GGoodAI
Legal

Privacy Policy

Last updated: 24 June 2026

This Privacy Policy explains how Good AI Tech Ltd ("GoodAI", "we", "us") collects, uses, and protects your personal data when you use our website (good.ai), our documentation (docs.good.ai), and the GoodAI application (app.good.ai) (together, the "Service"). We are a company registered in the United Kingdom (company number 17249425) and act as the data controller for the personal data described below.

Custody note. GoodAI never holds your funds. We connect to your exchange accounts only through API keys that cannot withdraw, and we never receive your exchange account password.

1. Who we are

Good AI Tech Ltd, company number 17249425, registered in England & Wales, registered office at 20 Wenlock Road, London, England, N1 7GU. For privacy questions, contact us at [email protected] or via our contact form.

2. The data we collect

  • Account data: your email address, a hashed password, and multi-factor authentication settings (TOTP, passkeys/WebAuthn credentials).
  • Exchange connection data: your exchange API keys and secrets, which are encrypted at rest and only ever decrypted within our isolated execution gateway to place trades. We reject keys that have withdrawal permission.
  • Trading and configuration data: the bots, strategies, and settings you create, and records of orders, fills, and balances retrieved from your connected exchanges.
  • Billing data: subscription tier and status. Card payments are handled by our payment processor (Stripe); we do not store your full card details.
  • Technical data: IP address, device/browser information, and usage analytics (see "Cookies and analytics" below).

3. How we use your data

  • To provide the Service — authenticate you, run your bots, and place the trades you direct.
  • To secure your account and detect/prevent abuse and fraud.
  • To process subscriptions and payments.
  • To communicate with you about the Service, including support and important notices.
  • To improve the Service and understand how it is used (aggregate analytics).

4. Legal bases (UK GDPR)

We process your data on the basis of: performance of a contract (to provide the Service you sign up for); legitimate interests (security, fraud prevention, and improving the Service); consent (for non-essential analytics cookies, where required); and legal obligation (to meet our regulatory and accounting duties).

5. How we protect your data

  • Exchange API keys are protected with envelope encryption (AWS KMS in production) and are only decryptable inside our execution gateway, bound to your specific connection.
  • API keys are never written to logs or to our audit records.
  • Security-relevant actions are recorded in an append-only, tamper-evident audit log.
  • Access to production systems is restricted and authenticated.

6. Sharing your data

We do not sell your personal data. We share data only with service providers who help us operate the Service, under appropriate contractual protections, including: our cloud hosting provider, our payment processor (Stripe), our email/communications provider, and analytics providers (Google Analytics). The exchanges you connect receive the API requests needed to execute your instructions. We may disclose data where required by law.

7. International transfers

Some of our providers may process data outside the UK/EEA. Where they do, we rely on appropriate safeguards such as the UK International Data Transfer Agreement or Standard Contractual Clauses.

8. Retention

We keep your personal data for as long as your account is active and as needed to provide the Service, and then for up to seven (7) years after your account is closed to meet our legal, accounting, tax, regulatory, and security obligations — and longer where the law or an ongoing dispute requires it. Trading and audit records, which underpin the integrity of a money-movement system, are retained for at least this period. When data is no longer needed, we delete or anonymise it.

9. Your rights

Under UK data protection law you have the right to access, correct, delete, restrict, or object to the processing of your personal data, and the right to data portability. To exercise these rights, contact [email protected]. You also have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.

10. Cookies and analytics

We use essential cookies to keep you signed in and to keep the Service secure. We also use Google Analytics to understand aggregate usage of our site. You can control non-essential cookies through your browser settings.

11. Changes to this policy

We may update this policy from time to time. We will post the updated version here and change the "Last updated" date above. Material changes will be communicated to you.

12. Contact

Questions about this policy or your data? Email [email protected] or use our contact form.