
Privacy Policy

Last updated: 2026-05-18

Plain English summary: we collect the minimum we need to run the service. We don't sell your data. Your trades are yours — export anytime, delete anytime.

1. What we collect

Account data — username, email, hashed password.

Trade data — what you log manually, import via CSV, or sync from a connected broker.

Broker credentials — API key and secret you choose to provide. Stored encrypted at rest.

Subscription data — plan, billing status. Payment details are handled by Stripe and never touch our servers.

Technical data — IP address, browser type, basic request logs (kept up to 30 days for security and debugging).

2. How we use it

  • Run your account and deliver the service
  • Process payments via Stripe
  • Send transactional emails (signup confirmation, billing receipts) and — if opted in — your weekly coach digest
  • Detect abuse, fraud, and security incidents
  • Improve the product (in aggregate, not on individual users)

3. AI processing

When you generate a coach review, we send a summary of your aggregated trade statistics and detected patterns to Anthropic's Claude API. We do not send personal information (no name, email, broker keys). Anthropic's terms apply to that processing — see anthropic.com/legal/privacy.

4. Sharing

We don't sell your data. We share it only with:

  • Stripe — payment processing
  • Anthropic — AI coach reviews (aggregated patterns only)
  • SendGrid / Mailgun / Postmark — email delivery
  • Hosting provider — infrastructure
  • Law enforcement — only when legally compelled

5. Your data rights

You can:

  • Access — see everything from your dashboard and account settings
  • Export — download your trades as CSV anytime
  • Correct — edit any trade or account field directly
  • Delete — remove your account from account settings. Deletion is permanent and completes within 30 days.
  • Object / Restrict — opt out of weekly digest emails; revoke broker access; cancel subscription

EU/UK users — these are your GDPR rights. California users — your CCPA rights cover the same ground. To exercise any of them, email hello@untilthq.com.

6. Data retention

  • Active accounts: data retained as long as your account exists
  • Deleted accounts: removed within 30 days, except where law requires retention (billing records up to 7 years)
  • Server logs: 30 days
  • Email delivery logs: 90 days (via provider)

7. Security

Passwords are hashed (PBKDF2). Broker API credentials are encrypted at rest. All traffic is TLS-encrypted in transit. Webhook signatures are verified. We don't store credit card data — Stripe does, under PCI-DSS.

8. Cookies

We use only essential cookies: a session cookie to keep you logged in, and a CSRF cookie for form security. No tracking, no third-party analytics, no advertising cookies.

9. Children

Untilt HQ is not directed at users under 18. We don't knowingly collect data from minors. If you believe a minor has created an account, email us and we'll delete it.

10. International transfers

Our infrastructure may be hosted in the US or EU. By using the service you consent to data transfer to and processing in these regions, with appropriate safeguards.

11. Changes

We'll notify you by email of material changes at least 14 days before they take effect. The current version is always at this URL.

12. Contact

Privacy questions? Email hello@untilthq.com or use the contact form.