Privacy Policy
Last updated: May 21, 2026
1. Who We Are
This Privacy Policy explains how PolyTRADRR (“we”, “us”) collects, uses, and shares information when you use the website at polyreplay.dev and the related trading interface, data API, SDK, and backtesting tools (the “Service”). It should be read together with our Terms of Service.
2. Information We Collect
2.1 Account information
When you sign up via Supabase authentication we collect your email address, a hashed password (never the plaintext), email verification status, and any OAuth profile details you choose to connect. We create a profiles record linked to your auth user that stores your current plan (free / pro), Stripe customer and subscription IDs (if any), your Pro expiry date, and timestamps.
2.2 API keys
When you generate an API key, we store only a SHA-256 hash of the key together with an 8-character display prefix (e.g. ptr_abcd1234…), the assigned plan, and timestamps for creation, last use, and revocation. The plaintext key is shown to you exactly once at creation and is never recoverable.
2.3 Wallet bindings
To pay in USDC on-chain you bind a self-custodied wallet to your account. We store the lowercased wallet address, a random nonce, your EIP-191 signature, and the exact message that was signed, for audit purposes. We never receive or store your private keys or seed phrase.
2.4 Payments
Card payments are handled by Stripe. We do not receive or store your full card number; we receive only a customer reference, subscription ID, and payment status via Stripe’s webhooks. Crypto payments are handled on-chain; for each confirmed payment we store a payment intent (amount, chain, token contract, expected sender, expiry) and a confirmation row containing the transaction hash, block number, sender and receiver address, token contract, and amount.
2.5 Trading activity
When you place an order via the Service, the order itself is signed by your wallet and broadcast to Polymarket’s CLOB with our builder code attached. We may log order metadata (market, side, size, price, builder code, timestamps) so that we can render your dashboard, support you, and reconcile builder rewards. We do not have custody of your funds or access to your private keys.
2.6 API and usage data
When you call the data API or load the website, we receive standard request metadata: timestamps, request paths, response status, request size, your IP address, user-agent, and (hashed) API key identifier. We use this to enforce rate limits and quotas, to diagnose issues, and to detect abuse.
2.7 Backtests and saved configurations
If you run a backtest or save a strategy configuration, we store the configuration, the input parameters, and any generated results so that you can revisit them. You can delete saved backtests from your dashboard.
2.8 Cookies and local storage
We use strictly necessary cookies set by Supabase to keep you signed in and to maintain session state, and local storage to remember UI preferences such as theme. We do not use third-party advertising cookies.
3. How We Use Information
We use the information described above to:
- provide, operate and maintain the Service;
- create and authenticate your account and API keys;
- verify wallet ownership and credit on-chain payments;
- process subscriptions, renewals, refunds and chargebacks;
- render dashboards, backtests, charts and overlays;
- enforce plan quotas, rate limits, and the rules described in our Terms of Service;
- detect, investigate and prevent fraud, market manipulation, sanctions evasion, abuse, and security incidents;
- communicate with you about your account, billing, security notices, and material changes to the Service;
- comply with legal obligations, court orders, and lawful requests from competent authorities.
4. Legal Bases (EEA / UK Users)
If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR / UK GDPR:
- Performance of a contract — to provide the Service you have signed up for, including processing subscriptions and routing orders.
- Legitimate interests — to secure the Service, prevent fraud and abuse, run analytics on usage, and improve the product.
- Legal obligation — to comply with tax, sanctions, anti-money-laundering and other regulatory requirements.
- Consent — where we ask for it (for example, for optional product-update emails). You can withdraw consent at any time.
5. Who We Share Information With
We do not sell your personal data. We share information only with the following categories of recipients, and only to the extent needed for them to perform their function:
- Supabase — hosting our database, authentication, row-level security and storage.
- Stripe — processing card payments, subscriptions, invoices, refunds and disputes.
- Cloudflare R2 — hosting the historical datasets we serve through the API.
- Polymarket — the order venue. Orders you place through the Service, including the signed payload and our builder code, are sent to Polymarket so they can be matched on-chain.
- Public blockchains (Polygon, Ethereum) — any on-chain transaction you submit, and the corresponding transfer logs, are public by design.
- Wallet providers and RPC endpoints — your browser communicates directly with these to read on-chain state and sign transactions.
- Email and infrastructure providers — used to send transactional email (verification, password reset, billing notices) and to operate the Service.
- Professional advisers and authorities — where disclosure is required by law, court order, or to protect our rights, our users, or the public.
- In a business transfer — if PolyTRADRR or its assets are acquired, your information may be transferred, subject to this Policy.
6. International Transfers
The infrastructure that runs the Service may be located outside your country of residence. Where we transfer personal data out of the EEA / UK, we rely on appropriate safeguards such as Standard Contractual Clauses.
7. Security
We implement reasonable technical and organisational measures designed to protect your information, including: TLS in transit, encrypted Postgres storage at rest via Supabase, password hashing handled by Supabase Auth, SHA-256 hashing of API keys (we never store the plaintext), server-side handling of all order signing and credentials, row-level security policies that restrict each row to its owning user, and replay protection on on-chain payments via a unique constraint on the transaction hash. No system is perfectly secure; you are responsible for keeping your own credentials, wallet, and devices safe.
8. Data Retention
We retain your information for as long as your account is active and for a reasonable period afterwards to comply with legal, accounting, and dispute-resolution requirements. Specifically:
- Account, profile, wallet binding, payment records — retained while your account exists and for up to seven (7) years after closure where required by tax or financial-records law.
- API-key hashes — retained until you revoke the key or delete your account.
- Request logs and security telemetry — retained for a rolling window (typically 30–90 days) for abuse detection.
- On-chain records — cannot be deleted by us and remain publicly visible on the relevant blockchain.
9. Your Rights
Depending on where you live, you may have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data deleted (subject to the limits in section 8);
- restrict or object to certain processing;
- receive a portable copy of your data;
- withdraw consent where processing is based on consent;
- lodge a complaint with your local data-protection authority (for EEA / UK users) or attorney general (for certain US states).
You can exercise most of these rights directly from the Settings page (including account deletion) or by emailing support@polyreplay.dev. We will respond within the timeframes required by applicable law.
10. Children
The Service is not directed to anyone under 18 and we do not knowingly collect personal information from children. If you believe a minor has used the Service, contact us and we will delete the relevant data.
11. Third-Party Links
The Service may link to third-party websites (including Polymarket, exchanges, block explorers, and documentation). We are not responsible for their privacy practices. Review their policies before sharing data with them.
12. Changes to This Policy
We may update this Policy from time to time. When we do, we update the “Last updated” date above and, for material changes, give reasonable notice through the Service or by email. Your continued use of the Service after the update means you accept the revised Policy.
13. Contact
Privacy questions and rights requests can be sent to support@polyreplay.dev. For general support use support@polyreplay.dev.