Privacy Policy

Last updated: April 13, 2026

1. Information We Collect

Account Data: Email address, hashed password, subscription status.

Trading Credentials: Kalshi API keys, encrypted with AES-256 (Fernet) at rest. Keys are never logged, never stored in plaintext, and never transmitted to third parties.

Usage Data: Trade history, bot configuration preferences, session analytics. This data is used to provide the service and improve the platform.

Technical Data: IP address (for rate limiting only, not stored long-term), browser type, device information via standard web analytics.

2. How We Use Your Data

We use your data exclusively to:

  • Provide and operate the trading platform
  • Execute trades on your connected exchange account
  • Process subscription payments via Stripe
  • Send critical service notifications (downtime, security alerts)
  • Improve the probability model and platform reliability

We do not sell, rent, or share your personal data with advertisers or data brokers. Ever.

3. Credential Security

Your Kalshi API credentials receive the highest level of protection:

  • Encrypted at rest with AES-256 (Fernet symmetric encryption)
  • Encryption key derived from a server-side secret, not stored alongside data
  • Decrypted only in server memory when executing trades
  • Never exposed to frontend code, logs, or error reports
  • Permanently deleted when you remove them or delete your account

4. Third-Party Services

We use the following third-party services:

  • Stripe — payment processing. Stripe receives your email and payment method. See Stripe's privacy policy.
  • Kalshi — trade execution via their API using your credentials. Subject to Kalshi's terms and privacy policy.
  • Cricbuzz (via RapidAPI) — live cricket data. No user data is sent to Cricbuzz.

5. Data Retention

Account data is retained while your account is active. Trade history is retained for 12 months after account deletion for regulatory compliance, then permanently deleted. Encrypted credentials are deleted immediately upon request or account deletion. You may export your trade data at any time.

6. Your Rights

You have the right to:

  • Access your personal data via the Settings page
  • Delete your account and all associated data
  • Export your trade history
  • Revoke exchange credentials at any time
  • Opt out of non-essential communications

7. Cookies

We use only essential cookies for authentication (JWT session token stored in localStorage). We do not use tracking cookies, advertising pixels, or analytics cookies. No cookie consent banner is needed because we don't track you.

8. Children

FreshLoop is not intended for users under 18. We do not knowingly collect data from minors. If we learn that a minor has created an account, we will delete it immediately.

9. Changes to This Policy

We will notify you of material changes via email. The "Last updated" date at the top reflects when this policy was last revised.

10. Contact

For privacy-related questions or data requests, contact us at privacy@freshloop.com.