
Questions? Contact us at [email protected].

Privacy policy

Last updated: 6 May 2026

We collect the minimum data needed to operate filo.bot and we do not sell it. This page explains what we collect, why, who we share it with, how we secure it, and what rights you have.

1. Who we are

filo.bot is operated by filo.bot ("we", "our"). For privacy questions or to exercise any of the rights below, contact us at [email protected].

2. What we collect

Account data

  • Email address you signed up with.
  • A salted hash of your password (never the password itself).
  • Account creation and last-login timestamps.

Hyperliquid integration

  • The Hyperliquid API key you provide, stored encrypted with AES-256-GCM. The key is decrypted into memory only at the moment of trade execution and discarded after each job.
  • Your Hyperliquid wallet address, derived from the key.
  • Logs of fills, positions, and PnL retrieved from Hyperliquid's public API for trades placed by the Service on your behalf.

Service usage

  • Copy settings (trader, allocation, leverage cap, position cap, active state).
  • Signals received and actions taken (open/close/skipped) by the bot.
  • Builder approval state (max-fee authorisation, signing wallet address, on-chain verification timestamps).

Telegram (optional)

  • Telegram user ID and (optionally) username, used only to send you trade notifications.

Operational logs

  • Server access logs (IP, user agent, request path, timestamp) for security and debugging. Retained for up to 30 days.
  • Application error traces. May incidentally include identifiers needed to reproduce a bug.

What we do NOT collect

  • We do not run third-party advertising trackers or analytics that build cross-site profiles.
  • We do not sell or rent personal data to third parties.
  • We do not require KYC documents (passport, ID, selfie). Your Hyperliquid account already has whatever KYC it requires.

3. Why we use it

  • Operate the Service. Authenticate you, execute copy trades, deliver notifications, route on-chain builder fees.
  • Quality scoring. Compute trader Quality Scores from public on-chain data — no personal data of subscribers is part of trader scoring.
  • Security and abuse prevention. Detect suspicious access, rate-limit abusive traffic, investigate incidents.
  • Improve the product. Aggregate usage signals to fix bugs and prioritise features. We use anonymised data wherever practical.
  • Legal compliance. Respond to lawful requests, retain records where required.

4. Lawful basis (GDPR / similar regimes)

  • Contract — to provide the Service you signed up for.
  • Legitimate interests — to secure our service, prevent fraud, and improve the product.
  • Consent — for optional integrations (e.g. Telegram), withdrawable at any time by unlinking from your settings.
  • Legal obligation — when retention or disclosure is mandated by law.

5. Who we share data with

We share only what is strictly necessary, with the following categories of processors:

  • Hyperliquid — every trade signed with your API key is submitted to Hyperliquid. They process the trade per their own privacy policy.
  • Telegram — for notification delivery, if you choose to link your Telegram.
  • Cloud and infrastructure providers hosting our servers, databases, and email delivery.
  • Authorities when legally required (court order, regulatory request, fraud investigation).

We do not authorise these processors to use your data for their own marketing.

6. Security

  • API keys are encrypted with AES-256-GCM using a key never present in source control. Decryption happens only in memory at the moment of execution and the plaintext is discarded immediately after.
  • Passwords are stored as bcrypt hashes with a per-record salt. We never store, log, or transmit plaintext passwords.
  • All public-facing traffic is encrypted in transit with TLS 1.2+.
  • Internal credentials and signing secrets are stored in environment-only configuration, not in the repository.
  • Access to production systems is limited to a short list of operators, audited via cloud-provider IAM logs.

7. How long we keep data

  • Account data — for the life of your account, plus up to 90 days for backup-rotation purposes after deletion.
  • API keys — encrypted, until you remove them or close your account, then immediately purged.
  • Trade and signal history — kept up to 24 months for your own dashboard and our auditing.
  • Server access logs — up to 30 days.

8. Your rights

Depending on where you live, you may have the right to access, correct, port, restrict processing of, or delete your personal data; to object to processing based on legitimate interests; and to lodge a complaint with a supervisory authority. To exercise these rights, contact [email protected]. We respond within 30 days.

9. Children

filo.bot is not intended for anyone under 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal data from children.

10. International transfers

Our infrastructure may run in regions outside your country. Where we transfer personal data internationally, we rely on appropriate safeguards such as standard contractual clauses where applicable.

11. Cookies

We use only first-party storage strictly necessary to operate the Service: a JWT access token and refresh token kept in localStorage for authentication. We do not set advertising or cross-site tracking cookies.

12. Changes to this policy

If we change this policy materially, we will email registered users and update the "Last updated" date at the top. Non-material changes will simply be reflected on this page.


Privacy questions or requests: [email protected]. Security concerns or vulnerability reports: [email protected].
