Privacy Policy

Effective: 2026-04-21
Updated: 2026-04-21

This Privacy Policy explains how LAPOS collects, uses, discloses, and protects personal information when you use our services. It is provided under the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), and applicable data protection laws worldwide.

If terms defined in the Terms of Service are not re-defined here, they retain the meaning given there.

1. Plain English Summary (non-binding)

We built LAPOS for traders who care about their money and their data. Here is the deal:

We do not sell your data. Not to advertisers, not to data brokers, not to anyone.
We do not run ads. We make money from subscriptions and credits.
We do not store your private keys. Your wallet keys never touch our servers.
We do not store your card details. Stripe handles that.
Your notebook entries are private. We store them only so you can re-open them. They are never shared or analyzed unless you personally click "Check thesis" on a specific entry.
We use AI to analyze markets you asked us to analyze — not to profile you. AI responses are stored per-user so you can access them again.
You can delete your account and all data at any time. One click, no guilt trips.
You can export all your data at any time. JSON format, machine-readable, GDPR-compliant.
Polygon blockchain transactions are permanent — we cannot delete them.

If any of the above changes, we will notify you before it takes effect.

The formal provisions below govern in case of conflict with this summary.

2. Controller Identity and Contact

Data Controller: LAPOS (trade name)

IMPORTANT — LEGAL ENTITY PENDING INCORPORATION. Until a LAPOS legal entity is registered (Wyoming LLC registration in progress), the de-facto controller is a single natural-person operator acting in an individual capacity. The operator's legal name and current residential or postal address will be disclosed to any user submitting a written data-subject rights request or legal notice to [email protected] or [email protected], and will in any event appear on any individually executed legal instrument. Legal notices and service of process: [email protected]. The registered company name, registration number, and registered office will be added here upon incorporation and notified to users via in-app message and (where available) email.

Routed contact addresses (aliases may forward to a single operator mailbox during the pre-incorporation period while audit-trail routing is implemented; use the correct alias so your request is timed and routed appropriately):

Purpose	Address
Data subject rights requests (Art. 15-22 GDPR, CCPA §1798.100-.125)	`[email protected]`
Data Protection Officer (upon appointment)	`[email protected]`
EU Representative (GDPR Art. 27, upon appointment)	`[email protected]`
Legal notices and service of process	`[email protected]`
General product support	`[email protected]`

Include "Privacy request" or "Data subject request" in your subject line for routing.

Data Protection Officer (DPO):

Status: Appointment pending counsel review. GDPR Article 37(1)(b) requires a DPO where core activities consist of processing operations that, by their nature, scope, or purposes, require regular and systematic monitoring of data subjects on a large scale. EDPB Guidelines (WP243 rev.01) explicitly reject bright-line user-count thresholds as the sole trigger. Our processing — continuous monitoring of trading activity, slider estimates, notebook interactions, and Auto-Feature decisions — is regular and systematic monitoring; scale is a separate question. Rather than rely on an invented MAU threshold, LAPOS commits to appointing a qualified DPO (including the option of a fractional external DPO) before any active EU marketing activity and in any event before public EU launch. Until appointment, DPO-routed correspondence to [email protected] is handled by the operator in the DPO-routing queue; this is a pre-appointment transitional arrangement disclosed to you in the interest of transparency.

EU Representative (GDPR Article 27):

Status: Appointment pending counsel review. Because LAPOS offers services to data subjects in the EU, Article 27 ordinarily requires a representative in an EU member state. (We also note that our hosting at Hetzner Nürnberg may itself constitute EU establishment under the CJEU's reasoning in Weltimmo and Google Spain, which would engage direct Art. 3(1) applicability and could eliminate the Art. 27 appointment need while triggering full substantive GDPR obligations.) LAPOS commits to appointing an EU Representative before any active EU marketing activity and in any event before public EU launch. In the interim, correspondence routed to [email protected] is handled by the operator; this is disclosed as a pre-appointment transitional arrangement. We do not, pending appointment, actively market or promote the Services to EU residents.

3. Personal Information We Collect

We collect only what is necessary to operate the Services. Categories below use GDPR and CCPA terminology.

3.1 Identifiers

Data	Source	Legal basis (GDPR)	Retention
Email address (if you log in via Privy email method)	Directly from you via Privy	Contract performance, Art. 6(1)(b)	Until account deletion
Wallet address (Polygon)	Derived from your Privy wallet signing	Contract performance, Art. 6(1)(b)	The association between your LAPOS account and a wallet address is retained until account deletion, at which point the association is removed from our systems. The wallet address itself is a public on-chain identifier that we cannot delete; it remains on the Polygon blockchain independently.
Privy user ID	From Privy authentication service	Contract performance, Art. 6(1)(b)	Until account deletion
Username / display name (optional)	Directly from you	Consent, Art. 6(1)(a)	Until you remove it
Telegram user ID (if you link Telegram)	From Telegram OAuth flow	Consent, Art. 6(1)(a)	Until you unlink or delete account

3.2 Trading and Financial Information

Data	Source	Legal basis	Retention
Trade history (orders, fills, P&L)	Polymarket API + your on-chain transactions	Contract performance, Art. 6(1)(b)	Until account deletion (on-chain data remains permanent; see Section 11)
Position data	Polymarket API + our analytics	Contract performance	Until account deletion
Slider estimates (your probability forecasts)	Directly from you	Contract performance	Retained while your account is active — they are your historical forecasting track record. Removed only on account deletion.
Notebook entries (your private thesis text about a market — Free-tier F17)	Directly from you	Contract performance	Stored only so you can re-open and edit them later. Notebook text is never shared with Anthropic, published, analyzed, or used for product analytics unless you yourself click "Check thesis" (Notebook Red Team) on a specific entry, at which point only that entry is sent to Anthropic for that specific invocation. Retained while account active; removed on deletion.
Portfolio balance (USDC, positions)	Polymarket API + Polygon RPC	Contract performance	Real-time, not stored
Subscription status + payment method	Stripe / CryptAPI	Contract performance + legal obligation (Art. 6(1)(b), 6(1)(c))	Until account deletion; anonymized transaction log retained 7 years for tax compliance

3.3 AI Interaction Data

Data	Source	Legal basis	Retention
AI prompts sent to Anthropic (market data, article text, your notebook thesis)	Constructed from your actions + third-party content	Contract performance + consent for Auto-Shield AI (Art. 6(1)(a))	Processed by Anthropic per their retention policy; our logs: 30 days
AI responses (Lens, Red Team, Daily Review, Auto-Shield AI outputs)	Generated by Anthropic	Contract performance	Until account deletion (for your reference)

3.4 Usage and Device Information

Data	Source	Legal basis	Retention
IP address	HTTP request headers (via Cloudflare)	Legitimate interest (security, rate limiting), Art. 6(1)(f)	Full IP addresses are received by Cloudflare (our CDN and DDoS-protection processor) and retained by Cloudflare per its log policy (see Cloudflare privacy policy, Section 5 of this Policy). LAPOS receives the full IP via the Cloudflare `cf-connecting-ip` header; we hold the full value in application memory for the duration of the request and for short-term rate-limit counters (seconds to minutes), and for up to 72 hours in incident-response buffers when a specific security investigation is in progress. For longer-term security logging, the IP is bucketed to a /24 subnet and retained for up to 14 days, then deleted. LAPOS does not retain full IPs beyond 72 hours absent an active security incident.
Session tokens (JWT access + refresh)	Generated at login	Contract performance	Access token 24h; refresh token 7d; revoked on logout or deletion
Feature usage timestamps (which feature used when, for plan limits)	Application instrumentation	Contract performance	Retained while your account is active. Removed on account deletion. Aggregate, fully de-identified statistics may be retained for the life of the Services.

3.4.1 VPN and geographic-circumvention signals

Our Terms of Service (§10.6 and §11.4) prohibit the use of a VPN, proxy, Tor, or similar service to circumvent geographic restrictions imposed by Polymarket or by the Terms. To enforce those restrictions, LAPOS processes the following limited signals:

Signal	Source	Purpose	Legal basis	Retention
Cloudflare bot-management classification (`__cf_bm`) + edge challenge outcome (`cf_clearance`)	Our CDN (Cloudflare), at the edge	Distinguish automated / high-risk traffic; surface anonymity-network signals to our origin	Legitimate interest, GDPR Art. 6(1)(f) — preventing circumvention of third-party geographic restrictions that would expose the user to Polymarket fund-freeze, and preventing sanctions-regime violations	Processed transiently in application memory per request; no server-side persistence beyond the general incident-response buffer described at §3.4 (up to 72h, active investigations only)
IP-address allocation metadata received from Cloudflare headers (datacenter / hosting-ASN flags)	Cloudflare request headers	Flag accounts that consistently route through anonymity infrastructure; decline high-risk sign-ups	Legitimate interest, GDPR Art. 6(1)(f) (same justification as above)	Not stored beyond the request evaluation; the resulting flag (allow / soft-review / decline) is stored in your account record while the account exists
Wallet-onboarding region signals surfaced by Privy (our embedded-wallet provider)	Privy (see §5)	Match Privy's own geographic onboarding gating; avoid enabling trading flows that would fail at the Privy layer	Legitimate interest, GDPR Art. 6(1)(f)	Binary flag held in the Privy-side record per Privy's policy; our own copy is bounded by the session and by §3.4 retention

What we do NOT do. We do not operate a dedicated commercial VPN-detection service, do not build behavioral fingerprints of our users beyond Cloudflare's bot-management signals, do not resolve IP addresses to precise geolocation, and do not share VPN/proxy indicators with third parties other than the processors listed in §5.

User-facing consequence. Where the above signals strongly indicate circumvention of a restricted-jurisdiction list, LAPOS may: (a) decline account creation or block Wallet linking; (b) route the account to a manual review queue; or (c) require additional attestations under §11.4 of the Terms. You have the right under GDPR Article 22(3) (and §6.3.1 above) to contest an automated decline and to request human review at [email protected].

Security-by-obscurity caveat. We do not publish the specific detection thresholds or heuristics, because publishing them would undermine their effectiveness against the circumvention behaviour they are designed to detect. The categories of data processed and the purposes are disclosed in full above; only the tuning parameters are withheld, consistent with GDPR Recital 63 (trade-secret protection for detection logic where disclosure would undermine the right it secures).

3.5 Feedback and Support

Data	Source	Legal basis	Retention
Feedback form submissions	Directly from you	Consent, Art. 6(1)(a)	Until account deletion
Support emails	Directly from you	Legitimate interest (Art. 6(1)(f))	Retained while your account is active. Removed on account deletion (exception: messages subject to an open legal claim are retained until the claim is resolved).

3.6 What we do NOT collect

Private keys, seed phrases, or passwords — ever. Privy manages key generation and signing in a secure enclave that LAPOS cannot read.
Card details. Stripe tokenizes and stores cards directly. We receive only a Stripe customer ID.
Precise geolocation / GPS. We do not request GPS, device location, or fine-grained location data. We use IP addresses for rate limiting and abuse prevention (see Section 3.4); while an IP address can be resolved to an approximate city, we do not do this intentionally, do not store geocoded location, and do not use IP as "precise geolocation" in the CCPA sensitive-PI sense.
Browsing history outside LAPOS. No tracking pixels, third-party cookies, fingerprinting, or cross-site trackers.
Biometric data.
Health, political, religious, sexual orientation, or other GDPR Article 9 special-category data — we do not collect or process special categories.
Data of users under 18. Our Terms of Service require users to be 18 or older. We rely on user self-representation at signup and we do not independently verify age. If we learn that a user is under 18, we will terminate the account and delete the data promptly. Parents or guardians who believe a minor has created an account should contact us at [email protected].

3.7 Our commitments to you (trust baseline)

Beyond legal obligations, LAPOS makes the following contractually binding commitments regarding user-submitted content — especially notebook thesis entries, support messages, and any text you write in the application:

Zero AI training on your content. LAPOS will not train, fine-tune, or otherwise use user-submitted content to train any AI model under LAPOS's control, including any future LAPOS model. For third-party processors, LAPOS relies on contractual assurances in effect at the date of this Policy: Anthropic's Commercial API terms as of 2026-04-21 do not permit Anthropic to use customer API inputs or outputs to train Anthropic's models. If Anthropic amends those terms in a way that would permit such use of LAPOS-originated data, LAPOS will (a) notify users at least 30 days before any such change takes effect on our integration, and (b) assess whether to continue the integration or migrate to an alternative provider. Users are invited to verify Anthropic's current policy independently at https://www.anthropic.com/legal/privacy.
No human reading of notebook contents. LAPOS staff, contractors, or automated internal tools do not read, analyze, or otherwise access notebook thesis contents, except (a) when you explicitly consent as part of a support request you filed, (b) under a valid lawful legal order, or (c) under a documented security incident that requires narrow, audited inspection. All such access events are logged.
Never sold, licensed, or shared for commercial purposes. Notebook contents, slider rationale, support messages, and other user-submitted free-text will never be sold, licensed, or shared with any third party for marketing, advertising, analytics, data-brokerage, or other commercial purposes. This is unconditional and not overridable by future Terms amendments without a material-change notice under Section 15.
Breach transparency. If LAPOS systems experience a confirmed security breach affecting notebook or other user-submitted content, LAPOS commits to the following staged notification and disclosure timeline:
- Supervisory-authority notification (GDPR Art. 33). Notification to the competent supervisory authority within 72 hours of becoming aware of the breach, where required under Art. 33.
- Affected-user notification (GDPR Art. 34). Notification of affected users without undue delay once the breach is confirmed, with a target of within 7 days of confirmation, unless a law-enforcement hold, ongoing forensic investigation, or similar legitimate reason requires a reasonable further delay. Where delay is required, the reason will be documented internally and explained to affected users at the time of notification.
- Public post-mortem. Publication of a full, user-readable incident post-mortem within 30 days of confirmation, except where doing so would itself compromise the security of affected users or users at large (e.g., exposure of a not-yet-patched vulnerability). In such cases the post-mortem will be published as soon as the obstacle is removed.

3.8 Phase 2 roadmap — optional end-to-end encryption

We plan to offer (as a Phase 2, post-launch feature) an optional "Private Mode" for notebook content. In Private Mode, your thesis is encrypted client-side using a key derived from your Privy wallet signature before being sent to our servers. LAPOS stores ciphertext only and physically cannot decrypt the content. Running an AI feature on a private entry requires you to sign a per-invocation decryption ticket.

Until Private Mode ships, the commitments in §3.7 are the binding trust baseline. Private Mode, when available, will be opt-in with a clear trade-off disclosure (losing your wallet = losing your private notebook data, identical to losing your USDC).

4. How We Use Personal Information

Purpose	Data used	Legal basis (GDPR)	CCPA business purpose
Provide and operate the Services (accounts, trades, analytics)	Identifiers, trading data, usage data	Contract performance (Art. 6(1)(b))	Performing services, Ca. Civ. Code §1798.140(e)(1)
Process payments	Email, subscription data, Stripe customer ID	Contract performance; legal obligation (tax)	Processing payments
Generate AI analysis (Lens, Red Team, Daily Review, Blind Spot)	Trading data, AI prompt content	Contract performance	Performing services
Execute Auto-Features (Auto-Shield, Conditional Orders, Auto-Forecast)	Position data, user configuration, AI inputs	Explicit consent, Art. 6(1)(a) + Art. 22(2)(c) (single basis) — withdrawable under Art. 7(3). See §6.2 for why Art. 22(2)(a) "contract performance" is not relied on.	Performing services
Security, fraud prevention, rate limiting	IP address, usage patterns	Legitimate interest (Art. 6(1)(f))	Preventing security incidents and fraud
Communicate about the Services (transactional notifications, billing, security, service updates)	Email, Telegram ID (if linked)	Contract performance, Art. 6(1)(b) (transactional); legal obligation, Art. 6(1)(c) (billing, breach notice); legitimate interest, Art. 6(1)(f) (security updates). We do not currently send promotional/marketing email. If we ever do, a separate opt-in consent process will govern.	Providing customer service; security notifications
Meet legal obligations (tax, anti-money-laundering, responding to lawful requests)	All relevant categories	Legal obligation (Art. 6(1)(c))	Compliance with laws
Improve the Services (product analytics)	Aggregated, de-identified usage data	Legitimate interest (Art. 6(1)(f))	Internal research and development

We do not use your personal information for targeted advertising, data sales, or profiling outside the narrow Auto-Features contexts described in Section 6.

5. Third-Party Recipients (Processors and Sub-Processors)

We share data with the services below only to the minimum extent necessary to operate. Each is a processor acting on our documented instructions under Article 28 GDPR.

Processor	Data shared	Purpose	Location	Transfer safeguards (GDPR Art. 46)	Privacy Policy
Anthropic PBC — Messages API	Market data, article text, your notebook thesis, slider estimates, position context	Real-time AI analysis (Lens, Red Team, Daily Review, Auto-Shield AI enhancement, Rules Parser, Blind Spot Report)	United States	SCCs, Module Two (C→P) + Data Processing Addendum. Retention: Anthropic's Messages API retains prompt/response data for up to 30 days for abuse monitoring per the Anthropic Zero Data Retention posture we have contracted for where available; contact Anthropic privacy for current retention length.	`https://www.anthropic.com/legal/privacy`
Anthropic PBC — Batch API	Same categories as Messages API, batched	Daily Review async batched generation, overnight Blind Spot Report regeneration	United States	SCCs, Module Two (C→P) + DPA. Retention differs from Messages API: Batch API responses are retained by Anthropic for up to 30 days after job completion to permit job retrieval; underlying prompt/response content follows the abuse-monitoring retention posture. Split into its own row (decision 2026-04-22) because retention characteristics differ from the synchronous Messages API path.	`https://www.anthropic.com/legal/privacy`
Stripe, Inc.	Email, Stripe customer ID, subscription metadata	Card payment processing	United States	SCCs, Module Two (C→P) + DPA; Stripe is certified under the EU-US Data Privacy Framework (DPF) — the successor to the invalidated Privacy Shield	`https://stripe.com/privacy`
CryptAPI	Your LAPOS deposit wallet address (public, on-chain)	Crypto payment forwarding	Operating entity currently operates from Estonia and the EU; infrastructure within EEA. Verify at their privacy page for current entity	Intra-EEA transfer where applicable; otherwise SCCs	`https://cryptapi.io/privacy`
Polymarket Corp. — QCX LLC (US, CFTC-registered DCM)	Wallet address, order data for US-accessible markets where relevant	Prediction market order execution	United States	SCCs, Module Two + public on-chain data	`https://polymarket.com/privacy`
Polymarket — non-US liquidity route	Wallet address and order parameters (market ID, outcome, price, size) — all of which are also publicly visible on-chain on Polygon once executed	Prediction market order execution for non-US markets	Various non-EU jurisdictions	For non-US markets, LAPOS transmits your signed order instructions to Polymarket's non-US matching infrastructure. We treat this routing as a sub-processor relationship under GDPR Art. 28(3) and limit the data shared to what is strictly necessary to execute your instruction (wallet address, market ID, outcome, price, size — no notebook content, no AI inputs, no account identifiers beyond the wallet). Once executed, the wallet and order data are public on-chain and the on-chain record is outside any party's further processing control (see §11). Where the Polymarket entity operating that infrastructure otherwise processes personal data, its own privacy policy governs; LAPOS does not control that party's processing.	`https://polymarket.com/privacy`
Privy Inc.	Email or social login token, wallet signatures	Authentication and embedded-wallet infrastructure	United States	SCCs, Module Two + DPA	`https://www.privy.io/privacy-policy`
Cloudflare, Inc.	IP address (proxied), request metadata, security challenge data	CDN, DDoS protection, bot management	Global edge network (including EU and US)	SCCs, Module Three (P→P) + DPA; Cloudflare is DPF-certified	`https://www.cloudflare.com/privacypolicy/`
Hetzner Online GmbH	Server logs, encrypted at-rest database	VPS hosting for our application, PostgreSQL, Redis	Germany (EEA)	Intra-EEA; Article 28 controller–processor agreement	`https://www.hetzner.com/legal/privacy-policy`
Polygon RPC providers (Infura, Alchemy, Ankr, or equivalent — current provider listed at our support page)	Wallet address, read-only RPC queries	On-chain data reads (balances, positions)	Primarily United States	SCCs, Module Two + provider DPA	Provider-specific (see their websites)
Sentry (Functional Software, Inc.)	Technical error traces; no PII is intentionally logged to Sentry, and known-PII fields are scrubbed before transmission	Error monitoring and debugging	United States	SCCs, Module Two + DPA; Sentry supports EU-region data residency, which we will enable at scale	`https://sentry.io/privacy/`
Telegram Messenger Inc. (optional)	Telegram user ID (if you link Telegram), notification content you opted in to receive	Delivery of Telegram notifications you opt into	UAE (headquarters)	Schrems-II posture — best-effort 2026-04-21, confirm with counsel before launch. (a) Telegram-specific explicit opt-in. When you link Telegram, a dedicated disclosure modal informs you that Telegram is operated from the UAE, which lacks an EU adequacy decision, and that Telegram may retain your user ID and notification content per its own privacy policy outside EU control. You must expressly consent to this specific transfer as a GDPR Art. 49(1)(a) informed-consent derogation, in addition to these Terms. (b) Strict data minimization. Only two categories of data cross the border: your Telegram user ID and the text of the notification you opted in to receive. No trade-decision inputs, account credentials, or notebook content are sent. (c) User can disable at any time. Unlinking Telegram in settings stops all transfers immediately. (d) Phase 2 commitment. LAPOS commits to evaluating migration to an EU-hosted Telegram-bot proxy (EU-residency notification gateway that strips PII before the UAE leg) or to an equivalent EU-established notification provider, with a target implementation before public EU launch. (e) SCCs, Module Two are in place as a baseline safeguard on top of the explicit-consent derogation.	`https://telegram.org/privacy`

We do not share data with: advertisers, data brokers, marketing platforms, analytics aggregators, or any party for purposes other than those listed above.

5.1 Ongoing verification of EU-US Data Privacy Framework (DPF) certification

LAPOS relies on the EU-US DPF adequacy decision (Commission Implementing Decision (EU) 2023/1795) as part of the transfer-safeguard stack for certain US-established processors, alongside Standard Contractual Clauses. DPF certifications can lapse, be withdrawn, or be invalidated by Commission or CJEU action. LAPOS commits to the following ongoing-verification process:

Quarterly review. LAPOS reviews the DPF certification status of Stripe and Cloudflare (and any other DPF-named processor) at the official DPF program registry (https://www.dataprivacyframework.gov/list) at least once per calendar quarter.
Additional review on trigger events. LAPOS additionally reviews certification status upon any Commission or CJEU decision affecting the DPF adequacy finding, upon any public announcement of withdrawal or lapse, and upon any news of processor-specific compliance issues brought to our attention.
If a certification lapses or is withdrawn. LAPOS commits, in that case, to: (a) notifying affected users within 30 days of discovery, via in-app notification and (where available) email; (b) assessing whether SCCs alone, together with supplementary measures, remain a lawful basis for continued transfers; (c) updating this Privacy Policy within the notice period; and (d) where continued use is not lawful, beginning migration to an alternative processor.
If the DPF as a whole is invalidated. LAPOS commits to the same assessment on a portfolio basis and to a good-faith effort to move to EU-based alternatives where operationally feasible.

6. Automated Decision-Making and Profiling (GDPR Article 22 + CCPA ADMT)

6.1 Scope

Three features involve automated decisions with legal or similarly significant effect on you (including financial effect):

Auto-Shield (Pro and Sentinel) — automatically sells your positions when pre-configured triggers fire.
Conditional Orders (Sentinel) — automatically executes sell/buy orders on news or oracle events.
Auto-Forecast (Sentinel) — AI-driven sell/buy/hold decision based on news analysis.

6.2 Explicit consent

These features are opt-in only and require a two-step consent flow before activation (explanation + "I understand the risk" checkbox). Mere acceptance of the Terms of Service does not enable them.

Legal basis: explicit consent under GDPR Article 6(1)(a), combined with Article 22(2)(c) — this is the single legal basis we rely on. Consent is withdrawable at any time under Article 7(3) by disabling the feature in settings; withdrawal does not affect the lawfulness of processing already carried out.

Why we do not rely on Article 22(2)(a) "contract performance." Under EDPB Guidelines on automated decision-making (WP251 rev.01), the "necessary for a contract" exception in Art. 22(2)(a) is interpreted narrowly and does not extend to features that are merely useful enhancements. Auto-Features are optional enhancements to the LAPOS trading terminal — the underlying product functions without them — so they do not meet the WP251 "strictly necessary" standard. Accordingly, LAPOS relies solely on explicit consent.

6.3 Your rights regarding automated decisions (GDPR Article 22(3))

Right to obtain human intervention. Email [email protected] to request review of any automated decision.
Right to express your point of view. Use the in-app dispute button on execution notifications, or include your position in an email to [email protected].
Right to contest the decision. See the Auto-Feature Contest Procedure annex at §6.3.1 below for the operational SLA. Blockchain transactions are irreversible, so a successful contest does not reverse an executed on-chain trade. Where we determine that LAPOS was materially at fault for the outcome (e.g., a rules-engine bug, a failure of documented safety checks, or a missed kill-switch), we will offer reasonable remedies such as a credit to your account, a subscription-fee refund, or an equivalent. Remedies remain subject to the Limitation of Liability in Section 17 of the Terms of Service.
Right to meaningful information. We can explain the logic: Auto-Shield operates on deterministic rules (price-drop threshold, health-badge grade change, VWAP anomaly band, pre-sell slippage estimate, data-freshness gate, UMA dispute pause, user-configured daily loss cap). Sentinel adds an optional AI enhancement layer that can suppress (but not originate) a rules-triggered sell. Conditional Orders execute on pre-defined triggers (price / health / news / UMA events) chosen by you at order creation. Auto-Forecast evaluates incoming news via an AI model (currently Anthropic Claude Sonnet family) with a hardened prompt and a specialized prompt-injection-detection filter (currently provided by Lakera Guard; vendor may change without notice so long as equivalent capability is retained). Full technical details available on request.

6.3.1 Auto-Feature Contest Procedure (Annex)

This annex operationalizes the Art. 22(3) rights above:

How to open a contest. In-app: use the dispute button attached to the execution notification. By email: [email protected] with "Auto-Feature Contest — [feature] — [market ID]" in the subject line. Include the execution ID, your account identifier, and a short description of why you believe the decision was wrong.
Acknowledgment SLA. We will acknowledge receipt within 24 hours.
Decision SLA. We will issue a written decision within 10 business days of acknowledgment. Complex cases (e.g., those that require review of Anthropic-side telemetry or UMA-adapter forensics) may be extended by up to 10 additional business days with written notice and reasons.
Reviewer. Decisions are taken by the LAPOS Trading Safety Lead — a named human role, independent of the AI system that made the original decision and independent of the operator's general inbox.
Decision letter content. Each decision letter will include: (i) the facts relied on, (ii) the reasoning applied, and (iii) the remedy (credit to your account, refund of a subscription fee, correction of feature configuration, or a reasoned denial). Decisions are written in plain language.
Appeal. A denied contestant may appeal within 30 days to [email protected] with "Auto-Feature Contest Appeal" in the subject line. Appeals are reviewed by a different individual than the initial reviewer.
No retaliation. Lodging a contest does not affect your subscription, pricing, or service quality.

6.4 CCPA Automated Decision-Making Technology (ADMT)

Under the 2026 California ADMT regulations (California Consumer Privacy Protection Agency rulemaking under Cal. Civ. Code §1798.185(a)(16)), Auto-Shield, Conditional Orders, and Auto-Forecast qualify as Automated Decision-Making Technology. California residents have the following rights, which are distinct from the general-purpose "disable Auto-Features" toggle:

(a) Pre-use notice. Before activation of an Auto-Feature you receive: (i) the category of decision the ADMT makes, (ii) the logic in plain language, (iii) the factors and relative weighting (where applicable), and (iv) the output. This is delivered in the two-step consent modal and restated in this Policy at §6.3.

(b) Access right — ADMT-specific. You may request information about how a specific ADMT decision was made about you. Submit to [email protected] with "ADMT access request" in the subject.

(c) Opt-out of ADMT — distinct from feature disable. CCPA recognizes a statutory right to opt out of ADMT that is independent of disabling the feature. If you exercise this right, LAPOS will: (i) stop making significant automated decisions about you using the listed ADMT features, and (ii) continue to make the underlying features available to you in a non-automated form where feasible (for example: manual Auto-Shield-equivalent trigger alerts that you act on manually; manual Auto-Forecast news alerts without automated sell/buy). Opt-out does not require you to give up functionality, only the automation. To exercise, email [email protected] with "ADMT opt-out" in the subject or use the in-app control at /api/account/admt-opt-out (endpoint exposed in account settings).

(d) Appeal. If an ADMT decision adversely affects you, you may appeal via the Auto-Feature Contest Procedure in §6.3.1. Appeal of an ADMT-denied decision goes to a reviewer independent of the original one.

(e) No retaliation. Exercising any of the above rights does not affect your pricing, subscription, or service quality (consistent with Cal. Civ. Code §1798.125 and §9 of this Policy).

7. Retention Periods

Data	Retention
Account identifiers (email, wallet, Privy ID)	Until account deletion
Trade history	Until account deletion
Slider estimates (individual)	Until account deletion (your personal forecasting track record)
Notebook entries (your private thoughts / theses you wrote)	Until account deletion — stored only so you can read them again; never shared externally unless you explicitly run an AI feature on a specific entry
AI responses (your archived Lens, Red Team, etc.)	Until account deletion
Notifications (in-app inbox)	Until account deletion
Feature usage counters	Until account deletion
Session tokens (JWT)	24 hours (access) / 7 days (refresh)
IP address in logs	Full IP received via Cloudflare; held in application memory for the request and for short-term rate-limit counters (seconds to minutes); up to 72 hours in incident-response buffers during active security investigations; for longer-term logging, bucketed to /24 subnet and retained up to 14 days, then deleted. Full details in §3.4.
Support emails	Until account deletion (exception: messages linked to an unresolved legal claim)
Payment transaction logs	7 years (tax/accounting obligation) — anonymized after account deletion
On-chain transaction data (Polygon)	Permanent and outside our control — see Section 11

After account deletion: all data in our databases is removed immediately. Database backups are overwritten within 7 days.

8. International Data Transfers

Our processors include entities located in the United States (Anthropic, Stripe, Privy, Polymarket, Cloudflare), the United Arab Emirates (Telegram), and the European Economic Area (Hetzner, CryptAPI).

For transfers outside the EEA, we rely on:

European Commission Standard Contractual Clauses (SCCs) — 2021 version, where applicable
Data Processing Agreements (DPAs) with each processor
Supplementary measures — encryption in transit (TLS 1.3), encryption at rest (AES-256-GCM for sensitive fields), minimization of data transmitted

We have assessed the countries of our non-EEA processors under Schrems II criteria. For the United States, we rely on the EU-US Data Privacy Framework (where the processor participates) plus SCCs as a belt-and-suspenders approach.

You may request a copy of our SCCs and transfer impact assessments by emailing [email protected].

9. Your Rights

Subject to applicable law (GDPR, CCPA, or other), you have the following rights:

Right	How to exercise
Access (GDPR Art. 15 / CCPA §1798.110)	`GET /api/account/export` or email `[email protected]`
Rectification (GDPR Art. 16)	Update profile in-app or email us
Erasure / Deletion (GDPR Art. 17 / CCPA §1798.105)	`DELETE /api/account` or email us
Restriction of processing (GDPR Art. 18)	Email `[email protected]`
Portability (GDPR Art. 20)	`GET /api/account/export` returns JSON
Object to processing (GDPR Art. 21)	Email `[email protected]`
Withdraw consent (GDPR Art. 7(3))	Disable relevant features or delete account
Not be subject to solely automated decisions (GDPR Art. 22)	Do not enable Auto-Features, or contest specific decisions
Lodge a complaint with a supervisory authority (GDPR Art. 77)	Contact your national data protection authority. For processing carried out via our Hetzner hosting, the competent German state supervisory authority depends on the Hetzner data-center location (e.g., Bayerisches Landesamt für Datenschutzaufsicht (BayLDA) for Nürnberg data-center, `https://www.lda.bayern.de`; or the authority of the Land of the data center actually serving you). The federal authority (BfDI) handles cross-border coordination.
Do Not Sell or Share My Personal Information (CCPA)	Not applicable — we do not sell or share personal information. If this changes, a conspicuous opt-out link will appear on `lapos.it`.
Limit Use of Sensitive Personal Information (CCPA)	Not applicable — we do not collect sensitive personal information (no SSN, driver's license, precise geolocation, biometric, union/health/religious data)
Opt out of ADMT (CCPA, 2026 regulations)	Email `[email protected]` with "ADMT opt-out" in the subject line, or use the in-app control at `/api/account/admt-opt-out` (see §6.4). Distinct from disabling the feature — if you opt out, the following non-automated substitutions apply: (a) Auto-Shield: replaced with manual alert-only mode — you receive the same price-trigger and health-badge notifications the automated system would have fired on, but no sell is executed without your confirmation; (b) Conditional Orders: unavailable — there is no non-automated equivalent to event-triggered order placement, so opting out disables this feature for your account; (c) Auto-Forecast: unavailable for the same reason as (b). In all cases, manual trading through the LAPOS terminal remains fully available.
Appeal denied rights requests	Email `[email protected]` with "APPEAL" in subject

Response time: we aim to respond to rights requests within 30 days (GDPR requirement). CCPA requests: within 45 days, extendable to 90 days for complex requests with notice.

Verification: for security, we may require you to verify your identity before processing a rights request. Verification method depends on how you authenticated:

Wallet-linked accounts — sign a challenge message with the wallet bound to your account.
Email-only accounts (Privy email login without wallet) — confirm control of the email address via a signed verification link or code, and confirm one or more pieces of account-specific information known only to you (recent activity, subscription dates).
Social login accounts — confirm control of the third-party identity provider account you used at signup.

If you cannot complete verification, we may decline the request per GDPR Art. 12(6) / CCPA §1798.140(v).

No retaliation. We will not deny service, charge different prices, or provide a different level of quality because you exercised your privacy rights.

9.1 Data subject export — `GET /api/account/export` schema

The export is a single UTF-8 JSON document returned by GET /api/account/export. Field names listed below are stable contract; nested objects may gain additional forward-compatible fields without a schema-version bump. Breaking changes to this schema are announced under §15 (Changes to This Policy) with the same 14-day material-change notice.

Top-level schema.

{
  "export_version": "2026-04-22",          // dated schema version
  "exported_at": "<ISO 8601 UTC>",
  "data_subject": {                         // from §3.1
    "email": "<string | null>",
    "wallet_address": "<0x… | null>",
    "privy_user_id": "<string>",
    "username": "<string | null>",
    "telegram_user_id": "<string | null>"
  },
  "trades": [ /* full trade history per §3.2 */ ],
  "positions": [ /* open positions snapshot at export time per §3.2 */ ],
  "slider_estimates": [ /* every slider you submitted, with market ID, timestamp, value, confirmed_at */ ],
  "notebook_entries": [ /* verbatim text you wrote, per §3.2 */ ],
  "ai_responses": [ /* archived Lens, Red Team, Daily Review, Blind Spot, Rules Parser, Auto-Forecast outputs, per §3.3 */ ],
  "ai_prompts": [ /* the prompt content transmitted to Anthropic for each ai_responses row (cross-referenced by id); present in the export even though our server-side log window is 30 days (§3.3), because the archived response + your action history makes the prompt reconstructible */ ],
  "notifications": [ /* in-app inbox history per §3.1.* */ ],
  "feedback_submissions": [ /* your submitted feedback text per §3.5 */ ],
  "support_threads": [ /* subject line + our-side timestamps per §3.5; message bodies included where they contain only your own text. Any third-party content you were replying to is redacted. */ ],
  "subscription_history": [ /* plan changes, renewal dates, cancellation dates per §3.2 */ ],
  "credit_ledger": [ /* credit purchases and per-feature consumption events */ ],
  "telegram_link": { /* current Telegram link status per §3.1 */ },
  "feature_usage_counters": { /* monthly/period counters per feature gate, per §3.4 */ },
  "consent_records": [ /* grants and withdrawals for Auto-Features, Telegram transfer consent, cookie categories, per §6.2 and Art. 7(1) audit requirement */ ],
  "admt_opt_out_status": { "opted_out": "<bool>", "opted_out_at": "<ISO 8601 | null>" },  // §6.4
  "auto_feature_configs": { /* current Auto-Shield / Conditional-Orders / Auto-Forecast configuration per user, per §6.1 */ }
}

What the export deliberately does not contain (and why).

Category	Why it is excluded	Where to find it
IP address logs	After the §3.4 incident-response window (72h) and the /24-bucket 14-day log period, LAPOS no longer holds personal data linked to you; aggregate /24 counters are statistical, not personal data under GDPR Art. 4(1)	Not available
Payment-card details, Stripe tokens	Processed by Stripe, not stored by LAPOS (§3.6)	`stripe.com` — request a dump of your Stripe customer record
Payment transaction amounts after account deletion	Anonymized per §7 retention (transaction log remains for 7-year tax obligation but is disassociated from you upon deletion)	Pre-deletion only; included while account active
On-chain transaction data	Public and permanent on the Polygon blockchain; not in LAPOS custody (§11)	Any Polygon block explorer (e.g., Polygonscan), using the `wallet_address` in the `data_subject` block
Session tokens (JWTs)	Security — exporting active tokens would enable unauthorized account use	Not exportable by policy
Internal service logs unrelated to you	Service health metrics are not personal data	Not applicable
AI prompt text older than 30 days, server-side log copy	LAPOS's own prompt log rolls at 30 days (§3.3); but the `ai_prompts` block reconstructs prompt content from your persistent archived responses, so no information is lost to the data subject	See `ai_prompts` block

Machine-readability. The export is returned with Content-Type: application/json; charset=utf-8. Every timestamp is ISO 8601 UTC. Decimal fields are serialized as JSON strings to preserve precision per LAPOS's money-handling rule. Binary fields are base64url-encoded with an explicit _encoding: "base64url" sibling. null means "value not applicable to you"; a missing key means "not yet added to this schema version" and is a forward-compatibility signal.

Verification path. You can confirm completeness by (i) counting trades in your export vs. the count surfaced by the LAPOS terminal's Portfolio view at export time, (ii) spot-checking notebook entries against the in-app list, and (iii) asking [email protected] to walk through any category above where the export appears empty.

Cross-border portability. The schema is stable and machine-readable, satisfying GDPR Art. 20 portability for the records in trades, positions, slider_estimates, notebook_entries, and ai_responses (records processed on the Art. 6(1)(b) contract basis). Categories processed on another legal basis (e.g., legitimate interest) are included for Art. 15 access but not guaranteed portable to a third controller under Art. 20.

10. Cookies and Similar Technologies

LAPOS uses only essential cookies and local storage required to operate the Services. No analytics cookies. No third-party trackers. No advertising pixels.

Cookie / Storage	Purpose	Duration
`session` (HTTP-only, Secure, SameSite=Lax)	JWT access token for authenticated requests	24 hours
`refresh` (HTTP-only, Secure, SameSite=Lax)	Silent re-authentication	7 days, revoked on logout or deletion
`theme` (localStorage)	Your dark/light mode preference	Until you clear browser storage
`lang` (localStorage)	Language preference	Until you clear browser storage
`__cf_bm` (Cloudflare)	Bot management (distinguishes humans from automated traffic)	30 minutes, rolling
`cf_clearance` (Cloudflare)	Records completion of a security challenge	Up to 30 days

Essential cookies do not require prior consent under the EU ePrivacy Directive (2002/58/EC as amended; and under the anticipated ePrivacy Regulation once it enters force). We do not use any non-essential cookies (no analytics, no advertising, no cross-site tracking); therefore no cookie consent banner is displayed.

11. On-Chain Data

Your trades on Polymarket occur on the Polygon blockchain. On-chain data is:

Public. Wallet addresses and transaction history are visible to anyone with blockchain explorer tools (e.g., Polygonscan).
Permanent. Blockchain transactions cannot be deleted, ever.
Outside our control. LAPOS cannot modify, censor, or remove on-chain records.

If you delete your LAPOS account, we remove all data from our databases. Your on-chain trade history remains on the Polygon blockchain permanently and is not affected by LAPOS account deletion. You should consider this before linking a wallet to LAPOS — if you require deniable history, use a separate wallet.

12. Security

We implement reasonable technical and organizational measures to protect personal data:

Encryption in transit — TLS 1.3 for all HTTPS traffic; encrypted origin-pull between our CDN and hosting.
Encryption at rest — database volumes use full-disk encryption. Sensitive application-level fields (e.g., any encrypted credentials) use authenticated encryption (AES-256-GCM).
Access controls — administrative access to production systems requires IP whitelist, SSH key, and constant-time credential verification. Administrative endpoints are rate-limited.
No plaintext secrets — private keys remain in the Privy wallet-infrastructure trusted execution environment; LAPOS never has access to them.
Least privilege — internal services authenticate via scoped API tokens; database connections use role-based access control with minimum-necessary permissions.
Monitoring — security and error events are logged to an error-monitoring service (processor listed in Section 5); critical alerts route to the operator via encrypted messaging.

No system is perfectly secure. We commit to notifying the competent supervisory authority within 72 hours under GDPR Article 33 where required, and to notifying affected users without undue delay under Article 34 with the staged timeline described at §3.7.4.

13. Children's Privacy

LAPOS is not intended for use by persons under 18 years of age (or the age of majority in your jurisdiction). We do not knowingly collect personal information from minors. If we learn that a minor has created an account, we will terminate the account and delete the data.

14. AI Transparency (EU AI Act Article 50)

In compliance with Article 50 of the EU AI Act (Regulation 2024/1689), entering force 2 August 2026:

When you use Lens, Notebook Red Team, Daily Review, Auto-Shield AI, Blind Spot Report, Rules Parser, or Auto-Forecast, you are interacting with an artificial intelligence system provided by Anthropic PBC (Claude model family). AI outputs may be factually wrong, biased, or overconfident; see Risk Disclosure §10 for a longer explanation.
AI outputs are advisory and are not financial advice.
Your inputs to AI features are processed by Anthropic under the terms described in Section 5 and Anthropic's privacy policy.

Provider and deployer identity. For the purposes of the EU AI Act:

Anthropic PBC is the "provider" of the underlying general-purpose AI models (Art. 3(3) of the Regulation).
LAPOS is the "deployer" (Art. 3(4)) that uses those models in its product. LAPOS's identity as deployer is disclosed here. The deployer obligations that attach to LAPOS under Article 50 include (a) informing natural persons that they are interacting with an AI system (this section); (b) where Art. 50(4) applies to AI-generated text published to inform the public on matters of public interest, disclosing that such text has been artificially generated; and (c) where AI-generated synthetic audio, image, or video content is deployed, applying the machine-readable marking requirement of Art. 50(2).

Pre-commitment on future synthetic content. LAPOS does not currently generate synthetic audio, image, or video content. LAPOS pre-commits to applying the Article 50(2) machine-readable marking obligation if and when such content is introduced, and to using industry-standard provenance formats (such as C2PA or any then-current EU-recognized standard) where available.

UI labeling commitment. All AI-generated outputs in the LAPOS interface (Lens, Red Team, Daily Review, Blind Spot Report, Rules Parser, Auto-Forecast) are displayed with a visible "AI-generated" provenance label.

15. Changes to This Policy

We may update this Privacy Policy. If we make material changes — expanding data collection, adding processors, modifying your rights, or increasing retention periods — we will notify you via in-app notification and email at least 14 days before the change takes effect.

The "Last updated" date at the top reflects the most recent revision. Prior versions are available on request.

16. Contact

Privacy inquiries, data subject rights requests, ADMT opt-out: [email protected]
Data Protection Officer (upon appointment): [email protected]
EU Representative (GDPR Art. 27, upon appointment): [email protected]
Legal notices and service of process: [email protected]
Complaints that did not reach a satisfactory resolution:
- EU residents: your national data protection authority. For processing carried out at our German hosting, the competent state supervisory authority of the Land where the serving data center is located (e.g., BayLDA for Nürnberg — https://www.lda.bayern.de). Federal coordination: BfDI — https://www.bfdi.bund.de. EU Online Dispute Resolution platform: https://ec.europa.eu/consumers/odr.
- California residents: California Privacy Protection Agency — https://cppa.ca.gov.
- UK residents: Information Commissioner's Office — https://ico.org.uk.
- Other jurisdictions: your applicable national or regional data-protection authority.

By using LAPOS, you acknowledge that you have read and understood this Privacy Policy. If you do not accept, you must not use the Services.