# Privacy Policy

- **Status:** DRAFT · 2026-05-06 · prepared by engineer for owner review · NOT yet attorney-reviewed · NOT YET PUBLISHED to customers
- **Service:** Hunter Killer (the "Service") · operated by Irishman Management LLC ("we", "us")
- **Effective date:** [TO BE FILLED on publication]
- **Last revised:** 2026-05-06

> **Engineer note to owner:** Conservative starting template covering federated-design principles, k-anonymization, and crypto-platform-specific data handling. Sections marked **⚖ ATTORNEY PASS** require legal review for region-specific compliance (GDPR for EU users, CCPA/CPRA for California, PIPEDA for Canada, LGPD for Brazil if applicable).

---

## 1 · Summary

We collect the minimum data needed to operate the Service. We do not sell your data. We do not run third-party advertising trackers. Your trade journal, API keys, and account preferences are stored per-tenant and isolated from other users by construction.

## 2 · What we collect

| Category | Data | Why | Retention |
|---|---|---|---|
| Account | Email address, password hash (bcrypt), 2FA secret, signup timestamp | Authentication, account recovery | Until account deletion + 30d grace |
| API keys | Exchange API keys + secrets (encrypted at rest with per-tenant HKDF-derived AES-GCM keys) | Required for the dashboard to read your balances and place trades when you instruct | Until you delete the key OR the account |
| Trade journal | Closed positions (symbol, side, entry/exit prices, P&L, your notes/tags/ratings) | Performance review, calendar, equity curve | Indefinite while account active; purged on account deletion |
| Equity snapshots | Daily account-level USD totals | Equity-curve charts | Indefinite while account active |
| Settings | Notification preferences (email, Telegram chat ID, severity threshold), alert categories | Routing notifications | Until you change them or delete account |
| Session | Login session ID, IP address, user agent | Security (anomaly detection, session lockout) | 30 days after session ends |
| Support tickets | Subject, message, optional reply email, page context, IP, user agent | Triaging your support requests | 90 days after resolution |
| Engineer journal entries (operator-side) | Owner audits (engineer pulse, calibration runs, ticket alerts) | Operational integrity | Indefinite (this is platform-internal, not your data) |

We **do not collect**:

- Your trading positions while open (we read them live from the exchanges via your API keys; we don't store snapshots)
- The content of your private exchange wallets beyond what your API keys grant us
- Browser fingerprinting, cross-site cookies, or third-party advertising IDs
- Voice or video data

## 3 · How we use your data

- **To operate the Service:** authenticate you, render dashboards, route alerts, store your journal entries
- **To improve calibration models:** aggregate (k-anonymized, minimum 3 distinct tenants per bucket) signals derived from platform-wide usage. Per-tenant attribution never leaks across tenants.
- **To respond to support:** read your ticket text and any attachments you provide
- **To meet legal obligations:** respond to lawful subpoenas, court orders, or regulatory requests
- **To prevent abuse:** detect and block automated attacks, account takeovers, or terms violations

## 4 · Federated-design isolation

Every dashboard endpoint that returns customer-contributed data is scoped by a `tenant_id` derived from your authenticated session. Cross-tenant data access is impossible by construction:

- Trade journal queries filter `WHERE tenant_id = ?`
- API key lookups filter by tenant
- Notification dispatch reads only your tenant's preferences
- Aggregate platform analytics (e.g., wallet-consensus verdicts across users) require a minimum of 3 distinct tenants in the bucket; below that, no aggregate is exposed
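
As an added illustration of the minimum-3-tenants rule above (example code, not the Service's own), the following Go function takes a stream of per-tenant signals, groups them by bucket and releases a tally only where at least 3 distinct tenants contributed. The `Signal` shape and the verdict values are constructed for the example; the page defines no schema.

```go
package main

// Signal is one tenant's contribution to a platform-wide bucket, for example a
// wallet-consensus verdict (constructed shape; the page defines no schema).
type Signal struct {
	TenantID string
	Bucket   string // what the verdict is about, e.g. a wallet address
	Verdict  string // constructed vocabulary, e.g. "suspicious" or "clean"
}

// MinTenants is the floor from the policy: below 3 distinct tenants no aggregate is exposed.
const MinTenants = 3

// Aggregate is all a tenant may see for a bucket: how many tenants and the tally, never who.
type Aggregate struct {
	Tenants int
	Counts  map[string]int
}

// ReleaseAggregates groups signals by bucket and releases only buckets that clear
// MinTenants. It counts distinct tenants, not rows: a single tenant submitting
// many signals must neither unlock a bucket on its own nor outvote the others.
func ReleaseAggregates(signals []Signal) map[string]Aggregate {
	latest := map[string]map[string]string{} // bucket -> tenant -> latest verdict
	for _, s := range signals {
		if latest[s.Bucket] == nil {
			latest[s.Bucket] = map[string]string{}
		}
		latest[s.Bucket][s.TenantID] = s.Verdict
	}
	out := map[string]Aggregate{}
	for bucket, byTenant := range latest {
		if len(byTenant) < MinTenants {
			continue // suppressed: too few contributors to hide any one of them
		}
		agg := Aggregate{Tenants: len(byTenant), Counts: map[string]int{}}
		for _, v := range byTenant {
			agg.Counts[v]++
		}
		out[bucket] = agg
	}
	return out
}
```

The floor protects contributors from outsiders; in a bucket of exactly 3 tenants with a 2-to-1 split, a contributor who knows their own verdict can still infer the other two, which is why the threshold is a minimum rather than a target.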

When the operator (Irishman Management LLC) needs to access a specific tenant's data for support reasons, the access is logged in an append-only `cross_tenant_access_log` table with timestamp, justification, and operator user ID.

## 5 · Encryption and storage

- API keys and secrets: AES-GCM encrypted at rest using per-tenant keys derived via HKDF-SHA256 from a platform master key held in operator-side secrets (never in customer-facing code). Compromise of one tenant's encrypted blobs does not affect other tenants.
- Passwords: bcrypt-hashed with per-account salt.
- 2FA secrets: stored encrypted; secrets never appear in our logs or support tooling.
- Database: hosted on operator-managed infrastructure; backups are encrypted in transit and at rest.

## 6 · Third parties

We share data with:

- **Stripe** — payment processing. They receive your name and payment details (not your trade data).
- **Bybit / OKX / Deribit / Coinbase / Hyperliquid** — your API keys flow to these exchanges when you use the Service to read your account or place trades. The exchanges have their own privacy policies. ⚖ ATTORNEY PASS — exchange data-flow disclosure requirements vary under EU/UK MiCA and US state laws.
- **Email service [TBD]** — transactional emails (signup verification, password reset, billing receipts, alerts). Your email address is shared.
- **Telegram (optional)** — when you configure a Telegram chat ID for alerts, our bot sends messages to that chat using the platform's TELEGRAM_BOT_TOKEN. Telegram's privacy policy applies to the chat content.

We do NOT share data with:

- Advertising networks
- Data brokers
- Analytics platforms that track individual users (we use aggregate logs only)

## 7 · Your rights

⚖ **ATTORNEY PASS — region-specific rights subsections (GDPR Art. 13/15/17/20, CCPA §1798.100, etc.) require precise wording**

Subject to applicable law, you have the right to:

- **Access** your data — use the Settings → Data export card to download CSV/JSON copies of your trade journal, equity curve, and settings
- **Correct** inaccurate data — update via Settings or by contacting support
- **Delete** your account — Settings → Danger Zone → Delete account. 30-day grace period; permanent purge after.
- **Port** your data — exports are in standard CSV / JSON formats consumable by other platforms
- **Object** to processing — for marketing emails, unsubscribe via email link or notification preferences. For service operation, you can stop processing by deleting your account.
- **Restrict** processing — pause account by emailing support; we'll suspend operations while keeping data intact for restoration

For EU residents (GDPR), California residents (CCPA/CPRA), and other regulated regions, additional rights and processes apply. Contact [PRIVACY_EMAIL] to exercise rights specific to your jurisdiction.

## 8 · Data retention

| Data | Retention |
|---|---|
| Active account data (journal, settings, keys) | Until you delete |
| Soft-deleted account data | 30 days, then hard-purged |
| Session logs | 30 days |
| Support tickets | 90 days post-resolution |
| Billing records | 7 years (legal/tax requirement) ⚖ ATTORNEY PASS |
| Aggregate (k-anonymized) platform analytics | Indefinite — these are not personal data |
| Operator audit logs (platform integrity) | Indefinite — operational record |

## 9 · Children's privacy

The Service is not intended for users under 18. We do not knowingly collect data from anyone under 18. If you believe we have such data, contact [PRIVACY_EMAIL] and we will delete it.

## 10 · International data transfers

Operator infrastructure is currently in [LOCATION TBD: e.g., Hetzner SG datacenter]. EU users' data may be transferred to that location. We rely on Standard Contractual Clauses for any data transfers leaving the EU.

⚖ ATTORNEY PASS — international transfer mechanism (SCCs, adequacy decisions, BCRs) requires jurisdiction-specific review.

## 11 · Security

We follow industry-standard practices:

- All connections require HTTPS (currently served via Tailscale Funnel in the operator's setup)
- Passwords are bcrypt-hashed
- API keys are AES-GCM encrypted with per-tenant keys
- 2FA available and recommended for all accounts
- Access to operator infrastructure is restricted via SSH keys + IP allowlisting

We cannot guarantee absolute security. If we discover a data breach, we will notify affected users without unreasonable delay (within 72 hours for EU residents per GDPR Art. 33-34).

## 12 · Changes to this Policy

Material changes will be announced via:

- Email to your account address with at least 14 days' notice
- Banner on the dashboard
- "Last revised" date update at the top of this document

## 13 · Contact

- Privacy-specific questions: [PRIVACY_EMAIL]
- General contact: [SUPPORT_EMAIL]
- Mailing address: 1931 Cordova Rd., Fort Lauderdale, FL 33316

For EU residents: data protection officer (DPO) contact [TBD if required by GDPR Art. 37 — may not be required for our scale; counsel review].
