Privacy Policy
How Deribook collects, uses, and protects your personal data — compliant with the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP).
Table of Contents
1. Introduction & Data Controller
This Privacy Policy (“Policy”) describes how SoftFin Tech SA(“Company”, “we”, “us”, or “our”), a company registered under the laws ofSwitzerland, collects, uses, shares, and protects personal data when you use the Deribook platform, including its website, application, APIs, and all related services (collectively, the “Service”).
SoftFin Tech SA acts as the data controller within the meaning of the EU General Data Protection Regulation (“GDPR”) and the Swiss Federal Act on Data Protection (“FADP” / “nFADP”) for all personal data processed through the Service.
Switzerland has been recognized by the European Commission as providing an adequate level of data protection. We process data in accordance with both the GDPR and the Swiss FADP to ensure the highest standard of privacy for all users, regardless of their location.
2. Information We Collect
We collect only the minimum personal data necessary to provide, improve, and secure the Service. The categories of data we collect are:
Account Information
When you create an account, we collect your email address, display name, and authentication credentials. If you authenticate via a third-party provider (e.g., Google), we receive your name, email address, and profile picture from that provider. We also store your account preferences, dashboard configurations, and notification settings.
Exchange API Keys
You may provide read-only API keys from supported cryptocurrency exchanges (currently Deribit). These keys are encrypted using AES-256 encryption at rest and stored exclusively in server-side collections — they are never exposed to client-side code. API keys are used solely to retrieve your trading data from the exchange on your behalf.
Trading Data
When you link an exchange account, we retrieve and process trading data including positions, trade history, order history, portfolio balances, and margin information. This data is used exclusively to provide analytics and display dashboards within the Service.
Usage & Device Data
We automatically collect technical information such as your IP address, browser type and version, operating system, device identifiers, referring URLs, pages visited, time spent on pages, and interaction patterns. This data is collected via cookies and similar technologies, subject to your consent where required.
3. How We Collect Your Data
We collect personal data through the following means:
- Directly from you — when you create an account, submit API keys, configure dashboard settings, adjust preferences, or contact our support team.
- Automatically — through cookies, server logs, and similar technologies when you access and interact with the Service (subject to your cookie preferences).
- From third-party exchanges — when you authorize us to retrieve trading data via the read-only API keys you provide.
- From authentication providers — when you sign in using a third-party identity provider (e.g., Google), we receive basic profile information from that provider.
4. Legal Basis for Processing
Under GDPR Article 6 and the Swiss FADP, we process your personal data on the following legal bases:
Contract Performance (Art. 6(1)(b) GDPR)
Processing necessary to provide the Service you have requested — including account management, API key storage, trading data retrieval, and analytics computation.
Legitimate Interests (Art. 6(1)(f) GDPR)
Processing necessary for our legitimate interests, such as improving the Service, ensuring security and fraud prevention, performing internal analytics, and maintaining platform stability — provided these interests are not overridden by your rights and freedoms.
Consent (Art. 6(1)(a) GDPR)
Where we rely on your consent — for example, for analytics cookies, marketing cookies, and optional product communications — you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing performed prior to withdrawal.
Legal Obligations (Art. 6(1)(c) GDPR)
Processing necessary to comply with applicable legal or regulatory requirements, such as tax, accounting, or anti-money-laundering obligations.
5. How We Use Your Data
We use the personal data we collect for the following purposes:
- Service delivery — Providing portfolio analytics, Greeks calculations, P&L tracking, risk metrics, and customizable dashboards.
- Account management — Creating and managing your user account, processing linked exchange accounts, and maintaining authentication sessions.
- Security — Detecting and preventing unauthorized access, fraud, abuse, and security incidents. Monitoring for suspicious activity and enforcing our Terms of Service.
- Communication — Sending transactional emails (e.g., account verification, password resets, security alerts), and, where you have opted in, product updates and feature announcements.
- Improvement & analytics — Analyzing aggregated and anonymized usage patterns to improve platform performance, identify bugs, and develop new features. Where analytics cookies are used, this is subject to your consent.
- Legal compliance — Fulfilling our obligations under applicable laws, resolving disputes, and enforcing our agreements.
Important: We do not use your trading data, positions, or analytics for any purpose other than providing the Service to you. We do not aggregate your trading data to derive trading signals, offer financial advice, or share insights with third parties.
6. API Key Handling & Security
Given the sensitive nature of exchange API keys, we apply the following security measures:
- ■Encryption at rest: All API keys are encrypted using AES-256 encryption before storage.
- ■Server-side only: API keys are stored in server-only database subcollections and are never transmitted to or accessible from client-side code.
- ■Encryption in transit: All data is transmitted over TLS 1.3 encrypted connections.
- ■Read-only access: We only accept API keys with read-only permissions. We do not request or accept keys that grant trading, withdrawal, or other write capabilities.
- ■Immediate deletion: When you unlink an exchange account or delete your Deribook account, the associated API keys are permanently deleted from our systems.
7. Data Sharing & Third Parties
We do not sell, rent, or trade your personal data. We share data only in the limited circumstances described below:
Infrastructure & Hosting
Google Cloud Platform / Firebase (authentication, database, cloud functions) and Vercel (hosting, edge network). These providers process data on our behalf under data processing agreements.
Analytics & Error Tracking
Google Analytics (usage analytics), Sentry (error monitoring), and Hotjar (session recordings and heatmaps). These services are activated only with your explicit consent via our cookie banner. See our Cookie Policy for details.
Exchange APIs
Deribit (and, in the future, additional exchanges). Your API keys are transmitted to the exchange API solely to retrieve your trading data. We do not share your personal data with exchanges — only the API credentials you yourself created on those platforms.
Legal & Regulatory
We may disclose personal data if required by applicable law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of SoftFin Tech SA, our users, or the public.
All third-party service providers are bound by contractual obligations to protect your personal data and are permitted to use it only for the specific purposes for which it was shared.
8. International Data Transfers
SoftFin Tech SA is based in Switzerland, which the European Commission has recognized as providing an adequate level of data protection (Commission Decision 2000/518/EC as updated). Your data may also be processed by sub-processors located in the United States and other countries.
For transfers to countries without an adequacy decision, we rely on appropriate safeguards including:
- Standard Contractual Clauses (SCCs) approved by the European Commission, as adopted by our sub-processors (Google, Vercel, Sentry).
- Supplementary measures such as encryption of data in transit and at rest, as recommended by the EDPB.
- Data Processing Agreements with all sub-processors, requiring them to protect your data in accordance with GDPR and Swiss FADP standards.
You may request a copy of the safeguards in place by contacting us at privacy@deribook.com.
9. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this Policy, or as required by law. Our retention periods are as follows:
- ■Account data — retained while your account is active and for 30 days after account deletion.
- ■API keys — deleted immediately upon unlinking or account deletion.
- ■Trading data — deleted within 30 days of account deletion. Anonymized, aggregated analytics may be retained indefinitely for statistical purposes.
- ■Usage & device data — retained for up to 26 months, or shorter where mandated by applicable law.
- ■Legal & compliance records — retained for the period required by applicable Swiss and EU law (up to 10 years for certain financial and tax records).
10. Your Rights
Under the GDPR and the Swiss FADP, you have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR) — You may request a copy of the personal data we hold about you, together with information on how it is processed.
- Right to rectification (Art. 16 GDPR) — You may request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17 GDPR) — You may request deletion of your personal data where there is no compelling reason for its continued processing.
- Right to data portability (Art. 20 GDPR) — You may request your personal data in a structured, commonly-used, machine-readable format.
- Right to restriction (Art. 18 GDPR) — You may request restriction of processing in certain circumstances (e.g., while we verify the accuracy of your data).
- Right to object (Art. 21 GDPR) — You may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
- Right to withdraw consent — Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of prior processing.
How to exercise your rights: Send a request to privacy@deribook.com. We will respond within 30 days (extendable by a further 60 days for complex requests, with notice). We may ask you to verify your identity before processing your request. You also have the right to manage core data (email, display name, linked accounts) directly in your account settings.
Right to lodge a complaint: If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) at www.edoeb.admin.ch, or with the relevant supervisory authority in your country of residence if you are located in the EU/EEA.
11. US State Privacy Laws
If you are a resident of California, Virginia, Colorado, Connecticut, or another US state with a comprehensive privacy law, you may have additional rights regarding your personal information.
California (CCPA/CPRA)
SoftFin Tech SA does not sell your personal information. However, our use of certain marketing cookies, when you consent to them, may constitute “sharing” of personal information for cross-context behavioural advertising under the CCPA/CPRA. You may opt out by:
- Rejecting marketing cookies via our cookie banner
- Updating your preferences on our Cookie Policy page
- Enabling Global Privacy Control (GPC) in your browser
California residents may also request to know what personal information we have collected, request deletion, and request correction. We will not discriminate against you for exercising these rights. To make a request, contact privacy@deribook.com. We will respond within 45 days.
Virginia, Colorado & Connecticut
Residents of Virginia (VCDPA), Colorado (CPA), and Connecticut (CTDPA) have similar rights to access, delete, and correct their personal data, as well as the right to opt out of targeted advertising and the sale of personal data. Colorado and Connecticut also require us to honour Global Privacy Control signals. To exercise your rights, contact privacy@deribook.com.
For more details on how we use cookies and how to control them, see our Cookie Policy.
13. Children's Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a person under 18, we will take steps to delete such data promptly. If you believe that we may have collected data from a minor, please contact us at privacy@deribook.com.
14. Data Security
We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- ■AES-256 encryption for all API keys at rest
- ■TLS 1.3 encryption for all data in transit
- ■Firebase Authentication with support for two-factor authentication (2FA)
- ■Server-side-only storage of sensitive credentials — never exposed to client code
- ■Access controls and principle of least privilege for internal systems
- ■Regular security reviews and monitoring
While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is 100% secure. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the competent supervisory authority without undue delay, in accordance with GDPR Article 33 and 34.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Post the updated Policy on the Service with a revised “last updated” date.
- Notify you via email and/or a prominent notice on the platform at least 30 days before the changes take effect.
- Where changes affect processing based on consent, obtain renewed consent where required by law.
We encourage you to review this Policy periodically. Your continued use of the Service after the updated Policy becomes effective constitutes your acknowledgment of the changes.
16. Contact Information
For any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:
SoftFin Tech SA
Registered in Switzerland
Privacy inquiries: privacy@deribook.com
General legal: legal@deribook.com
Website: deribook.com
Supervisory authority: You may also contact the Swiss Federal Data Protection and Information Commissioner (FDPIC) at www.edoeb.admin.ch, or the data protection authority in your country of residence if you are located in the EU/EEA.
Questions about this document?
Contact our legal team at legal@deribook.com