Privacy Policy

Kestrel Signal is operated as a sole proprietorship based in Pune, India. We are the data controller for all personal data processed through Kestrel Signal. For any privacy-related questions, contact us at privacy@kestrelsignal.io.

Account data — your email address, display name, and hashed password (Argon2id). We need this to identify you and let you log in. If you use Google sign-in, we receive your email and name from Google; we do not receive or store your Google password.

Strategy and backtest data — the strategy definitions (JSON DSL or Python code), backtest configurations, and results you create. This is the core of what the service does. We store it so you can access it across sessions.

Billing data — subscriptions are processed by Paddle (our Merchant of Record). Paddle handles your card details directly under PCI-DSS standards. We store only what Paddle gives us: your Paddle customer ID, subscription status, and renewal date. We never see or store your card number, CVC, or full billing address.

Usage data — pages visited, features used, and errors encountered (via Sentry and PostHog). We use this to fix bugs and improve the product. PostHog does not use your data for advertising.

Server logs — IP addresses, timestamps, and HTTP request metadata, retained for up to 30 days for security and debugging. We do not link logs to your account profile.

• We do not collect brokerage account details, trading positions, or real portfolio data
• We do not collect information about the financial instruments you actually trade
• We do not use tracking pixels, third-party ad networks, or retargeting
• We do not collect device fingerprints or build persistent cross-site profiles
• We do not perform KYC identity verification — we are not a financial service

Paddle — processes subscription payments as our Merchant of Record. Paddle is PCI-DSS compliant. Their privacy policy is at paddle.com/privacy. Data may be processed in the US and UK.

Sentry — receives error reports containing stack traces and anonymised user IDs. Sentry does not receive your strategies, backtest data, or email. Data may be processed in the US.

PostHog — receives anonymised usage events (page views, feature interactions). We do not send PostHog your email or strategy content. Data is processed in the EU.

Resend — sends transactional emails (verification, billing receipts). They receive your email address for the purpose of sending those emails only. Data may be processed in the US.

Hetzner / Cloudflare — our servers and CDN. Your data is stored on Hetzner Cloud (EU data centers) and served through Cloudflare, which may cache public pages globally.

We do not sell your data to any third party. We do not share your personal data with data brokers or analytics marketplaces.

We use a single session cookie (encrypted, httpOnly, secure) to keep you logged in. We do not use third-party tracking cookies.

PostHog sets a first-party analytics cookie to count unique visitors (no cross-site tracking). You can opt out by emailing privacy@kestrelsignal.io.

Your account and all associated data (strategies, backtest results) are retained until you delete your account. After deletion, we keep a copy for 14 days as a grace period in case of accidental deletion, then permanently purge it.

Billing records are retained for 7 years as required by applicable Indian accounting regulations. Server logs are retained for 30 days. Sentry error events are retained for 90 days.

You have the following rights under India's Digital Personal Data Protection Act 2023 (DPDPA), GDPR (if you are in the EEA or UK), and CCPA (California, where applicable):

• Access — request a copy of the personal data we hold about you
• Portability — export your strategies and backtest results via Settings → Data Export (machine-readable JSON)
• Rectification — correct inaccurate data by updating your profile in Settings
• Erasure — delete your account and all data from Settings → Delete Account (14-day grace period applies)
• Objection / restriction — contact us to restrict processing in specific circumstances

To exercise any right not available via Settings, email privacy@kestrelsignal.io. We will respond within 30 days.

Passwords are hashed with Argon2id. Data in transit is encrypted with TLS 1.2+. Data at rest is encrypted by our hosting provider. Session tokens are short-lived JWTs signed with RS256. Despite these measures, no system is perfectly secure — if you discover a vulnerability, please report it to security@kestrelsignal.io.

Our primary servers are in the EU (Hetzner). Some processors (Paddle, Sentry, Resend) may process data in the US or UK. We ensure such transfers occur under appropriate contractual safeguards. If you are in the EEA, transfers are covered by Standard Contractual Clauses (SCCs) in our data processing agreements.

Kestrel Signal is not directed at anyone under 18. We do not knowingly collect personal data from minors. If you believe a minor has created an account, contact us and we will delete it promptly.

We may update this policy from time to time. For material changes, we will email registered users at least 14 days before they take effect. The effective date at the top of this page always reflects the latest version.

Privacy enquiries: privacy@kestrelsignal.io

If you are in the EEA and unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority. For Indian users, you may contact the Data Protection Board of India once operational under the DPDPA 2023.