Privacy Policy
Last updated: 2/27/2026
CaelumOS ("we", "us", or "our") is committed to protecting your privacy. This policy explains how we collect, use, store, and share your personal information in compliance with GDPR (EU), CCPA (California), and other applicable data protection laws.
1. Data We Collect
1.1 Information You Provide
- Account Information: Email address, username, encrypted password (via Supabase Auth)
- Trading Data: Journal entries, trade screenshots, notes, performance metrics, and custom indicators you voluntarily upload
- Payment Information: Cryptocurrency payment addresses (we do NOT store credit card numbers - payments processed by NOWPayments)
- Communication Data: Support tickets, feedback, and emails you send us
1.2 Automatically Collected Data
- Usage Data: Pages visited, features used, time spent, button clicks (via PostHog analytics)
- Device Information: Browser type, operating system, IP address, device identifiers
- Error Logs: Crash reports and performance metrics (via Sentry)
- Cookies: Session tokens, preferences, authentication state
1.3 Third-Party Data
- OAuth Providers: If you sign in with Google/GitHub, we receive your name, email, and profile picture
2. How We Use Your Data
We use your information for the following purposes:
- Service Delivery: Providing journal, simulator, AI analysis, and pattern recognition features
- AI Processing: Sending your trade data to Groq/Anthropic for analysis (see Section 3)
- Payment Processing: Facilitating credit purchases via NOWPayments
- Product Improvement: Analyzing usage patterns to enhance features and fix bugs
- Communication: Sending transactional emails (password resets, payment confirmations)
- Security: Detecting fraud, preventing abuse, enforcing Terms of Service
- Legal Compliance: Responding to legal requests and protecting our rights
3. AI Processing & Third-Party Sharing
CRITICAL: How AI Providers Use Your Data
When you use AI features (journal analysis, pattern recognition, Pine Script generation), your data is sent to:
- Groq (Primary): Fast LLM inference. Zero-retention policy - your data is NOT used for model training.
- Anthropic Claude: Advanced reasoning for complex tasks. Anthropic does NOT train on customer data per their commercial terms.
- OpenRouter (Fallback): Backup provider when primary is unavailable.
Other Third-Party Services
- Supabase (Database & Auth): Stores all user data, hosted on AWS (SOC 2 Type II certified)
- PostHog (Analytics): Tracks feature usage - you can opt out via account settings
- Sentry (Error Tracking): Receives error logs and stack traces
- Resend (Email): Delivers transactional emails (password resets, receipts)
- NOWPayments (Crypto Payments): Processes cryptocurrency transactions
We have Data Processing Agreements (DPAs) with all third-party processors to ensure GDPR compliance.
4. Data Security
- Encryption: AES-256 encryption at rest, TLS 1.3 in transit
- Access Control: Row-Level Security (RLS) ensures users can only access their own data
- Authentication: Passwords hashed with bcrypt, session tokens expire after 7 days
- Infrastructure: Hosted on Vercel (SOC 2 certified) and Supabase (ISO 27001 certified)
- Monitoring: 24/7 intrusion detection and automated security scanning
Despite our safeguards, no system is 100% secure. We cannot guarantee absolute security of your data.
5. Data Retention
- Active Accounts: Data retained as long as your account exists
- Deleted Accounts: Personal data deleted within 30 days (except where legal retention is required)
- Backups: Encrypted backups retained for 90 days for disaster recovery
- Financial Records: Payment data retained for 7 years per tax regulations
- Legal Holds: Data may be retained longer if subject to legal investigation
6. Your Privacy Rights
6.1 GDPR Rights (EU/EEA Users)
- Right to Access: Request a copy of your data (use "Export Data" in Settings)
- Right to Rectification: Correct inaccurate data (edit in Settings)
- Right to Erasure: Request account deletion (use "Delete Account" or email privacy@caelumos.trade)
- Right to Restrict Processing: Limit how we use your data
- Right to Data Portability: Receive your data in machine-readable format (JSON export)
- Right to Object: Opt out of analytics and marketing
- Right to Withdraw Consent: Revoke consent at any time
6.2 CCPA Rights (California Residents)
- Right to Know: Request disclosure of data collection and sharing practices
- Right to Delete: Request deletion of personal information
- Right to Opt-Out: We do NOT sell personal information
- Non-Discrimination: We will not discriminate against you for exercising CCPA rights
6.3 How to Exercise Your Rights
To exercise any of these rights:
- Email privacy@caelumos.trade with subject line: "Data Rights Request"
- Use in-app Settings → Privacy → Export Data / Delete Account
- We will respond within 30 days (GDPR) or 45 days (CCPA)
7. Cookies & Tracking
We use the following types of cookies:
- Essential Cookies: Session authentication, security (cannot be disabled)
- Analytics Cookies: PostHog tracking (can be disabled via "Do Not Track" or Settings)
- Functional Cookies: Preferences, settings, and non-tracking features (can be disabled)
You can block cookies via your browser settings, but this may limit functionality.
8. International Data Transfers
Your data may be transferred to and processed in countries outside your residence, including the United States. We ensure adequate safeguards through:
- Standard Contractual Clauses (SCCs) approved by the EU Commission
- Data Processing Agreements with all sub-processors
- SOC 2 / ISO 27001 certified infrastructure providers
9. Children's Privacy
CaelumOS is NOT intended for users under 18 years old. We do not knowingly collect data from minors. If you believe a child has provided us with personal information, contact privacy@caelumos.trade immediately.
10. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes via email or in-app notification. Continued use after changes constitutes acceptance.
11. Contact & Complaints
Data Protection Officer: privacy@caelumos.trade
Support: support@caelumos.trade
EU Users: You have the right to lodge a complaint with your local Data Protection Authority (DPA) if you believe we have violated GDPR.