Privacy Policy
1. Data controller
vorepo ("we", "us") is the operator of this Platform. The platform is currently run as a personal initiative based in Poland (EU); entity details will be published here soon. Until then, the natural-person operator is the data controller for the purposes of GDPR (Art. 4(7)).
For all privacy matters — access, rectification, erasure, portability, objection, complaint — contact [email protected]. We respond within 30 days.
You also have the right to lodge a complaint with the Polish Data Protection Authority (Urząd Ochrony Danych Osobowych — UODO, uodo.gov.pl) or the supervisory authority in your country of residence.
2. Data we collect
We collect the minimum data needed to operate the Platform:
- Account data: email, chosen username, authentication tokens
- Financial data: USDC wallet addresses (Solana), deposit/withdrawal transactions, trade history, in-platform balance. Vorepo currently operates a custodial trading model — your USDC is held on a Vorepo-operated hot wallet while you trade (multisig hardening in active rollout). Custody architecture will evolve toward user-held wallets as the platform grows; details on /security.html.
- Security data (optional): TOTP secret (encrypted at rest) and bcrypt-hashed recovery codes if you enable two-factor authentication. Vorepo does not collect phone numbers — we use TOTP (Google Authenticator, Authy, Apple Passwords etc.) instead of SMS verification.
- Device data: IP address, user-agent, approximate geolocation (city-level from IP) used for fraud prevention
- Interaction data: page views, API calls, feature usage
If, in the future, regulatory thresholds require additional verification on heavy withdrawal volume (e.g. name, date of birth, country), we will notify you in advance and request the data only at that point. We do not collect identity documents today.
3. Purposes & legal basis
| Purpose | Legal basis |
|---|---|
| Provide trading functionality | Contract performance (Art. 6(1)(b)) |
| Account security & fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Platform analytics (aggregated) | Legitimate interest |
| Marketing emails (opt-in) | Consent (Art. 6(1)(a)) |
4. Sharing with third parties
- Solana network: on-chain transactions for USDC deposits and withdrawals are public by nature of the blockchain
- Email provider (transactional): account verification + withdrawal-confirmation codes only
- Cloudflare (CDN / DDoS protection): IP and request metadata for traffic routing
- Telegram (Mini App, optional): if you choose to access Vorepo from inside the Telegram app, Telegram receives the same data any web request reveals (IP, user-agent). Vorepo additionally receives your Telegram numeric user ID and (if you set one) your public Telegram username — used to authenticate you and link your Telegram session to your Vorepo account. The Mini App is currently in private beta; only invited testers can authenticate. See /security.html for the technical details (HMAC-SHA-256 validation of initData).
- Law enforcement: where legally compelled by valid court order
Optional analytics vendors used only after explicit consent via the cookie banner:
- Microsoft Clarity — session recordings, heatmaps, click tracking. Anonymous data only, no PII collected by default. Microsoft Privacy Statement.
- PostHog (EU Cloud) — product analytics, conversion funnels, web vitals. Hosted in EU (RODO/GDPR compliant). PostHog Privacy.
Both vendors load only after the user opts in via the cookie banner (Analytics category). If consent is rejected or revoked, these scripts are not loaded and no data is sent. Consent expires after 13 months per ePrivacy Directive — banner reappears for renewed choice. We do not currently share data with third-party KYC, sanctions-screening vendors, or behavioural-analytics vendors beyond those listed above.
5. Retention
We keep data only as long as necessary:
- Account data: while account is active
- Transaction data: 5 years from last activity (operational + audit)
- IP logs: 90 days
- Marketing: until opt-out
6. Security
Measures in place: bcrypt-hashed passwords (rounds=12), JWT with 7-day expiry, TLS 1.2+ in transit, encrypted backups, fail2ban on SSH, firewall-restricted DB. Optional two-factor authentication (TOTP) is available in account settings.
Password recovery is provided via email: clicking "Forgot password?" on the login page sends a one-time reset link to the registered address (valid 1 hour). We strongly recommend enabling 2FA so a compromised email cannot, on its own, take over the account.
7. Your rights (GDPR)
- Access — request a copy of your data (JSON export)
- Rectification — correct inaccurate data
- Erasure — delete (subject to AML 5-year retention for accounts with transactions)
- Portability — machine-readable export
- Restriction / objection — pause specific processing
- Withdraw consent — for any consent-based processing
- Complain — to your local data-protection authority (PL: UODO, NL: AP)
Exercise rights: email [email protected]. We respond within 30 days.
8. Cookies
We use the following cookie categories, presented via a granular consent banner on first visit:
- Necessary (always on, no consent required) — authentication session, CSRF tokens. Cannot be disabled; required for the Platform to work.
- Functional (opt-in) — theme preference, settings cache.
- Analytics (opt-in) — Microsoft Clarity + PostHog cookies. Only set after explicit Accept in the cookie banner. See vendor list in Section 4 above.
- Marketing — not used on Vorepo.
Consent expires after 13 months (ePrivacy Directive max). Revoke or change consent any time at /cookies.html.
9. International transfers
Primary processing in the EU. Cloudflare (CDN) routes traffic globally with edge caching; only request metadata is processed at edge nodes. No data is transferred to jurisdictions without adequacy decisions or appropriate safeguards.
10. Children
Vorepo is not for users under 18. We do not knowingly collect data from minors. Contact us if you believe a minor has registered.
11. Contact
Privacy inquiries: [email protected]