Privacy Policy
Effective 22 June 2026 · Version tp-260622
1. Controller
TradePolaris is operated by ARVV LLC, a Wyoming limited liability company. For any privacy request, contact r@tradepolaris.com.
2. What we collect
- Account data — email, display name, hashed password (Argon2/bcrypt; we never store plaintext), and accepted terms/privacy versions.
- Product data — the strategies, code, backtest runs, reports, and paper deployments you create.
- Operational data — authentication and request logs (IP address, user agent, timestamps), error traces, and usage metrics needed to run, secure, and debug the Service.
- Billing data — credit balance and ledger, subscription status, and invoices. Card details are processed by Stripe and never touch our servers.
We do not sell personal data, and we do not use it for third-party advertising.
3. Why we process it
To provide the Service (contract), to secure it against abuse and fraud (legitimate interest), to comply with legal obligations, and — only with your consent — to send non-essential product updates. OTP verification emails and security notices are essential and always sent.
4. Processors and transfers
We use a small set of processors to run the Service: AWS (hosting, storage, databases), Modal (sandboxed backtest compute), Stripe (payments), Vercel (web hosting), and Resend (transactional email). Each receives only what it needs. Some processors operate outside your country; transfers rely on the processors’ standard contractual safeguards.
5. Retention
Account and product data persist while your account is active. Operational logs and scan telemetry are deleted on rolling windows (typically 90–365 days; billing webhook records up to 180 days). When you delete your account, we delete or anonymise personal data within 30 days, except records we must keep by law (e.g. tax and billing records).
6. Your rights (GDPR / CCPA summary)
Depending on your jurisdiction you may have the right to access, correct, export, restrict, or delete your personal data, to object to certain processing, and to lodge a complaint with your supervisory authority. California residents additionally have the right to know, delete, and opt out of “sale or sharing” (we do neither), without discrimination. Email r@tradepolaris.com and we will respond within 30 days.
7. Cookies
We use strictly necessary, httpOnly session cookies (pw_access, pw_refresh) to keep you signed in. We do not use third-party advertising or cross-site tracking cookies.
8. Security
Data in transit is TLS-encrypted; data at rest is encrypted on AWS. Access to production systems is restricted and logged. User strategy code executes in isolated sandboxes. No system is perfectly secure — report suspected vulnerabilities to r@tradepolaris.com.
9. Changes
We will notify registered users by email of material changes to this policy before they take effect.