[ Auracle / Privacy ]

Privacy

Effective 2026-05-15. Aurapoint Capital LLC ("Auracle", "we") operates this website and the Auracle self-hosted software. Auracle is a self-hosted platform: your trading strategies, market data, and order history live on your hardware and never reach our servers.

What we collect

• Billing data — your email, name, billing address, and payment-method last-4 are collected by Stripe when you purchase. We see only what Stripe forwards via webhook (email + invoice metadata). Card numbers never reach our servers.
• License-validation pings — your install pings our license server every 6 hours with your license key + a per-install UUID. We use this to confirm your subscription is active and to detect a single key activated on multiple installs.
• Marketing-site analytics — none. This site does not use Google Analytics, Mixpanel, Segment, Posthog, or any third-party analytics. The only request your browser makes off-site from this page is to load fonts from fonts.bunny.net (a privacy-respecting Google Fonts mirror).

What we don't collect

• Your trading strategies, backtest results, orders, positions, P&L, or account balances.
• Your broker credentials (IBKR / Alpaca / ClearStreet / Hyperliquid). These live in your local .env only.
• Your market data ingest. Auracle pulls market data direct from providers (yfinance, Polygon, IBKR) into your local TimescaleDB; we never see it.
• Your IP address on the marketing site, beyond what Vercel's edge logs retain for ~24 hours for DDoS protection.

License-validation telemetry

Each Auracle install pings our central license server every 60 seconds with {license_key, install_uuid, install_type}. The server records the request's source IP and User-Agent in stripe_license_installs.last_ip / last_user_agent so per-seat enforcement can tell a legitimate machine switch from key sharing. Combined with the billing email we already hold, this means we can correlate "subscription → machine fingerprint → approximate location" while a customer is active. We use this only for fraud + per-seat enforcement; we do not sell it, share it, or look at it absent a support ticket or abuse signal. IP + UA rows are dropped 90 days after the corresponding install slot is deactivated.

Where data goes

• Stripe — stripe.com/privacy. Stripe is our payment processor and acts as a separate data controller for billing data.
• Postmark / SMTP — outbound license-key emails. The plaintext key + your email transit through whichever provider you've configured as AURACLE_*_SMTP_* for your install. Our central license server uses Postmark.
• Stripe invoice JSON retention — we keep the full Stripe invoice JSON for 120 days (the chargeback window). After that we null out the PII-bearing fields and keep only aggregated payment metadata for revenue reporting.

Your data rights (GDPR / CCPA)

Because Auracle is self-hosted, most of "your data" never reaches us — it stays on your hardware. The only data we hold is what's described under "What we collect" above (billing metadata from Stripe + license-validation pings). You have the following rights over THAT data:

• Access — request a copy of the records we hold tied to your billing email.
• Deletion ("right to be forgotten") — request that we purge license-server records tied to your billing email. Stripe billing records (subject to their own retention) are managed separately at refunds.
• Portability — we'll export the records we hold as JSON on request.
• Rectification — correct inaccurate records (e.g. wrong billing email on the subscription).
• Withdraw consent / opt out of sale — we do not sell personal information. For CCPA "Do Not Sell" purposes, no action is needed; the answer is "we don't".

To exercise any of these: email contact@aurapointcapital.com with a subject like "GDPR access", "Right to deletion", or "Data portability" and your billing email. We respond within 30 days.

Cookies

This marketing site sets no third-party cookies — no Google Analytics, no Mixpanel, no Facebook pixel, no ad-retargeting. The only browser storage is a session cookie set by Vercel's edge for DDoS protection, which is expired and rotated within hours. Your Auracle install (a separate piece of software running on your own hardware) does set session cookies for its own login flow; those never reach us.

Contact

Privacy questions: contact@aurapointcapital.com.