Privacy Policy

Last updated: May 15, 2026

Thesis is a software tool for algorithmic trading on accounts you own at third-party brokers (Alpaca Markets, and soon Kraken). This policy describes what data we collect, why, who we share it with, how long we keep it, and how you can delete it.

This policy applies to the Thesis web app at app.thesistrade.app, the marketing site at www.thesistrade.app, and any mobile or desktop builds we ship.

Data we collect

We collect the minimum needed to operate the service. The categories below map to Apple's App Store privacy categories so the in-app nutrition label is verifiable against this page.

Contact information

Your email address and (optional) display name.

Used for: account authentication, transactional email (password resets, verification, billing receipts, optional weekly signal recap), and product support. Linked to you: yes. Used for tracking: no.

Financial information (broker API keys + trade ledger)

The Alpaca (and optionally Kraken) API Key ID and Secret Key you paste during onboarding, plus the trades, positions, and decisions Thesis records against your account.

Used for: placing and managing orders on your broker account; computing P/L, statistics, and AI training signals. Stored how: keys are encrypted with AES-256-GCM envelope encryption, with the master key held in Azure Key Vault. Plaintext keys exist only in volatile memory during order placement and are never logged. Linked to you: yes. Used for tracking: no.

Identifiers

An internal user ID we generate; a session/refresh token; the Google subject ID if you sign in with Google.

Used for: authentication and session management. Linked to you: yes. Used for tracking: no.

Usage data (product analytics)

Page views, feature usage events, and approximate latency numbers via PostHog (our self-hosted-on-cloud analytics provider). We do not collect mouse positions, keystrokes, video, or session replays.

Used for: debugging, feature decisions, error monitoring. Linked to you: yes (your user ID flows to PostHog). Used for tracking: no. We do not link your usage data to advertising identifiers and we do not share it with ad networks.

Diagnostics

Server-side error logs and request traces (no request bodies, no broker keys, no passwords).

Used for: outage detection and bug triage. Logs are retained for 30 days. Linked to you: via user ID, when relevant to the error. Used for tracking: no.

Tracking and advertising

We do not track you across other companies' apps or websites.

Thesis does not contain third-party advertising SDKs, does not read the Advertising Identifier (IDFA), and does not share data with advertising networks or data brokers. iOS App Tracking Transparency (ATT) prompts are not required, and we will not show one.

Third parties we share with (subprocessors)

  • Alpaca Markets — brokerage execution and market data. We send order requests and read your account/position/activity data via the API key you provide. Alpaca's privacy policy.
  • Kraken (when connected) — crypto spot execution. Same model as Alpaca: your keys, your account. Kraken's privacy policy.
  • Anthropic — Claude AI models for trade-decision reasoning. We send pattern + market context; we do not send your name, email, or broker keys.
  • OpenAI — GPT models for news classification only. We send news headlines, never your account data.
  • Stripe — payment processing for paid plans. Stripe receives the data needed to complete payment. Stripe's privacy policy.
  • Resend — transactional email delivery (verification, password reset, signal recap).
  • Twilio — SMS alerts for copilot signals (opt-in only, can be disabled in Settings).
  • PostHog Cloud — product analytics.
  • Microsoft Azure — hosting (Container Apps, Postgres Flexible Server, Static Web Apps), and Azure Key Vault for the encryption master key. Servers run in the US Central region.

Data retention

  • Account record + trade ledger: kept until you delete your account.
  • Server access logs: 30 days.
  • Analytics events: 12 months in PostHog, then aggregated.
  • Email delivery logs at Resend: 30 days (per their policy).
  • Stripe billing records: per Stripe's retention policy (typically multi-year for tax/audit reasons).

Your rights

Regardless of where you live, you can:

  • Delete your account in-app. Go to Settings → Danger zone → Delete account. This securely overwrites and removes your encrypted broker keys, cancels any active Stripe subscription, and erases your trade history, decisions, and preferences. Stripe billing records and email logs may persist briefly per their retention policies.
  • Export your data. Email privacy@thesistrade.app and we will return a JSON export within 30 days.
  • Correct your data. Most fields are editable in Settings. For anything else, email privacy@thesistrade.app.
  • Opt out of analytics. Set your browser's "Do Not Track" or "Global Privacy Control" flag — we honor both for product analytics. Authentication and transactional logging continues since it's required to operate the service.

GDPR (EU/UK residents)

We process your data under contractual necessity (running the service you signed up for) and legitimate interest (security, fraud prevention). You have the rights to access, rectify, erase, restrict, object, and port your data. Lodge complaints with your local supervisory authority. Email privacy@thesistrade.app for any of the above.

CCPA / CPRA (California residents)

You have the right to know, delete, correct, and opt out of any "sale" or "sharing" of your personal information. We do not sell or share personal information for advertising purposes. Exercise other rights via the methods listed in "Your rights" above. We will not discriminate against you for exercising any right.

Children's privacy

Thesis is not directed to children under 13, and we do not knowingly collect data from children under 13. Securities and crypto trading require adult brokerage accounts. If you believe a child under 13 has provided us data, email privacy@thesistrade.app and we will delete it.

Security

  • Broker API keys encrypted with AES-256-GCM envelope encryption.
  • Master encryption key in Azure Key Vault — never exposed to client code, rotated periodically.
  • All transport uses TLS 1.2+ (HSTS preload enabled).
  • Session tokens rotated on every refresh; sessions revocable on demand.
  • Passwords (when set) hashed with argon2id.
  • No plaintext logging of secrets, ever.

No system is perfectly secure. If you suspect a security issue, email security@thesistrade.app.

International data transfers

Thesis servers are in the US (Microsoft Azure, US Central). If you access the service from outside the US, your data is transferred to and processed in the US. Our subprocessors (Anthropic, OpenAI, Stripe, Twilio, PostHog, Resend) primarily process data in the US as well.

Changes to this policy

We will update the "Last updated" date at the top of this page when this policy changes. Material changes (new data categories, new subprocessors used in a materially different way) will be announced by email to active users at least 14 days before they take effect.

Contact

Privacy questions: privacy@thesistrade.app
Security: security@thesistrade.app
General support: support@thesistrade.app