Privacy Policy

Last updated: 17 June 2026

This Privacy Policy explains what information Nakkatto (the "Service") collects, how we use it, and the choices you have.

1. Information we collect

Account info: your email address and a user identifier, via Google sign-in (we do not receive or store your Google password).
Usage data you create: your watchlist, tracked positions, likes, and related preferences.
Brokerage connection tokens: if you connect a broker (e.g., Alpaca, Tradier) via OAuth, we store the resulting scoped, revocable access token — encrypted at rest. We never receive or store your brokerage username, password, or API keys.

2. How we use information

To provide the Service: show analytics for your tickers, maintain your watchlist/performance, and — only at your explicit direction — submit orders to your connected broker.
To operate, secure, and improve the Service.

We do not sell your personal information, and we do not place trades without your per-order confirmation.

3. How brokerage tokens are handled

OAuth tokens are encrypted at rest and used only to read your account information and submit orders you confirm. Tokens are scoped to the permissions you grant and can be revoked at any time — from within the app ("Disconnect") or from your broker's dashboard. We do not custody your funds or securities.

If you enroll in a Challenge, you additionally authorize us to use your stored token to automatically place and close trades on your behalf in your connected PAPER account per the challenge rules, without you being present, until you leave the challenge. This applies to simulated paper accounts only — never real money.

4. Third-party services

We rely on third parties to operate the Service, including: authentication and database hosting (e.g., Supabase), application hosting (e.g., Render), market-data providers, and the brokerage(s) you choose to connect (e.g., Alpaca, Tradier). Your use of a connected broker is also governed by that broker's privacy policy and terms.

5. Community features & public visibility

Public leaderboards and trade sharing are opt-in and off by default. When you opt in, we display your chosen public alias and statistics derived from your activity (e.g., tracked-position returns, shared trades, upvotes). We never display your email address publicly — only your alias (or, if unset, a masked form like na•••@domain). You can turn public visibility off, change your alias, or remove shared content at any time from your profile settings.

6. Data retention & deletion

We retain your data while your account is active. You can disconnect a broker at any time (which deletes the stored token), and you may request deletion of your account data by contacting us.

7. Security

We use reasonable technical measures, including encryption of stored brokerage tokens and transport-layer security. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

8. Changes

We may update this Policy from time to time; material changes will be reflected by the "Last updated" date above.

9. Contact

Privacy questions or deletion requests: nakkattos@gmail.com.