Privacy Policy

Last updated: January 2026

Aurelius AI ("we", "our", or "us") is committed to protecting your privacy. This policy explains how we collect, use, and safeguard your information when you use our AI-powered trading platform.

1. Information We Collect

Information You Provide

  • Account information: Email address, password (hashed), name
  • Brokerage credentials: API keys for connected trading accounts (encrypted with AES-256)
  • Trading preferences: Risk settings, asset preferences, strategy selections
  • Payment information: Processed securely by Stripe (we do not store card details)

Information Collected Automatically

  • Usage data: Pages visited, features used, time spent
  • Trading activity: Trades executed, performance metrics, AI decisions
  • Device information: Browser type, IP address, device identifiers
  • Cookies: Session cookies, preference cookies, analytics cookies

2. How We Use Your Information

  • Provide services: Execute trades, run AI analysis, manage your account
  • Improve AI performance: Analyze trading patterns to enhance our algorithms
  • Communication: Send account updates, security alerts, and (with consent) marketing
  • Security: Detect fraud, prevent unauthorized access, protect our systems
  • Legal compliance: Meet regulatory requirements, respond to legal requests

3. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process your data under these legal bases:

  • Contract: Processing necessary to provide our services to you
  • Consent: Where you have given explicit consent (e.g., marketing emails)
  • Legitimate interests: Improving our services, fraud prevention
  • Legal obligation: Compliance with applicable laws

4. Data Security

We implement robust security measures to protect your data:

  • Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • API credentials: Stored using industry-standard encryption, never in plain text
  • Access controls: Strict employee access policies, multi-factor authentication
  • Infrastructure: Hosted on Vercel and Supabase with SOC 2 Type II compliance
  • Monitoring: 24/7 security monitoring and intrusion detection

While we implement industry-leading security practices, no system is 100% secure. We cannot guarantee absolute security but commit to promptly addressing any breaches.

5. Data Sharing

We do not sell your personal information. We may share data with:

  • Connected brokerages: Alpaca, SnapTrade partners (only data necessary to execute trades)
  • Service providers: Vercel (hosting), Supabase (database), Stripe (payments)
  • Analytics: Aggregated, anonymized data for service improvement
  • Legal authorities: Only when required by valid legal process

6. Data Retention

  • Active accounts: Data retained while your account is active
  • Closed accounts: Data deleted within 90 days of account closure
  • Trading records: May be retained up to 7 years for regulatory compliance
  • Backups: Removed within 30 days of data deletion

7. Your Rights

All Users

  • Access: Request a copy of your personal data
  • Correction: Update inaccurate or incomplete data
  • Deletion: Request deletion of your account and data
  • Opt-out: Unsubscribe from marketing communications

GDPR Rights (EEA Users)

  • Portability: Receive your data in a structured, machine-readable format
  • Restriction: Request limitation of data processing
  • Objection: Object to processing based on legitimate interests
  • Withdraw consent: Withdraw consent at any time (without affecting prior processing)
  • Lodge complaint: File a complaint with your local data protection authority

CCPA Rights (California Users)

  • Know: Request disclosure of data collected about you
  • Delete: Request deletion of your personal information
  • Opt-out: Opt out of sale of personal information (we do not sell data)
  • Non-discrimination: Exercise rights without discriminatory treatment

To exercise any of these rights, contact us at privacy@aurelius-ai.com.

8. Cookies

We use the following types of cookies:

  • Essential: Required for site functionality (login, security)
  • Functional: Remember your preferences and settings
  • Analytics: Understand how you use our service (can be disabled)

You can manage cookie preferences in your browser settings or through our cookie consent banner.

9. International Transfers

Your data may be transferred to and processed in the United States. We ensure appropriate safeguards are in place, including Standard Contractual Clauses for EEA transfers.

10. Children's Privacy

Aurelius AI is not intended for users under 18 years of age. We do not knowingly collect information from children. If we learn we have collected data from a minor, we will promptly delete it.

11. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email or prominent notice on our website at least 30 days before changes take effect.

12. Contact Us

Data Protection Officer

Email: privacy@aurelius-ai.com
For GDPR requests: dpo@aurelius-ai.com