Privacy Policy

Version v2026-05-09 · Effective 2026-05-09

This Privacy Policy describes the information that Gizmo–Quantum (the "Service") collects, how it is used, and how it is protected. The Service is operated by an individual (the "Operator") for personal and experimental use. By creating an account or using the Service you consent to the practices described.

1. What We Collect

The Service collects:

  • Account information. Email address and a hashed password, managed by Supabase, our authentication provider.
  • Brokerage credentials. The username, password, and (optionally) two-factor seed for the brokerage account you connect. These are stored encrypted using AES-256-GCM with a key bound to the operator's hardware (Windows DPAPI). The Operator does not knowingly retain plaintext copies in logs.
  • Trading data. Account balance, positions, order history, decision logs, and metadata produced by trades initiated through the Service. This data is stored in a local SQLite database.
  • Operational metadata. IP addresses, request timestamps, error logs, and audit trails of authentication and configuration changes.
  • Cookies & session tokens. An HTTP-only session cookie is set by Supabase to keep you signed in. The Service does not use third-party tracking cookies.

2. How We Use It

  • To authenticate you and authorize requests on your behalf.
  • To log in to your brokerage account on your behalf and place, modify, or cancel orders consistent with your configured mode and risk caps.
  • To present your portfolio and trading activity on the dashboard.
  • To maintain and debug the Service, investigate suspected fraud, and respond to security incidents.
  • To comply with legal or regulatory obligations.

3. What We Do Not Do

  • We do not sell, rent, or share your data with marketing partners.
  • We do not use your data to train public AI models.
  • We do not embed third-party advertising or analytics trackers.
  • The Service does not access social-graph, contacts, or other non-trading data on your devices.

4. Service Providers

The Service relies on the following third-party providers:

  • Supabase for authentication and identity. Their privacy policy applies to data handled by them.
  • Robinhood (or another broker you connect) for trade execution. Their privacy policy applies to data handled by them.
  • Cloudflare for CDN, DDoS protection, and tunnelling between the public domain and the operator's host machine.
  • Various market-data providers (e.g., Yahoo Finance, CBOE) for quotes and option chains.

The Operator does not control these providers and is not responsible for their independent practices. You should review their privacy policies separately.

5. Security & Breach Disclosure

The Service uses encryption at rest, transport-layer security between client and server (HTTPS via Cloudflare), and best-effort access controls. No system is perfectly secure. Despite these measures, data including encrypted credentials, trading history, and personal information may be exposed by attack, insider error, or third-party compromise. The Operator does not guarantee that your data will never be accessed without authorization. The Operator will make a reasonable effort to notify affected users of confirmed breaches in accordance with applicable law.

6. Data Retention

Active accounts retain trading and credential data indefinitely. Terminated accounts may retain encrypted credential data for up to 90 days for legal and regulatory purposes; trade history may be retained indefinitely in anonymized or pseudonymized form for product improvement. You may request deletion of your data at any time by contacting the Operator.

7. Your Rights

Depending on where you live you may have the right to access, correct, port, or delete personal information the Service holds about you. To exercise these rights, contact the Operator. The Operator may verify your identity before processing such requests and may decline requests that conflict with applicable law or that would compromise the Service for other users.

8. Children

The Service is not directed to children under 18 and does not knowingly collect data from anyone under 18. If you believe a child has provided data to the Service, contact the Operator and the data will be deleted.

9. Changes

This Privacy Policy may be updated from time to time. Material changes will be reflected in the version identifier and existing users may be prompted to re-acknowledge.

Read together with the Terms of Service.