Privacy Policy

TL;DR

We collect the minimum needed to deliver signals to your Telegram account and (optionally) to place orders on your connected Alpaca account. All broker credentials are encrypted at rest. Run /exportmydata any time to see exactly what we hold.

What we collect

• Identity: Telegram chat ID, first name / last name / username / photo URL (all fields Telegram sends on login).
• Preferences: risk profile, watchlist, strategy templates, session-alert toggles, signal min-score, and auto-trade rules.
• Signal + trade history: every signal we deliver, every confirmation you tap (“I took this”), and every auto-trade order we submit on your behalf. Used to build your /portfolio and /history.
• Broker credentials (when connected): your Alpaca API key ID and secret key. Both are encrypted (AES-256-GCM) before writing to our database. The plaintext exists only in server memory during order submission. Supabase admins cannot read your keys.
• Smart Money follow state: which funds and insiders you follow and whether mirror mode is enabled.
• Operational logs: last seen timestamp, bot command usage for rate-limiting and abuse prevention.
• Push-notification tokens (when you opt in): a per-device delivery token issued by the OS — Web Push endpoint URL + VAPID keys on web, an APNs token on iOS, an FCM token on the future Android app. We use these only to deliver signals you have asked for. Tokens are purged when you revoke notification permission or sign out on that device.
• Mobile device-link state: a short-lived 6-char code (10-minute TTL) used to bind an iOS app install to your Telegram account. Once the bot consumes the code, the row is deleted within seconds.

What we do NOT collect

• Banking, credit-card, or SSN info. Billing is handled by Stripe; we receive only Stripe’s subscription status callbacks, never card numbers.
• Your Alpaca account balance, positions, or trade history beyond what we submitted via the auto-trader. We explicitly do not pull your full position list from Alpaca.
• Browsing behavior outside edgeniq.com.
• Telegram messages that don’t contain bot commands. We don’t read your other chats.

How we use it

• Deliver signals to the Telegram account you logged in with.
• Submit bracket orders to Alpaca according to the rules you configured on /app/broker. The kill switch halts everything.
• Track performance so you see real win rates in /performance and /accuracy.
• Aggregate anonymized metrics (signal-level win rates per ticker, for example) to improve the scoring model. Your personal identity is never in the aggregate.

What we share — and don't

• Alpacareceives your API credentials (because they belong to you) and the order instructions we submit on your behalf. That’s required for the broker integration to work.
• Supabase hosts our database. They have access to encrypted data at rest — but not the encryption key (which sits in Vercel env, not in the DB).
• Vercel hosts the web app; they see HTTP request logs. They do not see decrypted broker credentials.
• Telegram handles message delivery. They see the signal content we send you (because we send it to them), but not our internal data.
• Anthropic (LLM provider)receives a structured snapshot of the morning-briefing context — regime metrics, sector data, news headlines, analyst rating changes, and a high-level summary of your open positions — to generate the “EdgeNiq Analysis” section. Anthropic does not receive your broker credentials, your full trade history, or your contact details. Per Anthropic’s API terms, data sent through the API is not used to train their models. The provider may change as technology evolves; we will update this policy when it does.
• yfinance / Finnhub / Alpaca / SEC EDGAR are read-only public-data sources we query on your behalf to assemble alerts. We send no personal information to these providers — only ticker symbols and date ranges.
• Stripe (when self-serve billing is enabled) processes your subscription payment. They store your billing details; we receive only their subscription status callbacks and never see card numbers.
• Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM, future Android app) deliver push notifications to your device. They see the notification payload (signal headline + small body) when we route it. They do not see anything you have not opted to receive as a notification. Disabling notifications on the device or revoking permission in OS settings stops delivery.
• We do not sell your data. We do not share it with advertisers, brokers-other-than-Alpaca, or third-party marketing.

Encryption details

Broker API credentials are encrypted with AES-256-GCM using a 32-byte master key held as a Vercel / VPS environment variable (TRADING_ENCRYPTION_KEY). Each credential gets a random 12-byte initialization vector. Even a full database dump would require separate compromise of the environment-variable store to decrypt anything. We rotate the master key on compromise and re-encrypt every stored credential at the same time.

Mobile session tokens (the Supabase-trusted JWT the bot mints when you sign in on iOS / future Android) are stored in the OS keystore: iOS Keychain via Expo SecureStore, and on Android (when shipped) in EncryptedSharedPreferences. The token expires after 30 days; signing out on the device deletes it.

Data retention

• Active account: we retain your data as long as your account is active plus 12 months for audit + tax purposes.
• Soft-deleted accounts (after /deleteaccount): we keep a tombstone for 30 days (in case of accidental deletion) then fully purge PII. Signal-history records are anonymized (chat_id replaced with a hashed token) so aggregate stats remain accurate.
• Broker credentials are purged immediately upon disconnection (not soft-deleted).
• Push-notification tokens are purged on opt-out or when the OS marks the token invalid (which happens automatically when the user uninstalls the app or disables notifications).
• Mobile device-link codes live for at most 10 minutes (server-enforced TTL) and are deleted within seconds of the bot consuming them.

Your rights

• /mydata — see every field we hold about you, inline in the bot.
• /exportmydata — download a full JSON export as a file attachment.
• /deleteaccount — start the soft-delete flow. Two-step (type confirmation in bot).
• To disconnect Alpaca specifically without deleting the rest of your account, use the Disconnect button on /app/broker.

Compliance

We follow GDPR + CCPA data-subject-rights obligations even for users not in those jurisdictions. If you’re in the EU / UK / California and need a formal privacy request (portability, rectification, erasure), contact the admin with your request type and we’ll process within 30 days.