Privacy Policy
We collect the minimum data needed to run a paid SaaS, and we never sell your data. This page explains exactly what we store, why, and how to delete it.
What we collect
- Email address — for login, billing, and account recovery.
- Password hash — PBKDF2-HMAC-SHA256, 200,000 iterations, with a per-user salt. We never see your plaintext password.
- Subscription metadata — plan, renewal date, Stripe customer ID, Stripe subscription ID. Used to grant or revoke access.
- Server access logs — IP address, request path, timestamp, response code. Used for rate-limiting and abuse prevention. Retained ≤ 30 days.
- Usage stats — coach calls per day per user, demo calls per IP per day. Used for rate limits and product analytics; never sold.
- Optional chart screenshots — if you upload an image to the coach, it's sent to Anthropic's Claude API for vision analysis and not stored on our servers.
What we do NOT collect
- No exchange API keys, exchange logins, or wallet addresses.
- No credit-card numbers, CVVs, or billing addresses (handled entirely by Stripe).
- No KYC or government-ID documents.
- No third-party advertising trackers, fingerprinting, or session-replay tools.
Third parties we share with (only what's necessary)
- Stripe — receives your email and (when you check out) your payment details. Stripe's privacy policy.
- Anthropic — receives your chart image and asset hint when you use the optional vision feature. Anthropic's privacy policy.
- Render.com — hosts the application server and database. Render's privacy policy.
- Jupiter Aggregator — receives no personal data; only public market queries.
Cookies
We use exactly one cookie: aurum_session. It's HTTP-only,
Secure (HTTPS-only), SameSite=Lax, with a 30-day rolling expiry. It does
not contain any personal data — only a random session token. No analytics,
ad, or tracking cookies are set.
Data retention
- Account data: kept for as long as your account exists.
- Server access logs: ≤ 30 days, then auto-deleted.
- Stripe records: retained per Stripe's policy, typically 7 years for tax / chargeback reasons.
- Deleting your account purges your row, sessions, and rate-limit history within 24 hours.
Your rights
You can request access to, correction of, or deletion of your personal data at any time by contacting us in Discord. We respond within 30 days. If you are in the EU/UK you have the additional rights granted by the GDPR / UK GDPR (data portability, right to object, right to lodge a complaint with your local data-protection authority).
Security
We use HTTPS for all traffic, HttpOnly + Secure session cookies, PBKDF2-hashed passwords with strong iteration counts, server-side rate limiting, and an isolated production database. We will notify affected users within 72 hours of becoming aware of a confirmed breach involving their personal data.
Children
The Service is not intended for users under 18. We do not knowingly collect data from children.
Contact
For privacy questions or data-deletion requests, message the operator in the Aurum Discord.
See also: Terms of Service · Refund Policy