1. Introduction
This Privacy Policy describes how The Mathematical Company ("Company", "we", "us", "our") collects, uses, stores, shares, and protects your personal information when you use the Horizon platform ("Service"). By accessing or using the Service, you consent to the data practices described in this policy.
If you do not agree with this Privacy Policy, you must not use the Service. This policy should be read in conjunction with our Terms of Service.
2. Information We Collect
We collect the minimum information necessary to provide, maintain, and improve the Service. The categories of information we collect include:
2.1 Information You Provide Directly
- Account data: Name, email address, and authentication credentials (password hash or OAuth token from Google)
- Exchange credentials: Private keys provided for trading, which are encrypted at rest using AES-256-GCM before storage. We never store or have access to your unencrypted private keys.
- Strategy data: Strategy descriptions, configurations, AI-generated code, conversation history with the strategy builder, parameters, and risk configurations
- Research data: Research conversation history, search queries, and shared conversation content
- Payment data: Billing information processed through Stripe. We do not store credit card numbers, bank account details, or other payment instrument data on our servers.
- Communications: Any messages, feedback, or support requests you send to us
2.2 Information Collected Automatically
- Usage data: Actions taken on the platform (deployments, strategy creation, settings changes), feature usage patterns, AI generation counts, backtest runs, and scanner activity
- Performance data: Trading metrics, backtest results, deployment status, equity curves, and trade logs associated with your strategies
- Audit logs: Timestamped records of significant account actions including IP address, user agent, and action type
- Technical data: IP address, browser type, device type, operating system, referring URL, and standard HTTP headers
- Login data: Login timestamps, IP addresses, and authentication methods used
2.3 Information from Third Parties
- Google OAuth: If you sign in with Google, we receive your name, email address, and profile picture URL from Google
- Stripe: Subscription status, billing period, and payment success/failure events (no card details)
3. How We Use Your Information
We use your information for the following purposes:
- Service provision: To provide, operate, maintain, and improve the Horizon platform and its features
- Strategy execution: To execute your trading strategies on third-party exchanges using your encrypted credentials
- AI processing: To send your conversation content and strategy descriptions to third-party AI providers for code generation, research analysis, and market recommendations
- Communications: To send transactional emails (account confirmation, password reset, deployment alerts, daily digest, drip emails for onboarding guidance)
- Billing: To process payments, enforce plan limits, and manage subscriptions
- Security: To detect, prevent, and investigate fraud, abuse, unauthorized access, and Terms violations
- Rate limiting: To enforce fair usage limits and prevent system abuse
- Analytics: To understand usage patterns and improve the Service (aggregated, non-personally identifiable data)
- Legal compliance: To comply with applicable laws, regulations, legal processes, or governmental requests
We do not sell, rent, lease, or trade your personal information to third parties for marketing, advertising, or any other commercial purposes.
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdictions that require a legal basis for data processing, our bases include:
- Contract performance: Processing necessary to provide the Service you requested (account management, strategy execution, billing)
- Legitimate interests: Processing for security, fraud prevention, service improvement, and enforcement of our Terms, where these interests are not overridden by your rights
- Consent: Processing based on your explicit consent (e.g., marketing communications, optional data sharing features like leaderboard participation)
- Legal obligation: Processing necessary to comply with applicable laws
5. Data Storage & Security
Your data is protected by multiple layers of security. While we implement industry-standard measures to protect your data, no method of electronic storage or internet transmission is 100% secure, and we cannot guarantee absolute security.
- Database: Supabase-managed PostgreSQL with row-level security (RLS) policies ensuring users can only access their own data. All data encrypted in transit (TLS) and at rest.
- Credential encryption: Exchange private keys encrypted with AES-256-GCM using unique initialization vectors and authentication tags. Keys are decrypted only in memory during deployment and never written to disk in plaintext.
- Authentication: Session management via secure HTTP-only cookies. Worker-to-platform communication authenticated via HMAC-SHA256 signatures with per-deployment secrets.
- CSRF protection: Origin validation on all mutating API requests
- Rate limiting: Distributed rate limiting via Upstash Redis on API endpoints to prevent abuse and brute-force attacks
- Security headers: Content Security Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers on all responses
- Access controls: Principle of least privilege for internal systems. Service role keys used only for server-side operations.
Data is stored on servers located in the United States (Supabase and Vercel infrastructure). By using the Service, you consent to the transfer and storage of your data in the United States.
6. Third-Party Services & Data Sharing
We share data with third-party service providers only to the extent necessary to operate the Service. We do not sell your data. Each provider processes only the minimum data required for their function:
- Supabase — Authentication, database hosting, row-level security. Processes: account data, all application data.
- Vercel — Application hosting and serverless function execution. Processes: request data, IP addresses.
- Anthropic / OpenRouter — AI-powered strategy generation, research chat, and market scanning. Processes: conversation content, strategy descriptions, and code snippets sent for AI processing. Subject to Anthropic's and OpenRouter's data policies.
- Polymarket CLOB — Trade execution using your own credentials, directly on-chain. Processes: trade orders, market data requests.
- Stripe — Subscription billing and payment processing. Processes: your payment method, billing address, transaction history. We do not store card numbers.
- Resend — Transactional email delivery. Processes: your email address and email content for account notifications, alerts, and digest emails.
- Upstash Redis — Distributed rate limiting. Processes: anonymized rate limit counters only (no personal data).
- Google — OAuth sign-in authentication. Processes: authentication tokens, profile data (if you choose Google sign-in).
We may also disclose your information if required by law, regulation, legal process, or governmental request; to enforce our Terms of Service; to protect the rights, property, or safety of the Company, our users, or the public; or in connection with a merger, acquisition, or sale of assets (with notice to you).
7. Email Communications
We send the following categories of email:
- Transactional (required): Account confirmation, password reset, security notifications. These cannot be opted out of as they are essential for account operation.
- Deployment alerts (configurable): Error notifications, circuit breaker triggers, position changes. Configurable in Settings > Notifications.
- Daily/weekly digest (opt-in): Portfolio performance summaries. Can be disabled in Settings.
- Onboarding guidance (opt-in): A time-limited series of emails to help new users get started. Requires communications consent during signup.
- Service notices (required): Material changes to Terms, Privacy Policy, pricing, or Service availability. These cannot be opted out of.
We do not send unsolicited marketing emails. We do not share your email address with third parties for marketing purposes.
8. AI Data Processing
When you use AI-powered features (strategy builder, research chat, market scanner, deployment analysis), your input data (conversation messages, strategy descriptions, code snippets) is sent to third-party AI providers (currently Anthropic via OpenRouter) for processing. You should be aware that:
- AI providers may process your data according to their own terms of service and privacy policies
- We use API-based access to AI models, which typically do not use your data for model training (subject to provider policies)
- Do not include sensitive personal information, passwords, full private keys, or confidential business data in AI conversations
- AI-generated outputs may reflect patterns from training data and should not be relied upon as factual or financial advice
- We log AI usage metadata (token counts, model used, cost) for billing and rate limiting purposes
9. Audit Logging
We maintain audit logs of significant account actions for security and compliance purposes. Audit log entries include: user ID, IP address, user agent, action type, resource affected, and timestamp. Audit logs are:
- Retained for 90 days
- Visible to you in your Settings page
- Accessible to the Company for security investigation and abuse prevention
- Subject to disclosure to law enforcement if legally required
10. Shared & Public Content
When you enable sharing features:
- Shared research conversations are accessible to anyone with the share link. The Company is not responsible for the further distribution of shared content by recipients.
- Leaderboard participation is strictly opt-in. Only strategy name, description, and aggregated performance metrics are displayed. Strategy code is never shared.
- Embedded widgets display strategy performance data publicly.
- You can revoke share links and opt out of the leaderboard at any time, but previously cached or copied content cannot be recalled.
11. Data Retention
We retain your data for as long as necessary to provide the Service and fulfill the purposes described in this policy:
- Active account: Data retained as long as your account is active
- Deleted account: Personal data permanently deleted within 30 days of account deletion, or immediately upon request, except where retention is required by law
- Audit logs: Retained for 90 days regardless of account status
- Metrics snapshots: Up to 1,000 per deployment (oldest automatically pruned)
- Encrypted credentials: Permanently and irrecoverably deleted upon credential removal or account deletion
- Billing records: Retained as required by tax and financial regulations (typically 7 years)
- Anonymized analytics: Aggregated, non-personally identifiable data may be retained indefinitely for service improvement
12. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Rectification: Request correction of inaccurate or incomplete personal data
- Deletion: Request deletion of your personal data ("right to be forgotten")
- Portability: Request your data in a structured, machine-readable format
- Restriction: Request that we limit how we process your data
- Objection: Object to processing based on legitimate interests
- Withdraw consent: Where processing is based on consent, withdraw it at any time
- Non-discrimination: We will not discriminate against you for exercising your privacy rights
To exercise these rights, use the platform's Settings page or contact us directly. We will respond within 30 days (or sooner if required by law). We may need to verify your identity before processing a request.
California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know what personal information we collect, the right to delete, and the right to opt out of the sale of personal information. We do not sell personal information.
EEA/UK Residents (GDPR)
If you are in the EEA or UK, you have rights under the General Data Protection Regulation (GDPR), including the rights listed above. You also have the right to lodge a complaint with your local data protection authority.
13. International Data Transfers
Your data may be transferred to and processed in the United States and other countries where our service providers operate. These countries may have data protection laws that differ from your jurisdiction. By using the Service, you consent to such transfers. Where required, we rely on standard contractual clauses or other approved transfer mechanisms to ensure adequate data protection.
14. Cookies & Tracking
We use strictly essential cookies for authentication session management and security. We do not use:
- Third-party tracking or analytics cookies
- Advertising or retargeting cookies
- Cross-site tracking technologies
- Browser fingerprinting
No personal data is shared with advertising networks. We may use anonymized, aggregated analytics (e.g., page view counts) to improve the Service, but these do not identify individual users.
15. Do Not Track Signals
Some web browsers transmit "Do Not Track" (DNT) signals to websites. Because there is no universally accepted standard for how to interpret DNT signals, the Service does not currently respond to or alter its practices when a DNT browser signal is received. However, as described in Section 14, we do not use third-party tracking, advertising cookies, or cross-site tracking technologies, so our practices are already consistent with the spirit of DNT requests.
16. Automated Decision-Making
The Service uses automated processing in the following contexts:
- AI-powered strategy generation: Automated code generation based on your natural language input. You review and approve all generated code before deployment.
- Automated market scanning: AI-driven discovery and ranking of markets for scanner deployments. You configure criteria and can override automated decisions.
- Rate limiting and usage enforcement: Automated monitoring of usage against plan limits, which may result in temporary feature restrictions.
- Abuse detection: Automated systems to identify potential Terms violations or abnormal usage patterns, which may trigger account review.
No automated decisions with legal or similarly significant effects are made without human review. Under GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing that produce legal effects or significantly affect you. If you believe an automated decision has adversely affected you, contact us to request human review.
17. Children's Privacy
The Service is not directed at and is not intended for use by children under 18 years of age (or the age of majority in their jurisdiction). We do not knowingly collect personal information from minors. If we become aware that we have inadvertently collected data from a minor, we will promptly delete such data and terminate the associated account. If you believe a minor has provided us with personal information, please contact us immediately.
18. Data Breach Notification
In the event of a data breach that affects your personal information, we will:
- Notify affected users via email within 72 hours of becoming aware of the breach (or as required by applicable law)
- Provide details about the nature of the breach, the types of data affected, and the measures taken or proposed to be taken
- Report the breach to relevant supervisory authorities as required by law
- Take immediate steps to mitigate the impact of the breach and prevent recurrence
19. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
- Sending a notification to your registered email address
- Posting the updated policy with a revised "Last updated" date
- Displaying a notice on the platform (for significant changes)
Your continued use of the Service after changes take effect constitutes acceptance of the updated policy. If you disagree with the changes, you should discontinue use of the Service and delete your account.
20. Contact & Data Protection Inquiries
For questions about this Privacy Policy, to exercise your data rights, to report a data breach, or for any privacy-related inquiries, contact us at The Mathematical Company.
If you are in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.