Last reviewed: 2026-05-15
Privacy.
Privacy is a feature, not a footer. This is the honest version: what we encrypt, what we don't, and what's coming.
We don't want your trades. We don't sell data. We don't run ad trackers. We don't have a marketing pixel. The whole product is built so that even if our servers were breached, the damage would be bounded.
TL;DR
| Asset | Today (Phase 1) | Pro: ZK Mode (Phase 2) |
|---|---|---|
| Voice audio | Never recorded server-side. Browser ↔ OpenAI WebRTC, direct. | Same. |
| Voice transcripts | Only the AI-extracted structured note (summary, themes, defenses, body cues, next-focus) is stored. Raw transcript is ephemeral. | Same, encrypted with your key. |
| Exchange API keys | AES-256-GCM at rest. Server-side master key. Read-only enforced. | Encrypted with your key — server cannot decrypt. |
| Trade snapshots | Stored in Postgres, 60s cache TTL. | Ciphertext only. |
| Journal entries | Stored in Postgres, readable by our infra for support. | Ciphertext only. |
| Coach memory | Durable cross-session facts. Editable & forgettable on You page. | Ciphertext only. |
| Closing note | Optional one-line at session close. Stored alongside the session. | Encrypted with your key. |
| Analytics | None. Zero third-party trackers. | Same. |
| Logs | PII / position / API-key content scrubbed. | Same. |
What “read-only” means
When you connect an exchange, you give us an API key with read-only permissions. We can see your positions, P&L, and trade history. We cannot place trades, transfer funds, or change settings — even if our servers were compromised.
Enforced two ways: (1) our exchange client only calls read endpoints; there is no code path for createOrder, withdraw, or any state-changing call. (2) you create the key as read-only on the exchange side.
Encryption at rest
EXCHANGE_KEY_ENCRYPTION_SECRET, 96-bit IV per secret, authentication tag stored separately. For production we'll move the master key to a managed KMS.Voice: how it actually works
- You tap the mic. The app requests a short-lived ephemeral token from our server (~60s validity).
- Your browser opens a direct WebRTC connection to OpenAI using that token. Audio flows browser ↔ OpenAI. Our server is not in the audio path.
- After the session, the in-flight transcript is sent once to gpt-4o-mini to produce a structured note (2-3 sentence summary, emotion + pattern tags, 1-4 themes, 0-3 defenses noticed, 0-3 body cues, and ONE “next focus” sentence). That note — not the raw transcript — is stored.
- Memory candidates (durable cross-session facts) are also extracted into a separate, individually-editable list on the You page.
Result: even we can't replay your conversations.
Session memory: how continuity actually works
- Each session writes one journal-entry row with the structured note.
- Each session may add 0-4 memory rows (durable facts) to a separate
coach_memorytable. - The next session's system prompt pulls (a) the most recent
next_focusline, (b) the top-K most salient memories, and (c) frequency-aggregated themes across the last 5 sessions. That's everything the coach “remembers.” - Nothing else from prior sessions is loaded. There is no hidden long-term log the coach reads from.
You can see exactly what the coach remembers on the You page and forget any item with one tap.
What we log
What we will never do
- Sell your data. No data deal will ever be entertained. If we sell the company, this clause survives in any acquirer's terms of use, by contract.
- Train models on your conversations. OpenAI's API tier does not train on inputs by default; we've verified the org setting.
- Add an ad tracker. Ever.
- Require KYC. You can use the app pseudonymously through Telegram.
Report a privacy concern
This document is in source control. Every change is in git log PRIVACY.md. We do not edit privacy claims silently.