Privacy Policy

Last updated: 19 May 2026

At ArrowTrade AG (“we,” “us,” or “our”), privacy and security are fundamental to our architecture. As the provider of unCoded, a non-custodial software solution, we have designed our system to collect as little data as possible and to never have access to your trading funds or private keys.

This Privacy Policy explains how we collect, use, store, disclose, and protect your personal data when you visit the website at uncoded.ch (the “Website”), use the unCoded software (the “Software”), subscribe to our newsletter, or otherwise interact with us.

We process personal data in accordance with the General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection (FADP), and other applicable laws.

We do not knowingly allow children (persons under the age of 18) to sign up for an unCoded account, and we do not knowingly process children’s personal data. If we discover that a person under 18 has registered for an account, we will take appropriate measures to promptly remove their personal data from our systems. If you believe an underage person has signed up, please contact us at the address in Section 1.

1. Data Controller

The entity responsible for processing your personal data is:

ArrowTrade AG
Nordstrasse 2
3900 Brig-Glis
Switzerland

Email: [email protected]

2. EU Representative (Art. 27 GDPR)

As ArrowTrade AG is established in Switzerland, we have appointed the following representative in the European Union in accordance with Art. 27 GDPR:

TAASC GmbH
Helgolandstr. 1
01097 Dresden
Germany

Email: [email protected]

3. What We Do NOT Collect

To establish trust and security, we want to be clear about what we do not touch:

  • Exchange API keys: Your Binance API keys are stored locally on your own server instance (e.g., your VPS). They are never transmitted to or stored on our servers.
  • Trading funds: We do not have custody of, or access to, your cryptocurrency holdings or exchange balances.
  • Private keys or wallet seeds: We never request, receive, or store wallet private keys or recovery phrases.
  • Full payment card details: Payment card information is processed by our payment provider Stripe and is not stored on our servers.

4. Categories of Personal Data We Process

We may obtain and process the following categories of your personal data:

4.1 Account Data

For account creation and management via Google Sign-In:

  • Email address
  • Name
  • Unique Google identifier
  • Account creation date, last login

4.2 Trading Connection Data

For connecting and verifying your Binance account:

  • Binance User ID (UID)
  • Account verification status
  • Profit Share calculation data (based on realised trading profits reported via the Binance API)

We never receive or store your Binance API keys.

4.3 Payment Data

For Test License purchases and License Balance top-ups via Stripe:

  • Transaction identifiers
  • Billing information (country, postal code as required for VAT determination)
  • Payment status

Full card details are processed by Stripe and not stored on our servers.

4.4 Communication Data

If you contact us via email, Telegram, social media, or other channels:

  • Your name, email address, or messaging handle
  • Date, time, and content of your message
  • Conversation history

4.5 Marketing Data

If you request the “Smart Money Protocol” lead magnet, subscribe to our newsletter, or interact with our marketing:

  • First name, last name, email address
  • Given and withdrawn consents
  • Engagement data (e.g., email opens, link clicks)
  • UTM parameters and referral sources
  • Survey responses

4.6 Technical Data

When you visit the Website or use the Software:

  • IP address
  • Device information (type, model, operating system, browser type and version, language)
  • Log data (referring URL, timestamp, pages visited)
  • Approximate location (down to city level, derived from IP)

4.7 Usage Data

When you use the Website or the Software:

  • Pages visited, features used, actions taken
  • Session duration and frequency
  • Error logs

4.8 Cookie Data

When you visit the Website, we use cookies and similar technologies. For details, please refer to our Cookies Notice.

5. Purposes of Processing and Legal Bases

We process your personal data lawfully and transparently, only where we have a legal basis under Art. 6 GDPR and the FADP:

5.1 Performance of contract (Art. 6(1)(b) GDPR)

  • Creating and managing your Account
  • Providing the Software and related dashboard functionality
  • Calculating and settling the Profit Share
  • Processing payments and managing your License Balance
  • Providing customer support
  • Monitoring the fulfilment of our Terms of Service

Data categories used: Account Data, Trading Connection Data, Payment Data, Communication Data, Technical Data, Usage Data.

5.2 Consent (Art. 6(1)(a) GDPR)

  • Sending newsletters and marketing communications
  • Use of analytics and marketing cookies
  • Delivering lead magnets (e.g., the “Smart Money Protocol”)

Data categories used: Account Data, Marketing Data, Cookie Data.

You may withdraw your consent at any time with effect for the future, by using the unsubscribe link in our emails, by adjusting cookie settings, or by contacting us at the address in Section 1.

5.3 Legitimate interest (Art. 6(1)(f) GDPR)

  • Ensuring the security and integrity of our IT systems and the Website
  • Detecting and preventing fraud, abuse, and unauthorised access
  • Improving the Website, the Software, and the user experience
  • Sending service updates and information about new features to existing users
  • Establishing, exercising, or defending legal claims
  • Conducting due diligence in case of a corporate transaction (merger, acquisition)
  • Disclosing data to professional advisors

Data categories used: All data categories, depending on the specific purpose.

5.4 Legal obligation (Art. 6(1)(c) GDPR)

  • Compliance with accounting and tax retention obligations
  • Responses to lawful requests from supervisory or law enforcement authorities

Data categories used: Account Data, Payment Data, Communication Data, as applicable.

6. Third-Party Service Providers

We use specialised service providers who act as data processors under Art. 28 GDPR and are bound by data processing agreements:

  • Google (Ireland/USA): Authentication via Google Sign-In, Google Analytics, embedded YouTube content.
  • Stripe (USA/Ireland): Payment processing for Test License purchases and License Balance top-ups.
  • Brevo / Sendinblue (France): Email delivery, newsletter management, CRM functionality.
  • Vercel (USA): Website hosting and deployment.
  • Cloudflare (USA): Bot protection (Turnstile) on Website forms, DNS, and content delivery.
  • Meta Platforms / Facebook (USA): Meta Pixel for advertising measurement and retargeting on Facebook and Instagram.
  • Microsoft (Ireland/USA): Internal communication and productivity (where applicable).

7. International Data Transfers

Some of our service providers are based outside the European Economic Area (EEA) and Switzerland. We ensure that your personal data is adequately protected through the following safeguards:

  • Google (USA): EU-U.S. Data Privacy Framework certification and Standard Contractual Clauses (SCCs).
  • Stripe (USA): EU-U.S. Data Privacy Framework certification.
  • Vercel (USA): EU-U.S. Data Privacy Framework certification.
  • Cloudflare (USA): EU-U.S. Data Privacy Framework certification.
  • Meta Platforms (USA): EU-U.S. Data Privacy Framework certification and Standard Contractual Clauses (SCCs).
  • Brevo (France/EEA): No third-country transfer required.

For Swiss residents: Under Art. 16 of the Swiss FADP, we ensure adequate safeguards for all international data transfers through the Swiss-U.S. Data Privacy Framework, Standard Contractual Clauses, and other recognised mechanisms.

A copy of the safeguards applied can be made available on request to the contact details set out in Section 1.

8. Data Retention

We retain your personal data only for as long as necessary for the purposes outlined in this policy or as required by law:

  • Account Data: As long as your Account is active; deleted within 30 days after Account deletion, subject to legal retention obligations.
  • Trading Connection Data (Binance UID): As long as your license is active.
  • Payment Data: 10 years (Swiss tax and accounting retention obligations under the Swiss Code of Obligations).
  • Communication Data: Up to 6 years from the end of the communication, to establish, exercise, or defend legal claims.
  • Marketing Data: Until you unsubscribe or withdraw consent. After withdrawal, we retain a record of the withdrawal for up to 6 years for administrative purposes.
  • Server logs / Technical Data: Up to 30 days, unless required for security investigation.
  • Google Analytics: 14 months.
  • Meta Pixel data: 90 days.
  • Cookies: As specified in our Cookies Notice.

After the retention period expires, we delete or anonymise the data unless retention is required by law or for the establishment, exercise, or defence of legal claims.

9. Security of Your Personal Data

We take reasonable technical and organisational security measures designed to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or other unlawful processing. These measures include encryption in transit (TLS), access controls, regular security reviews, and isolation of sensitive systems.

However, no security measure is 100% effective. We cannot guarantee absolute security of your data.

We strongly recommend that you take measures to protect your account, including:

  • Enabling two-factor authentication on your Google account;
  • Keeping your Binance API credentials confidential;
  • Using a secure password manager;
  • Avoiding the use of unsecured public Wi-Fi for account access.

10. Your Rights

Under the GDPR and the FADP, you have the following rights with respect to your personal data:

  • Right of access: You may request confirmation of whether we process your personal data, and if so, request access to that data.
  • Right to rectification: You may request correction of inaccurate or incomplete personal data.
  • Right to erasure: You may request deletion of your personal data, provided no legal retention obligations apply.
  • Right to restriction: You may request that we restrict the processing of your personal data in certain circumstances.
  • Right to data portability: You may request to receive your personal data in a structured, commonly used, machine-readable format, where processing is based on consent or contract and carried out by automated means.
  • Right to object: You may object to processing based on our legitimate interests, including for direct marketing purposes.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time with effect for the future.
  • Right not to be subject to automated decision-making: We do not engage in automated decision-making that produces legal effects concerning you.

To exercise these rights, please contact us at [email protected]. We will respond within one month of receipt of your request. If your request is complex or numerous, we may extend this period by up to two further months and will inform you of the extension.

11. Right to Lodge a Complaint

If you believe that our processing of your personal data violates data protection law, you have the right to lodge a complaint with a supervisory authority:

12. Automated Decision-Making and AI

We do not engage in automated decision-making that produces legal effects concerning you or similarly significantly affects you within the meaning of Art. 22 GDPR.

We may use AI-based tools (such as customer support assistants) to enhance user experience. Where these tools process personal data, processing is limited to the purposes set out in Section 5 and is subject to the safeguards described in this Policy.

13. Links to External Websites

The Website may contain links to external websites or services not operated by us. This Privacy Policy applies only to the data we process. We have no control over the content or privacy practices of third-party websites and cannot accept responsibility for them. Please review their privacy policies separately.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our processing activities or legal requirements. The current version is always available on this page with a revised “Last updated” date. For material changes, we will notify you by email or through the Website.

15. Contact

For any questions, requests, or complaints regarding this Privacy Policy, please contact us:

ArrowTrade AG
Nordstrasse 2
3900 Brig-Glis
Switzerland

Email: [email protected]

EU Representative (Art. 27 GDPR):

TAASC GmbH
Helgolandstr. 1
01097 Dresden
Germany

Email: [email protected]

    Privacy Policy | unCoded by ArrowTrade AG