1. Overview
Plutheia ("we", "us", "our") takes your privacy seriously. This Privacy Policy explains what personal data we collect when you use our platform, how we use it, and the rights you have over your data.
This Policy applies to all users of plutheia.com and any associated mobile or desktop applications. It complies with the UK GDPR, the EU General Data Protection Regulation (2016/679), and the California Consumer Privacy Act (CCPA).
2. Data We Collect
2.1 Account Data
When you create an account, we collect:
- Email address — used for login, notifications, and support.
- Name — displayed in your profile and Telegram notifications.
- Password — stored as a one-way bcrypt hash. We cannot recover it.
- Profile picture URL — if you sign in via Google OAuth.
- Google subject ID — if you sign in via Google OAuth.
2.2 Risk Consent Record
At signup we record the timestamp and version of the risk disclosure you acknowledged. This record is required for regulatory and audit purposes and cannot be deleted.
2.3 Security & Authentication Data
- Login timestamps, login count, and IP address (last login only).
- Two-factor authentication status and encrypted TOTP secret (if you enable 2FA).
- Hashed one-time backup codes (if you enable 2FA).
- Session tokens stored in an
httpOnlycookie.
2.4 Trading Configuration
User-defined trading settings (risk percentage, position limits, scanner thresholds, mode selection) stored in our database. This is configuration data, not financial account data.
2.5 Trade & Order Data
When automated execution is active, we log order submissions, fills, and closes for your account. This includes: ticker symbol, order type, quantity, price, timestamps, and broker order IDs. This data is necessary to provide the Service.
2.6 Telegram Data
If you connect Telegram, we store your Telegram chat ID to send you notifications. We do not store the content of Telegram messages after they are sent.
2.7 Usage & Technical Data
We collect standard server logs including your IP address, browser type, pages visited, and timestamps. These are used for security monitoring and service reliability. We do not sell this data.
3. How We Use Your Data
- Providing the Service — running the trading engine, generating pattern alerts, placing orders with your broker.
- Account security — authentication, 2FA, session management, detecting suspicious activity.
- Notifications — sending Telegram and email alerts about technical signals, trade activity, and account events.
- Customer support — investigating issues you report.
- Legal compliance — maintaining records required by applicable law.
- Service improvement — aggregate, anonymised analytics to improve the platform.
We do not use your data to train AI models, sell advertising, or profile you for third-party marketing purposes.
4. Legal Basis for Processing (GDPR)
For users in the UK and EU, we process your personal data under the following legal bases:
- Contract (Art. 6(1)(b)) — processing necessary to provide the Service you have signed up for.
- Legitimate interest (Art. 6(1)(f)) — security monitoring, fraud prevention, service improvement.
- Legal obligation (Art. 6(1)(c)) — retaining consent records and order history as required by applicable law.
- Consent (Art. 6(1)(a)) — marketing communications (if you opt in). You may withdraw consent at any time.
5. Data Sharing
We do not sell your personal data. We share data only with:
- Hosting & infrastructure — cloud providers (currently Vercel for the web app, Railway/AWS for the trading engine) who process data on our behalf under data processing agreements.
- Email delivery — Resend (resend.com) for transactional emails (password resets, alerts). Resend receives your email address.
- Database — Supabase or managed PostgreSQL for data storage.
- Bot protection — Cloudflare Turnstile at signup. Cloudflare processes the challenge token; we receive only a pass/fail result. No personal data is retained by Cloudflare from this interaction beyond their standard network logs.
- Legal requirements — we may disclose data if required by law, court order, or to protect our legal rights.
6. Broker API Credentials
If you connect a brokerage account, you provide API credentials (key and secret). These are stored encrypted using AES-256-GCM with a unique nonce per credential pair. The encryption key is stored separately from the database. Credentials are never logged or transmitted in plaintext.
We use your broker credentials solely to place, modify, and cancel orders on your behalf as directed by the Platform. We do not share them with any third party.
You can revoke access at any time by rotating your API keys in your broker's dashboard or by disconnecting the broker in Plutheia Settings.
7. Cookies & Tracking
We use the following cookies:
- Session cookie (
payload-token) — anhttpOnly,Secure,SameSite=LaxJWT cookie required for authentication. Without it, you cannot use the Service. It expires when you sign out, or after 30 days if you selected "Stay signed in".
We do not use advertising trackers, third-party analytics cookies, or fingerprinting. We may add privacy-respecting, server-side analytics in the future; we will update this section if we do.
8. Data Retention
- Account data — retained while your account is active and for up to 2 years after deletion, to comply with legal obligations.
- Risk consent record — retained indefinitely as a legal record. It cannot be deleted.
- Trade & order history — retained for 7 years as required by financial record-keeping regulations.
- Server logs — retained for 90 days.
- Session tokens — invalidated on sign-out; expired tokens are deleted within 24 hours.
9. Security
We implement appropriate technical and organisational measures to protect your data:
- Passwords hashed with bcrypt (cost factor 12).
- Broker credentials encrypted with AES-256-GCM.
- TOTP secrets encrypted with AES-256-GCM.
- All data transmitted over TLS 1.2+.
- Session cookies are
httpOnlyandSecure. - Two-factor authentication available (and encouraged) for all accounts.
- Database access restricted to application servers only.
No system is completely secure. If you discover a security vulnerability, please disclose it responsibly to security@plutheia.com.
10. Your Rights
UK & EU Users (UK GDPR / EU GDPR)
You have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion of your data (subject to legal retention requirements).
- Restriction — ask us to restrict processing in certain circumstances.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — where processing is based on consent.
- Lodge a complaint — with your national data protection authority (UK: ICO at ico.org.uk).
California Users (CCPA)
California residents have the right to:
- Know what personal information is collected and how it is used.
- Delete personal information (subject to legal retention).
- Opt out of the sale of personal information — we do not sell personal information.
- Non-discrimination for exercising CCPA rights.
To exercise any of these rights, contact us at privacy@plutheia.com. We will respond within 30 days (or 45 days where permitted).
11. International Data Transfers
Your data may be processed outside your country of residence, including in the United States. Where we transfer data from the UK or EU to third countries, we do so under appropriate safeguards such as Standard Contractual Clauses (SCCs) or equivalent mechanisms.
12. Children's Privacy
The Service is not directed at individuals under 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, contact us immediately at privacy@plutheia.com and we will delete the account.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a prominent notice on the Platform. The "Last updated" date at the top of this page reflects the most recent revision.
14. Contact & Data Protection
For privacy-related queries, data subject requests, or to report a concern:
- Email: privacy@plutheia.com
- Security disclosures: security@plutheia.com
- General support: support@plutheia.com
We aim to respond to all privacy requests within 30 days.