Privacy Policy

1. Information We Collect

• Account information: email address, password hash, display name.
• Alpaca brokerage credentials: Alpaca API key and secret (paper and/or live), or OAuth access tokens issued by Alpaca, stored encrypted at rest. Used solely to read your account state and to place orders that you have explicitly configured.
• Bot configuration: strategy settings, risk parameters, symbols, schedules, and other inputs you provide when building or editing a bot.
• Trade and performance data: orders, fills, positions, account balance snapshots, and computed performance metrics for bots you operate through the Service.
• User-generated content: strategy descriptions, prompts, comments, marketplace listings, and any text you submit to the AI-assisted strategy builder.
• Billing information: we do not store payment card numbers. Payments are processed by Stripe; we receive and store only the Stripe customer ID, subscription status, and the last four digits and brand of the card for display.
• Usage and diagnostic data: pages visited, features used, IP address, browser, device type, referrer, timestamps, and error reports (via Sentry and PostHog) for service operation and improvement.
• Communications: emails you send to our support, legal, or privacy mailboxes; Telegram messages exchanged with our notification bot if you opt in.

2. How We Use Your Information

• To operate, maintain, and execute your trading bots against your connected Alpaca brokerage account (paper or live).
• To authenticate your account and secure access to the Service.
• To compute and display performance, risk, and attribution metrics.
• To send transactional emails and, if opted in, Telegram notifications (trade alerts, weekly digests, security notices).
• To process subscription payments through Stripe and manage your billing.
• To improve the platform, debug issues, monitor uptime, and detect abuse.
• To comply with legal obligations and respond to lawful requests.

3. Alpaca Brokerage Credentials and Trading Authority

When you connect an Alpaca account, you grant Botfolio authority to read account information and, if you deploy a bot to that account, to place orders on your behalf in accordance with the strategy you configured. Credentials are encrypted at rest using authenticated encryption. We never share your Alpaca credentials with third parties. You can revoke our access at any time by deleting the API key from your Alpaca dashboard, by disconnecting the OAuth grant from your Alpaca account settings, or by removing the credentials from your Botfolio account.

Botfolio supports both Alpaca paper trading and Alpaca live trading. Live trading is opt-in: a bot will not place live orders unless you explicitly configure it for a live Alpaca account and deploy it. You are responsible for the configuration and the consequences of every bot you deploy.

4. Use of AI and Large Language Models

Botfolio uses third-party large language model (LLM) providers — currently DeepSeek, Google (Gemini), and OpenAI — to convert your plain-English strategy descriptions into structured bot configurations, to analyze trades, and to power other AI-assisted features. When you use these features, the text you submit, along with related context (such as recent trade history or strategy parameters relevant to the request), is transmitted to the selected provider and processed under that provider's terms. We do not knowingly send your Alpaca credentials, plaintext passwords, or payment card data to any LLM provider.

5. Third-Party Service Providers

We rely on the following processors to operate the Service. Each one processes only the data necessary for its function and is bound by its own terms and privacy policy:

• Alpaca Securities LLC / Alpaca Crypto LLC: brokerage execution.
• Supabase (PostgreSQL hosting, US): primary database.
• Stripe: subscription billing and payment processing.
• Polygon.io / Massive: equities and options market data.
• DeepSeek, Google, OpenAI: LLM inference for AI features.
• Resend (outbound) and Cloudflare Email Routing (inbound): transactional and inbound email.
• Cloudflare: DNS, CDN, WAF, and Cloudflare Tunnel for transport.
• Telegram: optional notification channel.
• Sentry and PostHog: error monitoring and product analytics.
• Amazon Web Services (Simple Email Service): bounce and complaint handling on outbound mail.

6. Information Sharing and Disclosure

We do not sell, rent, or trade your personal information. We share data only:

• With the service providers listed above, to the extent necessary to operate the Service.
• In aggregated and anonymized form (such as average returns across a strategy or marketplace leaderboards) where the data cannot reasonably be used to identify you.
• When required by law, valid legal process, or to protect the rights, property, or safety of Botfolio, our users, or the public.
• In connection with a merger, acquisition, financing, or sale of assets, in which case we will provide notice before your information is transferred and becomes subject to a different privacy policy.

7. International Data Transfer

Botfolio operates servers and uses processors primarily located in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the Service you consent to that transfer.

8. Data Security

We use industry-standard practices to protect your data. All web traffic is served over HTTPS. Alpaca credentials are encrypted at rest using authenticated symmetric encryption with a key stored outside the database. Passwords are hashed using a modern key-derivation function. Database access is restricted to the Service and its operators. No system is completely secure; we cannot guarantee absolute security and you use the Service at your own risk.

9. Data Retention and Deletion

We retain account data while your account is active. You may request deletion of your account and associated personal data at any time by emailing [email protected]. We will delete or anonymize your personal data within 30 days of a valid request, except where retention is required by law, by our financial or tax record-keeping obligations, or for the resolution of disputes. Aggregated, anonymized performance data may be retained indefinitely.

10. Your Rights

You may access, correct, export, or delete your personal data at any time by contacting [email protected]. If you are a resident of the European Union, the United Kingdom, or the European Economic Area, you have additional rights under the GDPR, including the right to data portability and the right to object to or restrict processing. If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete it, and the right not to be discriminated against for exercising these rights. We do not sell personal information as defined under the CCPA.

11. Cookies and Tracking

We use first-party session cookies to keep you logged in and remember preferences. We use PostHog for product analytics and Sentry for error monitoring. We do not use third-party advertising cookies and we do not participate in cross-site behavioral advertising.

12. Children's Privacy

Botfolio is not directed to and is not intended for use by anyone under 18 years of age. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from a person under 18, we will delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced by email or by an in-app notice at least 14 days before they take effect. Continued use of the Service after the effective date of an updated policy constitutes acceptance of the updated terms.

14. Contact

Privacy inquiries: [email protected]
General support: [email protected]
Mailing address: Alejandro Verdin, dba Botfolio, 1500 Lincoln Street, North Chicago, IL 60064, USA