← Back to VRTUE

Privacy Policy

Last updated 2026-05-02. Beta. Subject to change before public launch (June 2026).

What we collect

• Account info — your email address (via Clerk, our auth provider) and any profile info you choose to add.
• Alpaca API keys — your key and secret, encrypted at rest with AES-256-GCM. Decrypted only inside the bot orchestrator at trade-fire time. Never logged, never exported.
• Trading state — every trade your bot fires, stored on our infrastructure so we can show your dashboard, generate reports, and reproduce historical state if needed.
• Standard server logs — IP address, timestamp, request paths. Used for debugging and abuse prevention. Retained for 30 days then rotated.

What we don’t do

• Sell your data to third parties.
• Run advertising trackers, marketing pixels, or third-party analytics that profile you.
• Share your trading activity with anyone outside VRTUE.
• Log your API keys in plaintext, in error messages, or anywhere else.

Who we share data with

• Alpaca — necessary; we use their API to place your trades. Subject to Alpaca’s privacy policy.
• Clerk — our authentication provider. Stores your login email and session tokens.
• Stripe — payment processor for the monthly subscription. Stores billing details. We never see your card number.
• Cloudflare / Fly.io / Supabase — infrastructure providers. Bound by standard data-processing agreements.

Your rights

You can request deletion of your VRTUE account and all associated data at any time by emailing founder@vrtue.org. We’ll confirm deletion within 7 days. Some data may be retained longer for legal or accounting purposes, but no trading data or API keys will persist after deletion.

Contact

Questions about this policy or anything else: founder@vrtue.org.

Full long-form Privacy Policy ships before the founding cohort opens (June 2026). The substance above describes what VRTUE actually does with your data today.