Makerless — Privacy Policy
Last updated: when first published
The legal text is published in English as the binding version. Translations will follow after legal review.
This Privacy Policy explains what personal data Digitap World SRL ("we," "us"), a Romanian company with registered office in Cluj-Napoca and EU VAT number RO37932232, processes in connection with Makerless, in what role, and what your rights are. It is written to comply with Regulation (EU) 2016/679 ("GDPR"), Directive 2002/58/EC ("ePrivacy"), and Romanian Law 190/2018.
1. Our role
For most of the data you generate while using Makerless — trading data, conversations with Claude, strategy parameters, PnL, order flow, fills, and any personal data your operation may touch — you are the data controller, and that data lives entirely on infrastructure you own (your droplet). We have no routine access to it.
For the narrow set of account and operational data listed in Section 3 below, we are the data controller.
Where you ask us to access your droplet for incident response, onboarding, or other support — and only then — we act as your processor under Article 28 GDPR, governed by a written Data Processing Agreement (DPA).
For encrypted backup blobs stored on our infrastructure, we hold ciphertext that we cannot decrypt. If those blobs contain personal data for which you are controller, we process that ciphertext on your behalf for backup and recovery only.
2. Data Protection Officer and EU representative
We have not appointed a Data Protection Officer under Article 37 GDPR, as our processing activities do not meet the mandatory thresholds. We are established in the European Union, so an Article 27 representative is not required. We maintain written records of processing activities under Article 30 GDPR, available to the supervisory authority on request. For all privacy questions, contact privacy@makerless.com.
3. Data we collect, purpose, legal basis
All data below is collected directly from you (GDPR Art. 13). We do not buy or enrich personal data from data brokers.
| Category | Examples | Purpose | Legal basis |
|---|---|---|---|
| Account | Email, passkey public key, registration timestamp, business-customer confirmation | Provide the service | Art. 6(1)(b) — contract |
| Payment metadata | Payment provider transaction IDs, invoice numbers, VAT details, billing country | Issue invoices, comply with VAT law | Art. 6(1)(c) — legal obligation (Romanian fiscal law) |
| Token attestation | Contract address, signing wallet address, signature, attestation timestamp | Fraud and market-abuse prevention | Art. 6(1)(f) — legitimate interest |
| Subscription | Active plan, add-ons, license file content, renewal status | Manage your subscription | Art. 6(1)(b) — contract |
| Operational metadata | Droplet provisioning events, license renewals, edge SNI lookups (which subdomain), aggregate connection counts | Operate and secure the service | Art. 6(1)(f) — legitimate interest |
| Sanctions/fraud screening | Name/email/wallet matched against EU, UN, OFAC, UK sanctions lists | Sanctions compliance, fraud prevention | Art. 6(1)(c) and Art. 6(1)(f) |
| Support | Tickets, your messages to us, our replies | Provide support | Art. 6(1)(b) — contract |
| Strictly necessary cookies and local storage | CSRF/session cookies, cookie-consent state, locale preference, theme preference | Make the site work and remember necessary preferences | Art. 6(1)(f); ePrivacy "strictly necessary" exemption |
| Encrypted backup storage | Encrypted backup ciphertext and storage metadata | Disaster recovery | Art. 6(1)(b) — contract; where customer-controller personal data is included, Art. 28 GDPR processor terms |
3.1 Legitimate-interest balancing
For categories relying on legitimate interest, we have weighed our interest in operating, securing, and protecting the service against your interests, rights, and freedoms. The data is minimal, related to operating a service you actively requested, and you may object at any time (see Section 7).
4. Data we do not collect
| Category | Why |
|---|---|
| Exchange API keys | Encrypted in your browser before transmission; we hold ciphertext briefly and never persist |
| Trading conversations | TLS-terminated inside your droplet; our edge is L4-only |
| Strategy parameters | Live on your droplet |
| Order flow, fills, PnL | Live on your droplet |
| Telegram bot tokens | PRF-encrypted at rest on your droplet |
| Passwords | We have none — passkey-only authentication |
| Analytics / advertising / tracking data | No Google Analytics, no Meta Pixel, no third-party trackers |
| Special categories (Art. 9) | Not collected |
5. Cookies and similar technologies
We use only strictly necessary cookies and browser storage. This includes CSRF/session protection, cookie-consent state, locale preference, and theme preference. They are exempt from consent under ePrivacy because they are required to deliver a service you have explicitly requested or to remember necessary interface preferences. We do not use analytics, advertising, fingerprinting, or third-party trackers. If we ever add non-essential cookies or storage, we will request your prior, freely-given, specific consent and you will be able to withdraw it at any time.
6. Automated decision-making and profiling
We do not use personal data to make decisions about you based solely on automated processing that produce legal or similarly significant effects (GDPR Art. 22). Trading automation runs on your infrastructure under your configuration, your exchange credentials, and any customer-selected AI agent you authorize. We do not profile you for marketing purposes.
7. Your rights under GDPR
You have the right to:
- Access the data we hold about you (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data (Art. 17), subject to our legal retention obligations on payment and invoicing records
- Restrict processing (Art. 18)
- Data portability (Art. 20) — receive your data in a machine-readable format
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time where consent is the basis, without affecting prior processing
- Lodge a complaint with the Romanian DPA (ANSPDCP — Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal, B-dul G-ral. Gheorghe Magheru 28-30, Bucureşti, anspdcp.ro) or your local supervisory authority
We will respond to verifiable requests within thirty (30) days and may extend by up to sixty (60) further days for complex requests, with notice. Submit requests to privacy@makerless.com.
Where we process your data on the basis of consent, you may withdraw at any time by emailing privacy@makerless.com or via your dashboard settings. Withdrawal does not affect processing carried out before your withdrawal took effect.
8. Sub-processors
We use a small number of sub-processors. We have a Data Processing Agreement (or equivalent contractual protection) with each. The list below is current, and we will give thirty (30) days' notice before adding any new sub-processor in respect of customer personal data processed under a DPA.
- Stripe Payments Europe Ltd (Ireland) — card and SEPA payments
- NOWPayments (Estonia) — cryptocurrency payments
- Smartbill (Romania) — invoice issuance and eFactura submission
- Hetzner Online GmbH (Germany) — DNS and edge infrastructure
- DigitalOcean LLC (USA) — encrypted backup ciphertext storage
- Resend Inc. (USA) — transactional email sending and delivery
Anthropic/Claude is a customer-selected third-party service. Claude connects to your executor using credentials and settings you control; Anthropic is not our sub-processor unless we separately contract with Anthropic to process personal data on our behalf for a specific feature.
9. International transfers
Primary processing is within the European Union (Romania, Germany, Ireland, Estonia). Some sub-processors are established in the United States (including DigitalOcean, depending on the selected region and contracting entity). Where personal data is transferred outside the EU/EEA, the transfer is protected by:
- European Commission Standard Contractual Clauses (Decision 2021/914) where adequacy is not in place;
- supplementary technical measures, including end-to-end encryption with keys held inside the EU — DigitalOcean stores only ciphertext that we cannot decrypt; and
- a transfer impact assessment ("Schrems II" TIA) on each US sub-processor.
Where the receiving country is the subject of an adequacy decision under Art. 45 GDPR (e.g., the EU-US Data Privacy Framework, while in force, for participating recipients), the transfer relies on that decision.
Transfers to customer-selected third-party services, such as Anthropic/Claude, are governed by your relationship with that provider.
10. Retention
| Data | Retention | Basis |
|---|---|---|
| Account data | For the life of your account, plus 90 days after closure | Contract, dispute window |
| Payment metadata, invoices | 10 years | Romanian Accounting Law 82/1991, Art. 25 |
| Token attestations | For the life of your account | Fraud prevention |
| Encrypted backups | 3 months (standard) or 12 months (paid add-on) from creation; deleted immediately on account deletion if deletion occurs within the 90-day post-closure grace period | Contract |
| Operational metadata | 90 days | Operational necessity |
| Support tickets | 2 years from resolution | Service-quality and limitation periods |
| Sanctions-screening records | 5 years | EU/RO sanctions compliance practice |
11. Data export and deletion
You can export your account data at any time from the dashboard. Account deletion is self-service from the dashboard — it terminates your subscription, deletes account and operational metadata after the 90-day grace period, and deletes encrypted backup ciphertext immediately. Payment and invoicing records are retained as required by Romanian fiscal law.
12. Children
Makerless is not directed to persons under the age of 18 and we do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact privacy@makerless.com and we will delete it.
13. Security
The full security posture is described on the Security page. In short: passkey-only authentication, AES-256-GCM for all customer ciphertext, Ed25519 signatures for licenses and reports, TLS 1.3 in transit, no SSH or admin channel to customer infrastructure in normal operation.
14. Data breach notification
Where a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the Romanian supervisory authority (ANSPDCP) within 72 hours of becoming aware (Art. 33 GDPR). Where the breach is likely to result in a high risk to you, we will also notify you without undue delay (Art. 34 GDPR).
Where we process personal data on your behalf as processor, we will notify you without undue delay after becoming aware of a personal data breach affecting that processor data.
15. Changes to this Policy
Material changes will be announced by email at least thirty (30) days before they take effect.
16. Contact
Digitap World SRL
Cluj-Napoca, Romania
EU VAT: RO37932232
privacy@makerless.com