Privacy Policy

Last updated: 2026-05-08

The short version

We collect what we need to run the product (your email, a password hash, your trading activity inside the workspace) and nothing we don't. We do not sell your data. We do not run third-party analytics or advertising trackers. Your broker keys stay encrypted; we never see them in plaintext after you save them. You can delete your account at any time.

What we collect

  • Account info: the email you sign up with, and a password hash stored by Supabase Auth. We never store your password in plaintext, and we cannot recover it for you if you forget it.
  • Trading activity inside the workspace: the bots you create, strategies you author or generate, paper orders and fills, watchlists, chart layouts, chat messages with Claude, audit-log entries.
  • Live broker connections (Pro tier): we store broker API keys encrypted at rest with AES-256-GCM. The encryption key is held server-side, never sent to the browser, and never written to logs. We use the decrypted keys only to place orders or fetch balances on your explicit instruction.
  • Operational logs: server-side logs of your actions for debugging and audit (no passwords, no broker secrets in log output by design). Logs roll off after 30 days unless retained for an active investigation.

What we do not collect

  • No third-party analytics scripts (no Google Analytics, no Segment, no Mixpanel, no Hotjar, no Facebook Pixel) on the marketing site or in the app.
  • No advertising trackers. No cross-site fingerprinting.
  • No social-graph or contact-list imports.
  • No biometric data, no device sensors.

How we use what we collect

  • To run the product (render your charts, execute your bots, send your order to the broker you connected).
  • To enforce safety rails (kill switches, daily-loss limits, per-trade caps).
  • To respond to your support requests at the email you sign up with.
  • To send transactional notifications you opted into (trade alerts, daily briefs, account confirmations).
  • To meet legal or compliance obligations (e.g., responding to a valid legal request).

We do not use your trading activity to train AI models. We do not share your data with third parties for marketing purposes.

Cookies

We set two first-party cookies: a session cookie via Supabase Auth so we can keep you logged in, and a theme cookie that remembers your light/dark preference. Both are essential for app functionality.

We do not set advertising or analytics cookies. We do not use third-party tracking cookies. Embedded TradingView charts (visible after sign-in) load from tradingview.com and may set their own cookies under that domain; that is outside our control and governed by TradingView's privacy policy.

Sub-processors

We use the following third-party services to run the product. Each receives only the data needed to perform its function:

  • Supabase, authentication and Postgres database hosting.
  • Vercel, web app hosting and edge delivery.
  • Railway, worker host (bot ticks, market-data ingestion, broker fan-out).
  • Anthropic, Claude AI for chat, post-mortems, daily briefs, and tuning proposals. We send the prompt content needed for each request; we do not store your trading data with Anthropic beyond the request itself.
  • Tavily and Firecrawl, search and URL-fetch tools that Claude can call on your behalf when you ask it to research something. They receive the search query or URL Claude derives from your prompt.
  • Cloudflare, Turnstile bot-challenge widget on the signup and request-access forms.
  • SendGrid, transactional email (account confirmations, alert emails).
  • Coinbase / Alpaca / Tradier, brokers you may connect for live execution. Your API keys flow only to the broker you authorized.
  • Discord, where the system operator's channel may receive operational notifications about activity in the workspace (trades, alerts, daily summary) when configured. The operator does not forward these notifications externally.

We also fetch public market data from CoinGecko, CryptoPanic, DeFiLlama, GitHub, and Reddit for news, sentiment, and on-chain context. These calls do not include your account identity or any personally identifiable data.

We do not transfer your data to any other third party for any other purpose without your consent or a legal requirement.

Data retention

Your account data is retained while your account is active. When you delete your account, we remove personally identifiable data within 30 days, except for:

  • Anonymized audit-log entries (we keep these at least 7 years for compliance and abuse-investigation purposes; they do not contain your email after deletion).
  • Aggregate / statistical data that cannot be tied back to you (e.g., total trade counts per strategy template).
  • Records we are legally required to retain.

Your rights

Depending on where you live, you may have the right to access, correct, delete, or export your personal data, or to object to certain processing. To exercise any of these rights, email zachary.vorwaller@gmail.com from the address on your account. We will respond within 30 days.

You can also delete your account at any time by emailing the same address.

Security

We follow defensive engineering practices: per-user query scoping, AES-256-GCM at rest for broker credentials, HTTPS everywhere, no secrets in logs by design, an append-only audit log of every order. No system is perfectly secure; report suspected vulnerabilities to zachary.vorwaller@gmail.com.

International users

LunarEcho is operated from the United States. If you use the Service from outside the US, your data is processed and stored in the US (and in Supabase, Vercel, and Railway regions which may include the US and EU). By using the Service, you consent to this transfer.

Changes to this policy

The "Last updated" date at the top reflects the current version. Material changes will be communicated via email at least 14 days before they take effect.

Contact

Questions, data requests, or privacy concerns: zachary.vorwaller@gmail.com.

See also the Terms of Service.