Unfair ("we," "us," or "our") operates the trading platform at unfairtrading.cc. This policy explains how we collect, use, and protect your personal information.
1. Information We Collect
Information you provide
- Access request — name, email, trading experience level, intended use, and optional interest note when you request access.
- Account registration — email address and password when you accept an invitation and create your account.
- Profile information — display name, which you can update in settings.
- Brokerage credentials — Alpaca API key and secret key, encrypted with AES-256-GCM and stored in our database. We never store these in plaintext.
- Trading preferences — risk limit settings (max position size, sector exposure, drawdown threshold).
Information collected automatically
- Authentication data — session tokens, MFA enrollment status, and login timestamps managed by Supabase Auth.
- Trading activity — orders placed, positions held, rebalance decisions, and signal evaluations generated by the platform on your behalf.
- Server logs — IP addresses, browser type, and request timestamps collected by our hosting provider (Vercel).
- Cookies — essential cookies for authentication session management and MFA state. We do not use advertising or analytics cookies.
Information from third parties
- Alpaca — account information (account ID, equity, positions, order history) retrieved via their API using your credentials.
2. How We Use Your Information
- Execute automated trades on your behalf through your connected brokerage account.
- Generate personalized trading signals and position-sizing recommendations.
- Send transactional emails (access approvals, trading alerts, circuit breaker notifications).
- Monitor platform health and trading system performance.
- Improve signal accuracy and platform reliability.
We do not sell, rent, or share your personal information with third parties for their marketing purposes. We do not use your trading data to inform other users' trading decisions.
3. Third-Party Services
We use the following services to operate the platform. Each has its own privacy policy:
- Supabase — database hosting, authentication, and row-level security.
- Alpaca — brokerage API for paper and live trading execution.
- Vercel — website and API hosting.
- Resend — transactional email delivery (access invitations, trading alerts).
- Finnhub — market data (analyst estimates, company news, fundamentals).
- Unusual Whales — market data (options flow, congressional trades, dark pool data).
- FRED — macroeconomic indicators (interest rates, credit spreads).
- SEC EDGAR — public filings (Form 4 insider transactions, 8-K material events).
Market data from these sources is used to generate signals. Your personal information is not shared with data vendors — they provide market-wide data, not per-user services.
4. Brokerage Credential Security
Your Alpaca API credentials are encrypted using AES-256-GCM with a server-side encryption key before storage. Credentials are decrypted only at the moment of trade execution and are never logged, cached, or transmitted in plaintext. The encryption key is stored in environment variables managed by Vercel, not in the codebase.
You can disconnect your brokerage account at any time from Settings. Disconnecting immediately nulls your stored credentials.
5. Data Isolation
All user data is isolated via Supabase row-level security (RLS). Your trading activity, positions, orders, and settings are visible only to you and platform administrators. Other users cannot access your data through the platform.
6. Data Retention
- Trading data (orders, rebalance decisions) — retained for the life of your account.
- Performance snapshots — retained for the life of your account.
- Admin audit logs — retained for 90 days.
- Notifications — retained for 30 days.
- Brokerage credentials — deleted immediately upon disconnect or account termination.
7. Data Security
We use industry-standard security measures including:
- HTTPS/TLS encryption for all connections.
- HSTS (Strict-Transport-Security) headers.
- Content Security Policy (CSP) headers.
- Mandatory two-factor authentication (TOTP) for all accounts.
- CSRF protection on all state-changing API requests.
- AES-256-GCM encryption for brokerage credentials.
- Row-level security (RLS) for data isolation.
8. Children's Privacy
Unfair is not directed to anyone under 18. You must be of legal age to open a brokerage account in your jurisdiction to use this platform. We do not knowingly collect information from anyone under 18.
9. Your Rights
You have the right to:
- Access the personal information we hold about you.
- Request correction of inaccurate information.
- Request deletion of your account and associated data.
- Disconnect your brokerage account at any time.
- Disable email notifications in settings.
To exercise any of these rights, email admin@unfairtrading.cc.
10. Changes to This Policy
We may update this policy from time to time. The updated policy will be posted on this page with a new effective date. Continued use of Unfair after changes constitutes acceptance.
11. Contact
Questions about this privacy policy? Contact admin@unfairtrading.cc.