Privacy Policy
Effective Date: March 23, 2026 | Last Revised: March 23, 2026
1. Information We Collect
1.1. Information You Provide Directly. When you register for an account or use the Service, we may collect: (a) your email address, provided during account registration and used for authentication, session management, and transactional communications; (b) a password, which is cryptographically hashed using bcrypt with a cost factor of 12 and is never stored or transmitted in plaintext; (c) your WhatsApp telephone number (optional), provided voluntarily for the purpose of receiving alert notifications via the WhatsApp messaging platform; and (d) Wallet Credentials, including blockchain private keys, API keys, API secrets, and API passphrases, provided voluntarily for the purpose of enabling automated stop-loss order execution on third-party prediction market platforms.
1.2. Information Collected Automatically. When you access the Service, we automatically collect: (a) anonymous page view and interaction analytics via Vercel Analytics, which does not use cookies and does not collect personally identifiable information; (b) Core Web Vitals performance metrics via Vercel Speed Insights, including Largest Contentful Paint (LCP), First Input Delay (FID), and Cumulative Layout Shift (CLS); (c) IP addresses, which may be transiently processed by our hosting infrastructure (Vercel) for the purposes of request routing, rate limiting, and abuse prevention, but are not stored or logged by the Company; and (d) browser user-agent strings and device metadata, processed transiently for the purpose of rendering the Service and not stored by the Company.
1.3. Information We Do Not Collect. We do not collect, store, or process: (a) your name, physical address, date of birth, or government-issued identification; (b) financial account information, credit card numbers, or banking details (all payment processing is handled exclusively by Lemon Squeezy as a third-party payment processor); (c) the content or outcome of your prediction market positions (position data is stored locally in association with your account but is not analyzed, profiled, or shared); or (d) biometric data, geolocation data, or device identifiers beyond what is described in Section 1.2.
2. How We Use Your Information
2.1. We use the information collected for the following purposes, and no other purposes:
- Account Authentication: Your email address and hashed password are used solely to authenticate your identity and maintain your session via JSON Web Tokens (JWT).
- Alert Delivery: Your email address and/or WhatsApp number are used to deliver price alerts and new market notifications that you have explicitly configured.
- Automated Order Execution: Your encrypted Wallet Credentials are decrypted and used exclusively at the point of stop-loss order execution to submit sell orders to the Polymarket CLOB API on your behalf.
- Service Operation: Anonymous analytics data is used to monitor Service performance, identify errors, and improve the user experience.
- Transactional Communications: Your email address may be used to send account-related notifications, including subscription confirmations, payment receipts (via Lemon Squeezy), and material changes to these policies.
2.2. We do not use your information for: (a) targeted advertising or behavioral profiling; (b) sale or rental to third parties; (c) automated decision-making or algorithmic profiling that produces legal effects; or (d) any purpose not explicitly described in this Policy.
3. Data Storage & Security
3.1. Infrastructure. The Service is hosted on Vercel's edge network. Application data, including user accounts and position records, is stored in a PostgreSQL database hosted by Neon (neon.tech) with TLS encryption in transit and encryption at rest. Transient caching is handled by Upstash Redis with TLS encryption.
3.2. Wallet Credential Encryption. All Wallet Credentials are encrypted at rest using AES-256-GCM (Advanced Encryption Standard with 256-bit key length in Galois/Counter Mode). Each credential field (private key, API key, API secret, API passphrase) is independently encrypted with a unique initialization vector (IV) derived from a cryptographically secure random number generator. The encryption key is stored as a Vercel encrypted environment variable and is never committed to source code, logged, or exposed in client-side code.
3.3. Password Security. User passwords are hashed using the bcrypt adaptive hashing algorithm with a computational cost factor of 12. Plaintext passwords are never stored, logged, or transmitted after the initial hashing operation. The bcrypt algorithm incorporates per-hash salting, rendering precomputed rainbow table attacks infeasible.
3.4. Transport Security. All data transmitted between your browser and the Service is encrypted using TLS 1.2 or higher. The polystop.app domain enforces HTTPS via HSTS (HTTP Strict Transport Security) headers. The .app top-level domain requires HTTPS by default at the registry level.
3.5. Security Limitations. While we implement industry-standard security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of your data. In the event of a data breach affecting Wallet Credentials, we will make commercially reasonable efforts to notify affected users within seventy-two (72) hours of discovery.
4. Third-Party Service Providers
4.1. We engage the following third-party service providers in the operation of the Service. Each provider processes data only as necessary to provide its respective services:
- Vercel, Inc. — Hosting, edge network, serverless function execution, anonymous analytics, and speed insights. Data processed: HTTP requests, anonymous page views, Core Web Vitals. Privacy Policy: vercel.com/legal/privacy-policy
- Neon, Inc. — PostgreSQL database hosting. Data processed: all persistent application data including user accounts, positions, alerts, and encrypted credentials. Data is encrypted at rest and in transit.
- Upstash, Inc. — Redis caching layer. Data processed: transient cached API responses. No personally identifiable information is stored in cache.
- Resend, Inc. — Transactional email delivery. Data processed: recipient email address and email content for alert notifications. Privacy Policy: resend.com/legal/privacy-policy
- Twilio, Inc. — WhatsApp message delivery. Data processed: recipient WhatsApp number and message content for alert notifications. Privacy Policy: twilio.com/legal/privacy
- Lemon Squeezy, LLC — Payment processing and subscription management. Data processed: email address, payment method details (handled directly by Lemon Squeezy; we never receive or store payment card information). Privacy Policy: lemonsqueezy.com/privacy
- Polymarket (Third-Party Platform) — Prediction market API. Data processed: Wallet Credentials (at the point of order execution only), order parameters. We do not control Polymarket's data practices.
4.2. We do not share your data with any third party for advertising, marketing, or data brokerage purposes.
5. Cookies & Tracking Technologies
5.1. The Service uses the following client-side storage mechanisms: (a) a session cookie set by NextAuth.js for the purpose of maintaining authenticated sessions (httpOnly, secure, sameSite: lax); (b) localStorage for theme preference (light/dark mode) — this is a non-tracking, functional storage mechanism containing no personal data.
5.2. The Service does not use: (a) third-party tracking cookies; (b) advertising pixels or beacons; (c) cross-site tracking mechanisms; (d) browser fingerprinting techniques; or (e) any tracking technology that follows users across websites.
5.3. Vercel Analytics operates without cookies and collects only anonymous, aggregated page view data. It does not track individual users across sessions or identify returning visitors.
6. Data Retention
6.1. Account data (email, hashed password, notification preferences) is retained for the duration of your account's existence.
6.2. Encrypted Wallet Credentials are retained until you explicitly delete them via the Service interface or request account deletion.
6.3. Position and alert data is retained for the duration of your account's existence and is deleted upon account deletion.
6.4. Anonymous analytics data is retained by Vercel in accordance with Vercel's data retention policies and cannot be attributed to individual users.
6.5. Upon account deletion (initiated via support@polystop.app), all personally identifiable data, including encrypted Wallet Credentials, will be permanently and irreversibly deleted from our databases within thirty (30) calendar days.
7. Your Rights
7.1. Depending on your jurisdiction, you may have the following rights with respect to your personal data:
- Right of Access: You may request a copy of the personal data we hold about you.
- Right of Rectification: You may request correction of inaccurate personal data.
- Right of Erasure: You may request deletion of your personal data, subject to our legal obligations and legitimate interests.
- Right to Restrict Processing: You may request that we limit the processing of your personal data under certain circumstances.
- Right to Data Portability: You may request a machine-readable export of your personal data.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
7.2. To exercise any of these rights, contact us at support@polystop.app. We will respond to verifiable requests within thirty (30) calendar days.
7.3. We will not discriminate against you for exercising any of your privacy rights.
8. International Data Transfers
8.1. The Service is operated from infrastructure located in the United States. If you access the Service from outside the United States, your data may be transferred to, stored in, and processed in the United States or other jurisdictions where our service providers operate.
8.2. By using the Service, you consent to the transfer of your information to the United States and other jurisdictions that may not provide the same level of data protection as your home jurisdiction.
8.3. For users in the European Economic Area (EEA), United Kingdom, or Switzerland, data transfers are conducted in reliance on: (a) Standard Contractual Clauses (SCCs) adopted by the European Commission, where applicable; or (b) other lawful transfer mechanisms recognized under applicable data protection law.
9. Children's Privacy
The Service is not directed to, and we do not knowingly collect personal information from, individuals under the age of eighteen (18). If we become aware that we have collected personal data from a child under 18, we will take steps to delete such information promptly. If you believe we have collected information from a minor, please contact us at support@polystop.app.
10. Changes to This Policy
10.1. We reserve the right to update this Privacy Policy at any time. Material changes will be communicated via email to the address associated with your account at least fourteen (14) days before taking effect.
10.2. Your continued use of the Service following the effective date of any modification constitutes acceptance of the revised Policy.
10.3. Prior versions of this Policy will be archived and made available upon request.
11. Contact
For privacy-related inquiries, data access requests, or to exercise any of your rights under this Policy, contact:
PolyStop — Data Protection Inquiries
Email: support@polystop.app