Features Pricing Support
Get Started
Back to Home
Legal
Privacy Policy
We take your privacy seriously. This policy explains exactly what data we collect, why we collect it, how we store and protect it, and your rights over it.
Last updated: June 1, 2026  ·  Effective immediately upon account creation
Table of Contents
01
Who We Are

BotJinn ("we", "us", "our") operates the automated trading platform accessible at botjinn.com. BotJinn is an independent service and is not affiliated with Polymarket Inc. in any way.

For the purposes of applicable data protection law, including the General Data Protection Regulation (GDPR) where it applies, BotJinn acts as the data controller in respect of the personal data you provide when creating an account and using the Service.

By creating an account and using BotJinn, you acknowledge that you have read and understood this Privacy Policy and consent to the processing of your personal data as described herein.

02
Data We Collect

We collect only the data that is strictly necessary to provide the Service. Below is a complete description of every category of data we collect:

Account Information

  • Username and email address - used to identify your account and to send you transactional emails (verification, subscription, payment notifications).
  • Password - stored as a one-way bcrypt hash. We never store or have access to your plaintext password.
  • Display name - the name associated with your account profile.
  • Country of residence - collected at registration for eligibility and regulatory compliance purposes.
  • Date of birth - collected at registration to verify that you meet the minimum age requirement of 18 years.
  • Account creation timestamp - recorded when your account is created.
  • Email verification status and token - a short-lived verification token (valid for 30 minutes) is generated and emailed to you when you register. It is deleted automatically once your email is verified or when it expires.

Polymarket API Credentials

  • Your Polymarket wallet private key, CLOB API key, API secret, and API passphrase.
  • These are provided voluntarily by you to enable the bot to trade on your behalf. They are encrypted before storage using a 256-bit symmetric key (libsodium crypto_secretbox) and are never stored in plaintext.
  • These credentials are transmitted only to Polymarket's own API infrastructure and are never shared with any other third party.

Subscription & Billing Data

  • Your chosen subscription plan, status, billing period, and payment method.
  • If you pay by card: Stripe handles all card data directly. We store only your Stripe Customer ID and Subscription ID - never card numbers, CVVs, or bank details.
  • If you pay with crypto: Coinbase Commerce handles the transaction. We store only the charge ID and hosted URL reference.

Bot Configuration & Activity

  • The trading strategy (Blueprint) you have selected and its configuration parameters.
  • Bot operational state: run/stop events, stop reason, last stopped timestamp, and low-balance warning flags.
  • Your Polymarket wallet USDC balance and the time it was last checked — stored to display your balance on the dashboard and to enforce minimum balance requirements.
  • Your Telegram chat ID (if you connect Telegram notifications).
  • Your Discord webhook URL (if you connect Discord notifications) — stored encrypted.

Security & Access Logs

  • Authentication log: Your IP address, browser user-agent, and event type (login, logout, or failed login attempt) are recorded each time you authenticate. This log is visible to you on the Account page. Entries are automatically deleted after 30 days.
  • Page visit log: For security monitoring and abuse prevention, we record your IP address, the page path visited, HTTP method, browser user-agent, and referrer URL for each page request. If you are logged in, your user ID is also recorded to allow us to investigate account-level security issues. Entries are automatically deleted after 30 days. API endpoints and static assets are excluded from this log.
  • Web server access logs: Standard nginx access logs (IP address, URL, response code, timestamp) are retained for a maximum of 14 days via automatic log rotation, then permanently deleted.

Data We Do NOT Collect

  • We do not collect your Polymarket wallet balance, trading history, or market positions. That data lives solely in your Polymarket account.
  • We do not use advertising trackers, pixel tags, or behavioural analytics of any kind.
  • We do not collect any biometric data or government-issued identification.
03
How We Use Your Data

We use your data only for the purposes for which it was collected. Specifically:

  • Account operation - to authenticate your login, manage your session, and provide access to the platform.
  • Bot execution - to pass your encrypted API credentials to the bot process running on our server so it can place trades on Polymarket on your behalf.
  • Subscription management - to track your subscription status, billing cycle, and plan entitlements, and to enforce access accordingly.
  • Telegram notifications - if you have connected Telegram, to send you trade alerts and bot status updates via your Telegram chat ID.
  • Security - to detect, investigate, and prevent fraudulent or unauthorised access to your account.
  • Legal compliance - to comply with applicable laws, regulations, and lawful requests from public authorities.

We do not use your data for advertising, profiling, or any purpose unrelated to operating the Service. We do not sell, rent, or trade your personal data to any third party.

The legal bases for processing your personal data under GDPR are:

  • Contract performance (Art. 6(1)(b)) - processing necessary to provide the Service you have subscribed to.
  • Legitimate interests (Art. 6(1)(f)) - security monitoring, fraud prevention, and service improvement, where these do not override your rights.
  • Legal obligation (Art. 6(1)(c)) - where we are required to retain or disclose data by law.
  • Consent (Art. 6(1)(a)) - for optional features such as Telegram notifications, where you have actively connected an integration.
04
How We Store & Protect Your Data
Your Polymarket credentials are encrypted using libsodium's crypto_secretbox_easy (XSalsa20-Poly1305) with a 256-bit server-side secret key before being written to the database. They are never stored in plaintext and are never logged.

All data is stored in a MySQL database on a private server. The following security measures are in place:

  • Encryption at rest - Polymarket API credentials (private key, API key, secret, passphrase) are encrypted with a 256-bit symmetric key using authenticated encryption before storage. Decryption requires the server-side key, which is not stored in the database.
  • Password hashing - Passwords are hashed using bcrypt with a sufficient cost factor. We cannot recover your password.
  • HTTPS everywhere - All traffic between your browser and our servers is encrypted in transit using TLS 1.2 or higher via a Let's Encrypt certificate.
  • Access controls - Database access is restricted to the application server only. No external database access is permitted.
  • Dotfile and directory protection - Sensitive server directories (configuration files, includes) are blocked from web access at the server level.
  • Session security - Sessions use HttpOnly and SameSite=Lax cookie flags to mitigate XSS and CSRF risks. Sessions are invalidated on logout.

Despite these measures, no system can guarantee absolute security. In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by applicable law, without undue delay.

05
Third-Party Services

We integrate with a limited number of third-party services, each of which has its own privacy policy. We share only the minimum data necessary for each integration to function:

Stripe
Payment processing for card subscriptions. Stripe receives your display name and email address (for customer creation) and handles all card data directly. We never see your card number, CVV, or bank details. Stripe is PCI-DSS Level 1 certified. Stripe Privacy Policy
CoinGate
Crypto payment processing. CoinGate receives only a charge amount, order reference, and callback URL. No personal account data beyond what is necessary to create and track the payment order is shared. CoinGate Privacy Policy
Resend
Transactional email delivery. All outbound emails (account verification, trial activation, payment confirmations) are sent via Resend's SMTP infrastructure. Resend receives the recipient email address, display name, and email content. Resend Privacy Policy
Telegram
Optional notification delivery. If you connect Telegram, we send trade alerts and bot status updates to your chat ID via the Telegram Bot API. No personal data beyond your Telegram chat ID is transmitted. Telegram Privacy Policy
Google Fonts
Typography. Our interface loads fonts from fonts.googleapis.com. When your browser requests fonts, your IP address is transmitted to Google. Google may use this data in accordance with their privacy policy. No other personal data is shared. Google Privacy Policy
Polymarket
Your encrypted API credentials are decrypted in memory and used solely to make API calls to Polymarket's CLOB API on your behalf. No personal data about you beyond what your own Polymarket account contains is transmitted to Polymarket.

We do not use advertising networks, social media tracking pixels, Google Analytics, or any behavioural analytics scripts.

06
Cookies & Session Data

We use only strictly necessary session cookies. We do not use advertising cookies, tracking cookies, or any form of cross-site tracking.

  • User session cookie (botjinn_sess) - a server-side PHP session cookie set when you log in. It is used to identify your authenticated session. It expires when you close your browser or when you log out. It is flagged HttpOnly (inaccessible to JavaScript) and SameSite=Lax.
  • Admin session cookie (botjinn_admin) - equivalent cookie for administrator access, set only if you have admin privileges and are logged into the admin panel.

Because we use only strictly necessary cookies required for the Service to function, we are not required to display a cookie consent banner under the ePrivacy Directive. No cookies are set before you log in, and no cookies are used to track you across other websites.

07
Data Retention

We retain your data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

  • Account data (username, email, password hash) - retained for the lifetime of your account and deleted within 30 days of a confirmed account deletion request.
  • Polymarket API credentials - deleted immediately upon account deletion or when you remove them from the Settings page.
  • Subscription records - retained for up to 7 years after subscription end to comply with financial and tax record-keeping obligations.
  • Authentication logs (login, logout, failed attempts, IP addresses, user-agents) - automatically deleted after 30 days.
  • Page visit logs (IP addresses, page paths, user-agents, referrers) - automatically deleted after 30 days.
  • Web server access logs - automatically rotated and deleted after 14 days.
  • Email verification tokens - deleted immediately upon successful verification or automatically after 30 minutes if unused.
  • Bot configuration and run state - retained for the lifetime of your account and deleted within 30 days of account deletion.

When data is deleted, it is permanently and irreversibly removed from our systems. We do not maintain "soft delete" backups of personal data beyond our standard backup rotation window of 7 days.

08
Your Rights
Under the GDPR and other applicable data protection laws, you have meaningful rights over your personal data. We are committed to honouring these rights promptly and without charge.

You have the following rights regarding your personal data:

Right of Access
Request a copy of all personal data we hold about you (Art. 15 GDPR).
Right to Rectification
Request correction of inaccurate or incomplete personal data (Art. 16 GDPR).
Right to Erasure
Request deletion of your personal data ("right to be forgotten") where no legal retention obligation applies (Art. 17 GDPR).
Right to Restriction
Request that we restrict processing of your data in certain circumstances (Art. 18 GDPR).
Right to Portability
Receive your data in a structured, machine-readable format (Art. 20 GDPR).
Right to Object
Object to processing based on legitimate interests at any time (Art. 21 GDPR).
Right to Withdraw Consent
Withdraw consent for optional processing (e.g. Telegram) at any time without affecting prior lawful processing.
Right to Lodge a Complaint
Lodge a complaint with your local data protection supervisory authority if you believe we have mishandled your data.

To exercise any of these rights, contact us at the address in Section 12. We will respond within 30 days. Identity verification may be required before we act on a request. Exercising these rights will not affect your right to continue using the Service, except where the data is strictly necessary for the Service to operate.

09
Children's Privacy
BotJinn is not intended for use by anyone under the age of 18.

We do not knowingly collect personal data from individuals under the age of 18. If you are under 18, you must not create an account or use the Service. If we become aware that we have inadvertently collected personal data from a person under 18, we will delete that data immediately.

If you believe a minor has created an account with us, please contact us immediately at the address in Section 12.

10
International Data Transfers

Our servers are located within the European Union. If you access the Service from outside the EU, your personal data may be transferred to and processed in a country that may not have equivalent data protection laws to those in your jurisdiction.

Where we share data with third-party processors outside the EEA (for example, Stripe and Coinbase Commerce, which may process data in the United States), we ensure appropriate safeguards are in place, such as:

  • Reliance on Standard Contractual Clauses approved by the European Commission.
  • Transfers to recipients certified under adequacy decisions where applicable.
  • Stripe and Coinbase are each subject to regulatory oversight and maintain their own GDPR-compliant data transfer mechanisms, as detailed in their respective privacy policies.

By using the Service, you acknowledge and consent to such transfers to the extent they are necessary to provide the Service to you.

11
Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Service itself. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • Display a notice within the platform when you next log in, for changes that materially affect your rights or our data practices.

Your continued use of the Service after any change to this Privacy Policy constitutes your acceptance of the updated terms. If you do not agree to the updated policy, you must stop using the Service and may request deletion of your account and data.

We encourage you to review this policy periodically. Archived versions of this policy are available on request.

12
Contact Us

For any privacy-related questions, data subject access requests, or complaints regarding our handling of your personal data, please contact us:

We will acknowledge your request within 5 business days and provide a full response within 30 days. If your request is complex or you have submitted multiple requests, we may extend this period by a further two months, in which case we will notify you.

If you are located in the European Union and are unsatisfied with our response, you have the right to lodge a complaint with your national data protection authority (for example, the Garante per la protezione dei dati personali in Italy, or the relevant authority in your country of residence).

By using BotJinn, you confirm that you have read and understood this Privacy Policy. For questions or to exercise your data rights, contact [email protected].
Return to Home