Privacy Policy
Last updated June 29, 2026
TEMPLATE / SKELETON — NOT LEGAL ADVICE. This is a product-specific drafting starting point and has not been reviewed by counsel. It must be completed and reviewed for your specific data practices and applicable laws (e.g., CCPA/CPRA, GLBA, state privacy laws, and financial-data rules) before publication.
Controller: Zap · Contact: support@tryzap.net
1. Scope
This policy explains how Zap collects, uses, shares, and protects information when you use the Service. It does not cover Robinhood, Stripe, or other third parties whose own policies govern their handling of your data.
2. Information We Collect
You provide:
- Account data: email, authentication credentials, and profile/settings.
- Configuration: chosen strategy, risk level (conservative/moderate/aggressive), and autonomy mode.
- Verification data (if you pursue full-auto): identity/eligibility information collected to satisfy compliance gating [describe what is collected and by whom].
- Broker connection configuration: the credentials/configuration needed to connect Zap to your Robinhood Agentic wallet (see Section 5).
- Support communications.
Generated by use of the Service:
- Trading records: proposed and executed trades, order details, strategy and reasoning summaries, mode, timestamps, and guardrail/circuit-breaker events, written to an append-only audit log.
- Wallet/portfolio data retrieved from your broker to compute balances, positions, and P&L for the connected wallet.
- Billing data: subscription status and identifiers (full card details are handled by Stripe, not stored by us).
- Technical/usage data: log, device, and diagnostic data [describe cookies/analytics if used].
3. How We Use Information
To operate the Service (propose/execute trades, enforce guardrails, compute wallet state); to authenticate and secure accounts; to process subscriptions; to enable and gate full-auto; to provide support; to maintain audit, compliance, and record-keeping; to detect abuse and fraud; to improve the Service; and to comply with law. We do not use your trading data to provide personalized investment advice, and we do not sell your personal information [confirm "sale"/"share" definitions under CCPA/CPRA].
4. Service Providers (Processors)
We share information with vendors that process it on our behalf under contract:
| Provider | Purpose | Data involved |
|---|---|---|
| Supabase | Database, authentication, hosting of app data | Account, configuration, trading records, encrypted connection config |
| Stripe | Subscription billing and payment processing | Billing/contact identifiers, subscription status (card data held by Stripe) |
| Anthropic | AI models that generate trade ideas | Market context and prompts needed to generate strategy output [confirm exactly what is sent; minimize PII] |
| Robinhood | Brokerage execution via the Agentic interface | Orders and wallet data for the connected wallet |
| [Hosting/Vercel] | Application hosting/CDN | Technical/log data |
| [Resend/email] | Transactional email | Email address, message content |
[Confirm whether Anthropic and others act as processors and that DPAs/zero-retention or no-training terms are in place where applicable.]
5. Protection of the Broker Connection Configuration
The configuration used to connect to your Robinhood Agentic wallet is treated as highly sensitive. It is encrypted at rest (AES-256-GCM), stored server-side only, never exposed to the browser, and never written to logs. Access is restricted to backend processes that need it to place trades on your behalf, enforced by database row-level security and server-only access controls.
6. Security
We use technical and organizational measures including encryption at rest for sensitive config, row-level security so users can only access their own data, append-only audit logging, and least-privilege access to secrets. No method of storage or transmission is 100% secure, and we cannot guarantee absolute security.
7. Retention
We retain account and configuration data while your account is active. Trading and audit records may be retained on an append-only basis for the period required by our record-keeping and compliance obligations [specify retention period with counsel], even after account closure. We retain billing records as required for tax/accounting. Where we no longer have a lawful basis to keep data, we delete or de-identify it.
8. Your Rights
Depending on where you live, you may have rights to access, correct, delete, or port your personal information, to opt out of certain processing, and to non-discrimination for exercising these rights. To exercise them, contact support@tryzap.net [add verification process and response timelines]. Note that certain trading/audit records may be retained despite a deletion request where retention is legally required; deletion may also require disconnecting your wallet and canceling your subscription.
9. Disconnecting and Deletion
You can disconnect your Robinhood wallet and cancel your subscription at any time. On account deletion, we remove or de-identify personal data except records we are required or permitted to retain (e.g., append-only audit/trading and billing records), consistent with Section 7.
10. Children
The Service is not directed to and may not be used by anyone under 18.
11. International Users
The Service is intended for U.S. users. If you access it from outside the U.S., your data may be processed in the U.S. [address transfers if you accept non-U.S. users].
12. Changes
We may update this policy; material changes will be communicated [method/notice]. The "Last updated" date reflects the current version.
13. Contact
Zap, [address] — support@tryzap.net.