Effective date: 11 July 2026
Coinlight ("we", "us") is a free cryptocurrency paper-trading simulator. No real money is involved anywhere on this site. This policy explains what data we handle and why. We aim to collect the minimum possible.
Who is responsible. Coinlight is operated by its individual developer. Contact for all privacy matters: [email protected].
Account data (only if you register). A username, a display name, and a password. The password is stored only as a salted cryptographic hash; we cannot read it. We do not ask for or store your email address, real name, phone number, or any payment information.
Simulation data. Your virtual trades, virtual balances, portfolio snapshots, follows, and leaderboard statistics. All balances are simulated; none of this is financial data about real assets you own.
Technical data. To prevent abuse (bot registrations, password guessing, scraping), we rate-limit requests using your IP address. The IP is processed only as a keyed cryptographic digest (HMAC-SHA256); we do not store your IP address in readable form, and we cannot reconstruct it from what we store. For signed-in users, we record a coarse last-active time and one activity day per UTC day to support online status and return-rate metrics. Our hosting provider additionally keeps standard short-lived server logs, which may include IP addresses, as part of operating the infrastructure.
Coinlight has social features. If you register, the following is visible to anyone on the internet, including visitors without an account: your username, display name, join date, your trade history, your current simulated asset allocation and holdings, your follower and following lists, and your leaderboard performance (return %, simulated profit/loss, simulated portfolio value). If you enable it in Settings, your public profile also shows a coarse status such as “Online now”, “Active recently”, or “Offline”; it never shows an exact last-seen timestamp. Do not choose a username or display name you don't want publicly associated with this activity. Your password and login activity are never public.
We set one cookie: a session cookie that keeps you logged in. It is HttpOnly and expires after 30 minutes of inactivity (8 hours maximum). It is strictly necessary to provide the login feature you request, which is why no consent banner is shown for it. We use no advertising cookies or cross-site tracking. Cloudflare Web Analytics does not use analytics cookies; it collects aggregate page-performance metrics.
Your watchlist preferences (which coins you track) are stored in your browser's localStorage and never leave your device.
When you use the market dashboard, your browser requests data directly from:
/cdn-cgi/rum endpoint) — aggregate page-load timing and Core Web Vitals. Cloudflare states that it does not track individual end users across customers' Internet properties. See Cloudflare's Web Analytics data-collection documentation.We do not send them anything about your account; these are ordinary content requests made by your browser.
The site is hosted on Heroku (Salesforce, Inc.), with servers located in the United States. If you access the site from outside the US, your data is processed in the US.
The "sponsored break" shown before virtual deposits is a simulated advertisement generated by Coinlight itself. No advertising network is involved and no advertising data is collected. If real advertising is ever introduced, this policy will be updated first.
Where the GDPR applies: we process account and simulation data to perform our contract with you (providing the simulator, Art. 6(1)(b)); abuse-prevention hashing and security measures are based on our legitimate interest in keeping the free service operational (Art. 6(1)(f)).
Your data is kept while your account exists. You can close your account at any time in Profile → Settings → Close account (password confirmation required). Closing your account immediately disables login and removes your profile, trades, and statistics from all public pages and leaderboards. The underlying records are archived, not immediately erased.
If you want your archived records permanently erased, email [email protected] with a description of the account (since we hold no email, be prepared to prove control of the account by logging in or describing account details only its owner would know). Erasure requests are honored within 30 days.
Depending on where you live (e.g., GDPR in the EU/EEA/UK), you may have rights to access, rectify, erase, restrict, or port your personal data, to object to processing, and to lodge a complaint with your local supervisory authority. Exercise any of these via [email protected]. You can also see essentially everything we hold about you directly in the app (your profile, trade history, and archived runs are all displayed in your account).
We do not sell personal data, we do not share it for advertising, and we make no automated decisions with legal effects about you.
Coinlight is not directed at children under 13, and we do not knowingly collect data from them. If local law sets a higher age for consenting to data processing (up to 16 in parts of the EU), that higher age applies.
If this policy changes materially, the effective date above changes and the new version is posted here. Continued use after a change means acceptance.