Privacy Policy
# Privacy Policy
**Last updated: 2026-05-11**
This policy explains what we collect, why, and how to control it. Plain English first, legal nuance second.
## What we collect
| Category | What | Why |
|---|---|---|
| **Identity** | Email | Magic-link sign-in, account-level notifications |
| **Broker credentials** | API keys / account IDs that you paste | Forwarding orders that you authorize to your broker |
| **Strategy state** | Per-user trades, signals, settings | Operating the Service for you |
| **Operational** | IP, user agent, session timestamps | Security audit + abuse prevention |
| **Billing** | Stripe customer + subscription IDs | Subscription management (Stripe stores card data, not us) |
## We do NOT collect
- Your trading-account password (we only accept API keys/tokens, not passwords)
- Marketing trackers, ad cookies, behavioral profiling
- Phone numbers (unless you opt into SMS notifications, none configured today)
## Encryption
Broker credentials are encrypted at rest with Fernet (AES-128-CBC + HMAC-SHA-256). The master key is stored on the server only and never sent to your browser. We can never see your raw credentials after they are saved.
## Sharing
We do not sell or share personal data with third parties for marketing. We share data only with: PriceFeedPro (the data feed you use to get ticks, only if you supply your own key — otherwise the key is shared infrastructure), Stripe (for billing), and any broker whose API you connect (to execute trades). We are not affiliated with any of these vendors.
## Your rights (GDPR + general)
- **Access**: request a copy of all data tied to your email.
- **Erasure**: delete your account from Settings — credentials and history are removed within 72 hours, except where retention is required by law.
- **Export**: trade journal is exportable as CSV from Dashboard.
- **Revoke**: revoke broker credentials immediately from Settings without contacting us.
## Logs & retention
Operational logs are kept up to 90 days. Trade history is kept for the lifetime of your account, then deleted on closure. Stripe billing records may be retained longer where tax law requires.
## Cookies
We use a single first-party `ict_session` cookie (HttpOnly, SameSite=Lax) for authentication. No analytics or advertising cookies.
## Contact
[email protected] · Big AL Consulting.
**Last updated: 2026-05-11**
This policy explains what we collect, why, and how to control it. Plain English first, legal nuance second.
## What we collect
| Category | What | Why |
|---|---|---|
| **Identity** | Email | Magic-link sign-in, account-level notifications |
| **Broker credentials** | API keys / account IDs that you paste | Forwarding orders that you authorize to your broker |
| **Strategy state** | Per-user trades, signals, settings | Operating the Service for you |
| **Operational** | IP, user agent, session timestamps | Security audit + abuse prevention |
| **Billing** | Stripe customer + subscription IDs | Subscription management (Stripe stores card data, not us) |
## We do NOT collect
- Your trading-account password (we only accept API keys/tokens, not passwords)
- Marketing trackers, ad cookies, behavioral profiling
- Phone numbers (unless you opt into SMS notifications, none configured today)
## Encryption
Broker credentials are encrypted at rest with Fernet (AES-128-CBC + HMAC-SHA-256). The master key is stored on the server only and never sent to your browser. We can never see your raw credentials after they are saved.
## Sharing
We do not sell or share personal data with third parties for marketing. We share data only with: PriceFeedPro (the data feed you use to get ticks, only if you supply your own key — otherwise the key is shared infrastructure), Stripe (for billing), and any broker whose API you connect (to execute trades). We are not affiliated with any of these vendors.
## Your rights (GDPR + general)
- **Access**: request a copy of all data tied to your email.
- **Erasure**: delete your account from Settings — credentials and history are removed within 72 hours, except where retention is required by law.
- **Export**: trade journal is exportable as CSV from Dashboard.
- **Revoke**: revoke broker credentials immediately from Settings without contacting us.
## Logs & retention
Operational logs are kept up to 90 days. Trade history is kept for the lifetime of your account, then deleted on closure. Stripe billing records may be retained longer where tax law requires.
## Cookies
We use a single first-party `ict_session` cookie (HttpOnly, SameSite=Lax) for authentication. No analytics or advertising cookies.
## Contact
[email protected] · Big AL Consulting.