Last reviewed: 2026-06-08
Privacy.
Privacy is a feature, not a footer. This is the honest version: what we encrypt, what we don't, and what's coming.
We don't want your trades. We don't sell data. We don't run ad trackers. We don't have a marketing pixel. The whole product is built so that even if our servers were breached, the damage would be bounded.
TL;DR
| Asset | Today (Phase 1) | Pro: ZK Mode (Phase 2) |
|---|---|---|
| Voice audio | Never recorded server-side. Browser ↔ OpenAI WebRTC, direct. | Same. |
| Voice transcripts | Only the AI-extracted structured Mirror Note (summary, themes, protective moves, body cues, next focus) is stored. Raw transcript is ephemeral. | Same, encrypted with your key. |
| Exchange API keys | AES-256-GCM at rest. Server-side master key. Read-only enforced. | Encrypted with your key. Server cannot decrypt. |
| Trade snapshots | Stored in Postgres, 60s cache TTL. | Ciphertext only. |
| Mirror Notes | Stored in Postgres, readable by our infra for support. | Ciphertext only. |
| Coach memory | Durable cross-session facts. Editable, forgettable, and included in the Mirror data export on the You page. | Ciphertext only. |
| What landed | Optional one-line after a session. Stored alongside the Mirror Note. | Encrypted with your key. |
| Analytics | None. Zero third-party trackers. | Same. |
| Logs | PII / position / API-key content scrubbed. | Same. |
What “read-only” means
When you connect an exchange, you give us an API key with read-only permissions. We can see your positions, P&L, and trade history. We cannot place trades, transfer funds, or change settings, even if our servers were compromised.
Enforced two ways: (1) our exchange client only calls read endpoints; there is no code path for createOrder, withdraw, or any state-changing call. (2) you create the key as read-only on the exchange side.
Encryption at rest
EXCHANGE_KEY_ENCRYPTION_SECRET, 96-bit IV per secret, authentication tag stored separately. For production we'll move the master key to a managed KMS.Voice: how it actually works
- You tap the mic. The app requests a short-lived ephemeral token from our server (~60s validity).
- Your browser opens a direct WebRTC connection to OpenAI using that token. Audio flows browser ↔ OpenAI. Our server is not in the audio path.
- After the session, the in-flight transcript is sent once to gpt-4o-mini to produce a structured Mirror Note (2-3 sentence summary, emotion + pattern tags, 1-4 themes, 0-3 protective moves, 0-3 body cues, and one “next focus” sentence). That note, not the raw transcript, is stored.
- Memory candidates (durable cross-session facts) are also extracted into a separate, individually-editable list on the You page.
Result: even we can't replay your conversations.
Session memory: how continuity actually works
- Each session writes one Mirror Note row with the structured note.
- Each session may add 0-4 memory rows (durable facts) to a separate
coach_memorytable. - The next session's system prompt pulls (a) the most recent
next_focusline, (b) the top-K most salient memories, and (c) frequency-aggregated themes across the last 5 sessions. That's everything the coach “remembers.” - Nothing else from prior sessions is loaded. There is no hidden long-term log the coach reads from.
The You page lists coach memory as editable rows. You can edit or forget any item there, and the data controls let you export your Mirror data.
What we log
What we will never do
- Sell your data. No data deal will ever be entertained. If we sell the company, this clause survives in any acquirer's terms of use, by contract.
- Train models on your conversations. OpenAI's API tier does not train on inputs by default; we've verified the org setting.
- Add an ad tracker. Ever.
- Require KYC. You can use the app pseudonymously through Telegram.
Report a privacy concern
This document is in source control. Every change is in git log PRIVACY.md. We do not edit privacy claims silently.