Privacy Policy

Last updated: 25 April 2026 · Operator: Nikita Datsichin (see Impressum)

What we store

  • Account identity — email address, password hash (bcrypt via Supabase Auth), account creation timestamp, last sign-in timestamp.
  • Trading credentials — Alpaca API key + secret, AI provider API key (Anthropic, OpenAI, etc.). These are encrypted at rest with AES-256-GCM using a server-side key (APP_ENCRYPTION_KEY) before being written to the database. Plaintext is never stored.
  • Trading state — your portfolio history, decision logs, agent outputs, scheduled orders, equity curve. This is what powers the dashboard.
  • Billing identifiers — Stripe customer ID, subscription ID, plan tier, activation timestamp. We do not store payment card details — Stripe handles those directly.
  • Operational logs — request timestamps, IP addresses (used only for rate limiting), error traces. Logs auto-expire after 30 days.

Where it lives

All user data is stored in Supabase (PostgreSQL), hosted on AWS in the EU (eu-central-1, Frankfurt). The application server runs on Vercel (region iad1, Washington DC) — Vercel processes requests but does not retain user content.

Outbound calls happen to: Alpaca (broker, your trading), Anthropic / OpenAI / Google / Groq / Perplexity / Qwen (only the AI provider you selected), NewsAPI + Polygon (market data, no PII), and Stripe (billing). None of these counterparties receive your password.

How long we keep it

  • Account + trading state — until you delete your account.
  • Decision logs and scanner candidates — pruned to the most recent 90 days.
  • Operational logs (request, error) — 30 days.
  • Billing records — kept while the subscription is active, then 7 years (German tax law).

Your rights (GDPR)

If you are an EU resident, you have the right to access, correct, export, or delete the personal data we hold about you. Most of these are self-service from the dashboard:

  • Access / export — every dashboard panel reads from the same data we store; nothing is hidden.
  • Correction — change your email or keys from Settings.
  • Deletion — Settings → Delete Account purges your row, encrypted keys, and trading state.
  • Objection / restriction — email contact@desktopwallstreet.com; we respond within 30 days.

Cookies

We set one HttpOnly cookie for your authenticated session (Supabase JWT) plus a small localStorage entry for your active account selector. No third-party tracking, no advertising, no analytics that profile you across sites.

Contact

Questions about this policy or your data: contact@desktopwallstreet.com. See Impressum for the operator's full contact + postal address.