Privacy Policy

Version: 1.0-draft · Effective: 2026-04-25

Placeholder draft — founder and legal counsel must review before public launch. Copy sourced from Termly.io generator template. Amend before the first paying user signs up.

1. What we collect

  • Account data: email, display name, plan tier, subscription status.
  • Usage data: backtest executions, strategy configurations, paper-trade fills.
  • Technical data: browser user-agent, IP address (for rate limiting), session cookies.
  • Analytics (with consent): anonymized product events via PostHog EU (signup_started, signup_completed, first_backtest_run, paper_promote_clicked, live_promote_clicked, upgrade_clicked, subscription_completed).

2. What we do NOT collect

  • Broker credentials (live trading is local-only).
  • Trading account balances or positions from external brokers.
  • Payment card details (Lemon Squeezy handles payment processing).

3. Cookies

  • Strictly necessary (always on): authentication session cookies.
  • Analytics (opt-in via cookie banner): PostHog product analytics.
  • Marketing: none in v1.

You can accept or reject analytics cookies via the banner on first visit, and re-open the banner any time from the footer Cookie Settings link.

4. Data residency

  • Application database: Postgres on Railway (EU region).
  • Analytics: PostHog EU (eu.posthog.com).
  • Payment: Lemon Squeezy (global; data residency per Lemon Squeezy policy).
  • Email: Resend (EU region).

5. Your GDPR rights

If you are in the EU or UK, you have the right to access, rectify, or delete your personal data. Email support@botpit.com with your request and we will respond within 30 days.

6. Data retention

  • Account data: retained while your account is active and for 12 months after cancellation for billing and tax records.
  • Analytics events: retained in PostHog per PostHog default retention.
  • Audit logs: 24 months.

7. Third-party services

  • Google OAuth (if you sign in with Google): Google's Privacy Policy applies.
  • Lemon Squeezy: handles EU VAT and payment compliance as Merchant of Record.
  • PostHog EU: analytics, GDPR-compliant infrastructure.
  • Resend: transactional email delivery.
  • Railway: application hosting.
  • Vercel: frontend CDN.

8. Security

BotPit uses TLS for all traffic, bcrypt for password hashes, and Postgres Row-Level Security for multi-tenant data isolation.

9. Changes

Material changes to this Policy will be announced via email and in-app notice.

10. Contact

Privacy questions: privacy@botpit.com