Privacy Policy

Account Information

• Email address
• Username
• Password (hashed, never stored in plain text)
• Subscription and billing information (processed by Stripe)

Trading Data

• Trading preferences and configuration settings
• Trade history and execution records
• Portfolio positions and performance metrics
• Safety limit configurations

Usage Data

• Device information (browser type, operating system)
• IP address and approximate location
• Pages visited and features used
• Session duration and interaction patterns

Brokerage Data

• OAuth tokens for brokerage API access (encrypted at rest)
• Account identifiers from connected brokerages
• We do NOT store your brokerage username or password

• Provide and operate the Service, including signal generation and trade execution
• Process your subscription payments through Stripe
• Send account-related notifications (trade alerts, security events)
• Improve our ML models and trading algorithms (using aggregated, anonymized data)
• Enforce our Terms of Service and safety limits
• Respond to support requests
• Comply with legal obligations

We do not sell your personal information. We share data only in these circumstances:

• Stripe: Payment processing. Stripe's privacy policy governs their handling of your payment data.
• Brokerage providers: Trade execution data is sent to your connected brokerage (e.g., Charles Schwab) via their API to execute orders you authorize.
• Legal requirements: We may disclose information if required by law, subpoena, or government request.

We use the following third-party service providers to operate the Service. Each processes only the data needed for its function:

• Stripe — subscription billing and payment processing.
• Sentry — application error and performance monitoring. May receive your IP address, device/browser information, and technical diagnostic data.
• Charles Schwab (and other connected brokerages) — execution of trades you authorize, via their official APIs.
• Resend — transactional and account-related email delivery.
• Firebase Cloud Messaging (Google) — delivery of push notifications you have enabled.

Each provider processes your data under its own privacy policy. We do not sell or rent your personal information to any third party.

We implement reasonable security measures to protect your data:

• All data in transit is encrypted via TLS (HTTPS)
• Passwords are hashed using industry-standard algorithms
• Brokerage OAuth tokens are encrypted at rest
• JWT authentication with short-lived access tokens (15 minutes)
• Rate limiting on authentication endpoints
• Per-user data isolation — users cannot access each other's data

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

• Account data: Retained while your account is active. Deleted upon account closure, subject to legal retention requirements.
• Trading history: Retained for the duration of your account for performance analytics. Anonymized data may be retained indefinitely for model improvement.
• Payment data: Managed by Stripe per their retention policies. We store only Stripe customer IDs and subscription status.
• Usage logs: Retained for 90 days for debugging and security purposes.

You have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your account and associated data
• Export your trading history and data
• Opt out of non-essential communications
• Disconnect your brokerage account at any time

To exercise these rights, contact us at [email protected].

We use in-memory storage for short-lived access tokens and secure HttpOnly cookies for session persistence. A non-sensitive session flag is stored in local storage. We do not use advertising or cross-site tracking cookies. We use Sentry for error and performance monitoring, which may set cookies or store identifiers necessary to diagnose crashes and performance issues; this is described in "Sub-Processors" below. Session data is cleared when you log out.

The Service is not intended for users under 18 years of age. We do not knowingly collect information from minors. If we become aware that a minor has provided personal information, we will delete it promptly.

We may update this Privacy Policy periodically. Material changes will be communicated via email or in-app notification. Continued use of the Service after changes constitutes acceptance of the updated policy.

California Residents (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect, to request its deletion, to request correction of inaccurate information, and to access it in a portable form. We do not sell or share your personal informationas those terms are defined under the CCPA/CPRA. To exercise these rights, contact [email protected]. We will not discriminate against you for exercising them.

EEA/UK Residents (GDPR)

If you are in the European Economic Area or the United Kingdom, the data controller is [ENTITY LEGAL NAME]. We process your data on the lawful bases of performance of our contract with you (operating the Service), your consent (optional communications), and our legitimate interests (security and service improvement). You have the right to access, rectify, erase, restrict, and port your data, and to object to processing. You may also lodge a complaint with your local supervisory authority. To exercise these rights, contact [email protected].

For privacy-related questions or requests, contact us at [email protected].