🔒 Privacy Policy
Last Updated: 2026-02-09
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our trading automation platform.
1. Information We Collect
1.1 Information You Provide
| Data Type |
Purpose |
Retention |
| Email address |
Account identification, communications |
Until account deletion |
| Password (hashed) |
Authentication |
Until account deletion |
| Brokerage API keys (encrypted) |
Trade execution |
Until you revoke or delete |
| Trading preferences |
Strategy configuration |
Until account deletion |
1.2 Information Collected Automatically
- Usage Data: Pages visited, features used, actions taken
- Device Information: Browser type, operating system, IP address
- Trading Activity: Agent performance, trade history (through your brokerage)
- Log Data: Server logs for debugging and security
1.3 Information We Do NOT Collect
- Your brokerage account password
- Your bank account information
- Your Social Security Number
- Personal financial statements
2. How We Use Your Information
- Service Delivery: Execute trades, run strategies, display dashboards
- Account Management: Authentication, support, billing
- Improvements: Analyze usage to improve features
- Communications: Service updates, alerts, marketing (with consent)
- Security: Detect fraud, protect against unauthorized access
- Legal Compliance: Meet regulatory requirements
3. API Key Security
Your API keys are treated with the highest security:
- Encrypted at rest using AES-256 encryption
- Encryption keys stored separately from encrypted data
- Keys only decrypted in isolated execution environment
- Never logged or displayed in plain text
- Access restricted to essential personnel only
- Regular security audits conducted
4. Information Sharing
We do NOT sell your personal information. We may share information only:
- With Your Brokerage (Alpaca Markets): API calls to execute your trades. Alpaca receives your API key and trade instructions.
- Market Data Providers: We receive data from Polygon.io and Yahoo Finance. We do NOT share your personal information with them.
- Service Providers: Hosting, analytics (bound by confidentiality)
- Legal Requirements: When required by law or legal process
- Business Transfers: In case of merger or acquisition (with notice)
- With Your Consent: When you explicitly authorize sharing
4.1 Third-Party Services
| Provider |
Purpose |
Data Shared |
| Alpaca Markets |
Trade execution, account data |
Your API key, trade orders |
| Market Data Providers |
Historical & real-time market data |
None (we use our own API keys) |
| Keycloak (Self-hosted) |
Authentication |
Email, password hash |
5. Data Retention
| Data Type |
Retention Period |
| Account information |
Until account deletion + 30 days |
| API keys |
Until you delete or revoke access |
| Trading history |
7 years (regulatory requirement) |
| Server logs |
90 days |
| Analytics data |
26 months (anonymized) |
6. Your Rights
Depending on your location, you may have the following rights:
6.1 All Users
- Access: Request a copy of your data
- Correction: Update inaccurate information
- Deletion: Delete your account and data
- API Key Revocation: Remove brokerage connections
6.2 California Residents (CCPA)
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt-out of sale of personal information (we don't sell)
- Right to non-discrimination for exercising rights
6.3 EU/UK Residents (GDPR)
- Right to access, rectification, erasure
- Right to data portability
- Right to restrict processing
- Right to object to processing
- Right to withdraw consent
- Right to lodge complaint with supervisory authority
7. Cookies and Tracking
We use cookies for:
- Essential: Authentication, session management
- Functional: Remembering your preferences
- Analytics: Understanding usage patterns (can be disabled)
You can control cookies through your browser settings.
8. Security Measures
- HTTPS encryption for all data transmission
- Regular security assessments and penetration testing
- Employee access controls and training
- Incident response procedures
- Regular backups with encryption
9. Third-Party Links
Our Service may contain links to third-party websites (e.g., Alpaca, educational resources). We are not responsible for their privacy practices. Review their policies before providing information.
10. Children's Privacy
Our Service is not intended for users under 18 years of age. We do not knowingly collect information from children. If you believe a child has provided us with personal information, please contact us.
11. International Transfers
Your information may be processed in countries other than your own. We ensure appropriate safeguards are in place for international transfers.
12. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes via email or prominent notice on the Service. Your continued use after changes constitutes acceptance.
13. Contact Us
For privacy-related questions or to exercise your rights:
For EU residents, our Data Protection Officer can be reached at: legal@bened.works