Privacy Policy
Version: 1.0-draft · Effective: 2026-04-25
Placeholder draft — founder and legal counsel must review before public launch. Copy sourced from Termly.io generator template. Amend before the first paying user signs up.
1. What we collect
- Account data: email, display name, plan tier, subscription status.
- Usage data: backtest executions, strategy configurations, paper-trade fills.
- Technical data: browser user-agent, IP address (for rate limiting), session cookies.
- Analytics (with consent): anonymized product events via PostHog EU (signup_started, signup_completed, first_backtest_run, paper_promote_clicked, live_promote_clicked, upgrade_clicked, subscription_completed).
2. What we do NOT collect
- Broker credentials (live trading is local-only).
- Trading account balances or positions from external brokers.
- Payment card details (Lemon Squeezy handles payment processing).
3. Cookies
- Strictly necessary (always on): authentication session cookies.
- Analytics (opt-in via cookie banner): PostHog product analytics.
- Marketing: none in v1.
You can accept or reject analytics cookies via the banner on first visit, and re-open the banner any time from the footer Cookie Settings link.
4. Data residency
- Application database: Postgres on Railway (EU region).
- Analytics: PostHog EU (eu.posthog.com).
- Payment: Lemon Squeezy (global; data residency per Lemon Squeezy policy).
- Email: Resend (EU region).
5. Your GDPR rights
If you are in the EU or UK, you have the right to access, rectify, or delete your personal data. Email support@botpit.com with your request and we will respond within 30 days.
6. Data retention
- Account data: retained while your account is active, plus 12 months after cancellation for billing and tax records.
- Analytics events: retained in PostHog per PostHog default retention.
- Audit logs: 24 months.
7. Third-party services
- Google OAuth (if you sign in with Google): Google's Privacy Policy applies.
- Lemon Squeezy: handles EU VAT and payment compliance as Merchant of Record.
- PostHog EU: analytics, GDPR-compliant infrastructure.
- Resend: transactional email delivery.
- Railway: application hosting.
- Vercel: frontend CDN.
8. Security
BotPit uses TLS for all traffic, bcrypt for password hashes, and Postgres Row-Level Security for multi-tenant data isolation.
9. Changes
Material changes to this Policy will be announced via email and in-app notice.
10. Contact
Privacy questions: privacy@botpit.com