Legal

Privacy Policy

Effective: May 15, 2026

Governing law: Commonwealth of Pennsylvania (as set forth in the EULA §13.1, with which this Privacy Policy is co-incorporated). Controller: ShapeUp LLC d/b/a Rubicon Systems, 2040 Linglestown Road, Suite 109, Harrisburg, PA 17110, United States. Privacy contact: privacy@rubicontrading.io


1. Data the Company collects

The Company collects only the minimum data needed to operate the Platform, validate licenses, process billing, and provide support. The categories are:

1.1 License-validation data (always collected; required for the Platform to function)

(a) License Key and associated activation token.

(b) Machine ID: a deterministic hash derived from stable hardware identifiers on the operator's installed device. The machine ID is used solely to enforce the two-machine seat allocation described in EULA §2.2 and to detect fraudulent License Key sharing. The machine ID is not correlated with advertising identifiers, browser fingerprints, or any third-party tracking identifier, and it is not used for advertising or marketing purposes.

(c) License-server heartbeat metadata: timestamps and IP address of license-server contacts, the Tier and version strings reported by the Platform, and a check-in identifier.

1.2 Billing data

(a) Email address associated with the License Key.

(b) Stripe customer identifier (a token issued by Stripe; the Company does not receive or store card numbers, expiration dates, or CVV codes — those are handled by Stripe under its own privacy policy, available at stripe.com/privacy).

(c) Subscription state (Tier, billing cycle, renewal date, amount, currency).

(d) Refund and chargeback records retained per the Refund Policy and applicable financial recordkeeping requirements.

1.3 Support and feedback data (collected when you initiate contact)

(a) Content of any email, in-product bug report, or feedback form you submit, plus any attachments you elect to include.

(b) Optional log snippets you include in a bug report (presented for your review before send; redaction discipline applies; see §3.2).

1.4 Optional product-improvement telemetry (collected only if you opt in)

(a) Default: OFF. Telemetry is opt-in during First-Run Wizard and at any time thereafter in Settings → Telemetry.

(b) Collected fields when opted in: Platform version, operating system family and version, locale, panel load times, counts and class names of caught exceptions, counts of feature invocations, and license Tier.

(c) Not collected under telemetry: any item enumerated in §2 below.

1.5 Site usage data (website only — desktop app uses no cookies)

The desktop application does NOT use cookies, browser fingerprinting, or any web-tracking technology. The Company's website (rubicontrading.io and subdomains, the "Site") uses essential cookies only — those necessary for authentication, checkout, and session management. No advertising trackers and no third-party analytics SDKs are deployed on the Site as of the v1.0 effective date. Visitors to the Site may have standard server-log data captured by the Site's hosting provider (Cloudflare), including IP address, request path, user-agent string, and timestamp. If non-essential cookies are introduced in the future, this Policy will be updated and a Cookie Notice posted.

2. Data the Company NEVER collects (the "NEVER list")

The following categories of operator data NEVER leave the operator's installed device, NEVER appear in audit logs, NEVER appear in bug reports submitted through the in-product reporter, and NEVER appear in opt-in telemetry events:

(a) Broker credentials, including API keys, passwords, OAuth tokens, and any equivalent authentication artifact;

(b) Broker account numbers and internal Platform account identifiers;

(c) Position data — open positions, sizes, instruments, direction, fill prices;

(d) Profit-and-loss data — current balance, daily P&L, cumulative P&L;

(e) Trade history — past fills, trade-journal contents;

(f) Strategy parameters and strategy content — operator-tunable strategy configuration; the contents of the operator's local strategy registry file (whether the strategies were authored by the operator using the Platform's strategy creation framework or imported into the Platform via the Hermes import translator from a third-party authoring environment such as NinjaScript or Pine Script); and any source strategy material that the Hermes translator processes locally on the operator's installed device;

(g) Journal contents — the operator's local trading journal SQLite database;

(h) Raw market data — bid/ask quotes, tick data, order-book data ingested by the Platform;

(i) LLM provider API keys — the operator's API key for any Platform feature that uses an LLM provider (BYOK; the key remains on the operator's installed device);

(j) LLM prompt and response content — the content of operator prompts to, and responses from, any Platform feature that uses an LLM provider under the operator's own API key (BYOK);

(k) The operator's full legal name (the Company collects only the email address associated with the License Key — billing-name data remains with Stripe);

(l) The operator's billing address and phone number (these remain with Stripe).

3. How the Company uses collected data

3.1 Operational uses

(a) License validation and seat enforcement: to confirm that a License Key is active and that the requesting device is within the operator's seat allocation.

(b) Billing and Tier management: to process recurring charges, refunds, and Tier transitions through Stripe.

(c) Support communications: to respond to operator-initiated emails or bug reports.

(d) Security: to detect and prevent fraud, License Key sharing in excess of the seat allocation, and abuse of Site resources.

(e) Legal and compliance: to retain records for tax, audit, and other legal obligations.

3.2 Bug reporter behavior; PII scrubbing

The in-product bug reporter operates in an operator-review-before-send mode: the operator sees the exact payload before it is transmitted. Log snippets are run through a redaction filter that scrubs known sensitive patterns (API keys, broker account numbers, position data, machine-resolved file paths); the operator can edit or remove any field before sending. Auto-send is disabled by default; bug reports never transmit without explicit operator action.

Crash payloads transmitted to the Sentry error-monitoring service (see §5(d)) are similarly run through a PII-scrubbing filter applied at ingestion. The filter strips items in the NEVER list (§2) before they reach Sentry storage.

3.3 Telemetry uses (only if you opt in)

(a) Aggregate operator-base metrics for product improvement (e.g., median panel load time, frequency of caught exception classes).

(b) Per-version error-rate measurement to triage regressions following a release.

(c) The Company does NOT run per-operator queries on telemetry data except (i) for fraud detection based on the License Key and machine ID, or (ii) where the operator has self-routed data to the Company through a bug report.

3.4 No advertising / no sale of personal data

The Company does not sell or share personal data for advertising purposes. The Company does not engage in cross-context behavioral advertising and does not participate in any third-party advertising network.

4. Legal basis for processing

For operators residing in jurisdictions where a legal-basis disclosure is required:

(a) Performance of contract: processing of license-validation data and billing data is necessary to perform the contract represented by the EULA and the operator's Tier subscription.

(b) Legitimate interests: processing of support and feedback data, fraud-detection signals, and (where opted in) telemetry data is conducted in furtherance of the Company's legitimate interests in operating, securing, and improving the Platform, in a manner balanced against the operator's reasonable expectations.

(c) Consent: processing of optional telemetry data is performed only with the operator's express opt-in consent, which may be withdrawn at any time in Settings → Telemetry or on the Site account portal.

(d) Legal obligation: retention of billing records and certain support records is conducted to comply with applicable financial recordkeeping, tax, and consumer-protection obligations.

5. Third-party processors and sharing

The Company shares personal data only with the following categories of recipients, and only as needed for the purposes described in §3:

(a) Stripe (payment processor): receives and stores payment-method data and processes charges, refunds, and chargebacks on behalf of the Company. Stripe acts as an independent controller for the data it collects directly. Stripe's privacy practices are governed by Stripe's own privacy policy at stripe.com/privacy.

(b) Cloudflare (infrastructure): processes Site and license-server traffic, including IP-level metadata, as a sub-processor of the Company.

(c) SendGrid (transactional email; or equivalent ESP): receives the email address associated with the License Key for the purpose of sending account-related, billing, and security communications (license issuance, receipts, refund confirmations, security notices, material policy updates). SendGrid acts as a processor on behalf of the Company.

(d) Sentry (error monitoring): if deployed, receives crash and exception payloads from the Platform. Sentry ingests payloads that have been passed through the PII-scrubbing filter described in §3.2; in particular, items on the NEVER list (§2) are stripped before transmission. Sentry's processing is governed by Sentry's own privacy policy and the Company's sub-processor agreement with Sentry.

(e) Discord (community surface): where the operator voluntarily joins the Company's Discord server, the operator's Discord user account becomes visible to other participants and to the Company. Discord's collection and use of data is governed by Discord's own privacy policy.

(f) Legal compliance: the Company may disclose personal data when required by law, subpoena, court order, or other binding governmental request, or when reasonably necessary to protect the rights, property, or safety of the Company, its users, or the public.

(g) Business transfers: in the event of a merger, acquisition, financing, reorganization, or sale of all or substantially all of the Company's assets, personal data may be transferred to the acquiring party, subject to commitments regarding the data's continued treatment under this Policy or a successor with no less protective terms.

The Company does NOT sell personal data to third parties for any purpose, including advertising.

6. Data retention

(a) License-validation events: retained for twenty-four (24) months on a rolling basis.

(b) Product-improvement telemetry events (opted in): retained for ninety (90) days on a rolling basis.

(c) Billing records: retained for the period required by applicable financial, tax, and consumer-protection recordkeeping laws (generally seven (7) years under U.S. tax law).

(d) Operator-initiated bug reports and support correspondence: retained for the duration the underlying matter remains open, plus ninety (90) days.

(e) Site server logs: retained per the hosting provider's default rotation, typically not exceeding ninety (90) days.

(f) After a retention period elapses, the corresponding data is deleted or de-identified, except where a longer retention is required by law or is necessary to defend a pending or threatened claim.

7. Security

7.1 Safeguards

The Company implements administrative, technical, and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, and destruction. Specific safeguards include:

(a) atomic-write contracts for local journal and config files to prevent corruption from power loss or crash;

(b) signed JSON Web Tokens for License Key validation, preventing forgery of license artifacts;

(c) cryptographic integrity-checking on bundled legal documents;

(d) operator-review-before-send for bug-report transmissions;

(e) PII-scrubbing filters applied to all crash and telemetry payloads at ingestion;

(f) third-party security tooling on a per-release cadence (DAST, CodeQL, OSV-Scanner);

(g) least-privilege access controls on the Company's license-server infrastructure (Cloudflare Workers + KV + D1).

7.2 No absolute guarantee

No method of electronic storage or transmission is one-hundred-percent secure. The Company makes no representation that its security measures will be effective against all attacks.

7.3 Breach notification

In the event the Company discovers a data breach affecting personal data of operators, the Company will notify affected operators without undue delay and in accordance with applicable law (including, where applicable, the timing requirements of state breach-notification statutes and any international jurisdiction's requirements per §11). Notification will be sent to the email address associated with the affected License Key and, where appropriate, posted as an in-Platform notice and a Site notice. Notification will include the nature of the breach, the categories of data affected, the steps the Company is taking in response, and recommended steps for the operator.

8. Operator rights

Operators residing in any jurisdiction have, at minimum, the following rights with respect to personal data the Company holds about them:

(a) Access: the right to request a copy of personal data the Company holds about the operator.

(b) Correction: the right to request correction of inaccurate personal data.

(c) Deletion: the right to request deletion of personal data, subject to legal retention obligations (e.g., billing records).

(d) Portability: the right to receive personal data in a structured, machine-readable format.

(e) Withdraw consent: for processing based on consent (e.g., telemetry opt-in), the right to withdraw consent at any time without penalty.

(f) Lodge a complaint: the right to lodge a complaint with a supervisory authority (e.g., the operator's state attorney general or, for residents of jurisdictions with a designated data-protection authority, with that authority).

To exercise any of these rights, email the Privacy contact at the top of this Policy with the subject line "Privacy request — [type]." The Company will respond within thirty (30) days, or such shorter period as applicable law requires.

The Company will not discriminate against an operator for exercising any privacy right.

9. California residents (CCPA / CPRA)

If you are a California resident, you have the rights enumerated in §8 above, plus the following rights specific to the California Consumer Privacy Act ("CCPA") as amended by the California Privacy Rights Act ("CPRA"):

(a) Categories of personal information collected, sold, shared, or disclosed: the categories the Company collects are those listed in §1 of this Policy. The Company does NOT sell or share personal information for cross-context behavioral advertising. The Company does disclose categories of personal information to service providers and third parties as described in §5.

(b) Right to know: you may request, twice per twelve-month period, that the Company disclose (i) the categories of personal information collected about you, (ii) the categories of sources, (iii) the business or commercial purpose, (iv) the categories of third parties to whom the information was disclosed, and (v) the specific pieces of personal information collected.

(c) Right to delete: subject to legal retention exceptions, you may request deletion of personal information the Company has collected about you.

(d) Right to correct: you may request correction of inaccurate personal information.

(e) Right to limit use of sensitive personal information: the Company does not use sensitive personal information for purposes that would trigger this right under CPRA. To the extent it ever does, you may exercise this right.

(f) Right to opt out of sale or sharing: the Company does not sell or share personal information for cross-context behavioral advertising, so there is nothing to opt out of. The Company will honor a Global Privacy Control signal as a verifiable consumer request to confirm this status.

(g) Right to non-discrimination: the Company will not discriminate against you for exercising any CCPA right.

(h) Authorized agents: you may designate an authorized agent to make a request on your behalf, subject to verification.

To exercise any CCPA right, email the Privacy contact at the top of this Policy. California residents may also reach the Company by mail at the address listed in §14.

10. Children's privacy

The Platform and the Site are not directed to children under the age of eighteen (18), and the Company does not knowingly collect personal data from children. If the Company becomes aware that it has inadvertently collected personal data from a child, the Company will delete that data promptly.

11. International transfers and future jurisdictional extensions

11.1 U.S. operations; international transfers. The Company's operations are based in the United States. Personal data the Company collects is stored and processed in the United States or in regions hosted by the Company's infrastructure providers (Cloudflare). Where data is transferred out of an operator's jurisdiction in connection with the operation of the Platform, the Company relies on the lawful-transfer mechanisms applicable to each receiving party (e.g., Standard Contractual Clauses for transfers from the European Economic Area, where applicable).

11.2 Architectural-at-v1, conditional jurisdictional sections. This Policy is architected at v1 to cover U.S. residents (including California residents under CCPA / CPRA). At the time the Company begins offering the Platform in additional jurisdictions with their own data-protection regimes — including the European Economic Area (GDPR), the United Kingdom (UK DPA), Brazil (LGPD), Canada (PIPEDA), and Australia (Australian Privacy Act) — this Policy will be supplemented with jurisdiction-specific sections addressing the additional rights (including right to object, automated-decision-making rights, and data-portability specifics), legal bases, lead-supervisory-authority designations, representative designations (where required), and procedural protections required in those jurisdictions. The Company will provide notice of any such supplementation per §13.

11.3 Single-policy doctrine. Additional jurisdictional coverage will be implemented as conditional sections of this single Privacy Policy rather than as separate documents.

12. Third-party services, BYOK, and local-only Hermes translation

Transmits to the Company: the categories in §1 — license-validation data, billing data routed through Stripe, opt-in product-improvement telemetry, support communications the operator initiates, and crash payloads sent through the PII-scrubbing filter described in §3.2.

Stays local on the operator's installed device: every item in the NEVER list in §2 — including broker credentials, account numbers, position data, P&L, trade history, strategy parameters, the contents of the operator's local strategy registry (whether strategies were authored using the Platform's creation framework or imported via the Hermes import translator from a third-party authoring environment such as NinjaScript or Pine Script), the local trading journal, raw market data, LLM API keys, and LLM prompt and response content.

Hermes import processing. The Hermes import translator processes source strategy material entirely on the operator's installed device. Imported strategy source, the translation intermediate, and the resulting Platform-executable strategy do not transmit to Company-operated servers at any point.

12.2 Operator-supplied LLM provider (BYOK). Any Platform feature that uses an LLM provider does so under the operator's own API key (BYOK). When you configure such a feature:

(a) the LLM provider API key is stored on your installed device and is never transmitted to the Company (see §2(i));

(b) prompts and responses are transmitted directly between your installed Platform and the LLM provider's endpoint according to that provider's own privacy practices, and never pass through Company-operated servers (see §2(j));

(c) the Company is not a controller of any content of those prompts or responses, and is not a party to the contract between you and the LLM provider.

You should consult the privacy policies of the third-party services you use with the Platform, including (but not limited to) your broker, your Prop Firm, your market-data vendor, and your LLM provider.

13. Updates to this Policy

The Company may update this Privacy Policy from time to time. Material updates take effect upon the earlier of (a) the operator's re-acceptance through the Platform's First-Run Wizard on next launch, or (b) the date that is thirty (30) days following posting of the updated Policy on the Site, except where applicable law requires a longer notice period. Immaterial updates (typographical corrections, clarifications) take effect on posting.

The Company will use reasonable means to notify operators of material updates, including through email to the address associated with the License Key, an in-Platform notification, or a banner on the Site.

14. Contact

For any question, concern, or request relating to personal data:

Email: privacy@rubicontrading.io

Mail: ShapeUp LLC Attn: Privacy 2040 Linglestown Road, Suite 109 Harrisburg, PA 17110 United States


End of Privacy Policy v2.0.