Looks legit.
Suggestion:
To further silence doubts, you could maybe create a read-only API key pair for Bittrex and publish it after a buyback? This way everyone can easily check what happened - big plus regarding transparency. After a few days simply remove or deactivate the key pair until the next buyback.