Privacy Policy
1. Information we collect
| Category | Examples | Source |
|---|---|---|
| Account & identity | Email, display name, password hash (via Firebase), authentication tokens. | You; our auth provider (Firebase). |
| Billing | Subscription tier, billing period, payment method last-4 and card brand, invoice history. We do not store full card numbers. | Stripe (our payment processor). |
| Trading content | Plans, journal entries, screenshots, scanner configs, ideas, scores, notes you submit. | You. |
| Broker & market data | Broker account number, balance, equity, open positions, order history, OHLC bars, symbol metadata — sent by your VPS Bridge. | Your broker terminal via the VPS Bridge you install. |
| API keys | Bring-your-own-key (BYOK) AI provider keys (Anthropic, OpenAI). Encrypted at rest with Fernet. | You. |
| Usage & technical | IP address, user agent, request paths, log timestamps, AI token usage, feature interactions, error traces. | Automatically collected. |
| Communications | Support emails, in-app feedback, waitlist signups (email, country, tier interest, optional Reddit handle and notes). | You. |
2. How we use information
- Provide the Service — render your plans, score setups, run scanners, relay trade commands to your broker via the Bridge, send notifications.
- Account & billing — authenticate you, manage subscriptions, process payments, prevent fraud, send transactional emails.
- Improve the Service — diagnose errors, monitor performance, analyse aggregated, de-identified usage patterns. We do not train third-party AI models on Your Content.
- Support & communication — respond to your questions; send service announcements; with consent where required, send product updates.
- Compliance & safety — enforce our Terms, meet legal obligations, protect users, investigate abuse, respond to lawful requests.
3. Legal bases (EEA / UK)
If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR / UK GDPR:
- Contract — to provide the Service you've signed up for, including all paid features and the Bridge.
- Legitimate interests — to secure the Service, prevent fraud, improve features, and communicate about your account.
- Consent — for optional analytics or marketing where required by local law. You may withdraw consent at any time.
- Legal obligation — to comply with applicable laws, tax requirements, and lawful requests.
4. AI processing & BYOK
Gatekeeper sends portions of your trading content (e.g. plan checklists, screenshots, journal entries) to AI providers in order to produce scores, summaries, and coaching. Two modes exist:
- Managed AI (paid tiers) — we send requests to providers (currently Anthropic and OpenAI) under our own API keys. Allowances reset each billing cycle. AI providers process your prompts as data processors / sub-processors and, under their commercial terms, do not use them to train their public models.
- BYOK — when you supply your own provider API key, requests are sent to that provider on your behalf using your key. Your relationship with the provider, including data-handling, billing, and retention, is governed by that provider's terms.
We do not use Your Content to train any model that is shared across users. AI output can be inaccurate; see the no-investment-advice notice in the Terms.
5. Who we share information with
We share personal information only with the following categories of recipients, and only as needed:
- Infrastructure — Google Cloud (hosting, Cloud Run, Cloud SQL/Postgres) for hosting and storage.
- Authentication — Firebase / Google for sign-in.
- Payments — Stripe, Inc. for billing and tax collection.
- AI providers — Anthropic, OpenAI (managed mode) or whichever provider key you supply (BYOK).
- Email & support — providers used to send transactional and support email.
- Professional advisers — accountants, lawyers, and auditors under confidentiality.
- Legal & safety — law enforcement and regulators when required by valid legal process or to protect rights, property, or safety.
- Corporate transactions — in a merger, acquisition, financing, or sale of assets, where the recipient agrees to honour this policy.
We do not sell personal information, and we do not share it for cross-context behavioural advertising.
6. International transfers
Gatekeeper is operated from the United States. If you access the Service from outside the US, your information will be transferred to and processed in the US and other countries where our service providers operate. Where required, we rely on Standard Contractual Clauses or equivalent safeguards for transfers from the EEA, UK, or Switzerland.
7. Data retention
- Account, plan, journal, and trading records are retained while your account is active and for a reasonable period afterwards for backups, dispute resolution, and legal compliance (typically up to 12 months after deletion, longer where required by law).
- Billing records are retained as required by tax and accounting law (typically up to 7 years).
- Encrypted BYOK API keys are deleted when you remove them from settings; ciphertext is purged from backups on the normal backup-rotation cycle.
- Server logs are retained for a limited period (typically 30–90 days) for security and debugging.
- Waitlist signups are retained until you ask us to delete them or the waitlist programme ends.
8. Security
We use industry-standard safeguards including:
- TLS in transit for all web traffic.
- Encryption at rest for the database, with Fernet field-level encryption for sensitive columns such as BYOK API keys.
- Firebase-managed authentication, password hashing, and JWT validation.
- Role-based access controls and audit logging for administrative actions.
- Principle-of-least-privilege access to production data.
No system is perfectly secure. You are responsible for safeguarding your own credentials, your VPS, and your broker account. If you believe your account has been compromised, contact us at support@resqua.com.
9. Your rights
Depending on where you live, you may have the right to access, correct, delete, port, or restrict our processing of your personal information, and to object to certain processing. You can exercise most of these rights directly inside the app (edit profile, delete content, cancel subscription, remove BYOK key, delete account). For everything else, email support@resqua.com. We respond within the period required by applicable law.
If you are in the EEA or UK, you may also lodge a complaint with your local data protection authority.
10. California & US state rights
Residents of California (CCPA/CPRA) and certain other US states may have the right to know what personal information we collect, to request a copy, to request deletion or correction, and to opt out of sale or sharing for cross-context behavioural advertising. Gatekeeper does not sell personal information or share it for cross-context behavioural advertising. To exercise your rights, email support@resqua.com. We will not discriminate against you for exercising your rights.
11. Cookies & analytics
We use first-party cookies and similar technologies that are strictly necessary to run the Service (e.g. authentication, CSRF protection, preferences). Where we use optional analytics, we describe them on a cookie banner or in settings and obtain consent where required. We do not use advertising cookies.
12. Children
The Service is not directed to children under 18. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.
13. Changes to this policy
We may update this policy from time to time. If we make material changes, we will give you reasonable advance notice (for example, by email or in-app notice). The "Last updated" date at the top reflects the most recent revision.
14. Contact
Questions, requests, or complaints? Contact our privacy team at support@resqua.com, or write to:
Resqua, Inc.
169 Madison Ave STE 99571
New York, NY 10016