Privacy Policy
StratScribe AI ("we," "us," or "our") is incorporated under the laws of Ontario, Canada. This Privacy Policy explains what personal data we collect, how we use and protect it, and your rights with respect to it.
By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy.
1. Scope and Applicability
This Policy applies to all users of StratScribe globally, including users in the European Economic Area (EEA), the United Kingdom, Canada, the United States, and all other jurisdictions. Where applicable law imposes additional requirements, we comply with those requirements as described below.
2. Data Controller
StratScribe AI
Email: hello@stratscribe.com
Canada
3. Data We Collect
3.1 Account Data
Email address and hashed password, stored via Supabase Auth. Account creation date and subscription plan.
3.2 Strategy Data
Trading strategy descriptions you enter, generated code, backtest results, and version history. Stored in your account only and not shared with other users.
3.3 Broker Credentials
API keys and tokens you provide to connect third-party broker accounts. Stored encrypted at rest using AES-256 encryption. Never stored in plaintext. Never logged in application logs. Access is restricted to the automated execution service only.
3.4 Usage Data
Anonymised, aggregate usage events (page views, feature interactions) collected via Plausible Analytics. Plausible operates without cookies and without collecting personally identifiable information. No cross-site tracking occurs.
3.5 Payment Data
Payment processing is handled entirely by Stripe, Inc. We do not store, log, or transmit card numbers, bank account details, or other payment credentials. Stripe's collection and use of payment data is governed by Stripe's Privacy Policy.
3.6 Communications Data
If you contact us by email or through support channels, we retain those communications for the purpose of resolving your inquiry.
3.7 Data We Do Not Collect
We do not collect sensitive personal data such as government ID numbers, biometric data, health information, or precise geolocation. We do not use tracking cookies, third-party advertising pixels, or cross-site tracking technologies.
4. How We Use Your Data
We use your personal data only for the following purposes and legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing the strategy generation, validation, and backtesting service | Performance of contract |
| Sending transactional emails (trial reminders, billing notices, account alerts) via Resend | Performance of contract |
| Processing payments via Stripe | Performance of contract |
| Improving the product based on anonymised, aggregated usage patterns | Legitimate interests |
| Responding to support requests | Legitimate interests / Performance of contract |
| Complying with applicable legal obligations | Legal obligation |
We do not sell your personal data. We do not use your strategy descriptions or generated code to train AI models. We do not use your data for advertising or marketing purposes beyond transactional communications related to your account.
5. Third-Party Data Processors
We share data with the following sub-processors solely to the extent necessary to provide the Service:
| Processor | Purpose | Location | Compliance |
|---|---|---|---|
| Supabase, Inc. | Authentication and database hosting | United States | SOC 2 Type II |
| Stripe, Inc. | Payment processing | United States | PCI DSS Level 1 |
| Resend, Inc. | Transactional email delivery | United States | — |
| Anthropic, PBC | AI code generation (strategy descriptions are sent to Anthropic's API) | United States | Anthropic Privacy Policy |
| Plausible Analytics | Privacy-first usage analytics | European Union | GDPR compliant |
Important note regarding Anthropic: When you submit a strategy description, that description is transmitted to Anthropic's API to generate code. Your strategy descriptions are processed by Anthropic subject to Anthropic's API data usage policies, which currently state that API inputs are not used to train models. You should review Anthropic's Privacy Policy at anthropic.com/privacy before submitting confidential or proprietary trading logic.
We do not permit any sub-processor to use your personal data for their own purposes beyond providing services to us.
6. International Data Transfers
We are based in Canada, which the European Commission has recognized as providing an adequate level of data protection for purposes of GDPR. Where we transfer data to processors located in the United States or other jurisdictions, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) or the processor's adherence to an approved certification framework.
7. Data Retention
- Active accounts: Account data, strategy data, and usage data are retained for the duration of your active subscription.
- After cancellation: Your data is retained in read-only mode for 90 days following cancellation, after which it is permanently deleted from our systems.
- Early deletion: You may request deletion of your account and all associated data at any time by emailing hello@stratscribe.com. We will action deletion requests within 30 days.
- Legal holds: We may retain certain data longer where required by applicable law or to resolve a pending legal dispute.
8. Data Security
We implement the following technical and organisational measures to protect your personal data:
- AES-256 encryption for stored broker credentials.
- Encrypted data transmission via TLS/HTTPS.
- Access controls limiting employee access to personal data on a need-to-know basis.
- Regular security reviews of third-party sub-processors.
No method of transmission or storage is completely secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and, where required, relevant supervisory authorities, within the timeframes required by applicable law (72 hours under GDPR; as required under applicable Canadian and US state breach notification laws).
9. Cookies
We do not use tracking cookies or advertising cookies. We may use strictly necessary session cookies for authentication purposes only. These cookies are essential to the operation of the Service and cannot be disabled. For full details, see our Cookie Policy.
10. Your Rights
All users:
- Right to access: request a copy of the personal data we hold about you.
- Right to correction: request correction of inaccurate or incomplete data.
- Right to deletion: request deletion of your personal data, subject to legal retention obligations.
- Right to data portability: request your data in a machine-readable format.
EEA and UK users (GDPR / UK GDPR):
- Right to restrict processing.
- Right to object to processing based on legitimate interests.
- Right to withdraw consent where processing is based on consent.
- Right to lodge a complaint with your local supervisory authority.
California residents (CCPA / CPRA):
- Right to know what personal information is collected, used, shared, or sold.
- Right to delete personal information.
- Right to opt out of the sale or sharing of personal information. We do not sell or share personal information.
- Right to non-discrimination for exercising your privacy rights.
Canadian residents (PIPEDA / Law 25):
- Right to access and correct your personal information.
- Right to withdraw consent, subject to legal and contractual restrictions.
To exercise any of these rights, email hello@stratscribe.com. We will respond within 30 days (or within the shorter period required by applicable law). We may need to verify your identity before processing your request.
11. Children's Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy. If you do not agree, you may cancel your account before the effective date.
13. Contact and Complaints
Privacy inquiries:
hello@stratscribe.com
StratScribe AI, Canada
If you are located in the EEA or UK and are not satisfied with our response to a privacy complaint, you have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner's Office (ico.org.uk). In Canada, this is the Office of the Privacy Commissioner (priv.gc.ca).