Privacy Policy DRAFT

Last updated: 2026-03-26 · Effective date: [TBD — set on launch]

Draft Notice: This document has not been legally reviewed. Do not rely on it as a final, binding privacy policy. Publication requires review and approval by qualified legal counsel.

1. Introduction

This Privacy Policy describes how [Skew entity name — HK company name TBD] ("Skew", "we", "us", or "our") collects, uses, stores, and discloses information about users ("you") of the Skew options analytics platform (the "Service").

By using the Service, you agree to the collection and use of information as described in this Policy.

2. Information We Collect

2.1 Account Information

Email address (required for account creation and authentication)
Name (optional, for display purposes)
Password (stored as a hashed value; we never store plaintext passwords)

2.2 Payment Information

Payment card information is collected and processed directly by Stripe, Inc. We do not store full payment card numbers on our systems. Stripe provides us with a tokenized reference and the last four digits of your card for display purposes only.
Billing address (for tax compliance purposes)

2.3 Usage Analytics

Pages and features accessed within the Service
Session duration and frequency of use
Browser type, operating system, and screen resolution (anonymized)
IP address (used for security purposes; not linked to personal profiles)
Ticker symbols and analytics modules accessed

2.4 Technical Data

API request logs (retained for security audit purposes)
Error logs (retained for debugging; stripped of personally identifiable information where possible)

2.5 Data We Do NOT Collect

We do not collect your brokerage account information or trading history.
We do not collect the positions or trades you enter in the position tracker (this data is stored client-side only, or transmitted only for your own analytics display).

3. How We Use Your Information

We use collected information to:

Provide, maintain, and improve the Service
Process subscription payments and send billing confirmations
Send transactional emails (account creation, password reset, billing alerts)
Detect and prevent unauthorized access or abuse
Comply with applicable legal obligations
Respond to support inquiries

We do not sell your personal information to third parties.

We do not use your data to train machine learning models for third parties.

4. Data Storage and Location

Your data is stored on servers located at:
[Cloud provider and region TBD — e.g., Hetzner VPS, Germany / EU or similar]

[OPEN ITEM: Confirm server location before launch. Update this section once cloud provider and region are selected in Phase 4.]

Data is encrypted at rest using [AES-256 placeholder — confirm with infrastructure team] and in transit using TLS 1.2 or higher.

5. Cookies and Tracking

5.1 Session Cookies

The Service uses session cookies strictly necessary for authentication. These expire when you log out or close your browser.

5.2 Analytics Cookies

[PLACEHOLDER: Decide on analytics approach before launch. Options: (a) first-party only, (b) Plausible Analytics (privacy-friendly, no PII), (c) no cookies beyond session. Recommended: Plausible or first-party only to minimize GDPR/CCPA exposure.]

We do not use third-party advertising cookies or cross-site tracking.

5.3 Opt-Out

You may disable cookies in your browser settings. Disabling session cookies will prevent you from logging in to the Service.

6. Data Sharing with Third Parties

We share data with the following third-party processors:

Processor	Purpose	Data Shared
Stripe, Inc.	Payment processing	Email, billing address, tokenized payment info
[Email provider TBD]	Transactional email (password reset, billing alerts)	Email address, account status
[Cloud hosting provider TBD]	Infrastructure hosting	All data stored on their servers per their DPA

All third-party processors are contractually required to handle data in accordance with applicable privacy laws.

We do not share personal data with data brokers, advertisers, or analytics aggregators.

7. California Privacy Rights (CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

7.1 Right to Know

You have the right to request information about the categories and specific pieces of personal information we have collected about you in the past 12 months, the sources of that information, the purposes for which it is used, and any third parties it is shared with.

7.2 Right to Delete

You have the right to request deletion of personal information we have collected from you, subject to certain exceptions (e.g., data required for legal compliance or ongoing transactions).

7.3 Right to Opt Out of Sale

Skew does not sell personal information. You therefore have no action to take under this right; however, you may submit a request for confirmation at [email protected].

7.4 Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights.

7.5 How to Submit a CCPA Request

To submit a rights request, email [email protected] with the subject line "CCPA Request". We will respond within 45 days as required by law.

8. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service.

Upon cancellation of your subscription:

Your personal data will be retained for [X] days after cancellation (aligned with Terms of Service, Section 6).
After this period, personal data will be permanently deleted.
Anonymized usage analytics and aggregated data may be retained indefinitely as they cannot be linked to you.

Audit logs required for legal or security compliance purposes may be retained for up to [Y] years [placeholder: 3 years recommended].

[OPEN ITEM: Confirm retention periods with legal counsel before launch. Align with ToS Section 6.]

9. Security

We implement industry-standard security measures including:

TLS encryption for all data in transit
Hashed passwords (bcrypt or equivalent)
Token-based authentication with independent rotation capability
Access logs and audit trails for all authentication events
Regular dependency vulnerability scanning (pip-audit)

Despite these measures, no system is completely secure. In the event of a data breach affecting your personal information, we will notify you as required by applicable law.

10. Children's Privacy

The Service is not directed at children under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us at [email protected].

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice in the Service. Your continued use of the Service after notification constitutes acceptance of the updated policy.

12. Contact

For privacy-related questions, requests, or complaints:

Privacy Contact: [email protected] (placeholder — confirm email routing before launch)

[Skew entity name — HK company name TBD]
Address: [HK company registered address — TBD]

This document is a draft for legal review. It does not constitute a final, legally binding privacy policy until reviewed and approved by qualified legal counsel.