Privacy Policy

Last updated: April 16, 2026

SurgePilot ("we", "us", or "our") operates the SurgePilot cryptocurrency trading platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

1. Information We Collect

Account Information

When you create an account, we collect:

  • Username
  • Email address
  • Password (stored as a one-way cryptographic hash; we never store your plain text password)

OAuth / Social Login

If you sign in using a third-party provider (Google or GitHub), we receive the following from that provider:

  • Your email address
  • Your display name
  • A unique provider identifier

We do not receive or store your password from any third-party provider. We do not request access to your Google Drive, GitHub repositories, or any other provider data beyond basic identity information. We do not store OAuth access tokens or refresh tokens from these providers.

Exchange API Credentials

To enable trading functionality, you may provide API keys for cryptocurrency exchanges (e.g., Coinbase, Kraken). These credentials are stored in encrypted form and are used solely to execute trades and retrieve market data on your behalf.

Trading and Usage Data

We collect data generated through your use of the Service, including:

  • Bot configurations and trading parameters
  • Trade history and execution records
  • Portfolio snapshots and performance metrics
  • AI assistant conversation history

Technical Data

We automatically collect:

  • Log data (IP address, browser type, access times)
  • WebSocket connection metadata

Compliance & Legal Records

When you accept our Terms of Service, we record the version you accepted, the date and time of acceptance, your IP address, and the browser user-agent string. This audit trail is retained as legal evidence of your agreement and is not used for marketing or analytics.

Billing Information

If you subscribe to a paid tier, payment is processed by Stripe. We do not store your full card number or CVV on our servers; Stripe stores payment credentials and returns to us only a customer identifier, subscription identifier, and high-level billing metadata (tier, status, renewal date, last four digits of the card).

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Authenticate your identity and manage your account
  • Execute and monitor trading operations on your behalf
  • Calculate portfolio performance and analytics
  • Provide AI-powered trading analysis and recommendations
  • Process subscription payments and manage billing
  • Send transactional emails (password resets, security notifications, billing receipts)
  • Send marketing or product-update emails (only if you have not opted out — see Section 7)
  • Display aggregated performance data on our public leaderboard (only if you have leaderboard visibility enabled — see Section 7)
  • Detect and prevent fraud or abuse
  • Comply with legal obligations and maintain records of Terms-of-Service acceptance

3. Third-Party Services

We integrate with the following third-party services:

  • Google OAuth — For authentication only. Subject to Google's Privacy Policy.
  • GitHub OAuth — For authentication only. Subject to GitHub's Privacy Statement.
  • Cryptocurrency Exchanges (Coinbase, Kraken) — For trade execution and market data retrieval using your provided API keys.
  • OpenRouter — For AI model access. If you provide an OpenRouter API key, your AI conversations are processed through their service. Subject to OpenRouter's Privacy Policy.
  • Stripe — For subscription billing and payment processing. Card details are collected and stored by Stripe, not by us. Subject to Stripe's Privacy Policy.

4. Data Storage and Security

  • All data is stored in a PostgreSQL database
  • Passwords are hashed using bcrypt with automatic salting
  • Authentication uses JSON Web Tokens (JWT) with expiration
  • All communication is encrypted via HTTPS/WSS in production
  • Exchange API credentials are stored in encrypted form

5. Data Retention

We retain your account data for as long as your account is active. Trade history, portfolio snapshots, and performance data are retained to power analytics and historical charting. Terms-of-Service acceptance records are retained indefinitely as legal evidence of your agreement.

When you request account deletion (see Section 6), your account is immediately deactivated and flagged for removal. During a short grace period, an administrator performs the final hard-delete, which cascades through your bots, trades, portfolios, sessions, and AI conversation history. Aggregated or de-identified data that cannot be linked back to you may be retained after deletion.

6. Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate personal data (email can be updated directly from Settings → Profile)
  • Delete your account and associated personal data at any time from Settings → Profile → Privacy. This is self-service and does not require contacting support.
  • Export your trading data
  • Opt out of our public leaderboard at any time (see Section 7)
  • Opt out of marketing emails at any time (see Section 7)
  • Revoke OAuth provider access at any time through the provider's settings

7. Your Privacy Choices

Public Leaderboard

By default, your username and aggregated trading performance metrics may appear on the SurgePilot public leaderboard. We do not publish your email address, exchange balances, API credentials, or individual trades. You can toggle leaderboard visibility off at any time from Settings → Profile → Privacy. When you opt out, your existing leaderboard entries are removed immediately and no new entries are generated.

Marketing Emails

If we send product-update or marketing emails, you may opt out at any time by toggling the marketing-email preference in Settings → Profile → Privacy, or by clicking the unsubscribe link in any marketing email we send. Opting out does not affect transactional emails required to operate your account (password resets, security notifications, billing receipts, and service-critical notices).

Account Deletion

You can delete your account directly from Settings → Profile → Privacy. If you are a paying subscriber, cancel your Stripe subscription first to avoid further charges. Deletion is irreversible once the hard-delete completes.

8. Cookies

We use localStorage to store your authentication token for session management. We do not use tracking cookies or third-party analytics cookies.

9. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by updating the "Last updated" date at the top of this page. Your continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at: [email protected]