Privacy Policy
Last updated: March 2026
1. Information We Collect
We collect the following information when you use BASTION:
- Account data: Email address, username, hashed password
- Exchange API keys: Encrypted at rest using AES-256 (Fernet). We store only what is needed to read positions and execute trades on your behalf.
- Trading data: Trade journal entries, War Room messages, alert configurations
- Usage data: API call logs, feature usage patterns, session metadata
2. How We Use Your Information
- Provide and improve the Platform's risk intelligence features
- Execute trades on your behalf when the execution engine is enabled
- Send email notifications (daily digests, signal alerts) if you opt in
- Authenticate your identity and secure your account
- Monitor for abuse and enforce our Terms of Service
3. Data Security
We implement industry-standard security measures to protect your data:
- Exchange API keys are encrypted at rest using Fernet (AES-128-CBC) encryption
- Passwords are hashed using bcrypt with per-user salts
- All connections use TLS encryption in transit
- Sessions are invalidated when you change your password
- API keys use SHA-256 hashing (plaintext never stored)
4. Data Sharing
We do not sell, rent, or share your personal information with third parties, except:
- Exchange APIs: Your API keys are used solely to interact with your exchange accounts
- Email service: We use Resend to deliver transactional emails (verification, password reset, notifications)
- Legal requirements: We may disclose information if required by law
5. Data Retention
Your data is retained as long as your account is active. Upon account deletion:
- Exchange API keys are permanently deleted
- Account credentials are removed
- Trade journal entries and settings are deleted
- War Room messages may be retained in anonymized form
6. Your Rights
You have the right to:
- Access your personal data through your account settings
- Correct inaccurate information
- Delete your account and associated data
- Export your trade journal data
- Opt out of email notifications at any time
- Disconnect exchange API keys at any time
7. Cookies and Local Storage
BASTION uses browser local storage to maintain your session token and UI preferences. We do not use third-party tracking cookies. The service worker caches static assets for offline functionality.
8. AI Model Data
BASTION's AI model (BASTION-32B) runs on our private infrastructure. Your position data is processed in real time for risk assessment but is not used to train or fine-tune the model. Trading data submitted to the risk engine is not stored beyond the immediate request lifecycle.
9. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via the Platform. Continued use after changes constitutes acceptance.
10. Contact
For privacy-related inquiries, contact us through the Platform's support channels or at the email address listed on our website.