Privacy Policy

1. Data Controller

The data controller for the processing of your personal data is:

2. What Personal Data We Collect

We collect and process the following categories of data:

Website visitors (lazyeye.nl)

• IP address (for security and rate limiting)
• Browser type and device information (from server logs)
• Language and theme preferences (stored locally in your browser)

Dashboard users (app.lazyeye.nl)

• Email address (for account creation and communication)
• Password (stored as a bcrypt hash, never in plain text)
• AsterDex API keys (for bot operation)
• Wallet address (for trading)
• Trading activity and bot performance data
• Billing profile: full name, address, postal code, city, country, and optionally company name and VAT number

Contact form submissions

• Name, email address, and message content

3. Legal Basis for Processing

We process your data based on the following legal grounds:

• Contract performance (Art. 6(1)(b) GDPR) — processing your account data and API keys is necessary to provide the trading bot service.
• Legitimate interest (Art. 6(1)(f) GDPR) — server logs and IP addresses for security, fraud prevention, and service stability.
• Consent (Art. 6(1)(a) GDPR) — for any future analytics or marketing communications, we will ask your explicit consent first.

4. Data Retention

• Account data — retained for the duration of your account plus 12 months after deletion.
• Server logs — retained for a maximum of 90 days.
• Contact form messages — retained for up to 12 months after the inquiry is resolved.
• Financial records — retained for 7 years as required by Dutch tax law.

5. Data Sharing & Processors

We do not sell your personal data. We share data only with the following parties, under appropriate agreements:

• Hosting provider — Hetzner — server hosting in Europe (Germany)
• AsterDex — your API keys are used to execute trades on your behalf; we do not share other personal data with AsterDex
• Mollie — payment processing for iDEAL and SEPA Direct Debit (billing data only)
• TransIP — email delivery for transactional emails (invoices, notifications)

All data is stored on servers located in the European Union (Germany). No personal data is transferred outside the European Economic Area (EEA).

6. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of access — request a copy of your data
• Right to rectification — correct inaccurate data
• Right to erasure — request deletion of your data
• Right to restriction — restrict processing of your data
• Right to data portability — receive your data in a structured format
• Right to object — object to processing based on legitimate interest

To exercise any of these rights, email us at info@lazyeye.nl. We will respond within 30 days. If you are not satisfied with our response, you have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

7. Security

We take appropriate technical and organizational measures to protect your personal data, including:

• Encrypted connections (HTTPS) for all data in transit
• Passwords are securely hashed and never stored in plain text
• Secure session management with industry-standard practices
• Abuse prevention and rate limiting measures
• Restricted server access with strong authentication
• Optional two-factor authentication (TOTP) for user accounts
• API keys are stored only on the bot server with strict file permissions, never in the main database

8. Cookies

For detailed information about the cookies we use, please see our Cookie Policy.

9. Changes to This Policy

We may update this privacy policy from time to time. Any changes will be posted on this page with an updated date. We recommend checking this page periodically.

10. Contact & Complaints

For questions about this privacy policy or to exercise your rights, contact us at info@lazyeye.nl.

You also have the right to file a complaint with the Dutch Data Protection Authority: