2.7.3.4 Data Protection & Privacy
• Personally Identifiable Information (PII)
  • Minimal collection (username, email, perhaps phone for MFA).
  • Treat wallet addresses and transaction details as personal data, and ensure users can request anonymization under GDPR where it applies.
• Storage Policies
  • Access to PII restricted via RBAC on the database.
  • Automated data retention policies for logs (e.g., 30–90 days), with permanent storage for trade records as required by finance regulations.
• GDPR Compliance
  • Provide user access and erasure on request (where applicable).
  • Cookie consent for tracking analytics; privacy policy describing data usage.
  • Data portability if a user wants to export their trade history or personal data.
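The two storage rules above pull in opposite directions: logs must expire after 30–90 days and users may ask for erasure, yet trade records must be kept permanently. The script below is an added example (not code from the original document or its project) showing one way to reconcile them: a retention job that purges expired log rows, and an erasure routine that strips direct PII and replaces the wallet address with a keyed pseudonym while leaving the trade ledger rows and their amounts intact. The schema, sample rows, salt and 90-day window are all constructed for the demonstration; the database-level RBAC grants are engine-specific and not shown here.

```python
"""Retention purge and GDPR anonymization on a constructed SQLite schema."""
import hashlib
import sqlite3
from datetime import datetime, timedelta

# Constructed schema: users holds direct PII, trade_records must be kept
# permanently (finance regulations), access_log is subject to retention.
SCHEMA = """
CREATE TABLE users (
    user_id        INTEGER PRIMARY KEY,
    username       TEXT NOT NULL,
    email          TEXT,
    phone          TEXT,
    wallet_address TEXT,
    anonymized     INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE trade_records (
    trade_id       INTEGER PRIMARY KEY,
    user_id        INTEGER NOT NULL REFERENCES users(user_id),
    wallet_address TEXT NOT NULL,
    amount         REAL NOT NULL,
    executed_at    TEXT NOT NULL
);
CREATE TABLE access_log (
    log_id    INTEGER PRIMARY KEY,
    user_id   INTEGER,
    ip        TEXT,
    logged_at TEXT NOT NULL
);
"""

LOG_RETENTION_DAYS = 90  # upper end of the 30-90 day window in the section
# Constructed salt; in production this would come from a secrets store and
# be rotated according to the key-management policy.
PSEUDONYM_SALT = b"example-salt-not-for-production"


def build_demo_db(now):
    """Create an in-memory database populated with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute(
        "INSERT INTO users VALUES (1, 'alice', 'alice@example.com', "
        "'+10000000000', '0xabc123', 0)"
    )
    conn.execute(
        "INSERT INTO trade_records VALUES (1, 1, '0xabc123', 1.5, ?)",
        ((now - timedelta(days=400)).isoformat(),),
    )
    # Four log rows: two inside the retention window, two past it.
    for days_ago in (1, 45, 91, 200):
        conn.execute(
            "INSERT INTO access_log (user_id, ip, logged_at) VALUES (1, '203.0.113.7', ?)",
            ((now - timedelta(days=days_ago)).isoformat(),),
        )
    conn.commit()
    return conn


def purge_expired_logs(conn, now, retention_days=LOG_RETENTION_DAYS):
    """Retention job: delete log rows older than the retention window.

    Returns the number of rows removed. Trade records are never touched.
    """
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    cur = conn.execute("DELETE FROM access_log WHERE logged_at < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


def pseudonymize(value):
    """Keyed, deterministic token so a user's trades stay linkable to each other."""
    digest = hashlib.sha256(PSEUDONYM_SALT + value.encode()).hexdigest()
    return "anon:" + digest[:16]


def anonymize_user(conn, user_id):
    """Erasure request: drop direct PII, pseudonymize the wallet address.

    The trade_records rows (amount, time) are retained as the finance rules
    require; only the identifying wallet address is replaced. Returns False
    when the user does not exist.
    """
    row = conn.execute(
        "SELECT wallet_address FROM users WHERE user_id = ?", (user_id,)
    ).fetchone()
    if row is None:
        return False
    token = pseudonymize(row[0])
    conn.execute(
        "UPDATE users SET username = ?, email = NULL, phone = NULL, "
        "wallet_address = ?, anonymized = 1 WHERE user_id = ?",
        (token, token, user_id),
    )
    conn.execute(
        "UPDATE trade_records SET wallet_address = ? WHERE user_id = ?",
        (token, user_id),
    )
    conn.commit()
    return True


if __name__ == "__main__":
    now = datetime(2024, 6, 1)
    db = build_demo_db(now)
    print("purged log rows:", purge_expired_logs(db, now))
    print("anonymized user 1:", anonymize_user(db, 1))
    print(db.execute("SELECT * FROM users").fetchall())
    print(db.execute("SELECT * FROM trade_records").fetchall())
```

Access-log rows still carry the user_id after anonymization; they fall out on their own when the retention job runs, which is why the erasure routine leaves them to that job rather than deleting evidence that incident response may still need inside the window.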