Privacy Policy

This Privacy Policy explains what data SpikeLabs (the "Service") collects, why we collect it, how we use it, and what control you have over it. It applies to the SpikeLabs landing site, the portal at app.spikelabs.app, and the SpikeLabs Telegram bots.

1. Data we collect

The Service is designed to collect the minimum data required to operate. Specifically:

• Account identity. When you sign in via Telegram, we receive your Telegram user ID, public username (if you have one), and chosen language. When you sign in via email magic link, we receive and store your email address. A single account can be linked to both Telegram and email — once linked they merge into one account.
• Subscription settings. Filters you configure inside the bot — market (spot/futures), price-change threshold, timeframe, signal-type toggles, ignored coins list, alert preferences.
• Payment records. When you pay, we keep a record of the plan, amount, payment method (Stars / CryptoBot invoice / manual transfer), and transaction reference. We do not store card numbers, bank details, or wallet seed phrases — the Service never asks for those.
• Signal delivery logs. For each alert sent to you, we keep a short log entry (timestamp, symbol, signal type, the rule that fired). Used for dedup, rate-limiting, and troubleshooting.
• Portal session metadata. For each browser session signed into the portal we record sign-in IP, a browser/device identifier, and session lifecycle timestamps. Used exclusively for security — detecting suspicious sessions, enforcing session expiry, limiting concurrent sessions, and rate-limiting sign-in attempts. Never used for advertising, cross-site tracking, or behavioural profiling.
• Operational telemetry. Server-side logs may include IP addresses, error traces, and similar short-lived diagnostic information.

2. Data we deliberately do NOT collect

• Exchange API keys. The Service operates exclusively on public market data. We never ask for and never accept exchange API keys, secrets, or login credentials.
• Access to your funds. The Service does not hold, custody, transfer, or have signing authority over any of your funds, wallets, or exchange balances.
• Identity documents. No KYC, no passport/ID upload, no proof of address.
• Phone number. Sign-in uses Telegram and/or email magic link only — no SMS verification, no phone tied to your account.
• Real name, address, or other personal information. The Service does not ask for any of these and does not have form fields to collect them.

3. How we use the data

• To operate the Service — match your filters against the live signal stream and deliver only the alerts you've subscribed to.
• To process payments and extend your subscription end-date.
• To diagnose and fix issues (e.g., investigate a missed or duplicated alert).
• To enforce these terms (e.g., detect and block abuse such as scraping or resale).

We do not sell your data, share it with advertisers, or use it for marketing profiling.

4. Third-party services we interact with

The Service relies on a small number of third parties to function:

• Cryptocurrency exchanges (e.g., Binance) — accessed via their public market-data APIs. We do not transmit any of your personal data to exchanges.
• Telegram — required to deliver bot alerts and to authenticate Telegram-linked accounts. Telegram receives whatever it needs to route messages to you (i.e., your Telegram user ID). Your interaction with Telegram is also governed by Telegram's own privacy policy.
• Email delivery provider — used only to deliver magic-link sign-in messages to the email address you supplied. The provider receives your email address and the message content (a one-time sign-in link and a short verification code). We do not use this provider for marketing, newsletters, or promotional emails.
• CryptoBot — used to generate crypto invoices when you choose that payment method. CryptoBot sees the invoice metadata (amount, plan reference) and any data you provide to it directly.
• Client-side device-identification component — produces a stable per-browser identifier used for the security purposes described in Section 1. Runs in your browser; only the resulting identifier is sent to our backend.
• Hosting and database providers — used to run the Service's infrastructure. They store the data described in Section 1 at rest on our behalf, subject to their own security practices.

5. Cookies and browser storage

The marketing site does not set tracking cookies. The portal at app.spikelabs.app uses your browser's localStorage to remember small UI preferences and your portal watchlist (a list of favorite tickers). This data:

• Stays in your browser. We do not send it to our servers.
• Is bound to one browser on one device — using a different browser or clearing site data resets it.
• Can be cleared at any time via your browser's site-settings menu.

6. Data retention

Account data, subscription settings, and payment records are retained for as long as your account exists, plus a reasonable period afterward to satisfy operational, security, and legal needs. Signal delivery logs and diagnostic logs are kept on a rolling basis only for as long as they remain useful for service operation, troubleshooting, and abuse prevention, and are then removed.

7. Your rights — accessing, exporting, deleting

You can interact with your data in two distinct places:

Browser data (portal localStorage)

Clear it yourself any time via your browser's site-settings panel. We have no copy of it server-side.

Server-side data (bot account, settings, payment records, logs)

You may request a copy of your data or its deletion by writing to @SpikeLabsSupportBot from the same Telegram account (or the email address linked to your account, if any). We will verify that the request comes from the account-holder before actioning it, and we will respond to verified requests within a reasonable timeframe.

We reserve the right to:

• Require additional verification before processing a request, especially when account ownership is ambiguous.
• Decline requests that are manifestly unfounded, repetitive, or excessive — including requests that appear to be automated, made on behalf of someone else, or used as a means of disrupting the Service.
• Charge a reasonable fee for repeated requests from the same account within a twelve (12) month period.
• Retain payment records for the period required by applicable accounting and anti-fraud obligations even after the rest of your data is removed.

Deletion is irreversible — once removed, your subscription settings, ignored list, and history cannot be recovered.

8. Children

The Service is intended for adults only. We do not knowingly collect data from anyone under 18 (or the age of majority in your jurisdiction). If you believe a minor has provided us data, contact @SpikeLabsSupportBot and we will delete it.

9. Security

We use reasonable technical and organizational measures to protect data — encrypted transport, access controls, separation of payment infrastructure. No service can guarantee absolute security; you use the Service at your own risk.

10. Changes to this Policy

We may update this Policy from time to time. The "Last updated" date at the top reflects the most recent change. Material changes will be announced via the Service or its official Telegram channels.

11. Contact

For privacy questions or to action one of your rights, contact @SpikeLabsSupportBot. Email is not an officially supported contact channel.