CryptoPatterns.ai is non-custodial by design. We can help you analyse and automate — but we can never withdraw your funds, and you approve every live action.
Your funds never leave your exchange. We can read your account or place trades only with the scope you grant — and never withdraw. Custody stays with you.
Exchange API keys are encrypted at rest, requested at the minimum scope (read-only or trade-only), and revocable by you on your exchange at any time.
bcrypt-hashed passwords, optional TOTP two-factor, Google sign-in, short-lived access tokens and rotating httpOnly refresh tokens with reuse detection.
The AI copilot stages alerts, scans and bots — but a human confirms before anything goes live. Read-only is the default until you opt into trading.
All traffic is served over modern TLS (1.2/1.3) with strict security headers and a Content Security Policy.
Sensitive endpoints are rate-limited and monitored to protect accounts against brute-force and automated abuse.
We welcome reports from security researchers. If you believe you’ve found a vulnerability, please contact us at security@cryptopatterns.ai or reach the team directly in our Discord. Please give us a reasonable window to investigate and fix an issue before any public disclosure — we’ll keep you updated and credit your help.
Questions about how your data and keys are handled? See our methodology for how our analytics work, or read more about who builds CryptoPatterns.ai.
No. Your funds never leave your exchange. We connect with read-only access by default, and trade-only access when you explicitly opt in — neither permission can withdraw funds. Custody always stays with you on your exchange.
API keys are encrypted at rest. We request the minimum scope needed — read-only for tracking and analytics, or trade-only if you choose to automate — and never withdrawal permission. You can revoke a key on your exchange at any time.
No. The copilot stages actions — alerts, scans, and bot configurations — and you approve every live action before it executes. Nothing touches a live order without your confirmation.
Yes. You can secure your account with TOTP-based two-factor authentication, and sign in with Google if you prefer. Passwords are hashed with bcrypt and sessions use short-lived access tokens with rotating, httpOnly refresh tokens.