Privacy Policy
Last Updated: [DATE — update before publishing]
Effective Date: [DATE — update before publishing]
1. Introduction
This Privacy Policy describes how Prometheus ("we", "us", "our") collects, uses, and protects information from users ("you") of our website, dashboard, API, and related services (collectively, the "Service").
By using the Service, you consent to the practices described here. If you do not agree, do not use the Service. This Privacy Policy should be read alongside our Terms of Service.
2. Information We Collect
2.1 Information You Provide
- Email address — required for account creation, login, and service communications
- Name or username — optional, displayed on your account
- Payment information — processed by our payment processor (e.g., Stripe). We do not store full credit card numbers; we receive only a payment token and transaction metadata
- Communications — messages you send to support, feedback forms, or survey responses
2.2 Information Collected Automatically
- Usage data — pages viewed, scanner runs, API calls made, features used, timestamps
- Device and browser data — IP address, browser type, operating system, device type, screen size, referrer URL
- Log data — server logs including request paths, status codes, error traces
- Cookies and similar technologies — session cookies for authentication, analytics cookies to understand usage
2.3 Information We Do NOT Collect
We never collect, store, or transmit:
- Exchange API keys, secret keys, or tokens
- Passwords for any third-party service
- Cryptocurrency wallet private keys or seed phrases
- Wallet addresses (unless voluntarily provided in support tickets)
- Tax identification numbers, Social Security numbers, or other government IDs
- Bank account or routing numbers
- Trading history at exchanges (you retain that data at your exchange)
If you voluntarily share any of the above in support communications, we will advise you to redact it and will not retain it in our systems.
3. How We Use Information
We use collected information to:
- Provide the Service — authenticate you, deliver data, process API requests, send alerts you've opted into
- Improve the Service — understand usage patterns, identify bugs, develop new features
- Process payments — via third-party processors
- Communicate — send service announcements, product updates, and (if you opt in) marketing emails
- Enforce our Terms — detect abuse, fraud, or prohibited use
- Comply with law — respond to legal requests, protect rights
4. Legal Basis For Processing (GDPR)
For users in the European Economic Area, United Kingdom, or Switzerland, we process personal data under the following legal bases:
- Performance of a contract — providing the Service you signed up for
- Legitimate interests — security, fraud prevention, product improvement
- Consent — marketing communications, optional analytics cookies
- Legal obligation — compliance with applicable laws
You may withdraw consent at any time without affecting lawful processing already performed.
5. Sharing And Disclosure
We do not sell your personal information.
We may share information with:
- Service providers — cloud hosting, email delivery, analytics, payment processing — bound by confidentiality and data protection obligations
- Legal authorities — when required by law, court order, or to protect our rights, safety, or property
- Acquirers — if we're part of a merger, acquisition, or sale of assets, information may transfer (you'll be notified)
- With your consent — any other sharing requires explicit consent
6. Third-Party Services
We rely on third-party services to operate. Their privacy policies govern their handling of your data:
- Stripe (or equivalent payment processor) — payment processing
- Hosting provider (AWS, Cloudflare, or similar) — infrastructure
- Email provider (e.g., Postmark, SendGrid) — transactional email
- Analytics (e.g., Plausible, Google Analytics) — anonymized usage
- Anthropic API — AI-generated content in verdicts (we send de-identified market data, not user-specific information)
- Cryptocurrency data providers (CoinGecko, Finnhub, Polygon, Etherscan, etc.) — market data retrieval (no user data sent)
Review their respective policies before using the Service.
7. Cookies And Tracking
We use cookies for:
- Essential functions — session management, authentication (required for the Service to work)
- Preferences — remembering your settings (language, theme)
- Analytics — understanding aggregate usage patterns
You can manage or disable cookies through your browser settings. Disabling essential cookies may prevent parts of the Service from working.
We do not use cookies for cross-site advertising or behavioral profiling.
8. Data Security
We implement reasonable technical and organizational measures to protect your information, including:
- Encryption in transit (TLS/HTTPS)
- Encryption at rest for sensitive fields, and hashing of passwords
- Access controls limiting who can view user data
- Regular security updates and monitoring
No system is perfectly secure. You acknowledge that transmitting data over the internet involves inherent risk, and we cannot guarantee absolute security.
If we discover a data breach that affects your personal information, we will notify you and applicable regulators in accordance with applicable law.
9. Data Retention
We retain personal data for as long as necessary to:
- Provide the Service
- Comply with legal obligations
- Resolve disputes
- Enforce our agreements
Specifically:
- Account data — retained while your account is active, plus up to 24 months after closure for fraud prevention and legal compliance
- Usage logs — typically 12 months, anonymized thereafter
- Payment records — retained per tax and financial-reporting obligations (typically 7 years in the US)
- Support communications — 24 months after resolution
You can request earlier deletion (see Section 10), subject to legal obligations that may require retention.
10. Your Rights
10.1 General Rights
You may:
- Access the personal information we hold about you
- Correct inaccurate or incomplete data
- Delete your data (subject to retention obligations above)
- Export your data in a portable format
- Object to certain processing
- Restrict processing under certain circumstances
To exercise these rights, contact us at [CONTACT — add before publishing]. We will respond within 30 days (or as required by applicable law).
10.2 GDPR Rights (EU/UK/Switzerland)
Residents of these regions have additional rights under GDPR, including the right to lodge a complaint with your national data protection authority.
10.3 California Rights (CCPA/CPRA)
California residents have the right to:
- Know what personal information we collect, use, and disclose
- Request deletion of personal information
- Opt out of the sale or sharing of personal information (we do not sell your personal information)
- Non-discrimination for exercising these rights
California users may submit requests to [CONTACT — add before publishing].
10.4 Nevada Residents
Nevada residents have the right to opt out of the sale of their personal information. We do not sell personal information. Contact us to confirm.
11. International Data Transfers
Our servers and service providers may be located in the United States or other countries outside your jurisdiction. By using the Service, you consent to the transfer of your information to these locations.
For users in the European Economic Area, United Kingdom, or Switzerland, we rely on Standard Contractual Clauses or other legally approved transfer mechanisms where required.
12. Children's Privacy
The Service is not intended for users under the age of 18 (or the local age of majority, whichever is higher). We do not knowingly collect personal information from children. If you believe we have collected information from a child, contact us immediately and we will delete it.
13. Do Not Track
We do not currently respond to Do Not Track (DNT) browser signals, as there is no universal standard for their interpretation. If that changes, this Policy will be updated.
14. Changes To This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email or prominent notice on the Service at least 30 days before taking effect, where legally required. Continued use after the effective date constitutes acceptance.
The "Last Updated" date at the top of this Policy reflects the most recent revision.
15. Contact
For privacy questions, requests, or complaints:
Email: [CONTACT — add before publishing]
Mailing address: [ADDRESS — add before publishing]
For EU/UK users wishing to lodge complaints with regulators:
- EU: Your national Data Protection Authority
- UK: Information Commissioner's Office (ico.org.uk)
This Privacy Policy is provided as a template and has not been reviewed by licensed counsel. Before publishing or enforcing, consult an attorney familiar with privacy law in the jurisdictions where your users reside.