Legal
Privacy Policy
1. Who we are
NavStak is software for paper-first futures analysis and optional exchange-connected automation. The �controller� (or equivalent) of personal data processed by this instance is the Operator who deploys and runs it.
Legal entity: [To be designated]
Domain: [To be designated]
Privacy contact: [To be designated]
2. Scope
This Policy covers the boarding site, Mission console, account/User Center, paper trial data stored by this instance, vault features, share links, Ava help assistant, and related APIs on this deployment. It does not control how third parties (exchanges, AI providers, social networks) process data under their own policies when you use their services with your own accounts or keys.
3. Data we process
Depending on how you use the Service, we may process:
3.1 Account & identity
- Email address, verification status, password hash (if you register with password)
- Phone number and verification status (if you use SMS OTP)
- Display name, timezone, agent preferences, risk acknowledgements
- Optional social handles you save (e.g., X, Instagram, Telegram, Meta) and, if used, OAuth identifiers from those platforms
- Session tokens and approximate IP / user-agent for security
3.2 Vault secrets (sensitive)
- Exchange API credentials you choose to store (encrypted at rest with the instance vault key)
- AI provider API keys you choose to store (encrypted at rest)
- Probe metadata (e.g., whether a futures probe succeeded, timestamps)�not full secret values in logs by design
3.3 Trading & product data
- Paper portfolio state, open/closed trades, equity samples, risk state for this instance
- UI settings (style, aggression, focus pair, paper/live preference)
- Ranks, marks, and analytics caches derived from market data
- Optional shared performance cards you generate (public link content you choose to share)
3.4 Technical & diagnostic data
- Server logs (errors, auth events, bot lifecycle)�may include IP and path
- Audit events in the account database (e.g., vault save, social link, login)
We do not intentionally collect government ID documents or full payment card numbers through NavStak unless a future billing feature is added and disclosed.
4. How we use data
- Provide and secure accounts, sessions, and User Center features
- Run paper simulation and (if you enable) live-related probes or automation with your keys
- Personalize Mission (styles, aggression, focus, agent defaults)
- Operate optional AI features using keys you supply
- Show linked social handles you saved; optional OAuth verification when configured
- Prevent abuse, debug faults, and maintain audit trails
- Comply with law and enforce the Terms of Service
We do not sell your personal information. We do not use your vault secrets to trade for the Operator�s account.
5. Legal bases (where GDPR/UK GDPR or similar applies)
Where required, we rely on:
- Contract � to provide the Service you request (account, paper book, features you enable);
- Legitimate interests � security, fraud prevention, product improvement of this instance, limited analytics of technical logs;
- Consent � where required (e.g., certain cookies or optional marketing if ever added);
- Legal obligation � when we must retain or disclose data under applicable law.
6. Sharing & processors
Data may be processed by:
- You / your browser � local storage of UI state; device security is your responsibility on shared machines;
- Infrastructure host � if the Operator deploys on a VPS/cloud (hosting, backups, logs);
- Email/SMS providers � if configured for OTP (e.g., SMTP, Twilio);
- Exchanges � when you use your API keys (they receive authentication and trading-related requests);
- AI providers � when you use BYOK features (prompts/responses under their policies);
- Social platforms � when you use OAuth or open share intents;
- Authorities � if legally required.
Self-hosted single-user deployments may keep almost all data on the Operator�s machine only; multi-user deployments increase the Operator�s responsibility as a service host.
7. Retention
- Account data � for as long as your account exists, then deleted or anonymized within a reasonable period unless law requires longer retention;
- Vault secrets � until you delete them or the account is removed; encrypted at rest while stored;
- Paper trading history � until reset/archive/delete features remove them or the instance is wiped;
- Logs / audit � typically for a limited operational window (days to months) unless needed for security investigations;
- Public share links � until they expire or are revoked.
8. Security
We implement reasonable technical measures appropriate to a software product of this type, including password hashing, session cookies, encryption of vault secrets with an instance master key, and optional localhost-only binding for self-hosted use. No method is 100% secure. You must protect your device, master keys, and exchange permissions. Prefer futures-trade-only API keys without withdraw/transfer.
9. International transfers
If the Operator or a processor is located in another country, your data may be processed there. Where required, appropriate safeguards (such as standard contractual clauses or adequacy decisions) should be implemented for commercial multi-region hosting.
10. Your rights
Depending on your location, you may have rights to:
- Access, correct, or delete personal data;
- Export certain data;
- Object to or restrict certain processing;
- Withdraw consent where processing is consent-based;
- Lodge a complaint with a supervisory authority.
To exercise rights, contact the Operator using the contact method for this instance. You can also delete vault keys and unlink social handles in User Center where available. Account deletion may be requested from the Operator until self-serve delete is offered.
11. Children
The Service is not directed to children under 16 (or higher age if required locally). We do not knowingly collect personal data from children. If you believe we have, contact the Operator to request deletion.
12. Cookies & local storage
We use essential cookies or similar storage for sessions (e.g., sign-in cookie) and local UI preferences. We do not currently use third-party advertising cookies. If analytics cookies are added later, this Policy will be updated and consent obtained where required.
13. Changes
We may update this Policy by posting a new version on this page and changing the �Last updated� date. Continued use after the effective date means you accept the updated Policy, except where consent is required by law for a specific change.
14. Contact
Privacy inquiries: contact the Operator of this NavStak instance.
Legal entity: [To be designated]
Domain: [To be designated]
Email: [To be designated]