrastructure may store and process data in jurisdictions outside your own. Where required, we use standard contractual clauses or equivalent safeguards.

If we make material changes we'll notify active users by email and update the date at the top of this page. Trivial wording changes won't trigger a notification.

Privacy questions: privacy@lucrax.app. Anything else: use the contact form.