# Backt Privacy Policy

**DRAFT — pending final legal review.**

**Effective Date:** [TO BE SET AT LAUNCH]

**Last Updated:** [TO BE SET AT LAUNCH]

## 1. Scope

This Privacy Policy describes how Backt collects, uses, and discloses information about you when you use the Service. Capitalized terms not defined here have the meaning given in the Terms of Service.

## 2. Information We Collect

**Account information.** Email address, display name, role (investor or capper), password hash.

**Payment information.** Processed and stored by Stripe, our payment processor. Backt receives only tokens and event metadata; we do not store full card numbers.

**Kalshi API keys (if you enable Auto or Notify modes).** Your Kalshi API key ID and RSA private key are encrypted at rest using Supabase Vault and are accessible only by Backt's server-side execution code. We never log keys in plaintext. Keys are used only to place orders authorized by you in response to picks from cappers you follow.

**Activity data.** Picks you post (capper) or follow (investor), subscription status, Kalshi execution log, engagement mode per capper.

**Technical data.** IP address, browser type, device identifiers, approximate geolocation (for state eligibility gating).

## 3. How We Use Information

We use your information to:
- Provide and improve the Service
- Process subscription payments via Stripe
- Execute Kalshi orders authorized by you
- Send transactional notifications (pick delivery, balance warnings, settlement confirmations)
- Detect fraud and abuse
- Comply with legal obligations (tax reporting, subpoenas, court orders)
- Communicate with you about the Service

## 4. Sharing

We share information with:
- **Stripe** — for subscription billing
- **Kalshi** — for order execution, when you enable Auto or Notify mode
- **Supabase** — our infrastructure provider
- **Cappers you follow** — they see aggregate subscriber counts, not individual investor identities
- **Law enforcement** — when required by valid legal process

We do not sell your personal information.

## 5. California Consumer Rights (CCPA)

California residents have the right to:
- Know what personal information we collect, use, and share
- Delete their personal information (subject to legal retention requirements)
- Opt out of the sale of personal information (we do not sell personal information, so no opt-out request is needed)
- Non-discrimination for exercising these rights

To exercise these rights, contact [support@backt.app]. We will verify your identity before responding.

## 6. Data Retention

- Account information: retained while your account is active, then for 7 years after closure for tax and compliance purposes
- Picks and execution records: 7 years (CFTC recordkeeping requirement for registered CTAs)
- Kalshi keys: deleted within 24 hours of revocation request
- Payment records: per Stripe's retention policies and applicable tax law

## 7. Security

- Passwords stored as bcrypt hashes (never plaintext)
- Kalshi RSA private keys encrypted at rest via Supabase Vault (pgsodium-based)
- All client-server traffic over HTTPS/TLS
- Row-level security on all user data tables
- Service-role access restricted to edge functions

No system is perfectly secure. If we learn of a breach that compromises your information, we will notify you within 72 hours as required by law.

## 8. Children's Privacy

The Service is not intended for anyone under 18. We do not knowingly collect information from minors. If you believe we have collected information from a minor, contact us immediately.

## 9. International Users

Backt is operated from the United States. If you access the Service from outside the US, you consent to the transfer of your information to the US for processing.

Users in the European Economic Area have additional rights under GDPR, including the right to access, correct, delete, restrict processing of, or port their personal data. Contact [support@backt.app] to exercise these rights. We rely on legitimate interest (providing the Service) and contract performance as lawful bases under GDPR.

## 10. Changes to This Policy

Material changes will be announced with 30 days' notice. Continued use after the effective date constitutes acceptance.

## 11. Contact

[support@backt.app]
