Privacy Policy

Effective date: May 19, 2026

This policy explains what information AnchorPoint collects, how we use it, and your rights regarding your data. We’ve tried to write this in plain language. If something is unclear, please ask.

The short version

• We collect the minimum data needed to operate the Service.
• We never sell your data to anyone.
• We store your Alpaca API keys encrypted at rest.
• You can delete your account and all associated data at any time.
• We use Google (Firebase) for sign-in. Google sees your authentication, we see only the result.

What we collect

From Firebase Authentication (when you sign in)

• Your Firebase user ID (an opaque identifier)
• The email address associated with your Google account
• Your display name (if Google provides it)
• The timestamp of your most recent sign-in

We do not see your Google password or any other Google profile data beyond the items above. Firebase Authentication handles the sign-in flow entirely.

From you (when you use the Service)

• Alpaca paper trading API keys (stored encrypted)
• Acceptance of the Terms of Service (timestamp)
• Tracked option positions you save in the Service
• Settings and preferences (e.g., default scan parameters)

Automatically (when you visit)

• Standard server logs: IP address, request URL, response time, user agent string. Used for debugging and security; rotated regularly.
• No analytics tracking, no third-party advertising pixels, no behavioral profiling.

How we use your data

We use your information only to:

• Authenticate you and keep you signed in
• Make API calls to Alpaca on your behalf, using your provided keys
• Save and display your tracked positions
• Communicate with you about service changes, security incidents, or account issues
• Diagnose bugs and improve the Service

We do not use your data to train machine learning models, build user profiles, or target advertising.

How your API keys are protected

Your Alpaca API keys are stored using symmetric AES-128 encryption (specifically, the Fernet construction from the Python cryptography library). The encryption key is held in the Service’s runtime environment, separate from the database, and is never logged or transmitted.

When the Service needs to make an Alpaca API call, it decrypts your key in memory, makes the call, and discards the plaintext from memory. The plaintext is never written to disk.

Once a key is added, the API secret is never returned to the frontend again, even to you. To rotate a key, you replace it with a new one.

Who we share data with

We share data with the following third parties, only as needed:

• Google (Firebase Authentication): handles sign-in. Google has its own Privacy Policy.
• Alpaca Markets: receives API requests made with your keys. Alpaca has its own Privacy Policy.
• Render.com (hosting): the Service runs on Render’s infrastructure. Render has its own Privacy Policy.

We do not sell, rent, or trade your data to any party for any purpose. We do not share your data with advertisers, data brokers, or analytics services.

Cookies

We use a minimal set of cookies, all required for the Service to work:

• Firebase Auth uses local storage to maintain your sign-in session
• The Service may set a CSRF protection cookie on form submissions

We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

Your rights

You can, at any time:

• Access your data — visible in Settings and the tracked positions list
• Update your API keys via Settings
• Delete your account via Settings; this removes your user record, encrypted API keys, and tracked positions from our database
• Export your tracked positions to CSV from the app
• Request additional information about data we hold about you by emailing the contact address on our home page

If you are a resident of the European Union, United Kingdom, or California, you may have additional rights under GDPR, UK GDPR, or CCPA respectively. Contact us to exercise these rights.

Data retention

We retain your data only for as long as your account is active. When you delete your account, your user record, API keys, and tracked positions are deleted within seven days. Server logs are retained for up to 30 days for security and debugging purposes.

Children’s privacy

The Service is not intended for users under 18. We do not knowingly collect data from anyone under 18. If you believe a child has provided data to the Service, please contact us so we can delete it.

International users

The Service is hosted in the United States. If you access it from outside the US, your data will be transferred to and processed in the US. By using the Service, you consent to this transfer.

Security incidents

If we become aware of a security incident affecting your data, we will notify you by email within a reasonable timeframe, describe what happened, what data may have been affected, and what steps we are taking. If your API keys may have been exposed, we will recommend rotating them immediately.

Changes to this policy

We may update this policy as the Service evolves. If we make material changes, we will update the “Effective date” above and, if practical, notify you by email.

Contact

Questions about privacy can be sent to the contact email shown on the AnchorPoint home page.

← Back to AnchorPoint