Privacy Policy

This Privacy Policy explains how Bull Forge ("Bull Forge", "we", "our", "us") collects, uses, and protects information when you use bullforge.io and the Bull Forge web application, scanner, and broker execution tools (collectively, the "Service"). By using the Service, you agree to the practices described here.

1. Information we collect

Information you provide directly

• Account details: name, email address, password (stored as a salted hash — never as plain text).
• Profile preferences: themes, layouts, watchlists, scanner filters, keyboard shortcuts.
• Broker API credentials: encrypted at rest with AES-256, isolated in a hardware-backed key vault, decrypted only at the moment of order signing. Never logged in plain text.
• Communications: support emails, Discord messages you send to us directly.

Information collected automatically

• Usage logs: features used, scanner queries, trade actions, error reports.
• Device and connection: browser type, operating system, IP address (last octet truncated for storage), session timestamps.
• Cookies: session cookies, Cloudflare bot-detection cookies, and preference cookies. We do not use third-party advertising or behavioral tracking cookies.

Information from third-party services

• Market data from Polygon.io: tick data, news, fundamentals — no personal information.
• Trade data from your broker: only what is required to reconcile your trading activity (fills, positions, balances).
• AI inference from Anthropic Claude API: anonymized signal context (indicators, candle patterns, ticker symbol) — never your account identity, name, or email.

2. How we use information

We use the information we collect to:

• Operate, maintain, and improve the Service
• Authenticate users and protect accounts from unauthorized access
• Display your scans, trades, journal data, and AI signals
• Reconcile your broker fills against the Service's order log
• Send service-related communications — beta updates, downtime notices, security alerts
• Detect abuse, fraud, or unauthorized access
• Comply with legal obligations

We do not:

• Sell your data to advertisers, brokers, or any third party
• Trade against your positions, ever
• Use your account or trading data to train AI models
• Share your trading data with other users without your explicit consent

3. Third-party services we rely on

Bull Forge depends on a small number of external providers, each with its own privacy practices:

• Polygon.io — real-time market data, news, fundamentals (no PII shared)
• Webull OpenAPI — broker integration (you authorize this directly via API token)
• Anthropic (Claude API) — AI co-pilot inference (anonymized signal context only)
• Cloudflare — DNS, CDN, DDoS protection (standard server logs, retained 30–90 days)
• Discord — community access (you control your Discord identity directly)
• Google (Gmail) — current support inbox (bullforge.app@gmail.com) until our corporate domain email is provisioned

4. Data retention

• Account data: retained while your account is active.
• Trade journal data: retained for the life of your account; exportable as CSV at any time.
• Encrypted broker credentials: deleted immediately when you disconnect the broker integration.
• Server logs and security telemetry: retained for up to 90 days.
• After account deletion: data is purged within 30 days, except where law requires longer retention (for example, financial-recordkeeping obligations on broker activity).

5. Your rights

Depending on your jurisdiction, you may have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate information
• Request deletion of your account and associated data
• Export your trade journal in CSV format at any time (built into the Service)
• Object to or restrict certain processing
• Lodge a complaint with your local data protection authority

To exercise any of these rights, email us at bullforge.app@gmail.com.

6. Security

• Data in transit is encrypted via TLS 1.3
• Data at rest is encrypted using AES-256
• Broker API credentials are stored in an isolated key vault and decrypted only at order-signing time
• We never log credentials, full IP addresses, or signed order payloads
• HTTPS is enforced everywhere; HSTS preload applies on all .app assets
• Production access is restricted under the principle of least privilege

No system is perfectly secure. If you suspect unauthorized access to your account, contact us immediately at bullforge.app@gmail.com.

7. Children

Bull Forge is intended exclusively for individuals 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If we become aware that a user under 18 has registered, we will delete the account and any associated data.

8. International users

Bull Forge is operated from the United States. By using the Service, you understand that your information will be processed in the United States, which may have different data-protection laws than your country of residence.

9. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify users by email and update the "Last updated" date at the top of this page. Continued use of the Service after a change takes effect constitutes acceptance.

10. Contact

If you have questions about this Privacy Policy or our data practices:

Bull Forge
Email: bullforge.app@gmail.com
Web: bullforge.io