Privacy Policy

1. What We Collect

We collect only what we need.

• Account: email address, display name (optional), hashed WebSocket token, account-creation timestamp.
• Authentication: magic-link tokens (short-lived), IP address and user-agent of the login request, audit log of sign-ins.
• Billing: Stripe customer ID, subscription product and status. Card numbers are never stored on our servers; Stripe holds them.
• Product usage: which strategy you activated and when, WebSocket connection events, consent acknowledgments with timestamp and IP.
• Bookings: name, email, service, preferred date and time, and any notes you submit.
• Support: any emails or messages you send us.

We do not collect: broker credentials, trading-account balances, position data, or the contents of trades you execute.

2. Why We Collect It

• Run the Service: deliver signals, authenticate you, enforce subscription entitlements.
• Bill you: process payments via Stripe; record receipts for tax and bookkeeping.
• Support you: reply to emails, resolve issues.
• Comply with law: respond to valid legal requests, retain records where required.
• Improve the Service: fix bugs, measure reliability, detect abuse.

3. Legal Basis (GDPR)

For users in the EEA or UK, our bases are: contract performance (running your subscription), legal obligation (tax and financial records), and legitimate interest (security, fraud prevention, service improvement).

4. Service Providers

We share data only with the processors we need to operate:

• Stripe (payments)
• Resend (transactional email)
• AWS (server hosting)
• Cloudflare (CDN, DDoS protection, DNS)

These providers act as our processors and are contractually bound to handle data only on our instructions.

5. We Do Not Sell Your Data

We do not sell or share your personal information for cross-context behavioral advertising, as those terms are defined under the California CPRA. There is no “Do Not Sell” action required, but you can still exercise the rights below.

6. Your Rights

Depending on where you live, you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate data.
• Delete your account and associated data.
• Export your data in a portable format.
• Object to or restrict certain processing.
• Withdraw consent where processing is based on consent.
• Lodge a complaint with your local data-protection authority (EEA/UK) or the California Attorney General.

To exercise any of these, use the contact form from the address on file. We respond within 45 days.

7. Cookies

We use a single session cookie to keep you signed in. We do not use advertising or analytics cookies. If you block cookies, authentication will not work.

8. Retention

• Account data: while your account exists, plus 30 days after deletion for abuse-prevention.
• Billing records: 7 years for tax and accounting.
• Magic-link tokens: purged after 10 minutes or first use.
• Auth and admin audit logs: 1 year.
• Consent records: as long as your account exists, plus 6 years.

9. Security

Passwords are replaced by magic links, so there is no password to steal. JWTs are signed; session cookies are HTTP-only and secure. Data in transit is TLS 1.2 or higher. Admin access is role-gated. We log and review privileged actions.

10. Children

The Service is not intended for anyone under 18. We do not knowingly collect data from minors. If you believe a minor has created an account, contact us and we will delete it.

11. International Transfers

Our servers are located in the United States. If you access the Service from outside the US, your data will be transferred to the US. Where required, we rely on Standard Contractual Clauses with EEA/UK transfers.

12. Changes

Material changes to this policy will be announced by email and in the dashboard. The date above reflects the current version.

13. Contact

Privacy questions or requests: use the contact form.